Adding protobuf bundle support to sign-blob and attest-blob (sigstore…

…#3752) This pull requests addresses the first part of sigstore#3139: adding protobuf bundle support for cosign sign-blob and cosign attest-blob. Signed-off-by: Zach Steindler <[email protected]>
kipz · Oct 21, 2024 · 89b6a71 · 89b6a71
1 parent 4e4ec1b
commit 89b6a71
Show file tree

Hide file tree

Showing 15 changed files with 448 additions and 58 deletions.
diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
@@ -18,6 +18,8 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"crypto/sha256"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -30,6 +32,9 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	"google.golang.org/protobuf/encoding/protojson"
+
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
@@ -39,10 +44,12 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign/attestation"
 	cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
 	"github.com/sigstore/cosign/v2/pkg/types"
+	protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
+	protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
-	"github.com/sigstore/sigstore/pkg/signature/dsse"
+	sigstoredsse "github.com/sigstore/sigstore/pkg/signature/dsse"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -88,8 +95,8 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 		defer cancelFn()
 	}
 
-	if c.TSAServerURL != "" && c.RFC3161TimestampPath == "" {
-		return errors.New("expected an rfc3161-timestamp path when using a TSA server")
+	if c.TSAServerURL != "" && c.RFC3161TimestampPath == "" && !c.NewBundleFormat {
+		return errors.New("expected either new bundle or an rfc3161-timestamp path when using a TSA server")
 	}
 
 	var artifact []byte
@@ -129,7 +136,7 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 		return fmt.Errorf("getting signer: %w", err)
 	}
 	defer sv.Close()
-	wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)
+	wrapped := sigstoredsse.WrapSigner(sv, types.IntotoPayloadType)
 
 	base := path.Base(artifactPath)
 
@@ -154,28 +161,34 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 	}
 
 	var rfc3161Timestamp *cbundle.RFC3161Timestamp
+	var timestampBytes []byte
+	var rekorEntry *models.LogEntryAnon
+
 	if c.TSAServerURL != "" {
-		respBytes, err := tsa.GetTimestampedSignature(sig, client.NewTSAClient(c.TSAServerURL))
+		timestampBytes, err = tsa.GetTimestampedSignature(sig, client.NewTSAClient(c.TSAServerURL))
 		if err != nil {
 			return err
 		}
-		rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(respBytes)
+		rfc3161Timestamp = cbundle.TimestampToRFC3161Timestamp(timestampBytes)
 		// TODO: Consider uploading RFC3161 TS to Rekor
 
 		if rfc3161Timestamp == nil {
 			return fmt.Errorf("rfc3161 timestamp is nil")
 		}
-		ts, err := json.Marshal(rfc3161Timestamp)
-		if err != nil {
-			return err
-		}
-		if err := os.WriteFile(c.RFC3161TimestampPath, ts, 0600); err != nil {
-			return fmt.Errorf("create RFC3161 timestamp file: %w", err)
+
+		if c.RFC3161TimestampPath != "" {
+			ts, err := json.Marshal(rfc3161Timestamp)
+			if err != nil {
+				return err
+			}
+			if err := os.WriteFile(c.RFC3161TimestampPath, ts, 0600); err != nil {
+				return fmt.Errorf("create RFC3161 timestamp file: %w", err)
+			}
+			fmt.Fprintln(os.Stderr, "RFC3161 timestamp bundle written to file ", c.RFC3161TimestampPath)
 		}
-		fmt.Fprintln(os.Stderr, "RFC3161 timestamp bundle written to file ", c.RFC3161TimestampPath)
 	}
 
-	rekorBytes, err := sv.Bytes(ctx)
+	signer, err := sv.Bytes(ctx)
 	if err != nil {
 		return err
 	}
@@ -189,28 +202,36 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 		if err != nil {
 			return err
 		}
-		var entry *models.LogEntryAnon
 		if c.RekorEntryType == "intoto" {
-			entry, err = cosign.TLogUploadInTotoAttestation(ctx, rekorClient, sig, rekorBytes)
+			rekorEntry, err = cosign.TLogUploadInTotoAttestation(ctx, rekorClient, sig, signer)
 		} else {
-			entry, err = cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, sig, rekorBytes)
+			rekorEntry, err = cosign.TLogUploadDSSEEnvelope(ctx, rekorClient, sig, signer)
 		}
 
 		if err != nil {
 			return err
 		}
-		fmt.Fprintln(os.Stderr, "tlog entry created with index:", *entry.LogIndex)
-		signedPayload.Bundle = cbundle.EntryToBundle(entry)
+		fmt.Fprintln(os.Stderr, "tlog entry created with index:", *rekorEntry.LogIndex)
+		signedPayload.Bundle = cbundle.EntryToBundle(rekorEntry)
 	}
 
 	if c.BundlePath != "" {
-		signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig)
-		signedPayload.Cert = base64.StdEncoding.EncodeToString(rekorBytes)
+		var contents []byte
+		if c.NewBundleFormat {
+			contents, err = makeNewBundle(sv, rekorEntry, payload, sig, signer, timestampBytes)
+			if err != nil {
+				return err
+			}
+		} else {
+			signedPayload.Base64Signature = base64.StdEncoding.EncodeToString(sig)
+			signedPayload.Cert = base64.StdEncoding.EncodeToString(signer)
 
-		contents, err := json.Marshal(signedPayload)
-		if err != nil {
-			return err
+			contents, err = json.Marshal(signedPayload)
+			if err != nil {
+				return err
+			}
 		}
+
 		if err := os.WriteFile(c.BundlePath, contents, 0600); err != nil {
 			return fmt.Errorf("create bundle file: %w", err)
 		}
@@ -258,3 +279,64 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 
 	return nil
 }
+
+func makeNewBundle(sv *sign.SignerVerifier, rekorEntry *models.LogEntryAnon, payload, sig, signer, timestampBytes []byte) ([]byte, error) {
+	// Determine if signature is certificate or not
+	var hint string
+	var rawCert []byte
+
+	cert, err := cryptoutils.UnmarshalCertificatesFromPEM(signer)
+	if err != nil || len(cert) == 0 {
+		pubKey, err := sv.PublicKey()
+		if err != nil {
+			return nil, err
+		}
+		pkixPubKey, err := x509.MarshalPKIXPublicKey(pubKey)
+		if err != nil {
+			return nil, err
+		}
+		hashedBytes := sha256.Sum256(pkixPubKey)
+		hint = base64.StdEncoding.EncodeToString(hashedBytes[:])
+	} else {
+		rawCert = cert[0].Raw
+	}
+
+	bundle, err := cbundle.MakeProtobufBundle(hint, rawCert, rekorEntry, timestampBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	var envelope dsse.Envelope
+	err = json.Unmarshal(sig, &envelope)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(envelope.Signatures) == 0 {
+		return nil, fmt.Errorf("no signature in DSSE envelope")
+	}
+
+	sigBytes, err := base64.StdEncoding.DecodeString(envelope.Signatures[0].Sig)
+	if err != nil {
+		return nil, err
+	}
+
+	bundle.Content = &protobundle.Bundle_DsseEnvelope{
+		DsseEnvelope: &protodsse.Envelope{
+			Payload:     payload,
+			PayloadType: envelope.PayloadType,
+			Signatures: []*protodsse.Signature{
+				{
+					Sig: sigBytes,
+				},
+			},
+		},
+	}
+
+	contents, err := protojson.Marshal(bundle)
+	if err != nil {
+		return nil, err
+	}
+
+	return contents, nil
+}
diff --git a/cmd/cosign/cli/attest/attest_blob_test.go b/cmd/cosign/cli/attest/attest_blob_test.go
@@ -122,6 +122,7 @@ func TestAttestBlobCmdLocalKeyAndCert(t *testing.T) {
 				keyref       string
 				certref      string
 				certchainref string
+				newBundle    bool
 				errString    string
 			}{
 				{
@@ -133,6 +134,12 @@ func TestAttestBlobCmdLocalKeyAndCert(t *testing.T) {
 					keyref:  keyRef,
 					certref: certRef,
 				},
+				{
+					name:      "new bundle generation",
+					keyref:    keyRef,
+					certref:   certRef,
+					newBundle: true,
+				},
 				{
 					name:      "fail: cert no match key",
 					keyref:    keyRef,
@@ -160,8 +167,12 @@ func TestAttestBlobCmdLocalKeyAndCert(t *testing.T) {
 				},
 			} {
 				t.Run(tc.name, func(t *testing.T) {
+					keyOpts := options.KeyOpts{KeyRef: tc.keyref}
+					if tc.newBundle {
+						keyOpts.NewBundleFormat = true
+					}
 					at := AttestBlobCommand{
-						KeyOpts:        options.KeyOpts{KeyRef: tc.keyref},
+						KeyOpts:        keyOpts,
 						CertPath:       tc.certref,
 						CertChainPath:  tc.certchainref,
 						PredicatePath:  predicatePath,

diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
@@ -73,6 +73,7 @@ func AttestBlob() *cobra.Command {
 				TSAServerURL:             o.TSAServerURL,
 				RFC3161TimestampPath:     o.RFC3161TimestampPath,
 				BundlePath:               o.BundlePath,
+				NewBundleFormat:          o.NewBundleFormat,
 			}
 			v := attest.AttestBlobCommand{
 				KeyOpts:           ko,

diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go
@@ -36,6 +36,7 @@ type AttestBlobOptions struct {
 	OutputAttestation string
 	OutputCertificate string
 	BundlePath        string
+	NewBundleFormat   bool
 
 	RekorEntryType string
 
@@ -85,6 +86,10 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 		"write everything required to verify the blob to a FILE")
 	_ = cmd.Flags().SetAnnotation("bundle", cobra.BashCompFilenameExt, []string{})
 
+	// TODO: have this default to true as a breaking change
+	cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false,
+		"output bundle in new format that contains all verification material")
+
 	cmd.Flags().StringVar(&o.Hash, "hash", "",
 		"hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash")
 

diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
@@ -32,6 +32,7 @@ type KeyOpts struct {
 	OIDCDisableProviders bool   // Disable OIDC credential providers in keyless signer
 	OIDCProvider         string // Specify which OIDC credential provider to use for keyless signer
 	BundlePath           string
+	NewBundleFormat      bool
 	SkipConfirmation     bool
 	TSAClientCACert      string
 	TSAClientCert        string

diff --git a/cmd/cosign/cli/options/signblob.go b/cmd/cosign/cli/options/signblob.go
@@ -33,6 +33,7 @@ type SignBlobOptions struct {
 	OIDC                 OIDCOptions
 	Registry             RegistryOptions
 	BundlePath           string
+	NewBundleFormat      bool
 	SkipConfirmation     bool
 	TlogUpload           bool
 	TSAClientCACert      string
@@ -75,6 +76,10 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 		"write everything required to verify the blob to a FILE")
 	_ = cmd.Flags().SetAnnotation("bundle", cobra.BashCompFilenameExt, []string{})
 
+	// TODO: have this default to true as a breaking change
+	cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false,
+		"output bundle in new format that contains all verification material")
+
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for non-destructive operations")