attest/attestation/types.go

/*
   Copyright Docker attest authors

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package attestation

import (
	"crypto"
	"encoding/base64"
	"fmt"
	"time"

	"github.com/docker/attest/tlog"
	v1 "github.com/google/go-containerregistry/pkg/v1"
	intoto "github.com/in-toto/in-toto-golang/in_toto"
	v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
	slsav1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
)

const (
	DockerReferenceType           = "vnd.docker.reference.type"
	AttestationManifestType       = "attestation-manifest"
	InTotoPredicateType           = "in-toto.io/predicate-type"
	DockerReferenceDigest         = "vnd.docker.reference.digest"
	DockerDSSEExtKind             = "application/vnd.docker.attestation-verification.v1+json"
	OCIDescriptorDSSEMediaType    = ociv1.MediaTypeDescriptor + "+dsse"
	InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
	LifecycleStageExperimental    = "experimental"
)

var base64Encoding = base64.StdEncoding.Strict()

type Layer struct {
	Statement   *intoto.Statement
	Layer       v1.Layer
	Annotations map[string]string
}

type Manifest struct {
	OriginalDescriptor *v1.Descriptor
	OriginalLayers     []*Layer

	// accumulated during signing
	SignedLayers []*Layer
	// details of subject image
	SubjectName       string
	SubjectDescriptor *v1.Descriptor
}

type ManifestImageOptions struct {
	// how to output the image
	skipSubject   bool
	replaceLayers bool
	laxReferrers  bool
}

// the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged.
type Envelope struct {
	PayloadType string       `json:"payloadType"`
	Payload     string       `json:"payload"`
	Signatures  []*Signature `json:"signatures"`
}
type Signature struct {
	KeyID     string     `json:"keyid"`
	Sig       string     `json:"sig"`
	Extension *Extension `json:"extension,omitempty"`
}
type Extension struct {
	Kind string               `json:"kind"`
	Ext  *DockerDSSEExtension `json:"ext"`
}

type EnvelopeReference struct {
	*Envelope
	ResourceDescriptor *ResourceDescriptor `json:"resourceDescriptor"`
}

type ResourceDescriptor struct {
	MediaType string            `json:"mediaType"`
	Digest    map[string]string `json:"digest"`
	URI       string            `json:"uri,omitempty"`
}

type AnnotatedStatement struct {
	OCIDescriptor   *v1.Descriptor
	InTotoStatement *intoto.Statement
	Annotations     map[string]string
}

type DockerDSSEExtension struct {
	TL *tlog.DockerTLExtension `json:"tl"`
}

type TransparencyLogKind string

const (
	RekorTransparencyLogKind = "rekor"
)

type VerifyOptions struct {
	Keys            []*KeyMetadata      `json:"keys"`
	SkipTL          bool                `json:"skip_tl"`
	TransparencyLog TransparencyLogKind `json:"tl"`
}

type KeyMetadata struct {
	ID            string     `json:"id"`
	PEM           string     `json:"key"`
	From          time.Time  `json:"from"`
	To            *time.Time `json:"to"`
	Status        string     `json:"status"`
	SigningFormat string     `json:"signing-format"`
	Distrust      bool       `json:"distrust,omitempty"`
	publicKey     crypto.PublicKey
}

type (
	Keys    []*KeyMetadata
	KeysMap map[string]*KeyMetadata
)

type SigningOptions struct {
	// set this in order to log to a transparency log
	TransparencyLog tlog.TransparencyLog
}

type Options struct {
	NoReferrers   bool
	Attach        bool
	ReferrersRepo string
}

func DSSEMediaType(predicateType string) (string, error) {
	var predicateName string
	switch predicateType {
	case slsav1.PredicateSLSAProvenance:
		predicateName = "provenance"
	case v02.PredicateSLSAProvenance:
		predicateName = "provenance"
	case intoto.PredicateSPDX:
		predicateName = "spdx"
	case VSAPredicateType:
		predicateName = "verification_summary"

	default:
		return "", fmt.Errorf("unknown predicate type %q", predicateType)
	}

	return fmt.Sprintf("application/vnd.in-toto.%s+dsse", predicateName), nil
}
chore: apply license headers 2024-10-17 13:40:17 -05:00			`/*`
refactor: remove copyright year; add newline 2024-10-18 09:25:31 -05:00			`Copyright Docker attest authors`
chore: apply license headers 2024-10-17 13:40:17 -05:00
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`
refactor: remove copyright year; add newline 2024-10-18 09:25:31 -05:00
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00			`package attestation`

feat: add attest sign/verify 2024-04-29 15:02:21 -05:00			`import (`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`"crypto"`
feat: add attest sign/verify 2024-04-29 15:02:21 -05:00			`"encoding/base64"`
			`"fmt"`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`"time"`
feat: add attest sign/verify 2024-04-29 15:02:21 -05:00
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`"github.com/docker/attest/tlog"`
refactor: SignIndexAttestations 2024-04-30 12:23:07 -05:00			`v1 "github.com/google/go-containerregistry/pkg/v1"`
feat: add attest sign/verify 2024-04-29 15:02:21 -05:00			`intoto "github.com/in-toto/in-toto-golang/in_toto"`
			`v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"`
feat: add slsa v1 predicate type 2024-09-04 16:03:55 -05:00			`slsav1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"`
feat: add attest sign/verify 2024-04-29 15:02:21 -05:00			`ociv1 "github.com/opencontainers/image-spec/specs-go/v1"`
			`)`
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00
			`const (`
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`DockerReferenceType = "vnd.docker.reference.type"`
			`AttestationManifestType = "attestation-manifest"`
			`InTotoPredicateType = "in-toto.io/predicate-type"`
			`DockerReferenceDigest = "vnd.docker.reference.digest"`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`DockerDSSEExtKind = "application/vnd.docker.attestation-verification.v1+json"`
Unify functions for use in `sign` & `verify --vsa` (#71) * Use receivers for manifest functions * Move SaveImage/SaveIndex from image-signing-verifier * Ignore test fixtures in coverage * Add AddImagesToIndex function 2024-07-05 09:29:14 +01:00			`OCIDescriptorDSSEMediaType = ociv1.MediaTypeDescriptor + "+dsse"`
			`InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"`
			`LifecycleStageExperimental = "experimental"`
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00			`)`

			`var base64Encoding = base64.StdEncoding.Strict()`

fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`type Layer struct {`
refactor: SignIndexAttestations 2024-04-30 12:23:07 -05:00			`Statement *intoto.Statement`
			`Layer v1.Layer`
			`Annotations map[string]string`
			`}`

fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`type Manifest struct {`
Make referrers attestations OCI compliant (#80) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers 2024-07-16 10:05:17 +01:00			`OriginalDescriptor *v1.Descriptor`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`OriginalLayers []*Layer`
refactor: SignIndexAttestations 2024-04-30 12:23:07 -05:00
Make referrers attestations OCI compliant (#80) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers 2024-07-16 10:05:17 +01:00			`// accumulated during signing`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`SignedLayers []*Layer`
fix: layout attestation resolver 2024-08-05 13:24:58 -05:00			`// details of subject image`
Make referrers attestations OCI compliant (#80) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers 2024-07-16 10:05:17 +01:00			`SubjectName string`
			`SubjectDescriptor *v1.Descriptor`
Add support for OCI Referrers and fallback (#50) * Add support for OCI Referrers and fallback 2024-06-13 16:10:41 +01:00			`}`

fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`type ManifestImageOptions struct {`
Make referrers attestations OCI compliant (#80) * Single attestation when creating VSA * Create single layer images for referrers attestations * Move mock to test package. Add artifacts test * Add test for envelope detection * Add tests for image/index saving * Add mirror tests * Remove AttestationImage field from AttestationManifest * Update naming. strictReferers != laxReferrers * Add specific test for SaveReferrers 2024-07-16 10:05:17 +01:00			`// how to output the image`
			`skipSubject bool`
			`replaceLayers bool`
			`laxReferrers bool`
refactor: SignIndexAttestations 2024-04-30 12:23:07 -05:00			`}`

fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`// the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged.`
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00			`type Envelope struct {`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			PayloadType string `json:"payloadType"`
			Payload string `json:"payload"`
			Signatures []*Signature `json:"signatures"`
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00			`}`
			`type Signature struct {`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			KeyID string `json:"keyid"`
			Sig string `json:"sig"`
			Extension *Extension `json:"extension,omitempty"`
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00			`}`
			`type Extension struct {`
fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			Kind string `json:"kind"`
			Ext *DockerDSSEExtension `json:"ext"`
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00			`}`

feat: add reference wrapper for envelope 2024-10-07 13:34:04 -05:00			`type EnvelopeReference struct {`
			`*Envelope`
feat: add input atts to result summary 2024-10-07 13:36:30 -05:00			ResourceDescriptor *ResourceDescriptor `json:"resourceDescriptor"`
feat: add reference wrapper for envelope 2024-10-07 13:34:04 -05:00			`}`

			`type ResourceDescriptor struct {`
			MediaType string `json:"mediaType"`
			Digest map[string]string `json:"digest"`
feat: add input atts to result summary 2024-10-07 13:36:30 -05:00			URI string `json:"uri,omitempty"`
feat: add reference wrapper for envelope 2024-10-07 13:34:04 -05:00			`}`

fix: cyclical imports 2024-08-12 14:49:52 -05:00			`type AnnotatedStatement struct {`
			`OCIDescriptor *v1.Descriptor`
			`InTotoStatement *intoto.Statement`
			`Annotations map[string]string`
			`}`

fix: standardize casing of initialisms (#112) * fix: standardize casing of initialisms * fix: rename intoto -> inToto and Intoto to InToto * fix: fix all linting errors 2024-08-01 15:35:15 +01:00			`type DockerDSSEExtension struct {`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			TL *tlog.DockerTLExtension `json:"tl"`
feat: add policy, oci, attestation 2024-04-22 12:22:15 -05:00			`}`

Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`type TransparencyLogKind string`

			`const (`
			`RekorTransparencyLogKind = "rekor"`
			`)`
feat: add attest sign/verify 2024-04-29 15:02:21 -05:00
Handle errors from Go in Rego. Support for skipping TL (#47) * Make TL logging/verification optional * Return errors from go-lang fns * Update pkg/policy/rego.go Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> * Update pkg/attestation/sign.go Co-authored-by: Joel Kamp <joel.kamp@docker.com> * Move public key marshelling until later * Simplify logSignature and pass down opts --------- Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-06-06 09:59:32 +01:00			`type VerifyOptions struct {`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			Keys []*KeyMetadata `json:"keys"`
			SkipTL bool `json:"skip_tl"`
			TransparencyLog TransparencyLogKind `json:"tl"`
Handle errors from Go in Rego. Support for skipping TL (#47) * Make TL logging/verification optional * Return errors from go-lang fns * Update pkg/policy/rego.go Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> * Update pkg/attestation/sign.go Co-authored-by: Joel Kamp <joel.kamp@docker.com> * Move public key marshelling until later * Simplify logSignature and pass down opts --------- Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-06-06 09:59:32 +01:00			`}`

Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`type KeyMetadata struct {`
			ID string `json:"id"`
			PEM string `json:"key"`
			From time.Time `json:"from"`
			To *time.Time `json:"to"`
			Status string `json:"status"`
			SigningFormat string `json:"signing-format"`
			Distrust bool `json:"distrust,omitempty"`
			`publicKey crypto.PublicKey`
			`}`

			`type (`
			`Keys []*KeyMetadata`
			`KeysMap map[string]*KeyMetadata`
			`)`

Handle errors from Go in Rego. Support for skipping TL (#47) * Make TL logging/verification optional * Return errors from go-lang fns * Update pkg/policy/rego.go Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> * Update pkg/attestation/sign.go Co-authored-by: Joel Kamp <joel.kamp@docker.com> * Move public key marshelling until later * Simplify logSignature and pass down opts --------- Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-06-06 09:59:32 +01:00			`type SigningOptions struct {`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`// set this in order to log to a transparency log`
			`TransparencyLog tlog.TransparencyLog`
Handle errors from Go in Rego. Support for skipping TL (#47) * Make TL logging/verification optional * Return errors from go-lang fns * Update pkg/policy/rego.go Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> * Update pkg/attestation/sign.go Co-authored-by: Joel Kamp <joel.kamp@docker.com> * Move public key marshelling until later * Simplify logSignature and pass down opts --------- Co-authored-by: Jonny Stoten <jonny@jonnystoten.com> Co-authored-by: Joel Kamp <joel.kamp@docker.com> 2024-06-06 09:59:32 +01:00			`}`

fix: cyclical imports 2024-08-12 14:49:52 -05:00			`type Options struct {`
			`NoReferrers bool`
			`Attach bool`
			`ReferrersRepo string`
			`}`

feat: add attest sign/verify 2024-04-29 15:02:21 -05:00			`func DSSEMediaType(predicateType string) (string, error) {`
			`var predicateName string`
			`switch predicateType {`
feat: add slsa v1 predicate type 2024-09-04 16:03:55 -05:00			`case slsav1.PredicateSLSAProvenance:`
			`predicateName = "provenance"`
feat: add attest sign/verify 2024-04-29 15:02:21 -05:00			`case v02.PredicateSLSAProvenance:`
			`predicateName = "provenance"`
			`case intoto.PredicateSPDX:`
			`predicateName = "spdx"`
			`case VSAPredicateType:`
			`predicateName = "verification_summary"`

			`default:`
			`return "", fmt.Errorf("unknown predicate type %q", predicateType)`
			`}`

			`return fmt.Sprintf("application/vnd.in-toto.%s+dsse", predicateName), nil`
			`}`