Implementation of new In-toto 0.1.0, DSSE 1.0.0, and SLSA Provenance 0.1.1 #24

Merged
merged 22 commits into from
Nov 1, 2021
Changes from 13 commits
96 changes: 79 additions & 17 deletions .gitignore
@@ -1,26 +1,88 @@
# Compiled class file
##############################
## Java
##############################
.mtj.tmp/
*.class
*.jar
*.war
*.ear
*.nar
hs_err_pid*

# Log file
*.log
##############################
## Maven
##############################
target/
pom.xml.tag
pom.xml.releaseBackup
pom.xml.versionsBackup
pom.xml.next
pom.xml.bak
release.properties
dependency-reduced-pom.xml
buildNumber.properties
.mvn/timing.properties
.mvn/wrapper/maven-wrapper.jar

# BlueJ files
*.ctxt
##############################
## Gradle
##############################
bin/
build/
.gradle
.gradletasknamecache
gradle-app.setting
!gradle-wrapper.jar

# Mobile Tools for Java (J2ME)
.mtj.tmp/
##############################
## IntelliJ
##############################
out/
.idea/
.idea_modules/
*.iml
*.ipr
*.iws

# Package Files #
*.jar
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar
##############################
## Eclipse
##############################
.settings/
bin/
tmp/
.metadata
.classpath
.project
*.tmp
*.bak
*.swp
*~.nib
local.properties
.loadpath
.factorypath

##############################
## NetBeans
##############################
nbproject/private/
build/
nbbuild/
dist/
nbdist/
nbactions.xml
nb-configuration.xml

##############################
## Visual Studio Code
##############################
.vscode/
.code-workspace

##############################
## OS X
##############################
.DS_Store

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

# mvn build dir
target/*
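Review bot: `!gradle-wrapper.jar` in the Gradle block re-includes the wrapper jar that `*.jar` excludes, while `.mvn/wrapper/maven-wrapper.jar` in the Maven block is ignored, so the two build systems get opposite treatment in a project whose README says it targets the Maven build system; pick one policy, and if a wrapper jar is meant to be committed, treat it as an executable dependency that every contributor and CI job runs and verify it against a known checksum rather than trusting whatever copy is in the tree. Minor: `.code-workspace` should be `*.code-workspace` (VS Code names these files `name.code-workspace`, so the bare entry matches nothing), and `bin/` and `build/` each appear in two blocks.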
3 changes: 0 additions & 3 deletions .travis.yml

This file was deleted.
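Review bot: deleting `.travis.yml` removes the only CI configuration visible in this diff and nothing in the shown commits replaces it; if a GitHub Actions workflow or other CI is added elsewhere in the PR, point to it in the description, otherwise the new DSSE and validation code lands with no automated test run on pull requests.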

9 changes: 8 additions & 1 deletion CHANGELOG.md
@@ -1,5 +1,11 @@
# Changelog

## Version 0.3.3

- Added implementation for in-toto 0.1.0
- Moved Link to legacy directory
- Update Dependencies for validation

## Version 0.3

- Improve javadoc documentation
Expand All @@ -17,5 +23,6 @@
## Version 0.1

- Initial release.
- Adds support for creation, serialization and de-serialization of link metadata.
- Adds support for creation, serialization and de-serialization of link
metadata.
- Adds support for RSA-PSSS signatures and PKCS1 key loading.
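Review bot: the "Version 0.3.3" entry covers only the in-toto 0.1.0 models and the Link move, although the PR title also adds DSSE 1.0.0 and SLSA Provenance 0.1.1, and moving Link into a legacy package renames the public package (the README example goes from `io.in_toto.models.*` to `io.github.legacy.models.*`), which breaks every existing caller and is more than a patch-level bump signals; list the new specs and the package rename explicitly and consider a larger version bump. "Update Dependencies for validation" should say which dependencies and which validation, and "RSA-PSSS" in the 0.1 entry should read "RSA-PSS".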
2 changes: 0 additions & 2 deletions Makefile

This file was deleted.

153 changes: 102 additions & 51 deletions README.md
@@ -1,46 +1,121 @@
in-toto java
============
# in-toto java

This repository contains an in-toto compliant library in Java. This document
describes the repository layout, the usage purpose of this library as well as
its current limitations.

# Usage

## installation
## Installation

This library is intended to be used with maven buildsystem, although you can
probably easily move it to any other if you're familiar with those. To add it
to your mvn project edit the pom.xml file to add:
This library is intended to be used with maven build system, although you can
probably easily move it to any other if you're familiar with those. To add it to
your mvn project edit the pom.xml file to add:

```xml
...
<dependency>
<groupId>io.github.in-toto</groupId>
<artifactId>in-toto</artifactId>
<version>0.1</version>
<scope>compile</scope>
<groupId>io.github.in-toto</groupId>
<artifactId>in-toto</artifactId>
<version>0.3.3</version>
</dependency>
...
```

With it you should be able to use the library inside of your project.
With it, you should be able to use the library inside your project.

## Using the library
## Using the new library

The library exposes a series of objects and convenience methods to create,
sign, and serialize in-toto metadata. As of now, only Link metadata is
supported (see the Limitations section to see what exactly is supported as of
now).
The library exposes a new set of models used for in-toto 0.1.0, DSSE 1.0.0 and .
If you wish to use the deprecated legacy Link library, please skip to the next
section.

Metadata classes are located in the `io.in_toto.models.*` namespace. You can,
for example create a link as follows:
The new library allows you to instantiate a Statement and populate it as
follows:

```java
Link link = new Link(null, null, "test", null, null);
Subject subject=new Subject();
subject.setName("curl-7.72.0.tar.bz2");
subject.setDigest(
Map.of(
DigestSetAlgorithmType.SHA256.toString(),
"d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2"))
Predicate predicate=createPredicate();
Statement statement=new Statement();

Inline comment on this line: optional: create a version of the constructor that accepts the subject list and predicate as args so users don't have to set them manually.

Member: +1

Collaborator Author: This PR is getting big. Let's add this to a post-PR merge. I also want to add the ability for the library to generate a DSSE envelope with multiple statements. This could be something we introduce after this PR.

statement.set_type(StatementType.STATEMENT_V_0_1);
statement.setSubject(List.of(subject));
statement.setPredicateType(PredicateType.SLSA_PROVENANCE_V_0_1);
statement.setPredicate(predicate);
```

This will create a link object that you can operate with.
Finally, you can use the built-in `IntotoHelper` class to validate and transform
it into its JSON representation as follows:

```java
String jsonStatement=IntotoHelper.validateAndTransformToJson(statement);
```

If the statement passed to the method is malformed the library will throw
an `InvalidModelException` that will contain a message with the errors.

If you, however wish to create a DSSE based In-toto envelope, the library
features a convenience method:

```java
IntotoEnvelope intotoEnvelope=IntotoHelper.produceIntotoEnvelope(statement,signer);
```

This method accepts a `io.github.intoto.models.Statement` and an implementation
of the ` io.github.dsse.models.Signer` interface.

### Implementing a Signer and a Verifier

The Signer and Verifier are used to abstract away the sign and verify mechanism
from this library. This allows the user to implement their own Signer/Verifier.
An example of such an implementation is available in
the [io.github.dsse.helpers](/src/main/java/io/github/dsse/helpers) package.

### Creating a new Predicate

Users that wish to extend the Predicate in the library will see that the
Predicate contains an abstract method:

```java
String getPredicateType();
```

When extending the base Predicate type to create your own, make sure that this
method returns a String that contains a URI identifying the type of the
Predicate.

The library will use the Predicate type and automatically fill in the
Statement's predicateType field with its value.


### Generating keys

The keys in the project where generated with:

```
openssl ecparam -genkey -name secp521r1 -noout -out private.pem #generate private key
openssl ec -in private.pem -pubout -out public.pem #generate public key
openssl pkcs8 -topk8 -nocrypt -in private.pem -out p8private.pem #convert to pkcs8 format
```

## Using the legacy Link library

The library exposes a series of objects and convenience methods to create, sign,
and serialize in-toto metadata. As of now, only Link metadata is supported (see
the Limitations section to see what exactly is supported as of now).

Metadata classes are located in the `io.github.legacy.models.*` package. You
can, for example create a link as follows:

```java
Link link = new Link(null,null,"test",null,null);
```

This will create a link object that you can operate with.

You can populate a link and track artifacts using the Artifact class and the
ArtifactHash subclass. You can also use the link's convenience method:
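Review bot: the Statement example sets the predicate type by hand, `statement.setPredicateType(PredicateType.SLSA_PROVENANCE_V_0_1);`, but "Creating a new Predicate" later in the same hunk says the library fills the Statement's `predicateType` from the Predicate's `getPredicateType()`; document which value wins, or drop the setter from the example, because if both paths exist a caller can emit an envelope whose declared `predicateType` disagrees with the predicate body, and a verifier that dispatches on `predicateType` will validate the payload against the wrong schema. Also in this hunk: the snippet does not compile as pasted (`subject.setDigest(Map.of(...))` has no closing semicolon and `createPredicate()` is never defined), `set_type` breaks the `setSubject`/`setPredicate` naming convention, the sentence "used for in-toto 0.1.0, DSSE 1.0.0 and ." is cut off (the PR title names SLSA Provenance 0.1.1 as the third spec), "The keys in the project where generated" should read "were generated" and, since `openssl pkcs8 -nocrypt` writes the private key unencrypted, the text should say these are test-only keys, and the envelope section shows `produceIntotoEnvelope(statement,signer)` but no corresponding Verifier usage, which is the half a consumer of the attestation actually needs.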
Expand All @@ -49,54 +124,30 @@ ArtifactHash subclass. You can also use the link's convenience method:
link.addArtifact("alice");
```

Once the artfifact is populated, it hashes the target artifact with any of the
Once the artifact is populated, it hashes the target artifact with any of the
supported hashes.

Finally, you can sign and dump a link by calling sign and dump respectively.

```java
import io.github.in_toto.keys.Key;
import io.github.in_toto.keys.RSAKey;
...
...
Key thiskey = RSAKey.read("src/test/resources/somekey.pem");
System.out.println("Loaded key: " + thiskey.computeKeyId());
System.out.println("Loaded key: "+thiskey.computeKeyId());

...
Link link = new Link(null, null, "test", null, null, null);
Link link = new Link(null,null,"test",null,null,null);
link.addMaterialt("alice");

link.sign(thiskey);
link.dump(somelink);
```

You can see a complete example on `src/java/io/github/in_toto/lib/App.java`.

## Note on reduced feature-set

in-toto java is not yet a fully compliant in-toto implementation. This
implementation is focused on providing a stable, usable core feature set for
its main goal. The features that we will add in the near future include:

- A more user-friendly API to create and interact with metadata.
- Layout metadata support, including full supply chain verification.
- DSA (and possibly GPG) key support.
- A more thorough test suite that includes integration tests.

We can guarantee that the dumped link metadata passes in-toto verification on
the [python](https://github.com/in-toto/in-toto) reference implementation when
providing the right key.

As of now, the near-future goals of this library are to be used in a Jenkins
plugin and to support Android buildsystems. However, for any other step in the
supply chain I *highly* recommend you use the python implementation, for it has
more features, it's better tested and will be updated to comply wih the spec
before this one.

If you'd like to help with the development of this library, patches are
welcome!
You can see a complete example on `src/java/io/github/legacy/lib/App.java`.

## Acknowledgements

This work was mostly driven forward by the awesome guys at
[control-plane](https://control-plane.io). If you're interested in cloud native
security, do check out their website.

If you'd like to help with the development of this library, patches are welcome!
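Review bot: the "Using the legacy Link library" section in the previous hunk still tells the reader to "see the Limitations section", but this hunk deletes "Note on reduced feature-set" wholesale, and with it the README's only interoperability statement (that dumped link metadata passes verification under the python reference implementation) and its recommendation to use the python implementation for other supply-chain steps; keep a trimmed limitations section or remove the dangling reference. Also: the two legacy examples disagree on the Link constructor arity (`new Link(null,null,"test",null,null)` earlier versus `new Link(null,null,"test",null,null,null)` here), `link.addMaterialt("alice")` looks like a typo for the `addArtifact` shown just above, `link.dump(somelink)` uses a variable that is never declared, the import `io.github.in_toto.keys.Key` is yet another package root alongside `io.github.intoto`, `io.github.dsse` and `io.github.legacy`, and the path `src/java/io/github/legacy/lib/App.java` does not match the `src/main/java/...` layout used for the dsse helpers link.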
1 change: 1 addition & 0 deletions intoto_test.attestation
@@ -0,0 +1 @@
{"payloadType":"application/vnd.in-toto+json","payload":"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","signatures":[{"sig":"MIGIAkIBSNsRnhB2KspzighMidZplukYb2Gnd6l+1gDIk4V/yyAm75fPEKSa6k+ysDNWlqiKlkjbrNVfxSJxOt5LaO6RtPsCQgHibHfYTN5KzBRA5Ax6A6vdDA2jwx5LfFjHKAJVze+BeA7RXDsmLIO9YgVwxnvys0Mu/3I4We5AeVglCXOJo+LydA==","keyid":"MyKey"}]}
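Review bot: the committed envelope's `sig` begins `MIGIAkIB`, i.e. bytes `30 81 88 02 42`, an ASN.1 DER SEQUENCE of 136 bytes opening with a 66-byte INTEGER, which is exactly a DER-encoded ECDSA (r, s) pair for the secp521r1 test key; DSSE 1.0.0 leaves the signature byte encoding to the key type and implementations differ between DER and fixed-width r||s, so state the encoding in the README and in the Signer/Verifier contract, otherwise envelopes produced here will fail to verify against other implementations and vice versa. `keyid` is `MyKey`: fine for a fixture, but document that DSSE treats `keyid` as an unauthenticated hint for key lookup, not as evidence of which key signed, so a verifier must still choose its trusted keys out of band. Keep the key pair used to sign this fixture confined to test resources.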