docker/attest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: docker:v0.5.2
Branches Tags
docker:main
docker:v0.6.8 docker:v0.6.7 docker:v0.6.6 docker:v0.6.5 docker:v0.6.4 docker:v0.6.3 docker:v0.6.2 docker:v0.6.1 docker:v0.6.0 docker:v0.5.2 docker:v0.5.1 docker:v0.5.0 docker:v0.4.4 docker:v0.4.3 docker:v0.4.2 docker:v0.4.1 docker:v0.4.0 docker:v0.3.2 docker:v0.3.1 docker:v0.3.0 docker:v0.2.1 docker:v0.2.0 docker:v0.1.12 docker:v0.1.11 docker:v0.1.10 docker:v0.1.9 docker:v0.1.8 docker:v0.1.7 docker:v0.1.6 docker:v0.1.5 docker:v0.1.4 docker:v0.1.3 docker:v0.1.2 docker:v0.1.1 docker:v0.1.0
...
compare: docker:v0.6.0
Branches Tags
docker:main
docker:v0.6.8 docker:v0.6.7 docker:v0.6.6 docker:v0.6.5 docker:v0.6.4 docker:v0.6.3 docker:v0.6.2 docker:v0.6.1 docker:v0.6.0 docker:v0.5.2 docker:v0.5.1 docker:v0.5.0 docker:v0.4.4 docker:v0.4.3 docker:v0.4.2 docker:v0.4.1 docker:v0.4.0 docker:v0.3.2 docker:v0.3.1 docker:v0.3.0 docker:v0.2.1 docker:v0.2.0 docker:v0.1.12 docker:v0.1.11 docker:v0.1.10 docker:v0.1.9 docker:v0.1.8 docker:v0.1.7 docker:v0.1.6 docker:v0.1.5 docker:v0.1.4 docker:v0.1.3 docker:v0.1.2 docker:v0.1.1 docker:v0.1.0

7 Commits
v0.5.2 ... v0.6.0

Author SHA1 Message Date
James Carnegie
2ace988b1c chore: add test for RegoFnOpts (#171) 2024-09-19 13:54:10 +01:00
dependabot[bot]
be7a17f214 feat(deps): bump github.com/sigstore/sigstore from 1.8.8 to 1.8.9 (#169) 
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.8 to 1.8.9.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.8...v1.8.9)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-19 11:24:30 +01:00
dependabot[bot]
1a49b5c068 chore(deps): bump actions/create-github-app-token from 1.10.4 to 1.11.0 (#164) 
Bumps [actions/create-github-app-token](https://github.com/actions/create-github-app-token) from 1.10.4 to 1.11.0.
- [Release notes](https://github.com/actions/create-github-app-token/releases)
- [Commits](3378cda945...5d869da34e)

---
updated-dependencies:
- dependency-name: actions/create-github-app-token
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-19 11:18:57 +01:00
James Carnegie
3e82338649 refactor: remove explicit closures. expose rego fns (#170) 2024-09-19 11:04:00 +01:00
James Carnegie
4a70e5ae36 Add platform filtering support to mapping.yml (#167) 
* chore!: rename package config -> mapping
* feat: add platform filtering support to mapping.yml
 2024-09-18 21:11:55 +01:00
James Carnegie
05caa959c4 Use a Factory to create signature verifiers at policy evaluation time (#165) 
* Make verifiers composable

* fix: remove unused code and improve signature verification logic

* fix: simplify abstractions and renamed some things

* fix: improve tl interface.

* fix: sort out signer/verifier
 2024-09-18 13:34:10 +01:00
dependabot[bot]
5335a56da1 feat(deps): bump github.com/aws/aws-sdk-go-v2/config (#168) 
Bumps [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) from 1.27.33 to 1.27.35.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.27.33...config/v1.27.35)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2024-09-18 09:43:50 +01:00
58 changed files with 1469 additions and 860 deletions
Expand all files Collapse all files

2
.github/workflows/release.yml vendored
View File

@@ -10,7 +10,7 @@ jobs:
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@3378cda945da322a8db4b193e19d46352ebe2de5 # v1.10.4
uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
with:
app-id: ${{ vars.ATTEST_RELEASE_APP_ID }}
private-key: ${{ secrets.ATTEST_RELEASE_APP_PRIVATE_KEY }}

6
README.md
View File

@@ -203,8 +203,14 @@ rules:
- pattern: "^docker[.]io/library/(.*)$"
policy-id: docker-official-images
- pattern: "^public[.]ecr[.]aws/docker/library/(.*)$"
platforms: ["linux/amd64"] # optional: restrict image platforms for matching policies (default: all)
rewrite: docker.io/library/$1
```
`platforms` in the second rule above is optional and can be used to restrict the platforms for which the policy
is evaluated. If the `platforms` field is not present, the policy will be applied to all platforms.
It's important to note that the `platforms` field is a filter, and is applied before the `pattern`
field is processed, so both `platforms` and `pattern` need to match in order for the policy to be selected
(or the rewrite to be processed if present).
As before, any repository in the `docker.io/library` namespace will be evaluated against the policy in `doi/policy.rego`.
The second rule will rewrite any repository in the `public.ecr.aws/docker/library` namespace to `docker.io/library`.

2
attestation/example_attestation_manifest_test.go
View File

@@ -26,7 +26,7 @@ func ExampleManifest() {
// configure signing options
opts := &attestation.SigningOptions{
SkipTL: true, // skip trust logging to a transparency log
TransparencyLog: nil, // set this to log to a transparency log
}
ref := "docker/image-signer-verifier:latest"

28
attestation/referrers_test.go
View File

@@ -9,8 +9,8 @@ import (
"github.com/docker/attest"
"github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/test"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci"
"github.com/docker/attest/policy"
"github.com/google/go-containerregistry/pkg/name"
@@ -39,7 +39,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
referrersServer *httptest.Server
useDigest bool
referrersRepo string
attestationSource config.AttestationStyle
attestationSource mapping.AttestationStyle
expectFailure bool
}{
{
@@ -55,26 +55,26 @@ func TestAttestationReferenceTypes(t *testing.T) {
name: "attached attestations, referrers repo (mismatched args)",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
expectFailure: true, // mismatched args
attestationSource: config.AttestationStyleAttached,
attestationSource: mapping.AttestationStyleAttached,
referrersRepo: "referrers",
},
{
name: "referrers attestations, referrers repo (no policy)",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
expectFailure: true, // no policy
attestationSource: config.AttestationStyleReferrers,
attestationSource: mapping.AttestationStyleReferrers,
referrersRepo: "referrers",
},
{
name: "referrers attestations",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
attestationSource: config.AttestationStyleReferrers,
attestationSource: mapping.AttestationStyleReferrers,
},
{
name: "referrers attestations, no referrers support on server",
server: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(false)),
attestationSource: config.AttestationStyleReferrers,
attestationSource: mapping.AttestationStyleReferrers,
referrersServer: test.NewLocalRegistry(ctx, registry.WithReferrersSupport(true)),
},
} {
@@ -88,9 +88,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
u, err := url.Parse(s.URL)
require.NoError(t, err)
opts := &attestation.SigningOptions{
SkipTL: true,
}
opts := &attestation.SigningOptions{}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err)
@@ -210,9 +208,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
refServerURL, err := url.Parse(refServer.URL)
require.NoError(t, err)
opts := &attestation.SigningOptions{
SkipTL: true,
}
opts := &attestation.SigningOptions{}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err)
@@ -236,9 +232,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
refServerURL, err := url.Parse(refServer.URL)
require.NoError(t, err)
opts := &attestation.SigningOptions{
SkipTL: true,
}
opts := &attestation.SigningOptions{}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err)
@@ -291,9 +285,7 @@ func TestCorrectArtifactTypeInTagFallback(t *testing.T) {
repoName := "repo"
opts := &attestation.SigningOptions{
SkipTL: true,
}
opts := &attestation.SigningOptions{}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage(".."))
require.NoError(t, err)

20
attestation/sign.go
View File

@@ -37,10 +37,10 @@ func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, o
KeyID: keyID,
Sig: base64Encoding.EncodeToString(sig),
}
if !opts.SkipTL {
ext, err := logSignature(ctx, tlog.GetTL(ctx), &sig, &encPayload, signer)
if opts.TransparencyLog != nil {
ext, err := logSignature(ctx, opts.TransparencyLog, sig, encPayload, signer)
if err != nil {
return nil, fmt.Errorf("failed to log to rekor: %w", err)
return nil, fmt.Errorf("failed to log signature: %w", err)
}
dsseSig.Extension = ext
}
@@ -51,27 +51,21 @@ func SignDSSE(ctx context.Context, payload []byte, signer dsse.SignerVerifier, o
}
// returns a new envelope with the transparency log entry added to the signature extension.
func logSignature(ctx context.Context, t tlog.TL, sig *[]byte, encPayload *[]byte, signer dsse.SignerVerifier) (*Extension, error) {
func logSignature(ctx context.Context, t tlog.TransparencyLog, sig []byte, encPayload []byte, signer dsse.SignerVerifier) (*Extension, error) {
// get Key ID from signer
keyID, err := signer.KeyID()
if err != nil {
return nil, fmt.Errorf("error getting public key ID: %w", err)
}
entry, err := t.UploadLogEntry(ctx, keyID, *encPayload, *sig, signer)
entry, err := t.UploadEntry(ctx, keyID, encPayload, sig, signer)
if err != nil {
return nil, fmt.Errorf("error uploading TL entry: %w", err)
}
entryObj, err := t.UnmarshalEntry(entry)
if err != nil {
return nil, fmt.Errorf("error unmarshaling tl entry: %w", err)
}
return &Extension{
Kind: DockerDSSEExtKind,
Ext: &DockerDSSEExtension{
TL: &DockerTLExtension{
Kind: RekorTLExtKind,
Data: entryObj, // transparency log entry metadata
},
TL: entry,
},
}, nil
}

19
attestation/sign_test.go
View File

@@ -1,6 +1,7 @@
package attestation_test
import (
"context"
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
@@ -14,6 +15,7 @@ import (
"github.com/docker/attest/internal/test"
"github.com/docker/attest/oci"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
"github.com/google/go-containerregistry/pkg/registry"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/static"
@@ -35,7 +37,10 @@ func TestSignVerifyAttestation(t *testing.T) {
payload, err := json.Marshal(stmt)
require.NoError(t, err)
opts := &attestation.SigningOptions{}
tl := tlog.GetMockTL()
opts := &attestation.SigningOptions{
TransparencyLog: tl,
}
env, err := attestation.SignDSSE(ctx, payload, signer, opts)
require.NoError(t, err)
@@ -146,8 +151,17 @@ func TestSignVerifyAttestation(t *testing.T) {
opts := &attestation.VerifyOptions{
Keys: attestation.Keys{keyMeta},
}
_, err = attestation.VerifyDSSE(ctx, deserializedEnv, opts)
getTL := func(_ context.Context, opts *attestation.VerifyOptions) (tlog.TransparencyLog, error) {
if opts.SkipTL {
return nil, nil
}
return tl, nil
}
verifier, err := attestation.NewVerfier(attestation.WithLogVerifierFactory(getTL))
require.NoError(t, err)
_, err = attestation.VerifyDSSE(ctx, verifier, deserializedEnv, opts)
if tc.expectedError != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tc.expectedError)
} else {
assert.NoError(t, err)
@@ -222,7 +236,6 @@ func TestSimpleStatementSigning(t *testing.T) {
{"replaced", true},
{"not replaced", false},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
opts := &attestation.SigningOptions{}

40
attestation/types.go
View File

@@ -1,9 +1,12 @@
package attestation
import (
"crypto"
"encoding/base64"
"fmt"
"time"
"github.com/docker/attest/tlog"
v1 "github.com/google/go-containerregistry/pkg/v1"
intoto "github.com/in-toto/in-toto-golang/in_toto"
v02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
@@ -17,7 +20,6 @@ const (
InTotoPredicateType = "in-toto.io/predicate-type"
DockerReferenceDigest = "vnd.docker.reference.digest"
DockerDSSEExtKind = "application/vnd.docker.attestation-verification.v1+json"
RekorTLExtKind = "Rekor"
OCIDescriptorDSSEMediaType = ociv1.MediaTypeDescriptor + "+dsse"
InTotoReferenceLifecycleStage = "vnd.docker.lifecycle-stage"
LifecycleStageExperimental = "experimental"
@@ -72,22 +74,40 @@ type AnnotatedStatement struct {
}
type DockerDSSEExtension struct {
TL *DockerTLExtension `json:"tl"`
TL *tlog.DockerTLExtension `json:"tl"`
}
type DockerTLExtension struct {
Kind string `json:"kind"`
Data any `json:"data"`
}
type TransparencyLogKind string
const (
RekorTransparencyLogKind = "rekor"
)
type VerifyOptions struct {
Keys []*KeyMetadata `json:"keys"`
SkipTL bool `json:"skip_tl"`
Keys []*KeyMetadata `json:"keys"`
SkipTL bool `json:"skip_tl"`
TransparencyLog TransparencyLogKind `json:"tl"`
}
type KeyMetadata struct {
ID string `json:"id"`
PEM string `json:"key"`
From time.Time `json:"from"`
To *time.Time `json:"to"`
Status string `json:"status"`
SigningFormat string `json:"signing-format"`
Distrust bool `json:"distrust,omitempty"`
publicKey crypto.PublicKey
}
type (
Keys []*KeyMetadata
KeysMap map[string]*KeyMetadata
)
type SigningOptions struct {
// don't log to the configured transparency log
SkipTL bool
// set this in order to log to a transparency log
TransparencyLog tlog.TransparencyLog
}
type Options struct {

143
attestation/verifier.go Normal file
View File

@@ -0,0 +1,143 @@
package attestation
import (
"context"
"crypto"
"crypto/x509"
"fmt"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
"github.com/docker/attest/tuf"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
)
func WithTUFDownloader(tufDownloader tuf.Downloader) func(*verifier) {
return func(r *verifier) {
r.tufDownloader = tufDownloader
}
}
type SignatureVerifierFactory func(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)
func WithSignatureVerifierFactory(factory SignatureVerifierFactory) func(*verifier) {
return func(r *verifier) {
r.signatureVerifierFactory = factory
}
}
func WithLogVerifierFactory(factory LogVerifierFactory) func(*verifier) {
return func(r *verifier) {
r.logVerifierFactory = factory
}
}
type LogVerifierFactory func(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)
func NewVerfier(options ...func(*verifier)) (Verifier, error) {
verifier := &verifier{}
for _, opt := range options {
opt(verifier)
}
return verifier, nil
}
type Verifier interface {
GetSignatureVerifier(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error)
GetLogVerifier(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error)
VerifySignature(ctx context.Context, publicKey crypto.PublicKey, data []byte, signature []byte, opts *VerifyOptions) error
VerifyLog(ctx context.Context, keyMeta *KeyMetadata, data []byte, sig *Signature, opts *VerifyOptions) error
}
// ensure it has all the necessary methods.
var _ Verifier = (*verifier)(nil)
type verifier struct {
tufDownloader tuf.Downloader
signatureVerifierFactory SignatureVerifierFactory
logVerifierFactory LogVerifierFactory
}
// GetLogVerifier implements Verifier.
func (v *verifier) GetLogVerifier(ctx context.Context, opts *VerifyOptions) (tlog.TransparencyLog, error) {
if v.logVerifierFactory != nil {
return v.logVerifierFactory(ctx, opts)
}
if opts.SkipTL {
return nil, nil
}
// TODO support other transparency logs
var transparencyLog tlog.TransparencyLog
switch opts.TransparencyLog {
case "", RekorTransparencyLogKind:
var err error
transparencyLog, err = tlog.NewRekorLog(tlog.WithTUFDownloader(v.tufDownloader))
if err != nil {
return nil, fmt.Errorf("error failed to create rekor verifier: %w", err)
}
default:
return nil, fmt.Errorf("unsupported transparency log: %s", opts.TransparencyLog)
}
return transparencyLog, nil
}
// GetSignatureVerifier implements Verifier.
func (v *verifier) GetSignatureVerifier(ctx context.Context, publicKey crypto.PublicKey, opts *VerifyOptions) (dsse.Verifier, error) {
if v.signatureVerifierFactory != nil {
return v.signatureVerifierFactory(ctx, publicKey, opts)
}
// TODO: use details from opts to decide which algorithm to use here
ecdsaVerifier, err := signerverifier.NewECDSAVerifier(publicKey)
if err != nil {
return nil, fmt.Errorf("error failed to create ecdsa verifier: %w", err)
}
return ecdsaVerifier, nil
}
func (v *verifier) VerifySignature(ctx context.Context, publicKey crypto.PublicKey, data []byte, signature []byte, opts *VerifyOptions) error {
sigVerifier, err := v.GetSignatureVerifier(ctx, publicKey, opts)
if err != nil {
return fmt.Errorf("error failed to get verifier: %w", err)
}
return sigVerifier.Verify(ctx, data, signature)
}
func (v *verifier) VerifyLog(ctx context.Context, keyMeta *KeyMetadata, encPayload []byte, sig *Signature, opts *VerifyOptions) error {
if opts.SkipTL {
return nil
}
if sig.Extension == nil || sig.Extension.Kind == "" {
return fmt.Errorf("error missing signature extension")
}
if sig.Extension.Kind != DockerDSSEExtKind {
return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
}
transparencyLog, err := v.GetLogVerifier(ctx, opts)
if err != nil {
return fmt.Errorf("error failed to get transparency log verifier: %w", err)
}
if transparencyLog == nil {
return fmt.Errorf("error missing transparency log verifier")
}
// verify TL entry payload
publicKey, err := keyMeta.ParsedKey()
if err != nil {
return fmt.Errorf("error failed to parse public key: %w", err)
}
encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
if err != nil {
return fmt.Errorf("error failed to marshal public key: %w", err)
}
integratedTime, err := transparencyLog.VerifyEntry(ctx, sig.Extension.Ext.TL, encPayload, encodedPub)
if err != nil {
return fmt.Errorf("TL entry failed verification: %w", err)
}
if integratedTime.Before(keyMeta.From) {
return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
}
if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
}
return nil
}

55
attestation/verifier_test.go Normal file
View File

@@ -0,0 +1,55 @@
package attestation
import (
"context"
"reflect"
"testing"
"github.com/docker/attest/tlog"
"github.com/docker/attest/tuf"
"github.com/stretchr/testify/require"
)
func Test_verifier_GetLogVerifier(t *testing.T) {
type fields struct {
tufDownloader tuf.Downloader
signatureVerifierFactory SignatureVerifierFactory
logVerifierFactory LogVerifierFactory
}
type args struct {
ctx context.Context
opts *VerifyOptions
}
rekor, err := tlog.NewRekorLog()
require.NoError(t, err)
tests := []struct {
name string
fields fields
args args
want tlog.TransparencyLog
wantErr bool
}{
{name: "skip_tl true", fields: fields{}, args: args{ctx: context.Background(), opts: &VerifyOptions{SkipTL: true}}},
{name: "skip_tl false", fields: fields{}, args: args{ctx: context.Background(), opts: &VerifyOptions{SkipTL: false}}, want: rekor},
{name: "tl: rekor", fields: fields{logVerifierFactory: func(_ context.Context, _ *VerifyOptions) (tlog.TransparencyLog, error) {
return &tlog.Rekor{}, nil
}}, args: args{ctx: context.Background(), opts: &VerifyOptions{}}, want: &tlog.Rekor{}},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
v := &verifier{
tufDownloader: tt.fields.tufDownloader,
signatureVerifierFactory: tt.fields.signatureVerifierFactory,
logVerifierFactory: tt.fields.logVerifierFactory,
}
got, err := v.GetLogVerifier(tt.args.ctx, tt.args.opts)
if (err != nil) != tt.wantErr {
t.Errorf("verifier.GetLogVerifier() error = %v, wantErr %v", err, tt.wantErr)
return
}
if !reflect.DeepEqual(got, tt.want) {
t.Errorf("verifier.GetLogVerifier() = %v, want %v", got, tt.want)
}
})
}
}

141
attestation/verify.go
View File

@@ -2,37 +2,17 @@ package attestation
import (
"context"
"crypto/ecdsa"
"crypto/x509"
"crypto"
"encoding/base64"
"encoding/json"
"fmt"
"time"
"github.com/docker/attest/internal/util"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
intoto "github.com/in-toto/in-toto-golang/in_toto"
ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
)
type KeyMetadata struct {
ID string `json:"id"`
PEM string `json:"key"`
From time.Time `json:"from"`
To *time.Time `json:"to"`
Status string `json:"status"`
SigningFormat string `json:"signing-format"`
Distrust bool `json:"distrust,omitempty"`
}
type (
Keys []*KeyMetadata
KeysMap map[string]*KeyMetadata
)
func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error) {
func VerifyDSSE(ctx context.Context, verifier Verifier, env *Envelope, opts *VerifyOptions) ([]byte, error) {
// enforce payload type
if !ValidPayloadType(env.PayloadType) {
return nil, fmt.Errorf("unsupported payload type %s", env.PayloadType)
@@ -42,97 +22,62 @@ func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte
return nil, fmt.Errorf("no signatures found")
}
keys := make(map[string]*KeyMetadata, len(opts.Keys))
for _, key := range opts.Keys {
keys[key.ID] = key
}
payload, err := base64Encoding.DecodeString(env.Payload)
if err != nil {
return nil, fmt.Errorf("error failed to decode payload: %w", err)
}
encPayload := dsse.PAE(env.PayloadType, payload)
// verify signatures and transparency log entry
for _, sig := range env.Signatures {
err := verifySignature(ctx, sig, encPayload, opts)
// resolve public key used to sign
keyMeta, ok := keys[sig.KeyID]
if !ok {
return nil, fmt.Errorf("error key not found: %s", sig.KeyID)
}
if keyMeta.Distrust {
return nil, fmt.Errorf("key %s is distrusted", keyMeta.ID)
}
publicKey, err := keyMeta.ParsedKey()
if err != nil {
return nil, err
return nil, fmt.Errorf("failed to parse public key: %w", err)
}
// decode signature
signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
if err != nil {
return nil, fmt.Errorf("error failed to decode signature: %w", err)
}
err = verifier.VerifySignature(ctx, publicKey, encPayload, signature, opts)
if err != nil {
return nil, fmt.Errorf("error failed to verify signature: %w", err)
}
if err := verifier.VerifyLog(ctx, keyMeta, encPayload, sig, opts); err != nil {
return nil, fmt.Errorf("error failed to verify transparency log entry: %w", err)
}
}
return payload, nil
}
func verifySignature(ctx context.Context, sig *Signature, payload []byte, opts *VerifyOptions) error {
keys := make(map[string]*KeyMetadata, len(opts.Keys))
for _, key := range opts.Keys {
keys[key.ID] = key
}
keyMeta, ok := keys[sig.KeyID]
if !ok {
return fmt.Errorf("error key not found: %s", sig.KeyID)
}
if keyMeta.Distrust {
return fmt.Errorf("key %s is distrusted", keyMeta.ID)
}
// TODO: this is unmarshalling with MarshalPKIXPublicKey only for us to marshal it again
publicKey, err := signerverifier.ParsePublicKey([]byte(keyMeta.PEM))
if err != nil {
return fmt.Errorf("failed to parse public key: %w", err)
}
if !opts.SkipTL {
t := tlog.GetTL(ctx)
if sig.Extension == nil || sig.Extension.Kind == "" {
return fmt.Errorf("error missing signature extension")
}
if sig.Extension.Kind != DockerDSSEExtKind {
return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
}
// verify TL entry
if sig.Extension.Ext.TL.Kind != RekorTLExtKind {
return fmt.Errorf("error unsupported TL extension kind: %s", sig.Extension.Ext.TL.Kind)
}
entry := sig.Extension.Ext.TL.Data
entryBytes, err := json.Marshal(entry)
if err != nil {
return fmt.Errorf("failed to marshal TL entry: %w", err)
}
integratedTime, err := t.VerifyLogEntry(ctx, entryBytes)
if err != nil {
return fmt.Errorf("TL entry failed verification: %w", err)
}
if integratedTime.Before(keyMeta.From) {
return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
}
if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
}
// verify TL entry payload
encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
if err != nil {
return fmt.Errorf("error failed to marshal public key: %w", err)
}
err = t.VerifyEntryPayload(entryBytes, payload, encodedPub)
if err != nil {
return fmt.Errorf("TL entry failed payload verification: %w", err)
}
}
// decode signature
signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
if err != nil {
return fmt.Errorf("error failed to decode signature: %w", err)
}
// verify payload ecdsa signature
ok = ecdsa.VerifyASN1(publicKey, util.SHA256(payload), signature)
if !ok {
return fmt.Errorf("payload signature is not valid")
}
return nil
}
func ValidPayloadType(payloadType string) bool {
return payloadType == intoto.PayloadType || payloadType == ociv1.MediaTypeDescriptor
}
func (km *KeyMetadata) ParsedKey() (crypto.PublicKey, error) {
if km.publicKey != nil {
return km.publicKey, nil
}
publicKey, err := signerverifier.ParsePublicKey([]byte(km.PEM))
if err != nil {
return nil, fmt.Errorf("failed to parse public key: %w", err)
}
km.publicKey = publicKey
return publicKey, nil
}

3
attestation/verify_test.go
View File

@@ -42,8 +42,7 @@ func TestVerifyUnsignedAttestation(t *testing.T) {
opts := &attestation.VerifyOptions{
Keys: attestation.Keys{},
}
_, err := attestation.VerifyDSSE(ctx, env, opts)
_, err := attestation.VerifyDSSE(ctx, nil, env, opts)
assert.Error(t, err)
assert.Contains(t, err.Error(), "no signatures")
}

9
example_sign_test.go
View File

@@ -7,6 +7,7 @@ import (
"github.com/docker/attest/attestation"
"github.com/docker/attest/oci"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/empty"
"github.com/google/go-containerregistry/pkg/v1/mutate"
@@ -25,8 +26,14 @@ func ExampleSignStatements_remote() {
// signer, err := signerverifier.GetAWSSigner(cmd.Context(), aws_arn, aws_region)
// configure signing options
// use rekor transparency log wit static rekor public key (see options to use dynamic rekor public key)
rekor, err := tlog.NewRekorLog()
if err != nil {
panic(err)
}
opts := &attestation.SigningOptions{
SkipTL: true, // skip trust logging to a transparency log
TransparencyLog: rekor, // unset this to disable signature transparency logging
}
// load image index with unsigned attestation-manifests

12
go.mod
View File

@@ -4,7 +4,7 @@ go 1.22.5
require (
github.com/Masterminds/semver/v3 v3.3.0
github.com/aws/aws-sdk-go-v2/config v1.27.33
github.com/aws/aws-sdk-go-v2/config v1.27.35
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8
github.com/containerd/platforms v0.2.1
github.com/distribution/reference v0.6.0
@@ -18,6 +18,7 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.8.0
github.com/sigstore/cosign/v2 v2.4.0
github.com/sigstore/rekor v1.3.6
github.com/sigstore/sigstore v1.8.9
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.9
github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.9
github.com/stretchr/testify v1.9.0
@@ -42,7 +43,7 @@ require (
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2 v1.30.5 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.32 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.17.33 // indirect
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.17 // indirect
@@ -52,9 +53,9 @@ require (
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 // indirect
github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 // indirect
github.com/aws/aws-sdk-go-v2/service/sts v1.30.8 // indirect
github.com/aws/smithy-go v1.20.4 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
@@ -126,7 +127,6 @@ require (
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/sigstore/protobuf-specs v0.3.2 // indirect
github.com/sigstore/sigstore v1.8.8 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sirupsen/logrus v1.9.3 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect

24
go.sum
View File

@@ -98,10 +98,10 @@ github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU
github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/aws/aws-sdk-go-v2 v1.30.5 h1:mWSRTwQAb0aLE17dSzztCVJWI9+cRMgqebndjwDyK0g=
github.com/aws/aws-sdk-go-v2 v1.30.5/go.mod h1:CT+ZPWXbYrci8chcARI3OmI/qgd+f6WtuLOoaIA8PR0=
github.com/aws/aws-sdk-go-v2/config v1.27.33 h1:Nof9o/MsmH4oa0s2q9a0k7tMz5x/Yj5k06lDODWz3BU=
github.com/aws/aws-sdk-go-v2/config v1.27.33/go.mod h1:kEqdYzRb8dd8Sy2pOdEbExTTF5v7ozEXX0McgPE7xks=
github.com/aws/aws-sdk-go-v2/credentials v1.17.32 h1:7Cxhp/BnT2RcGy4VisJ9miUPecY+lyE9I8JvcZofn9I=
github.com/aws/aws-sdk-go-v2/credentials v1.17.32/go.mod h1:P5/QMF3/DCHbXGEGkdbilXHsyTBX5D3HSwcrSc9p20I=
github.com/aws/aws-sdk-go-v2/config v1.27.35 h1:jeFgiWYNV0vrgdZqB4kZBjYNdy0IKkwrAjr2fwpHIig=
github.com/aws/aws-sdk-go-v2/config v1.27.35/go.mod h1:qnpEvTq8ZfjrCqmJGRfWZuF+lGZ/vG8LK2K0L/TY1gQ=
github.com/aws/aws-sdk-go-v2/credentials v1.17.33 h1:lBHAQQznENv0gLHAZ73ONiTSkCtr8q3pSqWrpbBBZz0=
github.com/aws/aws-sdk-go-v2/credentials v1.17.33/go.mod h1:MBuqCUOT3ChfLuxNDGyra67eskx7ge9e3YKYBce7wpI=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13 h1:pfQ2sqNpMVK6xz2RbqLEL0GH87JOwSxPV2rzm8Zsb74=
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.13/go.mod h1:NG7RXPUlqfsCLLFfi0+IpKN4sCB9D9fw/qTaSB+xRoU=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.17 h1:pI7Bzt0BJtYA0N/JEC6B8fJ4RBrEMi1LBrkMdFYNSnQ=
@@ -120,12 +120,12 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19 h1:rfprUlsd
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.19/go.mod h1:SCWkEdRq8/7EK60NcvvQ6NXKuTcchAD4ROAsC37VEZE=
github.com/aws/aws-sdk-go-v2/service/kms v1.35.5 h1:XUomV7SiclZl1QuXORdGcfFqHxEHET7rmNGtxTfNB+M=
github.com/aws/aws-sdk-go-v2/service/kms v1.35.5/go.mod h1:A5CS0VRmxxj2YKYLCY08l/Zzbd01m6JZn0WzxgT1OCA=
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7 h1:pIaGg+08llrP7Q5aiz9ICWbY8cqhTkyy+0SHvfzQpTc=
github.com/aws/aws-sdk-go-v2/service/sso v1.22.7/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7 h1:/Cfdu0XV3mONYKaOt1Gr0k1KvQzkzPyiKUdlWJqy+J4=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.7/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA=
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7 h1:NKTa1eqZYw8tiHSRGpP0VtTdub/8KNk8sDkNPFaOKDE=
github.com/aws/aws-sdk-go-v2/service/sts v1.30.7/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o=
github.com/aws/aws-sdk-go-v2/service/sso v1.22.8 h1:JRwuL+S1Qe1owZQoxblV7ORgRf2o0SrtzDVIbaVCdQ0=
github.com/aws/aws-sdk-go-v2/service/sso v1.22.8/go.mod h1:eEygMHnTKH/3kNp9Jr1n3PdejuSNcgwLe1dWgQtO0VQ=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8 h1:+HpGETD9463PFSj7lX5+eq7aLDs85QUIA+NBkeAsscA=
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.8/go.mod h1:bCbAxKDqNvkHxRaIMnyVPXPo+OaPRwvmgzMxbz1VKSA=
github.com/aws/aws-sdk-go-v2/service/sts v1.30.8 h1:bAi+4p5EKnni+jrfcAhb7iHFQ24bthOAV9t0taf3DCE=
github.com/aws/aws-sdk-go-v2/service/sts v1.30.8/go.mod h1:NXi1dIAGteSaRLqYgarlhP/Ij0cFT+qmCwiJqWh/U5o=
github.com/aws/smithy-go v1.20.4 h1:2HK1zBdPgRbjFOHlfeQZfpC4r72MOb9bZkiFwggKO+4=
github.com/aws/smithy-go v1.20.4/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
@@ -513,8 +513,8 @@ github.com/sigstore/protobuf-specs v0.3.2 h1:nCVARCN+fHjlNCk3ThNXwrZRqIommIeNKWw
github.com/sigstore/protobuf-specs v0.3.2/go.mod h1:RZ0uOdJR4OB3tLQeAyWoJFbNCBFrPQdcokntde4zRBA=
github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
github.com/sigstore/sigstore v1.8.8 h1:B6ZQPBKK7Z7tO3bjLNnlCMG+H66tO4E/+qAphX8T/hg=
github.com/sigstore/sigstore v1.8.8/go.mod h1:GW0GgJSCTBJY3fUOuGDHeFWcD++c4G8Y9K015pwcpDI=
github.com/sigstore/sigstore v1.8.9 h1:NiUZIVWywgYuVTxXmRoTT4O4QAGiTEKup4N1wdxFadk=
github.com/sigstore/sigstore v1.8.9/go.mod h1:d9ZAbNDs8JJfxJrYmulaTazU3Pwr8uLL9+mii4BNR3w=
github.com/sigstore/sigstore-go v0.5.1 h1:5IhKvtjlQBeLnjKkzMELNG4tIBf+xXQkDzhLV77+/8Y=
github.com/sigstore/sigstore-go v0.5.1/go.mod h1:TuOfV7THHqiDaUHuJ5+QN23RP/YoKmsbwJpY+aaYPN0=
github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.9 h1:tgpdvjyoEgYFeTBFe4MHvBKsG+J4E7NVtstChIExVT8=

40
internal/test/test.go
View File

@@ -7,24 +7,22 @@ import (
_ "embed"
"encoding/pem"
"fmt"
"io"
"log"
"net/http"
"net/http/httptest"
"os"
"path/filepath"
"strings"
"testing"
"time"
"github.com/docker/attest/attestation"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tlog"
"github.com/docker/attest/useragent"
"github.com/google/go-containerregistry/pkg/registry"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
)
const (
UseMockTL = true
UseMockKMS = true
AWSRegion = "us-east-1"
@@ -60,15 +58,7 @@ func GetMockSigner(_ context.Context) (dsse.SignerVerifier, error) {
}
func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
var tl tlog.TL
if UseMockTL {
tl = tlog.GetMockTL()
} else {
tl = &tlog.RekorTL{}
}
ctx := tlog.WithTL(context.Background(), tl)
ctx := context.Background()
var signer dsse.SignerVerifier
var err error
if UseMockKMS {
@@ -87,6 +77,7 @@ func Setup(t *testing.T) (context.Context, dsse.SignerVerifier) {
}
func NewLocalRegistry(ctx context.Context, options ...registry.Option) *httptest.Server {
options = append(options, registry.Logger(log.New(io.Discard, "", log.LstdFlags)))
regHandler := registry.New(options...)
return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Check the user agent
@@ -99,7 +90,7 @@ func NewLocalRegistry(ctx context.Context, options ...registry.Option) *httptest
}))
}
func publicKeyToPEM(pubKey crypto.PublicKey) (string, error) {
func PublicKeyToPEM(pubKey crypto.PublicKey) (string, error) {
derBytes, err := x509.MarshalPKIXPublicKey(pubKey)
if err != nil {
return "", err
@@ -112,24 +103,3 @@ func publicKeyToPEM(pubKey crypto.PublicKey) (string, error) {
return string(pem.EncodeToMemory(pemBlock)), nil
}
// LoadKeyMetadata loads the key metadata for the given signer verifier.
func GenKeyMetadata(sv dsse.SignerVerifier) (*attestation.KeyMetadata, error) {
pub := sv.Public()
pem, err := publicKeyToPEM(pub)
if err != nil {
return nil, fmt.Errorf("failed to convert public key to PEM: %w", err)
}
id, err := sv.KeyID()
if err != nil {
return nil, err
}
return &attestation.KeyMetadata{
ID: id,
Status: "active",
SigningFormat: "dssev1",
From: time.Now(),
PEM: pem,
}, nil
}

24
config/config.go → mapping/mapping.go
View File

@@ -1,4 +1,4 @@
package config
package mapping
import (
"errors"
@@ -8,6 +8,7 @@ import (
"regexp"
"github.com/docker/attest/tuf"
v1 "github.com/google/go-containerregistry/pkg/v1"
"sigs.k8s.io/yaml"
)
@@ -33,6 +34,13 @@ func validateMappingsFile(mappings *policyMappingsFile) error {
if rule.PolicyID != "" && rule.Replacement != "" {
validationErrors = append(validationErrors, fmt.Errorf("rule cannot have both policy-id and replacement: %s", rule))
}
if rule.Platforms != nil {
for _, platform := range rule.Platforms {
if platform == "" {
validationErrors = append(validationErrors, fmt.Errorf("rule has empty platform: %s", rule))
}
}
}
}
for _, policy := range mappings.Policies {
if policy.ID == "" {
@@ -100,14 +108,24 @@ func expandMappingFile(mappingFile *policyMappingsFile) (*PolicyMappings, error)
var rules []*PolicyRule
for _, rule := range mappingFile.Rules {
r, err := regexp.Compile(rule.Pattern)
patternRegex, err := regexp.Compile(rule.Pattern)
if err != nil {
return nil, err
}
platforms := make([]*v1.Platform, 0, len(rule.Platforms))
for _, platform := range rule.Platforms {
parsedPlatform, err := v1.ParsePlatform(platform)
if err != nil {
return nil, fmt.Errorf("failed to parse platform %s: %w", platform, err)
}
platforms = append(platforms, parsedPlatform)
}
rules = append(rules, &PolicyRule{
Pattern: r,
Pattern: patternRegex,
PolicyID: rule.PolicyID,
Replacement: rule.Replacement,
Platforms: platforms,
})
}

2
config/config_test.go → mapping/mapping_test.go
View File

@@ -1,4 +1,4 @@
package config
package mapping
import (
"testing"

80
mapping/match.go Normal file
View File

@@ -0,0 +1,80 @@
package mapping
import (
"fmt"
v1 "github.com/google/go-containerregistry/pkg/v1"
)
type matchType string
const (
MatchTypePolicy matchType = "policy"
MatchTypeMatchNoPolicy matchType = "match_no_policy"
MatchTypeNoMatch matchType = "no_match"
)
type PolicyMatch struct {
MatchType matchType
Policy *PolicyMapping
Rule *PolicyRule
MatchedName string
}
func (mappings *PolicyMappings) FindPolicyMatch(imageName string, platform *v1.Platform) (*PolicyMatch, error) {
if mappings == nil {
return &PolicyMatch{MatchType: MatchTypeNoMatch, MatchedName: imageName}, nil
}
return mappings.findPolicyMatchImpl(imageName, platform, make(map[*PolicyRule]bool))
}
func (mappings *PolicyMappings) findPolicyMatchImpl(imageName string, platform *v1.Platform, matched map[*PolicyRule]bool) (*PolicyMatch, error) {
for _, rule := range mappings.Rules {
if !rule.matchesPlatform(platform) {
continue
}
if rule.Pattern.MatchString(imageName) {
switch {
case rule.PolicyID == "" && rule.Replacement == "":
return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern)
case rule.PolicyID != "" && rule.Replacement != "":
return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern)
case rule.PolicyID != "":
policy := mappings.Policies[rule.PolicyID]
if policy != nil {
return &PolicyMatch{
MatchType: MatchTypePolicy,
Policy: policy,
Rule: rule,
MatchedName: imageName,
}, nil
}
return &PolicyMatch{
MatchType: MatchTypeMatchNoPolicy,
Rule: rule,
MatchedName: imageName,
}, nil
case rule.Replacement != "":
if matched[rule] {
return nil, fmt.Errorf("rewrite loop detected")
}
matched[rule] = true
imageName = rule.Pattern.ReplaceAllString(imageName, rule.Replacement)
return mappings.findPolicyMatchImpl(imageName, platform, matched)
}
}
}
return &PolicyMatch{MatchType: MatchTypeNoMatch}, nil
}
func (rule *PolicyRule) matchesPlatform(platform *v1.Platform) bool {
if len(rule.Platforms) == 0 {
return true
}
for i := range rule.Platforms {
if rule.Platforms[i].Equals(*platform) {
return true
}
}
return false
}

200
mapping/match_test.go Normal file
View File

@@ -0,0 +1,200 @@
package mapping
import (
"path/filepath"
"testing"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestFindPolicyMatch(t *testing.T) {
defaultPlatform, err := v1.ParsePlatform("linux/amd64")
require.NoError(t, err)
testCases := []struct {
name string
imageName string
mappingDir string
expectError bool
expectLoadingError bool
expectedMatchType matchType
expectedPolicyID string
expectedImageName string
platform string
}{
{
name: "alpine",
mappingDir: "doi",
imageName: "docker.io/library/alpine",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "no match",
mappingDir: "doi",
imageName: "docker.io/something/else",
expectedMatchType: MatchTypeNoMatch,
},
{
name: "match, no policy",
mappingDir: "local",
imageName: "docker.io/library/alpine",
expectedMatchType: MatchTypeMatchNoPolicy,
expectedImageName: "docker.io/library/alpine",
},
{
name: "simple rewrite",
mappingDir: "simple-rewrite",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "rewrite no match",
mappingDir: "rewrite-to-no-match",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: MatchTypeNoMatch,
},
{
name: "rewrite to match, no policy",
mappingDir: "rewrite-to-local",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: MatchTypeMatchNoPolicy,
expectedImageName: "docker.io/library/alpine",
},
{
name: "multiple rewrites",
mappingDir: "rewrite-multiple",
imageName: "myevencoolermirror.org/library/alpine",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "rewrite loop",
mappingDir: "rewrite-loop",
imageName: "yin/alpine",
expectError: true,
},
{
name: "alpine with platform",
mappingDir: "doi",
imageName: "docker.io/library/alpine",
platform: "linux/amd64",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "alpine with platform",
mappingDir: "doi-platform",
imageName: "docker.io/library/alpine",
platform: "linux/amd64",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "alpine with no matching platform",
mappingDir: "doi-platform",
imageName: "docker.io/library/alpine",
platform: "linux/arm64",
expectedMatchType: MatchTypeNoMatch,
expectedPolicyID: "docker-official-images",
},
{
name: "alpine with platform",
mappingDir: "doi-platform",
imageName: "docker.io/library/alpine",
platform: "linux/amd64",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "alpine with invalid platform in mapping",
mappingDir: "doi-platform-broken",
imageName: "docker.io/library/alpine",
platform: "linux/amd64",
expectLoadingError: true,
},
{
name: "firefox with > 1 platforms in policy",
mappingDir: "doi-platform",
imageName: "docker.io/mozilla/firefox",
platform: "linux/arm64",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/mozilla/firefox",
},
{
name: "firefox with > 1 platforms in policy (no match)",
mappingDir: "doi-platform",
imageName: "docker.io/mozilla/firefox",
platform: "macOs/arm64",
expectedMatchType: MatchTypeNoMatch,
expectedPolicyID: "docker-official-images",
},
{
name: "rewrite and platform",
mappingDir: "doi-platform",
imageName: "mycoolmirror.org/library/alpine",
platform: "linux/amd64",
expectedMatchType: MatchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "rewrite and platform mismatch",
mappingDir: "doi-platform",
imageName: "mycoolmirror.org/library/alpine",
platform: "macOs/amd64",
expectedMatchType: MatchTypeNoMatch,
expectedPolicyID: "docker-official-images",
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
mappings, err := LoadLocalMappings(filepath.Join("testdata", "mappings", tc.mappingDir))
if tc.expectLoadingError {
require.Error(t, err)
return
}
require.NoError(t, err)
platform := defaultPlatform
if tc.platform != "" {
platform, err = v1.ParsePlatform(tc.platform)
require.NoError(t, err)
}
match, err := mappings.FindPolicyMatch(tc.imageName, platform)
if tc.expectError {
require.Error(t, err)
// TODO: check error matches expected error message
return
}
require.NoError(t, err)
assert.Equal(t, tc.expectedMatchType, match.MatchType)
if match.MatchType == MatchTypePolicy {
if assert.NotNil(t, match.Policy) {
assert.Equal(t, tc.expectedPolicyID, match.Policy.ID)
}
}
if match.MatchType == MatchTypeMatchNoPolicy || match.MatchType == MatchTypePolicy {
assert.Equal(t, tc.expectedImageName, match.MatchedName)
}
})
}
}

11
mapping/testdata/mappings/doi-platform-broken/mapping.yaml vendored Normal file
View File

@@ -0,0 +1,11 @@
version: v1
kind: policy-mapping
policies:
- id: docker-official-images
description: Docker Official Images
files:
- path: doi/policy.rego
rules:
- pattern: "^docker[.]io/library/(.*)$"
platforms: ["linux/amd64/broken/platform/spec/1.0:foobar"]
policy-id: docker-official-images

17
mapping/testdata/mappings/doi-platform/mapping.yaml vendored Normal file
View File

@@ -0,0 +1,17 @@
version: v1
kind: policy-mapping
policies:
- id: docker-official-images
description: Docker Official Images
files:
- path: doi/policy.rego
rules:
- pattern: "^docker[.]io/library/(.*)$"
platforms: ["linux/amd64"]
policy-id: docker-official-images
- pattern: "^docker.io/mozilla/(.*)$"
platforms: ["linux/amd64", "linux/arm64"]
policy-id: docker-official-images
- pattern: "^mycoolmirror[.]org/library/(.*)$"
platforms: ["linux/amd64"]
rewrite: "docker.io/library/$1"

0
policy/testdata/mappings/doi/mapping.yaml → mapping/testdata/mappings/doi/mapping.yaml vendored
View File

0
policy/testdata/mappings/local/mapping.yaml → mapping/testdata/mappings/local/mapping.yaml vendored
View File

0
policy/testdata/mappings/rewrite-invalid/mapping.yaml → mapping/testdata/mappings/rewrite-invalid/mapping.yaml vendored
View File

0
policy/testdata/mappings/rewrite-loop/mapping.yaml → mapping/testdata/mappings/rewrite-loop/mapping.yaml vendored
View File

0
policy/testdata/mappings/rewrite-multiple/mapping.yaml → mapping/testdata/mappings/rewrite-multiple/mapping.yaml vendored
View File

0
policy/testdata/mappings/rewrite-to-local/mapping.yaml → mapping/testdata/mappings/rewrite-to-local/mapping.yaml vendored
View File

0
policy/testdata/mappings/rewrite-to-no-match/mapping.yaml → mapping/testdata/mappings/rewrite-to-no-match/mapping.yaml vendored
View File

0
policy/testdata/mappings/simple-rewrite/mapping.yaml → mapping/testdata/mappings/simple-rewrite/mapping.yaml vendored
View File

12
config/types.go → mapping/types.go
View File

@@ -1,7 +1,9 @@
package config
package mapping
import (
"regexp"
v1 "github.com/google/go-containerregistry/pkg/v1"
)
type policyMappingsFile struct {
@@ -12,9 +14,10 @@ type policyMappingsFile struct {
}
type policyRuleFile struct {
Pattern string `json:"pattern"`
PolicyID string `json:"policy-id"`
Replacement string `json:"rewrite"`
Pattern string `json:"pattern"`
Platforms []string `json:"platforms"`
PolicyID string `json:"policy-id"`
Replacement string `json:"rewrite"`
}
type PolicyMappings struct {
@@ -51,4 +54,5 @@ type PolicyRule struct {
Pattern *regexp.Regexp
PolicyID string
Replacement string
Platforms []*v1.Platform
}

65
policy/match.go
View File

@@ -1,65 +0,0 @@
package policy
import (
"fmt"
"github.com/docker/attest/config"
)
type matchType string
const (
matchTypePolicy matchType = "policy"
matchTypeMatchNoPolicy matchType = "match_no_policy"
matchTypeNoMatch matchType = "no_match"
)
type policyMatch struct {
matchType matchType
policy *config.PolicyMapping
rule *config.PolicyRule
matchedName string
}
func findPolicyMatch(imageName string, mappings *config.PolicyMappings) (*policyMatch, error) {
if mappings == nil {
return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
}
return findPolicyMatchImpl(imageName, mappings, make(map[*config.PolicyRule]bool))
}
func findPolicyMatchImpl(imageName string, mappings *config.PolicyMappings, matched map[*config.PolicyRule]bool) (*policyMatch, error) {
for _, rule := range mappings.Rules {
if rule.Pattern.MatchString(imageName) {
switch {
case rule.PolicyID == "" && rule.Replacement == "":
return nil, fmt.Errorf("rule %s has neither policy-id nor rewrite", rule.Pattern)
case rule.PolicyID != "" && rule.Replacement != "":
return nil, fmt.Errorf("rule %s has both policy-id and rewrite", rule.Pattern)
case rule.PolicyID != "":
policy := mappings.Policies[rule.PolicyID]
if policy != nil {
return &policyMatch{
matchType: matchTypePolicy,
policy: policy,
rule: rule,
matchedName: imageName,
}, nil
}
return &policyMatch{
matchType: matchTypeMatchNoPolicy,
rule: rule,
matchedName: imageName,
}, nil
case rule.Replacement != "":
if matched[rule] {
return nil, fmt.Errorf("rewrite loop detected")
}
matched[rule] = true
imageName = rule.Pattern.ReplaceAllString(imageName, rule.Replacement)
return findPolicyMatchImpl(imageName, mappings, matched)
}
}
}
return &policyMatch{matchType: matchTypeNoMatch, matchedName: imageName}, nil
}

112
policy/match_test.go
View File

@@ -1,112 +0,0 @@
package policy
import (
"path/filepath"
"testing"
"github.com/docker/attest/config"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestFindPolicyMatch(t *testing.T) {
testCases := []struct {
name string
imageName string
mappingDir string
expectError bool
expectLoadingError bool
expectedMatchType matchType
expectedPolicyID string
expectedImageName string
}{
{
name: "alpine",
mappingDir: "doi",
imageName: "docker.io/library/alpine",
expectedMatchType: matchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "no match",
mappingDir: "doi",
imageName: "docker.io/something/else",
expectedMatchType: matchTypeNoMatch,
expectedImageName: "docker.io/something/else",
},
{
name: "match, no policy",
mappingDir: "local",
imageName: "docker.io/library/alpine",
expectedMatchType: matchTypeMatchNoPolicy,
expectedImageName: "docker.io/library/alpine",
},
{
name: "simple rewrite",
mappingDir: "simple-rewrite",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: matchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "rewrite no match",
mappingDir: "rewrite-to-no-match",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: matchTypeNoMatch,
expectedImageName: "badredirect.org/alpine",
},
{
name: "rewrite to match, no policy",
mappingDir: "rewrite-to-local",
imageName: "mycoolmirror.org/library/alpine",
expectedMatchType: matchTypeMatchNoPolicy,
expectedImageName: "docker.io/library/alpine",
},
{
name: "multiple rewrites",
mappingDir: "rewrite-multiple",
imageName: "myevencoolermirror.org/library/alpine",
expectedMatchType: matchTypePolicy,
expectedPolicyID: "docker-official-images",
expectedImageName: "docker.io/library/alpine",
},
{
name: "rewrite loop",
mappingDir: "rewrite-loop",
imageName: "yin/alpine",
expectError: true,
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
mappings, err := config.LoadLocalMappings(filepath.Join("testdata", "mappings", tc.mappingDir))
require.NoError(t, err)
match, err := findPolicyMatch(tc.imageName, mappings)
if tc.expectError {
require.Error(t, err)
// TODO: check error matches expected error message
return
}
require.NoError(t, err)
assert.Equal(t, tc.expectedMatchType, match.matchType)
if match.matchType == matchTypePolicy {
if assert.NotNil(t, match.policy) {
assert.Equal(t, tc.expectedPolicyID, match.policy.ID)
}
}
assert.Equal(t, tc.expectedImageName, match.matchedName)
})
}
}

12
policy/policy.go
View File

@@ -6,7 +6,7 @@ import (
"github.com/distribution/reference"
"github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci"
intoto "github.com/in-toto/in-toto-golang/in_toto"
"github.com/package-url/packageurl-go"
@@ -22,9 +22,9 @@ func CreateImageDetailsResolver(imageSource *oci.ImageSpec) (oci.ImageDetailsRes
return nil, fmt.Errorf("unsupported image source type: %s", imageSource.Type)
}
func CreateAttestationResolver(resolver oci.ImageDetailsResolver, mapping *config.PolicyMapping) (attestation.Resolver, error) {
if mapping.Attestations != nil {
if mapping.Attestations.Style == config.AttestationStyleAttached {
func CreateAttestationResolver(resolver oci.ImageDetailsResolver, policyMapping *mapping.PolicyMapping) (attestation.Resolver, error) {
if policyMapping.Attestations != nil {
if policyMapping.Attestations.Style == mapping.AttestationStyleAttached {
switch resolver := resolver.(type) {
case *oci.RegistryImageDetailsResolver:
return attestation.NewRegistryResolver(resolver)
@@ -34,8 +34,8 @@ func CreateAttestationResolver(resolver oci.ImageDetailsResolver, mapping *confi
return nil, fmt.Errorf("unsupported image details resolver type: %T", resolver)
}
}
if mapping.Attestations.Repo != "" {
return attestation.NewReferrersResolver(resolver, attestation.WithReferrersRepo(mapping.Attestations.Repo))
if policyMapping.Attestations.Repo != "" {
return attestation.NewReferrersResolver(resolver, attestation.WithReferrersRepo(policyMapping.Attestations.Repo))
}
}
return attestation.NewReferrersResolver(resolver)

42
policy/policy_test.go
View File

@@ -8,8 +8,8 @@ import (
"testing"
"github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/test"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci"
"github.com/docker/attest/policy"
v1 "github.com/google/go-containerregistry/pkg/v1"
@@ -39,12 +39,14 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
TestDataPath := filepath.Join("..", "test", "testdata")
ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json")
re := policy.NewRegoEvaluator(true)
verifier, err := attestation.NewVerfier()
require.NoError(t, err)
re := policy.NewRegoEvaluator(true, verifier)
defaultResolver := attestation.MockResolver{
Envs: []*attestation.Envelope{loadAttestation(t, ExampleAttestation)},
}
defaultPlatform, err := v1.ParsePlatform("linux/amd64")
require.NoError(t, err)
testCases := []struct {
policyPath string
expectSuccess bool
@@ -86,7 +88,7 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
imageName, err := tc.resolver.ImageName(ctx)
require.NoError(t, err)
resolver := policy.NewResolver(nil, tc.opts)
policy, err := resolver.ResolvePolicy(ctx, imageName)
policy, err := resolver.ResolvePolicy(ctx, imageName, defaultPlatform)
if tc.resolveErrorStr != "" {
require.Error(t, err)
assert.Contains(t, err.Error(), tc.resolveErrorStr)
@@ -107,7 +109,7 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
}
func TestLoadingMappings(t *testing.T) {
policyMappings, err := config.LoadLocalMappings(filepath.Join("testdata", "policies", "allow"))
policyMappings, err := mapping.LoadLocalMappings(filepath.Join("testdata", "policies", "allow"))
require.NoError(t, err)
assert.Equal(t, len(policyMappings.Rules), 3)
for _, mirror := range policyMappings.Rules {
@@ -124,32 +126,32 @@ func TestCreateAttestationResolver(t *testing.T) {
layoutResolver := &attestation.LayoutResolver{}
registryResolver := &oci.RegistryImageDetailsResolver{}
nilRepoReferrers := &config.PolicyMapping{
Attestations: &config.AttestationConfig{
Style: config.AttestationStyleReferrers,
nilRepoReferrers := &mapping.PolicyMapping{
Attestations: &mapping.AttestationConfig{
Style: mapping.AttestationStyleReferrers,
},
}
referrers := &config.PolicyMapping{
Attestations: &config.AttestationConfig{
referrers := &mapping.PolicyMapping{
Attestations: &mapping.AttestationConfig{
Repo: "localhost:5000/repo",
Style: config.AttestationStyleReferrers,
Style: mapping.AttestationStyleReferrers,
},
}
attached := &config.PolicyMapping{
Attestations: &config.AttestationConfig{
Style: config.AttestationStyleAttached,
attached := &mapping.PolicyMapping{
Attestations: &mapping.AttestationConfig{
Style: mapping.AttestationStyleAttached,
},
}
testCases := []struct {
name string
resolver oci.ImageDetailsResolver
mapping *config.PolicyMapping
mapping *mapping.PolicyMapping
errorStr string
}{
{name: "referrers", resolver: layoutResolver, mapping: referrers},
{name: "referrers (no mapped repo)", resolver: layoutResolver, mapping: nilRepoReferrers},
{name: "referrers (no mapping)", resolver: layoutResolver, mapping: &config.PolicyMapping{Attestations: nil}},
{name: "referrers (no mapping)", resolver: layoutResolver, mapping: &mapping.PolicyMapping{Attestations: nil}},
{name: "attached (registry)", resolver: registryResolver, mapping: attached},
{name: "attached (layout)", resolver: layoutResolver, mapping: attached},
{name: "attached (unsupported)", resolver: mockResolver, mapping: attached, errorStr: "unsupported image details resolver type"},
@@ -168,11 +170,11 @@ func TestCreateAttestationResolver(t *testing.T) {
}
switch resolver.(type) {
case *attestation.ReferrersResolver:
assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleReferrers)
assert.Equal(t, tc.mapping.Attestations.Style, mapping.AttestationStyleReferrers)
case *attestation.RegistryResolver:
assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleAttached)
assert.Equal(t, tc.mapping.Attestations.Style, mapping.AttestationStyleAttached)
case *attestation.LayoutResolver:
assert.Equal(t, tc.mapping.Attestations.Style, config.AttestationStyleAttached)
assert.Equal(t, tc.mapping.Attestations.Style, mapping.AttestationStyleAttached)
}
})
}

151
policy/rego.go
View File

@@ -21,7 +21,8 @@ import (
)
type regoEvaluator struct {
debug bool
debug bool
attestationVerifier attestation.Verifier
}
const (
@@ -29,9 +30,10 @@ const (
resultBinding = "result"
)
func NewRegoEvaluator(debug bool) Evaluator {
func NewRegoEvaluator(debug bool, attestationVerifier attestation.Verifier) Evaluator {
return &regoEvaluator{
debug: debug,
debug: debug,
attestationVerifier: attestationVerifier,
}
}
@@ -86,7 +88,8 @@ func (re *regoEvaluator) Evaluate(ctx context.Context, resolver attestation.Reso
rego.Store(store),
rego.GenerateJSON(jsonGenerator[Result]()),
)
for _, custom := range RegoFunctions(resolver) {
regoFnOpts := NewRegoFunctionOptions(resolver, re.attestationVerifier)
for _, custom := range RegoFunctions(regoFnOpts) {
regoOpts = append(regoOpts, custom.Func)
}
@@ -169,7 +172,7 @@ func handleErrors2(f func(rCtx rego.BuiltinContext, a, b *ast.Term) (*ast.Term,
}
}
func RegoFunctions(resolver attestation.Resolver) []*tester.Builtin {
func RegoFunctions(regoOpts *RegoFnOpts) []*tester.Builtin {
return []*tester.Builtin{
{
Decl: verifyDecl,
@@ -180,7 +183,7 @@ func RegoFunctions(resolver attestation.Resolver) []*tester.Builtin {
Memoize: true,
Nondeterministic: verifyDecl.Nondeterministic,
},
handleErrors2(verifyInTotoEnvelope(resolver))),
handleErrors2(regoOpts.verifyInTotoEnvelope)),
},
{
Decl: attestDecl,
@@ -191,83 +194,95 @@ func RegoFunctions(resolver attestation.Resolver) []*tester.Builtin {
Memoize: true,
Nondeterministic: attestDecl.Nondeterministic,
},
handleErrors1(fetchInTotoAttestations(resolver))),
handleErrors1(regoOpts.fetchInTotoAttestations)),
},
}
}
func fetchInTotoAttestations(resolver attestation.Resolver) rego.Builtin1 {
return func(rCtx rego.BuiltinContext, predicateTypeTerm *ast.Term) (*ast.Term, error) {
predicateTypeStr, ok := predicateTypeTerm.Value.(ast.String)
if !ok {
return nil, fmt.Errorf("predicateTypeTerm is not a string")
}
predicateType := string(predicateTypeStr)
// because we don't control the signature here (blame rego)
// nolint:gocritic
func (regoOpts *RegoFnOpts) fetchInTotoAttestations(rCtx rego.BuiltinContext, predicateTypeTerm *ast.Term) (*ast.Term, error) {
predicateTypeStr, ok := predicateTypeTerm.Value.(ast.String)
if !ok {
return nil, fmt.Errorf("predicateTypeTerm is not a string")
}
predicateType := string(predicateTypeStr)
envelopes, err := resolver.Attestations(rCtx.Context, predicateType)
envelopes, err := regoOpts.attestationResolver.Attestations(rCtx.Context, predicateType)
if err != nil {
return nil, err
}
// Convert each envelope to an ast.Value.
values := make([]*ast.Term, len(envelopes))
for i, envelope := range envelopes {
value, err := ast.InterfaceToValue(envelope)
if err != nil {
return nil, err
}
values[i] = ast.NewTerm(value)
}
// Convert each envelope to an ast.Value.
values := make([]*ast.Term, len(envelopes))
for i, envelope := range envelopes {
value, err := ast.InterfaceToValue(envelope)
if err != nil {
return nil, err
}
values[i] = ast.NewTerm(value)
}
// Wrap the values in an ast.Set and convert it to an ast.Term.
set := ast.NewTerm(ast.NewSet(values...))
// Wrap the values in an ast.Set and convert it to an ast.Term.
set := ast.NewTerm(ast.NewSet(values...))
return set, nil
}
return set, nil
type RegoFnOpts struct {
attestationResolver attestation.Resolver
attestationVerifier attestation.Verifier
}
// this is exported for testing here and in clients of the library.
func NewRegoFunctionOptions(resolver attestation.Resolver, verifier attestation.Verifier) *RegoFnOpts {
return &RegoFnOpts{
attestationResolver: resolver,
attestationVerifier: verifier,
}
}
func verifyInTotoEnvelope(resolver attestation.Resolver) rego.Builtin2 {
return func(rCtx rego.BuiltinContext, envTerm, optsTerm *ast.Term) (*ast.Term, error) {
env := new(attestation.Envelope)
opts := new(attestation.VerifyOptions)
err := ast.As(envTerm.Value, env)
if err != nil {
return nil, fmt.Errorf("failed to cast envelope: %w", err)
}
err = ast.As(optsTerm.Value, &opts)
if err != nil {
return nil, fmt.Errorf("failed to cast verifier options: %w", err)
}
payload, err := attestation.VerifyDSSE(rCtx.Context, env, opts)
if err != nil {
return nil, fmt.Errorf("failed to verify envelope: %w", err)
}
statement := new(intoto.Statement)
switch env.PayloadType {
case intoto.PayloadType:
err = json.Unmarshal(payload, statement)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal statement: %w", err)
}
// TODO: implement other types of envelope
default:
return nil, fmt.Errorf("unsupported payload type: %s", env.PayloadType)
}
err = VerifySubject(rCtx.Context, statement.Subject, resolver)
if err != nil {
return nil, fmt.Errorf("failed to verify subject: %w", err)
}
value, err := ast.InterfaceToValue(statement)
if err != nil {
return nil, err
}
return ast.NewTerm(value), nil
// because we don't control the signature here (blame rego)
// nolint:gocritic
func (regoOpts *RegoFnOpts) verifyInTotoEnvelope(rCtx rego.BuiltinContext, envTerm, optsTerm *ast.Term) (*ast.Term, error) {
env := new(attestation.Envelope)
opts := new(attestation.VerifyOptions)
err := ast.As(envTerm.Value, env)
if err != nil {
return nil, fmt.Errorf("failed to cast envelope: %w", err)
}
err = ast.As(optsTerm.Value, &opts)
if err != nil {
return nil, fmt.Errorf("failed to cast verifier options: %w", err)
}
payload, err := attestation.VerifyDSSE(rCtx.Context, regoOpts.attestationVerifier, env, opts)
if err != nil {
return nil, fmt.Errorf("failed to verify envelope: %w", err)
}
statement := new(intoto.Statement)
switch env.PayloadType {
case intoto.PayloadType:
err = json.Unmarshal(payload, statement)
if err != nil {
return nil, fmt.Errorf("failed to unmarshal statement: %w", err)
}
// TODO: implement other types of envelope
default:
return nil, fmt.Errorf("unsupported payload type: %s", env.PayloadType)
}
err = VerifySubject(rCtx.Context, statement.Subject, regoOpts.attestationResolver)
if err != nil {
return nil, fmt.Errorf("failed to verify subject: %w", err)
}
value, err := ast.InterfaceToValue(statement)
if err != nil {
return nil, err
}
return ast.NewTerm(value), nil
}
func loadYAML(path string, bs []byte) (interface{}, error) {

65
policy/rego_test.go Normal file
View File

@@ -0,0 +1,65 @@
package policy
import (
"context"
"testing"
"github.com/docker/attest/attestation"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/open-policy-agent/opa/tester"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestPolicy(t *testing.T) {
paths := []string{"testdata/policies/test"}
modules, store, err := tester.Load(paths, nil)
require.NoError(t, err)
resolver := &NullAttestationResolver{}
opts := NewRegoFunctionOptions(resolver, nil)
ctx := context.Background()
ch, err := tester.NewRunner().
SetStore(store).
AddCustomBuiltins(RegoFunctions(opts)).
CapturePrintOutput(true).
RaiseBuiltinErrors(true).
EnableTracing(true).
SetModules(modules).
RunTests(ctx, nil)
require.NoError(t, err)
require.NoError(t, err)
results := buffer(ch)
assert.Equalf(t, 1, len(results), "expected 1 results, got %d", len(results))
assert.Truef(t, results[0].Pass(), "expected result 1 to pass, got %v", results[0])
assert.True(t, resolver.called)
}
func buffer[T any](ch chan T) []T {
var out []T
for v := range ch {
out = append(out, v)
}
return out
}
type NullAttestationResolver struct {
called bool
}
func (r *NullAttestationResolver) ImageName(_ context.Context) (string, error) {
return "", nil
}
func (r *NullAttestationResolver) ImagePlatform(_ context.Context) (*v1.Platform, error) {
return v1.ParsePlatform("")
}
func (r *NullAttestationResolver) ImageDescriptor(_ context.Context) (*v1.Descriptor, error) {
return nil, nil
}
func (r *NullAttestationResolver) Attestations(_ context.Context, _ string) ([]*attestation.Envelope, error) {
r.called = true
return nil, nil
}

35
policy/resolver.go
View File

@@ -8,9 +8,10 @@ import (
"path/filepath"
"github.com/distribution/reference"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/util"
"github.com/docker/attest/mapping"
"github.com/docker/attest/tuf"
v1 "github.com/google/go-containerregistry/pkg/v1"
)
type Resolver struct {
@@ -25,7 +26,7 @@ func NewResolver(tufClient tuf.Downloader, opts *Options) *Resolver {
}
}
func (r *Resolver) ResolvePolicy(_ context.Context, imageName string) (*Policy, error) {
func (r *Resolver) ResolvePolicy(_ context.Context, imageName string, platform *v1.Platform) (*Policy, error) {
p, err := r.resolvePolicyByID()
if err != nil {
return nil, fmt.Errorf("failed to resolve policy by id: %w", err)
@@ -37,45 +38,45 @@ func (r *Resolver) ResolvePolicy(_ context.Context, imageName string) (*Policy,
if err != nil {
return nil, fmt.Errorf("failed to parse image name: %w", err)
}
localMappings, err := config.LoadLocalMappings(r.opts.LocalPolicyDir)
localMappings, err := mapping.LoadLocalMappings(r.opts.LocalPolicyDir)
if err != nil {
return nil, fmt.Errorf("failed to load local policy mappings: %w", err)
}
match, err := findPolicyMatch(imageName, localMappings)
match, err := localMappings.FindPolicyMatch(imageName, platform)
if err != nil {
return nil, err
}
if match.matchType == matchTypePolicy {
return r.resolveLocalPolicy(match.policy, imageName, match.matchedName)
if match.MatchType == mapping.MatchTypePolicy {
return r.resolveLocalPolicy(match.Policy, imageName, match.MatchedName)
}
if !r.opts.DisableTUF {
tufMappings, err := config.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir)
tufMappings, err := mapping.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir)
if err != nil {
return nil, fmt.Errorf("failed to load tuf policy mappings as fallback: %w", err)
}
// it's a mirror of a tuf policy
if match.matchType == matchTypeMatchNoPolicy {
if match.MatchType == mapping.MatchTypeMatchNoPolicy {
for _, mapping := range tufMappings.Policies {
if mapping.ID == match.rule.PolicyID {
return r.resolveTUFPolicy(mapping, imageName, match.matchedName)
if mapping.ID == match.Rule.PolicyID {
return r.resolveTUFPolicy(mapping, imageName, match.MatchedName)
}
}
}
// try to resolve a tuf policy directly
match, err = findPolicyMatch(imageName, tufMappings)
match, err = tufMappings.FindPolicyMatch(imageName, platform)
if err != nil {
return nil, err
}
if match.matchType == matchTypePolicy {
return r.resolveTUFPolicy(match.policy, imageName, match.matchedName)
if match.MatchType == mapping.MatchTypePolicy {
return r.resolveTUFPolicy(match.Policy, imageName, match.MatchedName)
}
}
return nil, nil
}
func (r *Resolver) resolveLocalPolicy(mapping *config.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
func (r *Resolver) resolveLocalPolicy(mapping *mapping.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
if r.opts.LocalPolicyDir == "" {
return nil, fmt.Errorf("local policy dir not set")
}
@@ -118,7 +119,7 @@ func (r *Resolver) resolveLocalPolicy(mapping *config.PolicyMapping, imageName s
return policy, nil
}
func (r *Resolver) resolveTUFPolicy(mapping *config.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
func (r *Resolver) resolveTUFPolicy(mapping *mapping.PolicyMapping, imageName string, matchedName string) (*Policy, error) {
var URI string
var digest map[string]string
files := make([]*File, 0, len(mapping.Files))
@@ -159,7 +160,7 @@ func (r *Resolver) resolveTUFPolicy(mapping *config.PolicyMapping, imageName str
func (r *Resolver) resolvePolicyByID() (*Policy, error) {
if r.opts.PolicyID != "" {
localMappings, err := config.LoadLocalMappings(r.opts.LocalPolicyDir)
localMappings, err := mapping.LoadLocalMappings(r.opts.LocalPolicyDir)
if err != nil {
return nil, fmt.Errorf("failed to load local policy mappings: %w", err)
}
@@ -171,7 +172,7 @@ func (r *Resolver) resolvePolicyByID() (*Policy, error) {
}
if !r.opts.DisableTUF {
tufMappings, err := config.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir)
tufMappings, err := mapping.LoadTUFMappings(r.tufClient, r.opts.LocalTargetsDir)
if err != nil {
return nil, fmt.Errorf("failed to load tuf policy mappings by id: %w", err)
}

6
policy/resolver_test.go
View File

@@ -7,6 +7,7 @@ import (
"github.com/docker/attest/internal/test"
"github.com/docker/attest/policy"
"github.com/docker/attest/tuf"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
@@ -17,7 +18,8 @@ func TestResolvePolicy(t *testing.T) {
noLocalPolicyPath := "testdata/policies/no-policy"
testPolicyID := "docker-official-images"
testImageName := "localhost:5001/test/repo:tag"
defaultPlatform, err := v1.ParsePlatform("linux/amd64")
require.NoError(t, err)
testCases := []struct {
name string
policyPath string
@@ -52,7 +54,7 @@ func TestResolvePolicy(t *testing.T) {
opts.DisableTUF = tc.DisableTUF
opts.LocalTargetsDir = tempDir
resolver := policy.NewResolver(tufClient, opts)
policy, err := resolver.ResolvePolicy(context.Background(), testImageName)
policy, err := resolver.ResolvePolicy(context.Background(), testImageName, defaultPlatform)
require.NoError(t, err)
assert.NotNil(t, policy)
if tc.DisableTUF || tc.localOverridesTUF {

7
policy/testdata/policies/test/fetch.rego vendored Normal file
View File

@@ -0,0 +1,7 @@
package attest
import rego.v1
success if {
some env in attest.fetch("foo")
}

7
policy/testdata/policies/test/fetch_test.rego vendored Normal file
View File

@@ -0,0 +1,7 @@
package attest
import rego.v1
test_sucess if {
success
}

22
policy/types.go
View File

@@ -1,7 +1,8 @@
package policy
import (
"github.com/docker/attest/config"
"github.com/docker/attest/attestation"
"github.com/docker/attest/mapping"
"github.com/docker/attest/tuf"
intoto "github.com/in-toto/in-toto-golang/in_toto"
)
@@ -27,20 +28,21 @@ type Result struct {
}
type Options struct {
TUFClientOptions *tuf.ClientOptions
DisableTUF bool
LocalTargetsDir string
LocalPolicyDir string
PolicyID string
ReferrersRepo string
AttestationStyle config.AttestationStyle
Debug bool
TUFClientOptions *tuf.ClientOptions
DisableTUF bool
LocalTargetsDir string
LocalPolicyDir string
PolicyID string
ReferrersRepo string
AttestationStyle mapping.AttestationStyle
Debug bool
AttestationVerifier attestation.Verifier
}
type Policy struct {
InputFiles []*File
Query string
Mapping *config.PolicyMapping
Mapping *mapping.PolicyMapping
ResolvedName string
URI string
Digest map[string]string

5
signerverifier/aws.go
View File

@@ -20,8 +20,5 @@ func GetAWSSigner(ctx context.Context, keyARN string, region string) (dsse.Signe
if err != nil {
return nil, fmt.Errorf("error getting aws crypto signer: %w", err)
}
signer := &ECDSA256SignerVerifier{
Signer: cs,
}
return signer, nil
return NewECDSASignerVerifier(cs)
}

64
signerverifier/common.go
View File

@@ -9,52 +9,17 @@ import (
"crypto/x509"
"encoding/pem"
"fmt"
"io"
"github.com/docker/attest/internal/util"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
)
type ECDSA256SignerVerifier struct {
crypto.Signer
}
// implement keyid function.
func (s *ECDSA256SignerVerifier) KeyID() (string, error) {
keyid, err := KeyID(s.Signer.Public())
if err != nil {
return "", fmt.Errorf("error getting keyid: %w", err)
}
return keyid, nil
}
func (s *ECDSA256SignerVerifier) Public() crypto.PublicKey {
return s.Signer.Public()
}
func (s *ECDSA256SignerVerifier) Sign(_ context.Context, data []byte) ([]byte, error) {
return s.Signer.Sign(rand.Reader, data, crypto.SHA256)
}
func (s *ECDSA256SignerVerifier) Verify(_ context.Context, data []byte, sig []byte) error {
pub, ok := s.Signer.Public().(*ecdsa.PublicKey)
if !ok {
return fmt.Errorf("public key is not ecdsa")
}
ok = ecdsa.VerifyASN1(pub, util.SHA256(data), sig)
if !ok {
return fmt.Errorf("payload signature is not valid")
}
return nil
}
func LoadKeyPair(priv []byte) (dsse.SignerVerifier, error) {
privateKey, err := parsePriv(priv)
if err != nil {
return nil, err
}
return &ECDSA256SignerVerifier{
Signer: privateKey,
}, nil
return NewECDSASignerVerifier(privateKey)
}
func parsePriv(privkeyBytes []byte) (*ecdsa.PrivateKey, error) {
@@ -78,7 +43,26 @@ func GenKeyPair() (dsse.SignerVerifier, error) {
if err != nil {
return nil, err
}
return &ECDSA256SignerVerifier{
Signer: signer,
}, nil
return NewECDSASignerVerifier(signer)
}
// ensure it implements crypto.Signer.
var _ crypto.Signer = (*cryptoSignerWrapper)(nil)
type cryptoSignerWrapper struct {
sv dsse.SignerVerifier
}
// Public implements crypto.Signer.
func (c *cryptoSignerWrapper) Public() crypto.PublicKey {
return c.sv.Public()
}
// Sign implements crypto.Signer.
func (c *cryptoSignerWrapper) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) (signature []byte, err error) {
return c.sv.Sign(context.Background(), digest)
}
func AsCryptoSigner(signer dsse.SignerVerifier) (crypto.Signer, error) {
return &cryptoSignerWrapper{sv: signer}, nil
}

80
signerverifier/ecdsa.go Normal file
View File

@@ -0,0 +1,80 @@
package signerverifier
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/rand"
"fmt"
"github.com/docker/attest/internal/util"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
)
type ecdsaVerifier struct {
publicKey *ecdsa.PublicKey
keyID string
}
// ensure ECDSAVerifier implements dsse.Verifier.
var _ dsse.Verifier = (*ecdsaVerifier)(nil)
func NewECDSAVerifier(publicKey crypto.PublicKey) (dsse.Verifier, error) {
ecdsaPublicKey, ok := (publicKey).(*ecdsa.PublicKey)
if !ok {
return nil, fmt.Errorf("public key is not an ECDSA public key")
}
return &ecdsaVerifier{
publicKey: ecdsaPublicKey,
}, nil
}
func (v *ecdsaVerifier) Verify(_ context.Context, data, signature []byte) error {
// verify payload ecdsa signature
ok := ecdsa.VerifyASN1(v.publicKey, util.SHA256(data), signature)
if !ok {
return fmt.Errorf("payload signature is not valid")
}
return nil
}
func (v *ecdsaVerifier) Public() crypto.PublicKey {
return v.publicKey
}
func (v *ecdsaVerifier) KeyID() (string, error) {
if v.keyID != "" {
return v.keyID, nil
}
keyID, err := KeyID(v.publicKey)
if err != nil {
return "", fmt.Errorf("failed to get key ID: %w", err)
}
v.keyID = keyID
return v.keyID, nil
}
// must implement dsse.SignerVerifier interface.
var _ dsse.SignerVerifier = (*ecdsa256SignerVerifier)(nil)
type ecdsa256SignerVerifier struct {
signer crypto.Signer
dsse.Verifier
}
func NewECDSASignerVerifier(signer crypto.Signer) (dsse.SignerVerifier, error) {
verifier, err := NewECDSAVerifier(signer.Public())
if err != nil {
return nil, fmt.Errorf("failed to create verifier: %w", err)
}
sv := &ecdsa256SignerVerifier{
signer: signer,
Verifier: verifier,
}
return sv, nil
}
func (s *ecdsa256SignerVerifier) Sign(_ context.Context, data []byte) ([]byte, error) {
return s.signer.Sign(rand.Reader, data, crypto.SHA256)
}

5
signerverifier/gcp.go
View File

@@ -21,8 +21,5 @@ func GetGCPSigner(ctx context.Context, reference string, opts ...option.ClientOp
if err != nil {
return nil, fmt.Errorf("error getting gcp crypto signer: %w", err)
}
signer := &ECDSA256SignerVerifier{
Signer: cs,
}
return signer, nil
return NewECDSASignerVerifier(cs)
}

10
signerverifier/gcp_test.go
View File

@@ -40,6 +40,14 @@ func TestGCPKMS_Signer(t *testing.T) {
publicKey, err := ParsePublicKey([]byte(publicKeyPEM))
require.NoError(t, err)
// verify payload ecdsa signature
ok := ecdsa.VerifyASN1(publicKey, hash, sig)
ecdsaPublicKey, ok := publicKey.(*ecdsa.PublicKey)
if !ok {
t.Fatal("Failed to convert publicKey to *ecdsa.PublicKey")
}
ok = ecdsa.VerifyASN1(ecdsaPublicKey, hash, sig)
assert.True(t, ok)
err = signer.Verify(ctx, msg, sig)
require.NoError(t, err)
}

17
signerverifier/parse.go
View File

@@ -1,6 +1,7 @@
package signerverifier
import (
"crypto"
"crypto/ecdsa"
"crypto/x509"
"encoding/pem"
@@ -9,7 +10,7 @@ import (
const pemType = "PUBLIC KEY"
func ParsePublicKey(pubkeyBytes []byte) (*ecdsa.PublicKey, error) {
func ParsePublicKey(pubkeyBytes []byte) (crypto.PublicKey, error) {
p, _ := pem.Decode(pubkeyBytes)
if p == nil {
return nil, fmt.Errorf("pubkey file does not contain any PEM data")
@@ -17,12 +18,15 @@ func ParsePublicKey(pubkeyBytes []byte) (*ecdsa.PublicKey, error) {
if p.Type != pemType {
return nil, fmt.Errorf("pubkey file does not contain a public key")
}
pubKey, err := x509.ParsePKIXPublicKey(p.Bytes)
if err != nil {
return nil, fmt.Errorf("error failed to parse public key: %w", err)
}
return x509.ParsePKIXPublicKey(p.Bytes)
}
ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
func ParseECDSAPublicKey(pubkeyBytes []byte) (*ecdsa.PublicKey, error) {
pk, err := ParsePublicKey(pubkeyBytes)
if err != nil {
return nil, err
}
ecdsaPubKey, ok := pk.(*ecdsa.PublicKey)
if !ok {
return nil, fmt.Errorf("error public key is not an ecdsa key: %w", err)
}
@@ -34,6 +38,5 @@ func ConvertToPEM(ecdsaPubKey *ecdsa.PublicKey) ([]byte, error) {
if err != nil {
return nil, fmt.Errorf("error failed to marshal public key: %w", err)
}
return pem.EncodeToMemory(&pem.Block{Type: pemType, Bytes: pubKeyBytes}), nil
}

2
test/testdata/local-policy-fail/policy.rego vendored
View File

@@ -23,7 +23,7 @@ atts := union({
provs("https://spdx.dev/Document"),
})
opts := {"keys": keys}
opts := {"keys": keys, "skip_tl": true}
statements contains s if {
some att in atts

2
test/testdata/local-policy-pass/policy.rego vendored
View File

@@ -23,7 +23,7 @@ atts := union({
provs("https://spdx.dev/Document"),
})
opts := {"keys": keys}
opts := {"keys": keys, "skip_tl": true}
statements contains s if {
some att in atts

2
test/testdata/local-policy/doi/policy.rego vendored
View File

@@ -22,7 +22,7 @@ atts := union({
provs("https://spdx.dev/Document"),
})
opts := {"keys": keys}
opts := {"keys": keys, "skip_tl": false}
statements contains s if {
some att in atts

4
tlog/keys/c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d.pem Normal file
View File

@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr
kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==
-----END PUBLIC KEY-----

61
tlog/mock.go
View File

@@ -2,6 +2,7 @@ package tlog
import (
"context"
"encoding/json"
"fmt"
"time"
@@ -15,36 +16,48 @@ const (
TestEntry = `{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI5Zjg2ZDA4MTg4NGM3ZDY1OWEyZmVhYTBjNTVhZDAxNWEzYmY0ZjFiMmIwYjgyMmNkMTVkNmMxNWIwZjAwYTA4In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FUUNJQUlyVUZGUzBIYmNzZjc5L08yajVXdHl2R2Vvd1NVSXpZcDlBM2IwWnREVUFpQVQxZU42ZjFyVmVWa011REFlN3dxWkJ2bE5LY2VsajNVVDNmaWhyQjZSY2c9PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVSlZla05DSzJGQlJFRm5SVU5CWjBWQ1RVRnZSME5EY1VkVFRUUTVRa0ZOUTAxQk9IaEVWRUZNUW1kT1ZrSkJUVlJDU0ZKc1l6TlJkMGhvWTA0S1RXcE5lRTFxU1ROTlZHdDVUWHBWTlZkb1kwNU5hbEY0VFdwSk1rMVVhM2xOZWxVMVYycEJVRTFSTUhkRGQxbEVWbEZSUkVWM1VqQmFXRTR3VFVacmR3cEZkMWxJUzI5YVNYcHFNRU5CVVZsSlMyOWFTWHBxTUVSQlVXTkVVV2RCUlVRMFZpdFNSV2g0SzJGeFYwZzNlV3hOVFVSSVlXaE9UVzVOVEZOUFNsQXZDamxyUVcwNWJIQXJNMjF4V1ZSQmFGVlNjbUUyVDBRMVVYZzRXbUprSzJWMVVIbFFhemw1SzNjdloxZEhSRUk1ZW00dlNXd3hTMDVIVFVWUmQwUm5XVVFLVmxJd1VFRlJTQzlDUVZGRVFXZGxRVTFDVFVkQk1WVmtTbEZSVFUxQmIwZERRM05IUVZGVlJrSjNUVVJOUVhkSFFURlZaRVYzUlVJdmQxRkRUVUZCZHdwRWQxbEVWbEl3VWtKQlozZENiMGxGWkVkV2VtUkVRVXRDWjJkeGFHdHFUMUJSVVVSQlowNUtRVVJDUjBGcFJVRTNOMjFFTDFSbVJtRlJVemxrWlhRMENqbFhaRk41YURKT1VTOUZiMVJtYVVGdFFtaHVWblpEVTNSUVowTkpVVU1yZDNSdllpOU9iMUp4T0c5cU4wZDNibTVKYUZKVGRDOVJNbmtyVXpoUkwzSUthRkpVYW5GaE9HZExRVDA5Q2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0=","integratedTime":1703705039,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d","logIndex":59674396,"verification":{"inclusionProof":{"checkpoint":"rekor.sigstore.dev - 2605736670972794746\n55510966\nJCi1O53Xmdi9lXnui4Q5SQ+MJSMnWr1Bxn+Q2Qf22tU=\nTimestamp: 1703705040158839214\n\n— rekor.sigstore.dev wNI9ajBFAiAXgtjFDVqCSgiSP04TQzELrz4+EyBwyYVL2EEULTCy0AIhAI9peLU76ZUD1tvU8qvzBJBo77IYD1rc+A1MPc35AeVK\n","hashes":["fb77ee213b48f4b18dc81c6e634c570abf99b257713561f174f2e0f4c039af67","6cb113bbefadecbbb8b89b1c08232438a6125071790b6a062cff8c1ccfdcb91e","6fbe1424e264e4590ca502d671b7a036c87f7a90d1f57534b98eb781144160bf","077b606720a6478200f6c3ed08a68e9b01b1cae192cb120888ddcc95521601bd","b6f8e8bc21ae0cde82b92422a4b4f37b28a43185821e468a4e65b6c79ed8f5b7","89332533fac54e9bc68c7353c42f6ebb9fe38039f67910332ff95082072068d4","0814d6f707a75fb3334bab14ab5466bd8b9a64ae7be7cd4d53a428c64932bc66","e883e826f10329c63a4a2ed21156037a050df43b9d74079296beac6968ed4150","d79230703257b7e4a8a61b032b6980d1a0bdbc7ae96ca838b525b3751785fe48","2f4a77e5288462cd3b75084d37f1502dcbe0943d18dd95cb247fc1ebbabc0aad","38562c253d3536d0d00e3547c880b6b0251a25ac69605b50c9eaa1a27186cc7a","9dea192350ff8b3c0f5ccda38261cb38ebd61869281c3928912332d1144e0a04","2c4d25ba59aa573ab2c79c2d3cd9e1d74789b10632432724d63112ce50b44874","98c486feb5d87092a78a46c4b5be04868654900affc2e86ffb20074dc73a883a","6969c49bd73f19bf28a5eaeabd331ddd60502defb2cd3d96e17b741c80adec6c"],"logIndex":55510965,"rootHash":"2428b53b9dd799d8bd9579ee8b8439490f8c2523275abd41c67f90d907f6dad5","treeSize":55510966},"signedEntryTimestamp":"MEUCIQCG9PRI8PcvtJyE9pbcculZipze6NEWR1Nk8EYocto3BwIgYu5gqgjW80HMjSjUxUNJLp0wlVTesnJCeByUBySc59w="}}`
)
func GetMockTL() TL {
unmarshalEntry := func(entry []byte) (*models.LogEntryAnon, error) {
le := new(models.LogEntryAnon)
err := le.UnmarshalBinary(entry)
if err != nil {
return nil, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
return le, nil
}
return &MockTL{
UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) ([]byte, error) {
return []byte(TestEntry), nil
func GetMockTL() TransparencyLog {
return &MockTransparencyLog{
UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) (*DockerTLExtension, error) {
return &DockerTLExtension{
Kind: "Mock",
Data: json.RawMessage(TestEntry),
}, nil
},
VerifyLogEntryFunc: func(_ context.Context, entryBytes []byte) (time.Time, error) {
VerifyLogEntryFunc: func(_ context.Context, ext *DockerTLExtension, _, _ []byte) (time.Time, error) {
// return the integrated time in the log entry without any checking
le, err := unmarshalEntry(entryBytes)
entry := new(models.LogEntryAnon)
entryBytes, err := json.Marshal(ext.Data)
if err != nil {
return time.Time{}, err
return time.Time{}, fmt.Errorf("error failed to marshal TL entry: %w", err)
}
if le.IntegratedTime == nil {
err = entry.UnmarshalBinary(entryBytes)
if err != nil {
return time.Time{}, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
if entry.IntegratedTime == nil {
return time.Time{}, fmt.Errorf("error missing integrated time in TL entry")
}
return time.Unix(*le.IntegratedTime, 0), nil
},
VerifyEntryPayloadFunc: func(_, _, _ []byte) error {
return nil
},
UnmarshalEntryFunc: func(entry []byte) (any, error) {
return unmarshalEntry(entry)
return time.Unix(*entry.IntegratedTime, 0), nil
},
}
}
type MockTransparencyLog struct {
UploadLogEntryFunc func(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error)
VerifyLogEntryFunc func(ctx context.Context, ext *DockerTLExtension, payload, publicKey []byte) (time.Time, error)
}
func (tl *MockTransparencyLog) UploadEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error) {
if tl.UploadLogEntryFunc != nil {
return tl.UploadLogEntryFunc(ctx, subject, payload, signature, signer)
}
return nil, nil
}
func (tl *MockTransparencyLog) VerifyEntry(ctx context.Context, ext *DockerTLExtension, payload, publicKey []byte) (time.Time, error) {
if tl.VerifyLogEntryFunc != nil {
return tl.VerifyLogEntryFunc(ctx, ext, payload, publicKey)
}
return time.Time{}, nil
}

229
tlog/rekor.go Normal file
View File

@@ -0,0 +1,229 @@
package tlog
import (
"bytes"
"context"
"crypto/sha256"
"crypto/x509"
"encoding/base64"
"encoding/json"
"encoding/pem"
"fmt"
"path/filepath"
"strings"
"time"
"github.com/docker/attest/internal/util"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tuf"
"github.com/docker/attest/useragent"
"github.com/go-openapi/runtime"
"github.com/go-openapi/strfmt"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/cosign/v2/pkg/cosign"
rclient "github.com/sigstore/rekor/pkg/client"
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/types"
hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
stuf "github.com/sigstore/sigstore/pkg/tuf"
_ "embed"
)
const RekorTLExtKind = "Rekor"
// ensure it has all the necessary methods.
var _ TransparencyLog = (*Rekor)(nil)
const defaultPublicKeysDir = "rekor"
type Rekor struct {
publicKeys *cosign.TrustedTransparencyLogPubKeys
tufDownloader tuf.Downloader
publicKeysDir string
}
//go:embed keys/c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d.pem
var rekorPublicKey []byte
func WithTUFDownloader(tufDownloader tuf.Downloader) func(*Rekor) {
return func(r *Rekor) {
r.tufDownloader = tufDownloader
}
}
func WithTUFPublicKeysDir(dir string) func(*Rekor) {
return func(r *Rekor) {
r.publicKeysDir = dir
}
}
func NewRekorLog(options ...func(*Rekor)) (*Rekor, error) {
pk, err := signerverifier.ParsePublicKey(rekorPublicKey)
if err != nil {
return nil, fmt.Errorf("error parsing rekor public key: %w", err)
}
kid, err := signerverifier.KeyID(pk)
if err != nil {
return nil, fmt.Errorf("error getting keyid: %w", err)
}
keys := map[string]cosign.TransparencyLogPubKey{
kid: {
PubKey: pk,
Status: stuf.Active,
},
}
rekor := &Rekor{
publicKeys: &cosign.TrustedTransparencyLogPubKeys{
Keys: keys,
},
publicKeysDir: defaultPublicKeysDir,
}
for _, opt := range options {
opt(rekor)
}
return rekor, nil
}
// UploadEntry submits a PK token signature to the transparency log.
func (tl *Rekor) UploadEntry(ctx context.Context, subject string, encPayload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error) {
// generate self-signed x509 cert
pubCert, err := CreateX509Cert(subject, signer)
if err != nil {
return nil, fmt.Errorf("Error creating x509 cert: %w", err)
}
// generate hash of payload
hasher := sha256.New()
hasher.Write(encPayload)
// upload entry
rekorClient, err := rclient.GetRekorClient(DefaultRekorURL, rclient.WithUserAgent(useragent.Get(ctx)))
if err != nil {
return nil, fmt.Errorf("Error creating rekor client: %w", err)
}
entry, err := cosign.TLogUpload(ctx, rekorClient, signature, hasher, pubCert)
if err != nil {
return nil, fmt.Errorf("Error uploading tlog: %w", err)
}
return &DockerTLExtension{
Kind: RekorTLExtKind,
Data: entry, // transparency log entry metadata
}, nil
}
// VerifyEntry verifies a transparency log entry.
func (tl *Rekor) VerifyEntry(ctx context.Context, ext *DockerTLExtension, encPayload, publicKey []byte) (time.Time, error) {
zeroTime := time.Time{}
// because the Data field has been unmarsalled into a map[string]interface{} we need to marshal it back to bytes
// for the unmarshaler to work correctly
entryBytes, err := json.Marshal(ext.Data)
if err != nil {
return time.Time{}, fmt.Errorf("error failed to marshal TL entry: %w", err)
}
entry, err := tl.UnmarshalEntry(entryBytes)
if err != nil {
return zeroTime, fmt.Errorf("error unmarshaling TL entry: %w", err)
}
err = entry.Validate(strfmt.Default)
if err != nil {
return zeroTime, fmt.Errorf("TL entry failed validation: %w", err)
}
// check if tl.publicKeys containers le.LogId
_, ok := tl.publicKeys.Keys[*entry.LogID]
if !ok {
// otherwise check TUF
pkTarget, err := tl.tufDownloader.DownloadTarget(filepath.Join(tl.publicKeysDir, fmt.Sprintf("%s.pem", *entry.LogID)), "")
if err != nil {
return zeroTime, fmt.Errorf("error downloading rekor public key %s: %w", *entry.LogID, err)
}
pk, err := signerverifier.ParsePublicKey(pkTarget.Data)
if err != nil {
return zeroTime, fmt.Errorf("error parsing public key: %w", err)
}
tl.publicKeys.Keys[*entry.LogID] = cosign.TransparencyLogPubKey{
PubKey: pk,
Status: stuf.Active,
}
}
err = cosign.VerifyTLogEntryOffline(ctx, entry, tl.publicKeys)
if err != nil {
return zeroTime, fmt.Errorf("TL entry failed verification: %w", err)
}
integratedTime := time.Unix(*entry.IntegratedTime, 0)
err = tl.VerifyEntryPayload(entry, encPayload, publicKey)
if err != nil {
return zeroTime, fmt.Errorf("error verifying TL entry payload: %w", err)
}
return integratedTime, nil
}
// VerifyEntryPayload checks that the TL entry payload matches envelope payload.
func (tl *Rekor) VerifyEntryPayload(entry *models.LogEntryAnon, payload, publicKey []byte) error {
tlBody, ok := entry.Body.(string)
if !ok {
return fmt.Errorf("expected tl body to be of type string, got %T", entry)
}
rekord, err := extractHashedRekord(tlBody)
if err != nil {
return fmt.Errorf("error extract HashedRekord from TL entry: %w", err)
}
// compare payload hashes
payloadHash := util.SHA256Hex(payload)
if rekord.Hash != payloadHash {
return fmt.Errorf("error payload and tl entry hash mismatch")
}
// compare public keys
cert, err := base64.StdEncoding.Strict().DecodeString(rekord.PublicKey)
if err != nil {
return fmt.Errorf("failed to decode public key: %w", err)
}
p, _ := pem.Decode(cert)
result, err := x509.ParseCertificate(p.Bytes)
if err != nil {
return fmt.Errorf("failed to parse certificate: %w", err)
}
if !bytes.Equal(result.RawSubjectPublicKeyInfo, publicKey) {
return fmt.Errorf("error payload and tl entry public key mismatch")
}
return nil
}
func (tl *Rekor) UnmarshalEntry(entry []byte) (*models.LogEntryAnon, error) {
le := new(models.LogEntryAnon)
err := le.UnmarshalBinary(entry)
if err != nil {
return nil, fmt.Errorf("error failed to unmarshal Rekor entry: %w", err)
}
return le, nil
}
func extractHashedRekord(body string) (*Payload, error) {
sig := new(Payload)
pe, err := models.UnmarshalProposedEntry(base64.NewDecoder(base64.StdEncoding, strings.NewReader(body)), runtime.JSONConsumer())
if err != nil {
return nil, err
}
impl, err := types.UnmarshalEntry(pe)
if err != nil {
return nil, err
}
switch entry := impl.(type) {
case *hashedrekord_v001.V001Entry:
sig.Algorithm = *entry.HashedRekordObj.Data.Hash.Algorithm
sig.Hash = *entry.HashedRekordObj.Data.Hash.Value
sig.Signature = entry.HashedRekordObj.Signature.Content.String()
sig.PublicKey = entry.HashedRekordObj.Signature.PublicKey.Content.String()
return sig, nil
default:
return nil, fmt.Errorf("failed to extract haskedrekord, unsupported type: %T", entry)
}
}

64
tlog/rekor_test.go Normal file
View File

@@ -0,0 +1,64 @@
//go:build e2e
package tlog
import (
"context"
"crypto/x509"
_ "embed"
"testing"
"time"
"github.com/docker/attest/internal/test"
"github.com/docker/attest/internal/util"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/tuf"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// NOTE: these are only run on CI to protect Rekor, but work just fine locally.
func TestRekor(t *testing.T) {
// message digest
payload := []byte("test")
hash := util.SHA256(payload)
// generate ephemeral keys to sign message digest
signer, err := signerverifier.GenKeyPair()
assert.NoError(t, err)
sig, err := signer.Sign(context.Background(), hash)
assert.NoError(t, err)
tests := []struct {
name string
tufDownloader tuf.Downloader
pubKeysDir string
}{
{name: "TestRekor (no tuf)"},
{name: "TestRekor (with tuf)", tufDownloader: tuf.NewMockTufClient("."), pubKeysDir: "keys"},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
pk := signer.Public()
publicKey, err := x509.MarshalPKIXPublicKey(pk)
if tt.tufDownloader != nil {
// set to incorrect public key to test TUF flow
keyStr, err := test.PublicKeyToPEM(pk)
require.NoError(t, err)
rekorPublicKey = []byte(keyStr)
}
rekor, err := NewRekorLog(WithTUFDownloader(tt.tufDownloader), WithTUFPublicKeysDir(tt.pubKeysDir))
require.NoError(t, err)
require.NotNil(t, rekor)
ext, err := rekor.UploadEntry(context.Background(), "test", payload, sig, signer)
require.NoError(t, err)
require.NotNil(t, ext)
assert.Equal(t, RekorTLExtKind, ext.Kind)
assert.NotEmpty(t, ext.Data)
when, err := rekor.VerifyEntry(context.Background(), ext, payload, publicKey)
require.NoError(t, err)
assert.WithinDuration(t, time.Now(), when, 5*time.Second)
})
}
}

218
tlog/tl.go
View File

@@ -1,162 +1,38 @@
package tlog
import (
"bytes"
"context"
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"crypto/x509/pkix"
"encoding/base64"
"encoding/pem"
"fmt"
"math/big"
"strings"
"time"
"github.com/docker/attest/internal/util"
"github.com/docker/attest/signerverifier"
"github.com/docker/attest/useragent"
"github.com/go-openapi/runtime"
"github.com/go-openapi/strfmt"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/cosign/v2/pkg/cosign"
rclient "github.com/sigstore/rekor/pkg/client"
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/types"
hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
)
const (
DefaultRekorURL = "https://rekor.sigstore.dev"
)
type tlCtxKeyType struct{}
var TLCtxKey tlCtxKeyType
// sets TL in context.
func WithTL(ctx context.Context, tl TL) context.Context {
return context.WithValue(ctx, TLCtxKey, tl)
type TransparencyLog interface {
UploadEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) (*DockerTLExtension, error)
VerifyEntry(ctx context.Context, entry *DockerTLExtension, payload, publicKey []byte) (time.Time, error)
}
// gets TL from context, defaults to Rekor TL if not set.
func GetTL(ctx context.Context) TL {
t, ok := ctx.Value(TLCtxKey).(TL)
if !ok {
t = &RekorTL{}
}
return t
}
type TLPayload struct {
type Payload struct {
Algorithm string
Hash string
Signature string
PublicKey string
}
type TL interface {
UploadLogEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error)
VerifyLogEntry(ctx context.Context, entryBytes []byte) (time.Time, error)
VerifyEntryPayload(entryBytes, payload, publicKey []byte) error
UnmarshalEntry(entryBytes []byte) (any, error)
}
type MockTL struct {
UploadLogEntryFunc func(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error)
VerifyLogEntryFunc func(ctx context.Context, entryBytes []byte) (time.Time, error)
VerifyEntryPayloadFunc func(entryBytes, payload, publicKey []byte) error
UnmarshalEntryFunc func(entryBytes []byte) (any, error)
}
func (tl *MockTL) UploadLogEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error) {
if tl.UploadLogEntryFunc != nil {
return tl.UploadLogEntryFunc(ctx, subject, payload, signature, signer)
}
return nil, nil
}
func (tl *MockTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) (time.Time, error) {
if tl.VerifyLogEntryFunc != nil {
return tl.VerifyLogEntryFunc(ctx, entryBytes)
}
return time.Time{}, nil
}
func (tl *MockTL) VerifyEntryPayload(entryBytes, payload, publicKey []byte) error {
if tl.VerifyEntryPayloadFunc != nil {
return tl.VerifyEntryPayloadFunc(entryBytes, payload, publicKey)
}
return nil
}
func (tl *MockTL) UnmarshalEntry(entryBytes []byte) (any, error) {
if tl.UnmarshalEntryFunc != nil {
return tl.UnmarshalEntryFunc(entryBytes)
}
return nil, nil
}
type RekorTL struct{}
// UploadLogEntry submits a PK token signature to the transparency log.
func (tl *RekorTL) UploadLogEntry(ctx context.Context, subject string, payload, signature []byte, signer dsse.SignerVerifier) ([]byte, error) {
// generate self-signed x509 cert
pubCert, err := CreateX509Cert(subject, signer)
if err != nil {
return nil, fmt.Errorf("Error creating x509 cert: %w", err)
}
// generate hash of payload
hasher := sha256.New()
hasher.Write(payload)
// upload entry
rekorClient, err := rclient.GetRekorClient(DefaultRekorURL, rclient.WithUserAgent(useragent.Get(ctx)))
if err != nil {
return nil, fmt.Errorf("Error creating rekor client: %w", err)
}
entry, err := cosign.TLogUpload(ctx, rekorClient, signature, hasher, pubCert)
if err != nil {
return nil, fmt.Errorf("Error uploading tlog: %w", err)
}
entryBytes, err := entry.MarshalBinary()
if err != nil {
return nil, fmt.Errorf("error marshaling TL entry: %w", err)
}
return entryBytes, nil
}
// VerifyLogEntry verifies a transparency log entry.
func (tl *RekorTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) (time.Time, error) {
zeroTime := time.Time{}
entry, err := tl.UnmarshalEntry(entryBytes)
if err != nil {
return zeroTime, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
le, ok := entry.(*models.LogEntryAnon)
if !ok {
return zeroTime, fmt.Errorf("expected entry to be of type *models.LogEntryAnon, got %T", entry)
}
err = le.Validate(strfmt.Default)
if err != nil {
return zeroTime, fmt.Errorf("TL entry failed validation: %w", err)
}
// TODO: get rekor public keys from TUF (ours or theirs?), and/or embed the public key in the binary
rekorPubKeys, err := cosign.GetRekorPubs(ctx)
if err != nil {
return zeroTime, fmt.Errorf("error failed to get rekor public keys: %w", err)
}
err = cosign.VerifyTLogEntryOffline(ctx, le, rekorPubKeys)
if err != nil {
return zeroTime, fmt.Errorf("TL entry failed verification: %w", err)
}
integratedTime := time.Unix(*le.IntegratedTime, 0)
return integratedTime, nil
type DockerTLExtension struct {
Kind string `json:"kind"`
Data any `json:"data"`
}
// CreateX509Cert generates a self-signed x509 cert for TL submission.
@@ -182,87 +58,15 @@ func CreateX509Cert(subject string, signer dsse.SignerVerifier) ([]byte, error)
// dsse.SignerVerifier doesn't implement cypto.Signer exactly
csigner, ok := signer.(*signerverifier.ECDSA256SignerVerifier)
if !ok {
return nil, fmt.Errorf("expected signer to be of type *signerverifier.ECDSA_SignerVerifier, got %T", signer)
csigner, err := signerverifier.AsCryptoSigner(signer)
if err != nil {
return nil, fmt.Errorf("error converting signer to crypto.Signer: %w", err)
}
// create a self-signed X.509 certificate
certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, signer.Public(), csigner.Signer)
certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, signer.Public(), csigner)
if err != nil {
return nil, fmt.Errorf("error creating X.509 certificate: %w", err)
}
certBlock := &pem.Block{Type: "CERTIFICATE", Bytes: certDER}
return pem.EncodeToMemory(certBlock), nil
}
// VerifyEntryPayload checks that the TL entry payload matches envelope payload.
func (tl *RekorTL) VerifyEntryPayload(entryBytes, payload, publicKey []byte) error {
entry, err := tl.UnmarshalEntry(entryBytes)
if err != nil {
return fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
le, ok := entry.(*models.LogEntryAnon)
if !ok {
return fmt.Errorf("expected tl entry to be of type *models.LogEntryAnon, got %T", entry)
}
tlBody, ok := le.Body.(string)
if !ok {
return fmt.Errorf("expected tl body to be of type string, got %T", entry)
}
rekord, err := extractHashedRekord(tlBody)
if err != nil {
return fmt.Errorf("error extract HashedRekord from TL entry: %w", err)
}
// compare payload hashes
payloadHash := util.SHA256Hex(payload)
if rekord.Hash != payloadHash {
return fmt.Errorf("error payload and tl entry hash mismatch")
}
// compare public keys
cert, err := base64.StdEncoding.Strict().DecodeString(rekord.PublicKey)
if err != nil {
return fmt.Errorf("failed to decode public key: %w", err)
}
p, _ := pem.Decode(cert)
result, err := x509.ParseCertificate(p.Bytes)
if err != nil {
return fmt.Errorf("failed to parse certificate: %w", err)
}
if !bytes.Equal(result.RawSubjectPublicKeyInfo, publicKey) {
return fmt.Errorf("error payload and tl entry public key mismatch")
}
return nil
}
func (tl *RekorTL) UnmarshalEntry(entry []byte) (any, error) {
le := new(models.LogEntryAnon)
err := le.UnmarshalBinary(entry)
if err != nil {
return nil, fmt.Errorf("error failed to unmarshal TL entry: %w", err)
}
return le, nil
}
func extractHashedRekord(body string) (*TLPayload, error) {
sig := new(TLPayload)
pe, err := models.UnmarshalProposedEntry(base64.NewDecoder(base64.StdEncoding, strings.NewReader(body)), runtime.JSONConsumer())
if err != nil {
return nil, err
}
impl, err := types.UnmarshalEntry(pe)
if err != nil {
return nil, err
}
switch entry := impl.(type) {
case *hashedrekord_v001.V001Entry:
sig.Algorithm = *entry.HashedRekordObj.Data.Hash.Algorithm
sig.Hash = *entry.HashedRekordObj.Data.Hash.Value
sig.Signature = entry.HashedRekordObj.Signature.Content.String()
sig.PublicKey = entry.HashedRekordObj.Signature.PublicKey.Content.String()
return sig, nil
default:
return nil, fmt.Errorf("failed to extract haskedrekord, unsupported type: %T", entry)
}
}

37
tlog/tl_test.go
View File

@@ -52,42 +52,31 @@ func TestUploadAndVerifyLogEntry(t *testing.T) {
sig, err := signer.Sign(context.Background(), hash)
assert.NoError(t, err)
var tl TL
var tl TransparencyLog
if UseMockTL {
tl = &MockTL{
UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) ([]byte, error) {
return []byte(TestEntry), nil
tl = &MockTransparencyLog{
UploadLogEntryFunc: func(_ context.Context, _ string, _ []byte, _ []byte, _ dsse.SignerVerifier) (*DockerTLExtension, error) {
return &DockerTLExtension{
Kind: RekorTLExtKind,
Data: []byte(TestEntry),
}, nil
},
VerifyLogEntryFunc: func(_ context.Context, _ []byte) (time.Time, error) {
VerifyLogEntryFunc: func(_ context.Context, _ *DockerTLExtension, _, _ []byte) (time.Time, error) {
return time.Time{}, nil
},
VerifyEntryPayloadFunc: func(_, _, _ []byte) error {
return nil
},
}
} else {
tl = &RekorTL{}
assert.NoError(t, err)
}
// test upload log entry
ctx := WithTL(context.Background(), tl)
entry, err := tl.UploadLogEntry(ctx, "test", payload, sig, signer)
ctx := context.Background()
entry, err := tl.UploadEntry(ctx, "test", payload, sig, signer)
assert.NoError(t, err)
// test verify log entry
_, err = tl.VerifyLogEntry(ctx, entry)
assert.NoError(t, err)
// verify TL entry payload
// verify TL entry
ecPub, err := x509.MarshalPKIXPublicKey(signer.Public())
assert.NoError(t, err)
err = tl.VerifyEntryPayload(entry, payload, ecPub)
assert.NoError(t, err)
}
func TestVerifyEntryPayload(t *testing.T) {
tl := &RekorTL{}
p, _ := pem.Decode([]byte(TestPublicKey))
err := tl.VerifyEntryPayload([]byte(TestEntry), []byte(TestPayload), p.Bytes)
_, err = tl.VerifyEntry(ctx, entry, payload, ecPub)
assert.NoError(t, err)
}

56
verify.go
View File

@@ -10,23 +10,20 @@ import (
"github.com/distribution/reference"
"github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci"
"github.com/docker/attest/policy"
"github.com/docker/attest/tuf"
intoto "github.com/in-toto/in-toto-golang/in_toto"
)
type Verifier interface {
Verify(ctx context.Context, src *oci.ImageSpec) (result *VerificationResult, err error)
type ImageVerifier struct {
opts *policy.Options
tufClient tuf.Downloader
attestationVerifier attestation.Verifier
}
type tufVerifier struct {
opts *policy.Options
tufClient tuf.Downloader
}
func NewVerifier(ctx context.Context, opts *policy.Options) (Verifier, error) {
func NewImageVerifier(ctx context.Context, opts *policy.Options) (*ImageVerifier, error) {
err := populateDefaultOptions(opts)
if err != nil {
return nil, err
@@ -38,13 +35,21 @@ func NewVerifier(ctx context.Context, opts *policy.Options) (Verifier, error) {
return nil, fmt.Errorf("failed to create TUF client: %w", err)
}
}
return &tufVerifier{
opts: opts,
tufClient: tufClient,
attestationVerifier := opts.AttestationVerifier
if attestationVerifier == nil {
attestationVerifier, err = attestation.NewVerfier(attestation.WithTUFDownloader(tufClient))
if err != nil {
return nil, fmt.Errorf("failed to create attestation verifier: %w", err)
}
}
return &ImageVerifier{
opts: opts,
tufClient: tufClient,
attestationVerifier: attestationVerifier,
}, nil
}
func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (result *VerificationResult, err error) {
func (verifier *ImageVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (result *VerificationResult, err error) {
// so that we can resolve mapping from the image name earlier
detailsResolver, err := policy.CreateImageDetailsResolver(src)
if err != nil {
@@ -55,7 +60,12 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
return nil, fmt.Errorf("failed to resolve image name: %w", err)
}
policyResolver := policy.NewResolver(verifier.tufClient, verifier.opts)
resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName)
platform, err := detailsResolver.ImagePlatform(ctx)
if err != nil {
return nil, fmt.Errorf("failed to get image platform: %w", err)
}
resolvedPolicy, err := policyResolver.ResolvePolicy(ctx, imageName, platform)
if err != nil {
return nil, fmt.Errorf("failed to resolve policy: %w", err)
}
@@ -67,14 +77,14 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
}
// this is overriding the mapping with a referrers config. Useful for testing if nothing else
if verifier.opts.ReferrersRepo != "" {
resolvedPolicy.Mapping.Attestations = &config.AttestationConfig{
resolvedPolicy.Mapping.Attestations = &mapping.AttestationConfig{
Repo: verifier.opts.ReferrersRepo,
Style: config.AttestationStyleReferrers,
Style: mapping.AttestationStyleReferrers,
}
} else if verifier.opts.AttestationStyle == config.AttestationStyleAttached {
resolvedPolicy.Mapping.Attestations = &config.AttestationConfig{
} else if verifier.opts.AttestationStyle == mapping.AttestationStyleAttached {
resolvedPolicy.Mapping.Attestations = &mapping.AttestationConfig{
Repo: verifier.opts.ReferrersRepo,
Style: config.AttestationStyleAttached,
Style: mapping.AttestationStyleAttached,
}
}
// because we have a mapping now, we can select a resolver based on its contents (ie. referrers or attached)
@@ -82,7 +92,7 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
if err != nil {
return nil, fmt.Errorf("failed to create attestation resolver: %w", err)
}
evaluator := policy.NewRegoEvaluator(verifier.opts.Debug)
evaluator := policy.NewRegoEvaluator(verifier.opts.Debug, verifier.attestationVerifier)
result, err = VerifyAttestations(ctx, resolver, evaluator, resolvedPolicy)
if err != nil {
return nil, fmt.Errorf("failed to evaluate policy: %w", err)
@@ -91,7 +101,7 @@ func (verifier *tufVerifier) Verify(ctx context.Context, src *oci.ImageSpec) (re
}
func Verify(ctx context.Context, src *oci.ImageSpec, opts *policy.Options) (result *VerificationResult, err error) {
verifier, err := NewVerifier(ctx, opts)
verifier, err := NewImageVerifier(ctx, opts)
if err != nil {
return nil, err
}
@@ -115,9 +125,9 @@ func populateDefaultOptions(opts *policy.Options) (err error) {
}
if opts.AttestationStyle == "" {
opts.AttestationStyle = config.AttestationStyleReferrers
opts.AttestationStyle = mapping.AttestationStyleReferrers
}
if opts.ReferrersRepo != "" && opts.AttestationStyle != config.AttestationStyleReferrers {
if opts.ReferrersRepo != "" && opts.AttestationStyle != mapping.AttestationStyleReferrers {
return fmt.Errorf("referrers repo specified but attestation source not set to referrers")
}
return nil

59
verify_test.go
View File

@@ -7,15 +7,18 @@ import (
"os"
"path/filepath"
"testing"
"time"
"github.com/distribution/reference"
"github.com/docker/attest/attestation"
"github.com/docker/attest/config"
"github.com/docker/attest/internal/test"
"github.com/docker/attest/mapping"
"github.com/docker/attest/oci"
"github.com/docker/attest/policy"
"github.com/docker/attest/tlog"
"github.com/docker/attest/tuf"
intoto "github.com/in-toto/in-toto-golang/in_toto"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"sigs.k8s.io/yaml"
@@ -74,7 +77,9 @@ func TestVSA(t *testing.T) {
// setup an image with signed attestations
outputLayout := test.CreateTempDir(t, "", TestTempDir)
opts := &attestation.SigningOptions{}
opts := &attestation.SigningOptions{
TransparencyLog: tlog.GetMockTL(),
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage())
assert.NoError(t, err)
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
@@ -92,7 +97,7 @@ func TestVSA(t *testing.T) {
// mocked vsa query should pass
policyOpts := &policy.Options{
LocalPolicyDir: PassPolicyDir,
AttestationStyle: config.AttestationStyleAttached,
AttestationStyle: mapping.AttestationStyleAttached,
DisableTUF: true,
}
results, err := Verify(ctx, spec, policyOpts)
@@ -118,7 +123,8 @@ func TestVSA(t *testing.T) {
assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels)
assert.Equal(t, PassPolicyDir+"/policy.rego", attestationPredicate.Policy.DownloadLocation)
assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI)
assert.Equal(t, map[string]string{"sha256": "d71d6b8f49fcba1295b16f5394dd5863a14e4277eb663d66d8c48e392509afe0"}, attestationPredicate.Policy.Digest)
// this is the digest of the policy file
assert.Equal(t, map[string]string{"sha256": "ae71defe3b9ecebdf4f939a396b68884d0cba3c2c9d78ce5e64146d9487b0ade"}, attestationPredicate.Policy.Digest)
}
func TestVerificationFailure(t *testing.T) {
@@ -126,7 +132,9 @@ func TestVerificationFailure(t *testing.T) {
// setup an image with signed attestations
outputLayout := test.CreateTempDir(t, "", TestTempDir)
opts := &attestation.SigningOptions{}
opts := &attestation.SigningOptions{
TransparencyLog: tlog.GetMockTL(),
}
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage())
assert.NoError(t, err)
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
@@ -144,7 +152,7 @@ func TestVerificationFailure(t *testing.T) {
// mocked vsa query should fail
policyOpts := &policy.Options{
LocalPolicyDir: FailPolicyDir,
AttestationStyle: config.AttestationStyleAttached,
AttestationStyle: mapping.AttestationStyleAttached,
DisableTUF: true,
}
results, err := Verify(ctx, spec, policyOpts)
@@ -170,7 +178,7 @@ func TestVerificationFailure(t *testing.T) {
assert.Equal(t, []string{"SLSA_BUILD_LEVEL_3"}, attestationPredicate.VerifiedLevels)
assert.Equal(t, FailPolicyDir+"/policy.rego", attestationPredicate.Policy.DownloadLocation)
assert.Equal(t, "https://docker.com/official/policy/v0.1", attestationPredicate.Policy.URI)
assert.Equal(t, map[string]string{"sha256": "ad045e1bd7cd602d90196acf68f2c57d7b51565d59e6e30e30d94ae86aa16201"}, attestationPredicate.Policy.Digest)
assert.Equal(t, map[string]string{"sha256": "4345a4f5db3ce02664bd83f8e4aad03bd9a26d4edb334338c762d9648e16bed1"}, attestationPredicate.Policy.Digest)
}
func TestSignVerify(t *testing.T) {
@@ -178,7 +186,7 @@ func TestSignVerify(t *testing.T) {
// setup an image with signed attestations
outputLayout := test.CreateTempDir(t, "", TestTempDir)
keys, err := test.GenKeyMetadata(signer)
keys, err := GenKeyMetadata(signer)
require.NoError(t, err)
config := struct {
Keys []*attestation.KeyMetadata `json:"keys"`
@@ -210,11 +218,11 @@ func TestSignVerify(t *testing.T) {
attIdx, err := oci.IndexFromPath(test.UnsignedTestImage())
assert.NoError(t, err)
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
opts := &attestation.SigningOptions{
SkipTL: !tc.signTL,
opts := &attestation.SigningOptions{}
if tc.signTL {
opts.TransparencyLog = tlog.GetMockTL()
}
signedManifests, err := SignStatements(ctx, attIdx.Index, signer, opts)
@@ -265,7 +273,7 @@ func TestDefaultOptions(t *testing.T) {
name string
tufOpts *tuf.ClientOptions
localTargetsDir string
attestationStyle config.AttestationStyle
attestationStyle mapping.AttestationStyle
referrersRepo string
expectedError string
disableTuf bool
@@ -274,9 +282,9 @@ func TestDefaultOptions(t *testing.T) {
{name: "empty"},
{name: "tufClient provided", tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}},
{name: "localTargetsDir provided", localTargetsDir: test.CreateTempDir(t, "", TestTempDir)},
{name: "attestationStyle provided", attestationStyle: config.AttestationStyleAttached},
{name: "attestationStyle provided", attestationStyle: mapping.AttestationStyleAttached},
{name: "referrersRepo provided", referrersRepo: "referrers"},
{name: "referrersRepo provided with attached", referrersRepo: "referrers", attestationStyle: config.AttestationStyleAttached, expectedError: "referrers repo specified but attestation source not set to referrers"},
{name: "referrersRepo provided with attached", referrersRepo: "referrers", attestationStyle: mapping.AttestationStyleAttached, expectedError: "referrers repo specified but attestation source not set to referrers"},
{name: "tuf disabled and no local-policy-dir", disableTuf: true, expectedError: "local policy dir must be set if not using TUF"},
{name: "tuf disabled but options set", disableTuf: true, tufOpts: &tuf.ClientOptions{MetadataSource: "a", TargetsSource: "b"}, localPolicyDir: "foo", expectedError: "TUF client options set but TUF disabled"},
}
@@ -312,7 +320,7 @@ func TestDefaultOptions(t *testing.T) {
if tc.attestationStyle != "" {
assert.Equal(t, tc.attestationStyle, opts.AttestationStyle)
} else {
assert.Equal(t, config.AttestationStyleReferrers, opts.AttestationStyle)
assert.Equal(t, mapping.AttestationStyleReferrers, opts.AttestationStyle)
}
if tc.tufOpts != nil {
@@ -329,3 +337,24 @@ func TestDefaultOptions(t *testing.T) {
})
}
}
// LoadKeyMetadata loads the key metadata for the given signer verifier.
func GenKeyMetadata(sv dsse.SignerVerifier) (*attestation.KeyMetadata, error) {
pub := sv.Public()
pem, err := test.PublicKeyToPEM(pub)
if err != nil {
return nil, fmt.Errorf("failed to convert public key to PEM: %w", err)
}
id, err := sv.KeyID()
if err != nil {
return nil, err
}
return &attestation.KeyMetadata{
ID: id,
Status: "active",
SigningFormat: "dssev1",
From: time.Now(),
PEM: pem,
}, nil
}