Adds verification key for Wasm module

.github/workflows/cpp.yml

@@ -81,7 +81,3 @@ jobs:
     - name: Test
       run: |
         bazel test --define runtime=${{ matrix.runtime }} //test/...
-
-    - name: Test (signed Wasm module)
-      run: |
-        bazel test --define runtime=${{ matrix.runtime }} --per_file_copt=//...@-DPROXY_WASM_VERIFY_WITH_ED25519_PUBKEY=\"$(xxd -p -c 256 test/test_data/signature_key1.pub | cut -b9-)\" //test:signature_util_test

include/proxy-wasm/signature_util.h

@@ -27,7 +27,7 @@ class SignatureUtil {
    * @param message is the reference to store the message (success or error).
    * @return indicates whether the bytecode has a valid Wasm signature.
    */
-  static bool verifySignature(std::string_view bytecode, std::string &message);
+  static bool verifySignature(std::string_view bytecode, const std::string pubkey, std::string &message);
 };
 
 } // namespace proxy_wasm

include/proxy-wasm/wasm.h

@@ -58,7 +58,7 @@ class WasmBase : public std::enable_shared_from_this<WasmBase> {
   WasmBase(const std::shared_ptr<WasmHandleBase> &other, WasmVmFactory factory);
   virtual ~WasmBase();
 
-  bool load(const std::string &code, bool allow_precompiled = false);
+  bool load(const std::string &code, bool allow_precompiled = false, const std::string pubkey = "");
   bool initialize();
   void startVm(ContextBase *root_context);
   bool configure(ContextBase *root_context, std::shared_ptr<PluginBase> plugin);
@@ -311,8 +311,10 @@ using WasmHandleCloneFactory =
     std::function<std::shared_ptr<WasmHandleBase>(std::shared_ptr<WasmHandleBase> wasm)>;
 
 // Returns nullptr on failure (i.e. initialization of the VM fails).
+// TODO: Consider a VerificationOptions struct rather than a single pubkey.
 std::shared_ptr<WasmHandleBase>
-createWasm(std::string vm_key, std::string code, std::shared_ptr<PluginBase> plugin,
+    createWasm(std::string vm_key, std::string code, std::string pubkey,
+               std::shared_ptr<PluginBase> plugin,
            WasmHandleFactory factory, WasmHandleCloneFactory clone_factory, bool allow_precompiled);
 // Get an existing ThreadLocal VM matching 'vm_id' or nullptr if there isn't one.
 std::shared_ptr<WasmHandleBase> getThreadLocalWasm(std::string_view vm_id);

src/signature_util.cc

@@ -24,7 +24,6 @@
 
 namespace {
 
-#ifdef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY
 
 static uint8_t hex2dec(const unsigned char c) {
   if (c >= '0' && c <= '9') {
@@ -46,15 +45,13 @@ template <size_t N> constexpr std::array<uint8_t, N> hex2pubkey(const char (&hex
   return pubkey;
 }
 
-#endif
 
 } // namespace
 
 namespace proxy_wasm {
 
-bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &message) {
-
-#ifdef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY
+bool SignatureUtil::verifySignature(std::string_view bytecode, std::string pubkey, std::string &message) {
+  if (!pubkey.empty()) {
 
   /*
    * Ed25519 signature generated using https://github.com/jedisct1/wasmsign
@@ -101,7 +98,9 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
   uint8_t hash[SHA512_DIGEST_LENGTH];
   SHA512_Final(hash, &ctx);
 
-  static const auto ed25519_pubkey = hex2pubkey<32>(PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY);
+  char pubkey_char[65];
+  strcpy(pubkey_char, pubkey.c_str());
+  static const auto ed25519_pubkey = hex2pubkey<32>(pubkey_char);
 
   if (!ED25519_verify(hash, sizeof(hash), signature, ed25519_pubkey.data())) {
     message = "Signature mismatch";
@@ -110,9 +109,7 @@ bool SignatureUtil::verifySignature(std::string_view bytecode, std::string &mess
 
   message = "Wasm signature OK (Ed25519)";
   return true;
-
-#endif
-
+  }
   return true;
 }
 

src/wasm.cc

@@ -234,7 +234,7 @@ WasmBase::~WasmBase() {
   pending_delete_.clear();
 }
 
-bool WasmBase::load(const std::string &code, bool allow_precompiled) {
+bool WasmBase::load(const std::string &code, bool allow_precompiled, const std::string pubkey) {
   assert(!started_from_.has_value());
 
   if (!wasm_vm_) {
@@ -251,13 +251,15 @@ bool WasmBase::load(const std::string &code, bool allow_precompiled) {
     return true;
   }
 
-  // Verify signature.
-  std::string message;
-  if (!SignatureUtil::verifySignature(code, message)) {
-    fail(FailState::UnableToInitializeCode, message);
-    return false;
-  } else {
-    wasm_vm_->integration()->trace(message);
+  // Verify signature if a pubkey is present.
+  if (!pubkey.empty()) {
+    std::string message;
+    if (!SignatureUtil::verifySignature(code, pubkey, message)) {
+      fail(FailState::UnableToInitializeCode, message);
+      return false;
+    } else {
+      wasm_vm_->integration()->trace(message);
+    }
   }
 
   // Get ABI version from the module.
@@ -465,6 +467,7 @@ WasmForeignFunction WasmBase::getForeignFunction(std::string_view function_name)
 }
 
 std::shared_ptr<WasmHandleBase> createWasm(std::string vm_key, std::string code,
+                                           std::string pubkey,
                                            std::shared_ptr<PluginBase> plugin,
                                            WasmHandleFactory factory,
                                            WasmHandleCloneFactory clone_factory,
@@ -492,7 +495,7 @@ std::shared_ptr<WasmHandleBase> createWasm(std::string vm_key, std::string code,
     (*base_wasms)[vm_key] = wasm_handle;
   }
 
-  if (!wasm_handle->wasm()->load(code, allow_precompiled)) {
+  if (!wasm_handle->wasm()->load(code, allow_precompiled, pubkey)) {
     wasm_handle->wasm()->fail(FailState::UnableToInitializeCode, "Failed to load Wasm code");
     return nullptr;
   }

test/BUILD

@@ -35,6 +35,7 @@ cc_test(
         "//test/test_data:abi_export.signed.with.key1.wasm",
         "//test/test_data:abi_export.signed.with.key2.wasm",
         "//test/test_data:abi_export.wasm",
+        "//test/test_data:signature_key1.pub",
     ],
     # Test only when compiled to verify plugins.
     tags = ["manual"],

test/signature_util_test.cc

@@ -24,36 +24,49 @@
 
 namespace proxy_wasm {
 
-TEST(TestSignatureUtil, GoodSignature) {
-#ifndef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY
-  FAIL() << "Built without a key for verifying signed Wasm modules.";
-#endif
+std::string BytesToHex(std::vector<uint8_t> bytes) {
+  static const char *const hex = "0123456789ABCDEF";
+  std::string result;
+  result.reserve(bytes.size() * 2);
+  for (auto byte : bytes) {
+    result.push_back(hex[byte >> 4]);
+    result.push_back(hex[byte & 0xf]);
+  }
+  return result;
+}
+
+static std::string publickey(std::string filename) {
+  auto path = "test/test_data/" + filename;
+  std::ifstream file(path, std::ios::binary);
+  EXPECT_FALSE(file.fail()) << "failed to open: " << path;
+  std::stringstream file_string_stream;
+  file_string_stream << file.rdbuf();
+  std::string input = file_string_stream.str();
+  std::vector<uint8_t> bytes(input.begin() + 4, input.end());
+  return BytesToHex(bytes);
+}
 
+TEST(TestSignatureUtil, GoodSignature) {
+  std::string pubkey = publickey("signature_key1.pub");
   const auto bytecode = readTestWasmFile("abi_export.signed.with.key1.wasm");
   std::string message;
-  EXPECT_TRUE(SignatureUtil::verifySignature(bytecode, message));
+  EXPECT_TRUE(SignatureUtil::verifySignature(bytecode, pubkey, message));
   EXPECT_EQ(message, "Wasm signature OK (Ed25519)");
 }
 
 TEST(TestSignatureUtil, BadSignature) {
-#ifndef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY
-  FAIL() << "Built without a key for verifying signed Wasm modules.";
-#endif
-
+  std::string pubkey = publickey("signature_key1.pub");
   const auto bytecode = readTestWasmFile("abi_export.signed.with.key2.wasm");
   std::string message;
-  EXPECT_FALSE(SignatureUtil::verifySignature(bytecode, message));
+  EXPECT_FALSE(SignatureUtil::verifySignature(bytecode, pubkey, message));
   EXPECT_EQ(message, "Signature mismatch");
 }
 
 TEST(TestSignatureUtil, NoSignature) {
-#ifndef PROXY_WASM_VERIFY_WITH_ED25519_PUBKEY
-  FAIL() << "Built without a key for verifying signed Wasm modules.";
-#endif
-
+  std::string pubkey = publickey("signature_key1.pub");
   const auto bytecode = readTestWasmFile("abi_export.wasm");
   std::string message;
-  EXPECT_FALSE(SignatureUtil::verifySignature(bytecode, message));
+  EXPECT_FALSE(SignatureUtil::verifySignature(bytecode, pubkey, message));
   EXPECT_EQ(message, "Custom Section \"signature_wasmsign\" not found");
 }