Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor bundle validation code, add support for DSSE rekor type #3016

Merged
merged 7 commits into from
Jun 15, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 42 additions & 2 deletions cmd/cosign/cli/verify/verify_blob_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ import (
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/pki"
"github.com/sigstore/rekor/pkg/types"
rekor_dsse "github.com/sigstore/rekor/pkg/types/dsse"
"github.com/sigstore/rekor/pkg/types/hashedrekord"
hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
"github.com/sigstore/rekor/pkg/types/intoto"
Expand Down Expand Up @@ -861,7 +862,44 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
t.Fatal("expected error due to expired cert, received nil")
}
})
t.Run("Attestation", func(t *testing.T) {
t.Run("dsse Attestation", func(t *testing.T) {
identity := "[email protected]"
issuer := "issuer"
leafCert, _, leafPemCert, signer := keyless.genLeafCert(t, identity, issuer)

stmt := `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"customFoo","subject":[{"name":"subject","digest":{"sha256":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}}],"predicate":{}}`
wrapped := dsse.WrapSigner(signer, ctypes.IntotoPayloadType)
signedPayload, err := wrapped.SignMessage(bytes.NewReader([]byte(stmt)), signatureoptions.WithContext(context.Background()))
if err != nil {
t.Fatal(err)
}
// intoto sig = json-serialized dsse envelope
sig := signedPayload

// Create bundle
entry := genRekorEntry(t, rekor_dsse.KIND, "0.0.1", signedPayload, leafPemCert, sig)
b := createBundle(t, sig, leafPemCert, keyless.rekorLogID, leafCert.NotBefore.Unix()+1, entry)
b.Bundle.SignedEntryTimestamp = keyless.rekorSignPayload(t, b.Bundle.Payload)
bundlePath := writeBundleFile(t, keyless.td, b, "bundle.json")
blobPath := writeBlobFile(t, keyless.td, string(signedPayload), "attestation.txt")

// Verify command
cmd := VerifyBlobAttestationCommand{
CertVerifyOptions: options.CertVerifyOptions{
CertIdentity: identity,
CertOidcIssuer: issuer,
},
CertRef: "", // Cert is fetched from bundle
CertChain: "", // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
SignaturePath: "", // Sig is fetched from bundle
KeyOpts: options.KeyOpts{BundlePath: bundlePath},
IgnoreSCT: true,
}
if err := cmd.Exec(context.Background(), blobPath); err != nil {
t.Fatal(err)
}
})
t.Run("intoto Attestation", func(t *testing.T) {
identity := "[email protected]"
issuer := "issuer"
leafCert, _, leafPemCert, signer := keyless.genLeafCert(t, identity, issuer)
Expand Down Expand Up @@ -1192,7 +1230,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
t.Fatalf("expected error with mismatched root, got %v", err)
}
})
t.Run("Attestation with keyless", func(t *testing.T) {
t.Run("intoto Attestation with keyless", func(t *testing.T) {
identity := "[email protected]"
issuer := "issuer"
leafCert, _, leafPemCert, signer := keyless.genLeafCert(t, identity, issuer)
Expand Down Expand Up @@ -1477,6 +1515,8 @@ func createEntry(ctx context.Context, kind, apiVersion string, blobBytes, certBy
props.SignatureBytes = sigBytes
case intoto.KIND:
props.ArtifactBytes = blobBytes
case rekor_dsse.KIND:
props.ArtifactBytes = blobBytes
default:
return nil, fmt.Errorf("unexpected entry kind: %s", kind)
}
Expand Down
4 changes: 1 addition & 3 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ require (
github.com/pkg/errors v0.9.1
github.com/secure-systems-lab/go-securesystemslib v0.6.0
github.com/sigstore/fulcio v1.3.1
github.com/sigstore/rekor v1.2.1
github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23
github.com/sigstore/sigstore v1.7.0
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.0
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.0
Expand Down Expand Up @@ -165,7 +165,6 @@ require (
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/s2a-go v0.1.4 // indirect
github.com/google/tink/go v1.7.0 // indirect
github.com/google/trillian v1.5.2 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.4 // indirect
github.com/googleapis/gax-go/v2 v2.10.0 // indirect
Expand Down Expand Up @@ -219,7 +218,6 @@ require (
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/segmentio/ksuid v1.0.4 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/protobuf-specs v0.1.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect
github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
github.com/spf13/afero v1.9.5 // indirect
Expand Down
10 changes: 3 additions & 7 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -526,8 +526,6 @@ github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
github.com/google/trillian v1.5.2 h1:roGP6G8aaAch7vP08+oitPkvmZzxjTfIkguozqJ04Ok=
github.com/google/trillian v1.5.2/go.mod h1:H8vOoa2dxd3xCdMzOOwt9kIz/3MSoJhcqLJGG8iRwbg=
github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
Expand Down Expand Up @@ -666,7 +664,7 @@ github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GW
github.com/markbates/oncer v0.0.0-20181203154359-bf2de49a0be2/go.mod h1:Ld9puTsIW75CHf65OeIOkyKbteujpZVXDpWK6YGZbxE=
github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
Expand Down Expand Up @@ -804,10 +802,8 @@ github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sigstore/fulcio v1.3.1 h1:0ntW9VbQbt2JytoSs8BOGB84A65eeyvGSavWteYp29Y=
github.com/sigstore/fulcio v1.3.1/go.mod h1:/XfqazOec45ulJZpyL9sq+OsVQ8g2UOVoNVi7abFgqU=
github.com/sigstore/protobuf-specs v0.1.0 h1:X0l/E2C2c79t/rI/lmSu8WAoKWsQtMqDzAMiDdEMGr8=
github.com/sigstore/protobuf-specs v0.1.0/go.mod h1:5shUCxf82hGnjUEFVWiktcxwzdtn6EfeeJssxZ5Q5HE=
github.com/sigstore/rekor v1.2.1 h1:cEI4qn9IBvM7EkPQYl3YzCwCw97Mx8O2nHrv02XiI8U=
github.com/sigstore/rekor v1.2.1/go.mod h1:zcFO54qIg2G1/i0sE/nvmELUOng/n0MPjTszRYByVPo=
github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23 h1:eZY7mQFcc0VvNr0fiAK3/n7kh73+T06KzBEIUYzFSDQ=
github.com/sigstore/rekor v1.2.2-0.20230530122220-67cc9e58bd23/go.mod h1:h1tOLhldpfILtziWpUDgGBu0vulWk9Kh72t6XzBGJok=
github.com/sigstore/sigstore v1.7.0 h1:0jLlzxX68LtirwSTWAwRPMKhulT0aWVLmFU5ofnbtYA=
github.com/sigstore/sigstore v1.7.0/go.mod h1:0PmMzfJP2Y9+lugD0wer4e7TihR5tM7NcIs3bQNk5xg=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.7.0 h1:fRv9grFx22NsmXTkfhF8/+UzqkrCND8JI/QfCpYjEnc=
Expand Down
2 changes: 1 addition & 1 deletion pkg/cosign/ctlog_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ Nmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw==
func TestGetCTLogPubKeys(t *testing.T) {
keys, err := GetCTLogPubs(context.Background())
if err != nil {
t.Errorf("Unexpected error calling GetCTLogPubs, expected nil: %v", err)
t.Fatalf("Unexpected error calling GetCTLogPubs, expected nil: %v", err)
}
if len(keys.Keys) == 0 {
t.Errorf("expected 1 or more keys, got 0")
Expand Down
29 changes: 28 additions & 1 deletion pkg/cosign/tlog.go
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ import (
"github.com/sigstore/rekor/pkg/generated/client/entries"
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/types"
"github.com/sigstore/rekor/pkg/types/dsse"
dsse_v001 "github.com/sigstore/rekor/pkg/types/dsse/v0.0.1"
hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
"github.com/sigstore/rekor/pkg/types/intoto"
intoto_v001 "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"
Expand Down Expand Up @@ -82,6 +84,21 @@ func GetTransparencyLogID(pub crypto.PublicKey) (string, error) {
return hex.EncodeToString(digest[:]), nil
}

func dsseEntry(ctx context.Context, signature, pubKey []byte) (models.ProposedEntry, error) {
var pubKeyBytes [][]byte

if len(pubKey) == 0 {
return nil, errors.New("public key provided has 0 length")
}

pubKeyBytes = append(pubKeyBytes, pubKey)

return types.NewProposedEntry(ctx, dsse.KIND, dsse_v001.APIVERSION, types.ArtifactProperties{
ArtifactBytes: signature,
PublicKeyBytes: pubKeyBytes,
})
}

func intotoEntry(ctx context.Context, signature, pubKey []byte) (models.ProposedEntry, error) {
var pubKeyBytes [][]byte

Expand Down Expand Up @@ -162,7 +179,17 @@ func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature []byte
return doUpload(ctx, rekorClient, &returnVal)
}

// TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.
// TLogUploadDSSEEnvelope will upload a DSSE entry for the signature and public key to the Rekor transparency log.
func TLogUploadDSSEEnvelope(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error) {
e, err := dsseEntry(ctx, signature, pemBytes)
if err != nil {
return nil, err
}

return doUpload(ctx, rekorClient, e)
}

// TLogUploadInTotoAttestation will upload an in-toto entry for the signature and public key to the transparency log.
func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error) {
e, err := intotoEntry(ctx, signature, pemBytes)
if err != nil {
Expand Down
2 changes: 1 addition & 1 deletion pkg/cosign/tlog_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ var (
func TestGetRekorPubKeys(t *testing.T) {
keys, err := GetRekorPubs(context.Background())
if err != nil {
t.Errorf("Unexpected error calling GetRekorPubs, expected nil: %v", err)
t.Fatalf("Unexpected error calling GetRekorPubs, expected nil: %v", err)
}
if len(keys.Keys) == 0 {
t.Errorf("expected 1 or more keys, got 0")
Expand Down
Loading