envoyproxy/envoy

Wasm module signature verification

Open

#17.220 aberto em 2 de jul. de 2021

Ver no GitHub
 (5 comments) (0 reactions) (0 assignees)C++ (5.373 forks)batch import
area/securityarea/wasmenhancementhelp wanted

Métricas do repositório

Stars
 (27.997 stars)
Métricas de merge de PR
 (Mesclagem média 8d) (378 fundiu PRs em 30d)

Description

Title: Wasm module signature verification

Description: Add the ability to configure verification options to satisfy before executing a Wasm module. This could include checking all/some/at least one signature is present from a list of specified verification keys in the Wasm bytecode according to https://github.com/jedisct1/wasmsign. I propose some kind of VerificationOption struct that contains

  • repeated public keys
  • verification type (at least 'n', ALL)
  • signature type (maybe reference to wasmsign)

If this is something interesting/use-able to others, I am happy to continue implementation.

Relevant Links Draft PR here: https://github.com/envoyproxy/envoy/pull/17221 The change depends on a PR in proxy-wasm-cpp-host: https://github.com/proxy-wasm/proxy-wasm-cpp-host/pull/177

Guia do colaborador