envoyproxy/envoy

Wasm module signature verification

Open

#17.220 geöffnet am 2. Juli 2021

Auf GitHub ansehen
 (5 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)C++ (5.373 Forks)batch import
area/securityarea/wasmenhancementhelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

Title: Wasm module signature verification

Description: Add the ability to configure verification options to satisfy before executing a Wasm module. This could include checking all/some/at least one signature is present from a list of specified verification keys in the Wasm bytecode according to https://github.com/jedisct1/wasmsign. I propose some kind of VerificationOption struct that contains

  • repeated public keys
  • verification type (at least 'n', ALL)
  • signature type (maybe reference to wasmsign)

If this is something interesting/use-able to others, I am happy to continue implementation.

Relevant Links Draft PR here: https://github.com/envoyproxy/envoy/pull/17221 The change depends on a PR in proxy-wasm-cpp-host: https://github.com/proxy-wasm/proxy-wasm-cpp-host/pull/177

Contributor Guide