envoyproxy/envoy

Wasm module signature verification

Open

#17 220 ouverte le 2 juil. 2021

Voir sur GitHub
 (5 commentaires) (0 réactions) (0 assignés)C++ (5 373 forks)batch import
area/securityarea/wasmenhancementhelp wanted

Métriques du dépôt

Stars
 (27 997 stars)
Métriques de merge PR
 (Merge moyen 8j) (378 PRs mergées en 30 j)

Description

Title: Wasm module signature verification

Description: Add the ability to configure verification options to satisfy before executing a Wasm module. This could include checking all/some/at least one signature is present from a list of specified verification keys in the Wasm bytecode according to https://github.com/jedisct1/wasmsign. I propose some kind of VerificationOption struct that contains

  • repeated public keys
  • verification type (at least 'n', ALL)
  • signature type (maybe reference to wasmsign)

If this is something interesting/use-able to others, I am happy to continue implementation.

Relevant Links Draft PR here: https://github.com/envoyproxy/envoy/pull/17221 The change depends on a PR in proxy-wasm-cpp-host: https://github.com/proxy-wasm/proxy-wasm-cpp-host/pull/177

Guide contributeur