image-rs: get public key from CDH when verifying cosign image signatures

Signed-off-by: Xynnn007 <[email protected]>

image-rs/Cargo.toml

@@ -92,6 +92,9 @@ encryption = ["ocicrypt-rs/block-cipher"]
 encryption-ring = ["ocicrypt-rs/block-cipher-ring", "encryption"]
 encryption-openssl = ["ocicrypt-rs/block-cipher-openssl", "encryption"]
 
+# Get needed image verification keys from Confidential Data Hub
+confidential-data-hub = ["dep:ttrpc", "dep:protobuf"]
+
 keywrap-cmd = ["ocicrypt-rs/keywrap-keyprovider-cmd"]
 keywrap-grpc = ["ocicrypt-rs/keywrap-keyprovider-grpc", "prost", "tonic", "tonic-build"]
 keywrap-native = ["ocicrypt-rs/keywrap-keyprovider-native", "attestation_agent"]

image-rs/build.rs

@@ -10,18 +10,33 @@ fn main() -> Result<()> {
     tonic_build::compile_protos("./protos/getresource.proto").context("tonic build")?;
 
     #[cfg(feature = "ttrpc-codegen")]
-    ttrpc_codegen::Codegen::new()
-        .out_dir("./src/resource/kbs/ttrpc_proto")
-        .input("./protos/getresource.proto")
-        .include("./protos")
-        .rust_protobuf()
-        .customize(ttrpc_codegen::Customize {
-            async_all: true,
-            ..Default::default()
-        })
-        .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
-        .run()
-        .context("ttrpc build")?;
+    {
+        ttrpc_codegen::Codegen::new()
+            .out_dir("./src/resource/kbs/ttrpc_proto")
+            .input("./protos/getresource.proto")
+            .include("./protos")
+            .rust_protobuf()
+            .customize(ttrpc_codegen::Customize {
+                async_all: true,
+                ..Default::default()
+            })
+            .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
+            .run()
+            .context("ttrpc build")?;
 
+        #[cfg(all(feature = "signature-cosign", feature = "confidential-data-hub"))]
+        ttrpc_codegen::Codegen::new()
+            .out_dir("./src/signature/mechanism/cosign")
+            .input("./protos/cosign_pubkey.proto")
+            .include("./protos")
+            .rust_protobuf()
+            .customize(ttrpc_codegen::Customize {
+                async_all: true,
+                ..Default::default()
+            })
+            .rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
+            .run()
+            .context("ttrpc build")?;
+    }
     Ok(())
 }

image-rs/protos/cosign_pubkey.proto

@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package api;
+
+message GetPublicKeyRequest {
+    string KeyId = 1;
+}
+
+message GetPublicKeyResponse {
+    bytes PublicKeyPem = 1;
+}
+
+service GetPublicKeyService {
+    rpc GetPublicKey(GetPublicKeyRequest) returns (GetPublicKeyResponse) {};
+}

image-rs/src/signature/mechanism/cosign/cosign_pubkey.rs

@@ -0,0 +1,308 @@
+// This file is generated by rust-protobuf 3.2.0. Do not edit
+// .proto file is parsed by pure
+// @generated
+
+// https://github.com/rust-lang/rust-clippy/issues/702
+#![allow(unknown_lints)]
+#![allow(clippy::all)]
+
+#![allow(unused_attributes)]
+#![cfg_attr(rustfmt, rustfmt::skip)]
+
+#![allow(box_pointers)]
+#![allow(dead_code)]
+#![allow(missing_docs)]
+#![allow(non_camel_case_types)]
+#![allow(non_snake_case)]
+#![allow(non_upper_case_globals)]
+#![allow(trivial_casts)]
+#![allow(unused_results)]
+#![allow(unused_mut)]
+
+//! Generated file from `cosign_pubkey.proto`
+
+/// Generated files are compatible only with the same version
+/// of protobuf runtime.
+const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0;
+
+#[derive(PartialEq,Clone,Default,Debug)]
+// @@protoc_insertion_point(message:api.GetPublicKeyRequest)
+pub struct GetPublicKeyRequest {
+    // message fields
+    // @@protoc_insertion_point(field:api.GetPublicKeyRequest.KeyId)
+    pub KeyId: ::std::string::String,
+    // special fields
+    // @@protoc_insertion_point(special_field:api.GetPublicKeyRequest.special_fields)
+    pub special_fields: ::protobuf::SpecialFields,
+}
+
+impl<'a> ::std::default::Default for &'a GetPublicKeyRequest {
+    fn default() -> &'a GetPublicKeyRequest {
+        <GetPublicKeyRequest as ::protobuf::Message>::default_instance()
+    }
+}
+
+impl GetPublicKeyRequest {
+    pub fn new() -> GetPublicKeyRequest {
+        ::std::default::Default::default()
+    }
+
+    fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData {
+        let mut fields = ::std::vec::Vec::with_capacity(1);
+        let mut oneofs = ::std::vec::Vec::with_capacity(0);
+        fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>(
+            "KeyId",
+            |m: &GetPublicKeyRequest| { &m.KeyId },
+            |m: &mut GetPublicKeyRequest| { &mut m.KeyId },
+        ));
+        ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::<GetPublicKeyRequest>(
+            "GetPublicKeyRequest",
+            fields,
+            oneofs,
+        )
+    }
+}
+
+impl ::protobuf::Message for GetPublicKeyRequest {
+    const NAME: &'static str = "GetPublicKeyRequest";
+
+    fn is_initialized(&self) -> bool {
+        true
+    }
+
+    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> {
+        while let Some(tag) = is.read_raw_tag_or_eof()? {
+            match tag {
+                10 => {
+                    self.KeyId = is.read_string()?;
+                },
+                tag => {
+                    ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?;
+                },
+            };
+        }
+        ::std::result::Result::Ok(())
+    }
+
+    // Compute sizes of nested messages
+    #[allow(unused_variables)]
+    fn compute_size(&self) -> u64 {
+        let mut my_size = 0;
+        if !self.KeyId.is_empty() {
+            my_size += ::protobuf::rt::string_size(1, &self.KeyId);
+        }
+        my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields());
+        self.special_fields.cached_size().set(my_size as u32);
+        my_size
+    }
+
+    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> {
+        if !self.KeyId.is_empty() {
+            os.write_string(1, &self.KeyId)?;
+        }
+        os.write_unknown_fields(self.special_fields.unknown_fields())?;
+        ::std::result::Result::Ok(())
+    }
+
+    fn special_fields(&self) -> &::protobuf::SpecialFields {
+        &self.special_fields
+    }
+
+    fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields {
+        &mut self.special_fields
+    }
+
+    fn new() -> GetPublicKeyRequest {
+        GetPublicKeyRequest::new()
+    }
+
+    fn clear(&mut self) {
+        self.KeyId.clear();
+        self.special_fields.clear();
+    }
+
+    fn default_instance() -> &'static GetPublicKeyRequest {
+        static instance: GetPublicKeyRequest = GetPublicKeyRequest {
+            KeyId: ::std::string::String::new(),
+            special_fields: ::protobuf::SpecialFields::new(),
+        };
+        &instance
+    }
+}
+
+impl ::protobuf::MessageFull for GetPublicKeyRequest {
+    fn descriptor() -> ::protobuf::reflect::MessageDescriptor {
+        static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new();
+        descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyRequest").unwrap()).clone()
+    }
+}
+
+impl ::std::fmt::Display for GetPublicKeyRequest {
+    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
+        ::protobuf::text_format::fmt(self, f)
+    }
+}
+
+impl ::protobuf::reflect::ProtobufValue for GetPublicKeyRequest {
+    type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage<Self>;
+}
+
+#[derive(PartialEq,Clone,Default,Debug)]
+// @@protoc_insertion_point(message:api.GetPublicKeyResponse)
+pub struct GetPublicKeyResponse {
+    // message fields
+    // @@protoc_insertion_point(field:api.GetPublicKeyResponse.PublicKeyPem)
+    pub PublicKeyPem: ::std::vec::Vec<u8>,
+    // special fields
+    // @@protoc_insertion_point(special_field:api.GetPublicKeyResponse.special_fields)
+    pub special_fields: ::protobuf::SpecialFields,
+}
+
+impl<'a> ::std::default::Default for &'a GetPublicKeyResponse {
+    fn default() -> &'a GetPublicKeyResponse {
+        <GetPublicKeyResponse as ::protobuf::Message>::default_instance()
+    }
+}
+
+impl GetPublicKeyResponse {
+    pub fn new() -> GetPublicKeyResponse {
+        ::std::default::Default::default()
+    }
+
+    fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData {
+        let mut fields = ::std::vec::Vec::with_capacity(1);
+        let mut oneofs = ::std::vec::Vec::with_capacity(0);
+        fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>(
+            "PublicKeyPem",
+            |m: &GetPublicKeyResponse| { &m.PublicKeyPem },
+            |m: &mut GetPublicKeyResponse| { &mut m.PublicKeyPem },
+        ));
+        ::protobuf::reflect::GeneratedMessageDescriptorData::new_2::<GetPublicKeyResponse>(
+            "GetPublicKeyResponse",
+            fields,
+            oneofs,
+        )
+    }
+}
+
+impl ::protobuf::Message for GetPublicKeyResponse {
+    const NAME: &'static str = "GetPublicKeyResponse";
+
+    fn is_initialized(&self) -> bool {
+        true
+    }
+
+    fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> {
+        while let Some(tag) = is.read_raw_tag_or_eof()? {
+            match tag {
+                10 => {
+                    self.PublicKeyPem = is.read_bytes()?;
+                },
+                tag => {
+                    ::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?;
+                },
+            };
+        }
+        ::std::result::Result::Ok(())
+    }
+
+    // Compute sizes of nested messages
+    #[allow(unused_variables)]
+    fn compute_size(&self) -> u64 {
+        let mut my_size = 0;
+        if !self.PublicKeyPem.is_empty() {
+            my_size += ::protobuf::rt::bytes_size(1, &self.PublicKeyPem);
+        }
+        my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields());
+        self.special_fields.cached_size().set(my_size as u32);
+        my_size
+    }
+
+    fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> {
+        if !self.PublicKeyPem.is_empty() {
+            os.write_bytes(1, &self.PublicKeyPem)?;
+        }
+        os.write_unknown_fields(self.special_fields.unknown_fields())?;
+        ::std::result::Result::Ok(())
+    }
+
+    fn special_fields(&self) -> &::protobuf::SpecialFields {
+        &self.special_fields
+    }
+
+    fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields {
+        &mut self.special_fields
+    }
+
+    fn new() -> GetPublicKeyResponse {
+        GetPublicKeyResponse::new()
+    }
+
+    fn clear(&mut self) {
+        self.PublicKeyPem.clear();
+        self.special_fields.clear();
+    }
+
+    fn default_instance() -> &'static GetPublicKeyResponse {
+        static instance: GetPublicKeyResponse = GetPublicKeyResponse {
+            PublicKeyPem: ::std::vec::Vec::new(),
+            special_fields: ::protobuf::SpecialFields::new(),
+        };
+        &instance
+    }
+}
+
+impl ::protobuf::MessageFull for GetPublicKeyResponse {
+    fn descriptor() -> ::protobuf::reflect::MessageDescriptor {
+        static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new();
+        descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyResponse").unwrap()).clone()
+    }
+}
+
+impl ::std::fmt::Display for GetPublicKeyResponse {
+    fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
+        ::protobuf::text_format::fmt(self, f)
+    }
+}
+
+impl ::protobuf::reflect::ProtobufValue for GetPublicKeyResponse {
+    type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage<Self>;
+}
+
+static file_descriptor_proto_data: &'static [u8] = b"\
+    \n\x13cosign_pubkey.proto\x12\x03api\"+\n\x13GetPublicKeyRequest\x12\x14\
+    \n\x05KeyId\x18\x01\x20\x01(\tR\x05KeyId\":\n\x14GetPublicKeyResponse\
+    \x12\"\n\x0cPublicKeyPem\x18\x01\x20\x01(\x0cR\x0cPublicKeyPem2Z\n\x13Ge\
+    tPublicKeyService\x12C\n\x0cGetPublicKey\x12\x18.api.GetPublicKeyRequest\
+    \x1a\x19.api.GetPublicKeyResponseb\x06proto3\
+";
+
+/// `FileDescriptorProto` object which was a source for this generated file
+fn file_descriptor_proto() -> &'static ::protobuf::descriptor::FileDescriptorProto {
+    static file_descriptor_proto_lazy: ::protobuf::rt::Lazy<::protobuf::descriptor::FileDescriptorProto> = ::protobuf::rt::Lazy::new();
+    file_descriptor_proto_lazy.get(|| {
+        ::protobuf::Message::parse_from_bytes(file_descriptor_proto_data).unwrap()
+    })
+}
+
+/// `FileDescriptor` object which allows dynamic access to files
+pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor {
+    static generated_file_descriptor_lazy: ::protobuf::rt::Lazy<::protobuf::reflect::GeneratedFileDescriptor> = ::protobuf::rt::Lazy::new();
+    static file_descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::FileDescriptor> = ::protobuf::rt::Lazy::new();
+    file_descriptor.get(|| {
+        let generated_file_descriptor = generated_file_descriptor_lazy.get(|| {
+            let mut deps = ::std::vec::Vec::with_capacity(0);
+            let mut messages = ::std::vec::Vec::with_capacity(2);
+            messages.push(GetPublicKeyRequest::generated_message_descriptor_data());
+            messages.push(GetPublicKeyResponse::generated_message_descriptor_data());
+            let mut enums = ::std::vec::Vec::with_capacity(0);
+            ::protobuf::reflect::GeneratedFileDescriptor::new_generated(
+                file_descriptor_proto(),
+                deps,
+                messages,
+                enums,
+            )
+        });
+        ::protobuf::reflect::FileDescriptor::new_generated_2(generated_file_descriptor)
+    })
+}