From ec42378613e1e189da0e94f1c225dba0b06a0fed Mon Sep 17 00:00:00 2001 From: Pritesh Bandi Date: Thu, 14 Mar 2024 11:16:03 -0700 Subject: [PATCH] feat: add support for signing blob (#379) This PR adds support for signing blobs. Signed-off-by: Pritesh Bandi --- example_localSign_test.go | 4 +- example_remoteSign_test.go | 7 ++- notation.go | 113 +++++++++++++++++++++++++++++++------ notation_test.go | 109 ++++++++++++++++++++++++++++++++++- signer/plugin.go | 103 ++++++++++++++++++++++++--------- signer/plugin_test.go | 102 ++++++++++++++++++++++++--------- signer/signer.go | 57 ++++++++++++++++--- signer/signer_test.go | 60 ++++++++++++++++++++ 8 files changed, 472 insertions(+), 83 deletions(-) diff --git a/example_localSign_test.go b/example_localSign_test.go index 996784ce..9672c02f 100644 --- a/example_localSign_test.go +++ b/example_localSign_test.go @@ -47,8 +47,8 @@ func Example_localSign() { // Users should replace `exampleCertTuple.PrivateKey` with their own private // key and replace `exampleCerts` with the corresponding full certificate // chain, following the Notary certificate requirements: - // https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/signature-specification.md#certificate-requirements - exampleSigner, err := signer.New(exampleCertTuple.PrivateKey, exampleCerts) + // https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements + exampleSigner, err := signer.NewGenericSigner(exampleCertTuple.PrivateKey, exampleCerts) if err != nil { panic(err) // Handle error } diff --git a/example_remoteSign_test.go b/example_remoteSign_test.go index 9cf51058..03565e98 100644 --- a/example_remoteSign_test.go +++ b/example_remoteSign_test.go @@ -18,12 +18,13 @@ import ( "crypto/x509" "fmt" + "oras.land/oras-go/v2/registry/remote" + "github.com/notaryproject/notation-core-go/signature/cose" "github.com/notaryproject/notation-core-go/testhelper" "github.com/notaryproject/notation-go" "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/signer" - "oras.land/oras-go/v2/registry/remote" ) // Both COSE ("application/cose") and JWS ("application/jose+json") @@ -45,8 +46,8 @@ func Example_remoteSign() { // Users should replace `exampleCertTuple.PrivateKey` with their own private // key and replace `exampleCerts` with the corresponding full certificate // chain, following the Notary certificate requirements: - // https://github.com/notaryproject/notaryproject/blob/v1.0.0-rc.1/specs/signature-specification.md#certificate-requirements - exampleSigner, err := signer.New(exampleCertTuple.PrivateKey, exampleCerts) + // https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements + exampleSigner, err := signer.NewGenericSigner(exampleCertTuple.PrivateKey, exampleCerts) if err != nil { panic(err) // Handle error } diff --git a/notation.go b/notation.go index ef8593c7..8cb566a8 100644 --- a/notation.go +++ b/notation.go @@ -22,17 +22,22 @@ import ( "encoding/json" "errors" "fmt" + "io" + "mime" "strings" "time" + orasRegistry "oras.land/oras-go/v2/registry" + "github.com/notaryproject/notation-core-go/signature" + "github.com/notaryproject/notation-core-go/signature/cose" + "github.com/notaryproject/notation-core-go/signature/jws" "github.com/notaryproject/notation-go/internal/envelope" "github.com/notaryproject/notation-go/log" "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/verifier/trustpolicy" "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" - orasRegistry "oras.land/oras-go/v2/registry" ) var errDoneVerification = errors.New("done verification") @@ -41,7 +46,7 @@ var reservedAnnotationPrefixes = [...]string{"io.cncf.notary"} // SignerSignOptions contains parameters for Signer.Sign. type SignerSignOptions struct { // SignatureMediaType is the envelope type of the signature. - // Currently both `application/jose+json` and `application/cose` are + // Currently, both `application/jose+json` and `application/cose` are // supported. SignatureMediaType string @@ -56,15 +61,37 @@ type SignerSignOptions struct { SigningAgent string } -// Signer is a generic interface for signing an artifact. +// Signer is a generic interface for signing an OCI artifact. // The interface allows signing with local or remote keys, // and packing in various signature formats. type Signer interface { - // Sign signs the artifact described by its descriptor, + // Sign signs the OCI artifact described by its descriptor, // and returns the signature and SignerInfo. Sign(ctx context.Context, desc ocispec.Descriptor, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error) } +// SignBlobOptions contains parameters for notation.SignBlob. +type SignBlobOptions struct { + SignerSignOptions + // ContentMediaType is the media-type of the blob being signed. + ContentMediaType string + // UserMetadata contains key-value pairs that are added to the signature + // payload + UserMetadata map[string]string +} + +// BlobDescriptorGenerator creates descriptor using the digest Algorithm. +type BlobDescriptorGenerator func(digest.Algorithm) (ocispec.Descriptor, error) + +// BlobSigner is a generic interface for signing arbitrary data. +// The interface allows signing with local or remote keys, +// and packing in various signature formats. +type BlobSigner interface { + // SignBlob signs the descriptor returned by genDesc , + // and returns the signature and SignerInfo + SignBlob(ctx context.Context, genDesc BlobDescriptorGenerator, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error) +} + // signerAnnotation facilitates return of manifest annotations by signers type signerAnnotation interface { // PluginAnnotations returns signature manifest annotations returned from @@ -85,22 +112,16 @@ type SignOptions struct { UserMetadata map[string]string } -// Sign signs the artifact and push the signature to the Repository. -// The descriptor of the sign content is returned upon sucessful signing. +// Sign signs the OCI artifact and push the signature to the Repository. +// The descriptor of the sign content is returned upon successful signing. func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts SignOptions) (ocispec.Descriptor, error) { // sanity check - if signer == nil { - return ocispec.Descriptor{}, errors.New("signer cannot be nil") + if err := validateSignArguments(signer, signOpts.SignerSignOptions); err != nil { + return ocispec.Descriptor{}, err } if repo == nil { return ocispec.Descriptor{}, errors.New("repo cannot be nil") } - if signOpts.ExpiryDuration < 0 { - return ocispec.Descriptor{}, fmt.Errorf("expiry duration cannot be a negative value") - } - if signOpts.ExpiryDuration%time.Second != 0 { - return ocispec.Descriptor{}, fmt.Errorf("expiry duration supports minimum granularity of seconds") - } logger := log.GetLogger(ctx) artifactRef := signOpts.ArtifactReference @@ -152,6 +173,50 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts return targetDesc, nil } +// SignBlob signs the arbitrary data and returns the signature +func SignBlob(ctx context.Context, signer BlobSigner, blobReader io.Reader, signBlobOpts SignBlobOptions) ([]byte, *signature.SignerInfo, error) { + // sanity checks + if err := validateSignArguments(signer, signBlobOpts.SignerSignOptions); err != nil { + return nil, nil, err + } + + if blobReader == nil { + return nil, nil, errors.New("blobReader cannot be nil") + } + + if signBlobOpts.ContentMediaType == "" { + return nil, nil, errors.New("content media-type cannot be empty") + } + + if _, _, err := mime.ParseMediaType(signBlobOpts.ContentMediaType); err != nil { + return nil, nil, fmt.Errorf("invalid content media-type '%s': %v", signBlobOpts.ContentMediaType, err) + } + + getDescFunc := getDescriptorFunc(ctx, blobReader, signBlobOpts.ContentMediaType, signBlobOpts.UserMetadata) + return signer.SignBlob(ctx, getDescFunc, signBlobOpts.SignerSignOptions) +} + +func validateSignArguments(signer any, signOpts SignerSignOptions) error { + if signer == nil { + return errors.New("signer cannot be nil") + } + if signOpts.ExpiryDuration < 0 { + return errors.New("expiry duration cannot be a negative value") + } + if signOpts.ExpiryDuration%time.Second != 0 { + return errors.New("expiry duration supports minimum granularity of seconds") + } + if signOpts.SignatureMediaType == "" { + return errors.New("signature media-type cannot be empty") + } + + if !(signOpts.SignatureMediaType == jws.MediaTypeEnvelope || signOpts.SignatureMediaType == cose.MediaTypeEnvelope) { + return fmt.Errorf("invalid signature media-type '%s'", signOpts.SignatureMediaType) + } + + return nil +} + func addUserMetadataToDescriptor(ctx context.Context, desc ocispec.Descriptor, userMetadata map[string]string) (ocispec.Descriptor, error) { logger := log.GetLogger(ctx) @@ -236,7 +301,7 @@ func (outcome *VerificationOutcome) UserMetadata() (map[string]string, error) { // VerifierVerifyOptions contains parameters for Verifier.Verify. type VerifierVerifyOptions struct { - // ArtifactReference is the reference of the artifact that is been + // ArtifactReference is the reference of the artifact that is being // verified against to. It must be a full reference. ArtifactReference string @@ -270,7 +335,7 @@ type verifySkipper interface { // VerifyOptions contains parameters for notation.Verify. type VerifyOptions struct { - // ArtifactReference is the reference of the artifact that is been + // ArtifactReference is the reference of the artifact that is being // verified against to. ArtifactReference string @@ -449,3 +514,19 @@ func generateAnnotations(signerInfo *signature.SignerInfo, annotations map[strin annotations[ocispec.AnnotationCreated] = signingTime.Format(time.RFC3339) return annotations, nil } + +func getDescriptorFunc(ctx context.Context, reader io.Reader, contentMediaType string, userMetadata map[string]string) BlobDescriptorGenerator { + return func(hashAlgo digest.Algorithm) (ocispec.Descriptor, error) { + digester := hashAlgo.Digester() + bytes, err := io.Copy(digester.Hash(), reader) + if err != nil { + return ocispec.Descriptor{}, err + } + targetDesc := ocispec.Descriptor{ + MediaType: contentMediaType, + Digest: digester.Digest(), + Size: bytes, + } + return addUserMetadataToDescriptor(ctx, targetDesc, userMetadata) + } +} diff --git a/notation_test.go b/notation_test.go index 31264cee..72255f5c 100644 --- a/notation_test.go +++ b/notation_test.go @@ -17,18 +17,22 @@ import ( "context" "errors" "fmt" + "io" "math" "os" "path/filepath" + "strings" "testing" "time" "github.com/notaryproject/notation-core-go/signature" "github.com/notaryproject/notation-core-go/signature/cose" + "github.com/notaryproject/notation-core-go/signature/jws" "github.com/notaryproject/notation-go/internal/mock" "github.com/notaryproject/notation-go/plugin" "github.com/notaryproject/notation-go/registry" "github.com/notaryproject/notation-go/verifier/trustpolicy" + "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" ) @@ -47,6 +51,7 @@ func TestSignSuccess(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(b *testing.T) { opts := SignOptions{} + opts.SignatureMediaType = jws.MediaTypeEnvelope opts.ExpiryDuration = tc.dur opts.ArtifactReference = mock.SampleArtifactUri @@ -58,11 +63,91 @@ func TestSignSuccess(t *testing.T) { } } +func TestSignBlobSuccess(t *testing.T) { + reader := strings.NewReader("some content") + testCases := []struct { + name string + dur time.Duration + mtype string + agent string + pConfig map[string]string + metadata map[string]string + }{ + {"expiryInHours", 24 * time.Hour, "video/mp4", "", nil, nil}, + {"oneSecondExpiry", 1 * time.Second, "video/mp4", "", nil, nil}, + {"zeroExpiry", 0, "video/mp4", "", nil, nil}, + {"validContentType", 1 * time.Second, "video/mp4", "", nil, nil}, + {"emptyContentType", 1 * time.Second, "video/mp4", "someDummyAgent", map[string]string{"hi": "hello"}, map[string]string{"bye": "tata"}}, + } + for _, tc := range testCases { + t.Run(tc.name, func(b *testing.T) { + opts := SignBlobOptions{ + SignerSignOptions: SignerSignOptions{ + SignatureMediaType: jws.MediaTypeEnvelope, + ExpiryDuration: tc.dur, + PluginConfig: tc.pConfig, + SigningAgent: tc.agent, + }, + UserMetadata: expectedMetadata, + ContentMediaType: tc.mtype, + } + + _, _, err := SignBlob(context.Background(), &dummySigner{}, reader, opts) + if err != nil { + b.Fatalf("Sign failed with error: %v", err) + } + }) + } +} + +func TestSignBlobError(t *testing.T) { + reader := strings.NewReader("some content") + testCases := []struct { + name string + signer BlobSigner + dur time.Duration + rdr io.Reader + sigMType string + ctMType string + errMsg string + }{ + {"negativeExpiry", &dummySigner{}, -1 * time.Second, nil, "video/mp4", jws.MediaTypeEnvelope, "expiry duration cannot be a negative value"}, + {"milliSecExpiry", &dummySigner{}, 1 * time.Millisecond, nil, "video/mp4", jws.MediaTypeEnvelope, "expiry duration supports minimum granularity of seconds"}, + {"invalidContentMediaType", &dummySigner{}, 1 * time.Second, reader, "video/mp4/zoping", jws.MediaTypeEnvelope, "invalid content media-type 'video/mp4/zoping': mime: unexpected content after media subtype"}, + {"emptyContentMediaType", &dummySigner{}, 1 * time.Second, reader, "", jws.MediaTypeEnvelope, "content media-type cannot be empty"}, + {"invalidSignatureMediaType", &dummySigner{}, 1 * time.Second, reader, "", "", "content media-type cannot be empty"}, + {"nilReader", &dummySigner{}, 1 * time.Second, nil, "video/mp4", jws.MediaTypeEnvelope, "blobReader cannot be nil"}, + {"nilSigner", nil, 1 * time.Second, reader, "video/mp4", jws.MediaTypeEnvelope, "signer cannot be nil"}, + {"signerError", &dummySigner{fail: true}, 1 * time.Second, reader, "video/mp4", jws.MediaTypeEnvelope, "expected SignBlob failure"}, + } + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + opts := SignBlobOptions{ + SignerSignOptions: SignerSignOptions{ + SignatureMediaType: jws.MediaTypeEnvelope, + ExpiryDuration: tc.dur, + PluginConfig: nil, + }, + ContentMediaType: tc.sigMType, + } + + _, _, err := SignBlob(context.Background(), tc.signer, tc.rdr, opts) + if err == nil { + t.Fatalf("expected error but didnt found") + } + if err.Error() != tc.errMsg { + t.Fatalf("expected err message to be '%s' but found '%s'", tc.errMsg, err.Error()) + } + }) + } +} + func TestSignSuccessWithUserMetadata(t *testing.T) { repo := mock.NewRepository() opts := SignOptions{} opts.ArtifactReference = mock.SampleArtifactUri opts.UserMetadata = expectedMetadata + opts.SignatureMediaType = jws.MediaTypeEnvelope _, err := Sign(context.Background(), &verifyMetadataSigner{}, repo, opts) if err != nil { @@ -182,6 +267,9 @@ func TestSignDigestNotMatchResolve(t *testing.T) { repo := mock.NewRepository() repo.MissMatchDigest = true signOpts := SignOptions{ + SignerSignOptions: SignerSignOptions{ + SignatureMediaType: jws.MediaTypeEnvelope, + }, ArtifactReference: mock.SampleArtifactUri, } @@ -320,7 +408,9 @@ func dummyPolicyStatement() (policyStatement trustpolicy.TrustPolicy) { return } -type dummySigner struct{} +type dummySigner struct { + fail bool +} func (s *dummySigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error) { return []byte("ABC"), &signature.SignerInfo{ @@ -330,6 +420,23 @@ func (s *dummySigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts Si }, nil } +func (s *dummySigner) SignBlob(_ context.Context, descGenFunc BlobDescriptorGenerator, _ SignerSignOptions) ([]byte, *signature.SignerInfo, error) { + if s.fail { + return nil, nil, errors.New("expected SignBlob failure") + } + + _, err := descGenFunc(digest.SHA384) + if err != nil { + return nil, nil, err + } + + return []byte("ABC"), &signature.SignerInfo{ + SignedAttributes: signature.SignedAttributes{ + SigningTime: time.Now(), + }, + }, nil +} + type verifyMetadataSigner struct{} func (s *verifyMetadataSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error) { diff --git a/signer/plugin.go b/signer/plugin.go index 3bf14321..d0c96e6b 100644 --- a/signer/plugin.go +++ b/signer/plugin.go @@ -15,6 +15,7 @@ package signer import ( "context" + "crypto" "crypto/x509" "encoding/json" "errors" @@ -29,22 +30,38 @@ import ( "github.com/notaryproject/notation-go/log" "github.com/notaryproject/notation-go/plugin/proto" "github.com/notaryproject/notation-plugin-framework-go/plugin" + "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" ) -// pluginSigner signs artifacts and generates signatures. +// PluginSigner signs artifacts and generates signatures. // It implements notation.Signer -type pluginSigner struct { +type PluginSigner struct { plugin plugin.SignPlugin keyID string pluginConfig map[string]string manifestAnnotations map[string]string } +var algorithms = map[crypto.Hash]digest.Algorithm{ + crypto.SHA256: digest.SHA256, + crypto.SHA384: digest.SHA384, + crypto.SHA512: digest.SHA512, +} + // NewFromPlugin creates a notation.Signer that signs artifacts and generates // signatures by delegating the one or more operations to the named plugin, // as defined in https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md#signing-interfaces. +// Deprecated: NewFromPlugin function exists for historical compatibility and should not be used. +// To create PluginSigner, use NewPluginSigner() function. func NewFromPlugin(plugin plugin.SignPlugin, keyID string, pluginConfig map[string]string) (notation.Signer, error) { + return NewPluginSigner(plugin, keyID, pluginConfig) +} + +// NewPluginSigner creates a notation.Signer that signs artifacts and generates +// signatures by delegating the one or more operations to the named plugin, +// as defined in https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md#signing-interfaces. +func NewPluginSigner(plugin plugin.SignPlugin, keyID string, pluginConfig map[string]string) (*PluginSigner, error) { if plugin == nil { return nil, errors.New("nil plugin") } @@ -52,7 +69,7 @@ func NewFromPlugin(plugin plugin.SignPlugin, keyID string, pluginConfig map[stri return nil, errors.New("keyID not specified") } - return &pluginSigner{ + return &PluginSigner{ plugin: plugin, keyID: keyID, pluginConfig: pluginConfig, @@ -60,57 +77,91 @@ func NewFromPlugin(plugin plugin.SignPlugin, keyID string, pluginConfig map[stri } // PluginAnnotations returns signature manifest annotations returned from plugin -func (s *pluginSigner) PluginAnnotations() map[string]string { +func (s *PluginSigner) PluginAnnotations() map[string]string { return s.manifestAnnotations } // Sign signs the artifact described by its descriptor and returns the // marshalled envelope. -func (s *pluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { +func (s *PluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { logger := log.GetLogger(ctx) + mergedConfig := s.mergeConfig(opts.PluginConfig) + logger.Debug("Invoking plugin's get-plugin-metadata command") - req := &plugin.GetMetadataRequest{ - PluginConfig: s.mergeConfig(opts.PluginConfig), - } - metadata, err := s.plugin.GetMetadata(ctx, req) + metadata, err := s.plugin.GetMetadata(ctx, &plugin.GetMetadataRequest{PluginConfig: mergedConfig}) if err != nil { return nil, nil, err } - logger.Debugf("Using plugin %v with capabilities %v to sign artifact %v in signature media type %v", metadata.Name, metadata.Capabilities, desc.Digest, opts.SignatureMediaType) + logger.Debugf("Using plugin %v with capabilities %v to sign oci artifact %v in signature media type %v", metadata.Name, metadata.Capabilities, desc.Digest, opts.SignatureMediaType) if metadata.HasCapability(plugin.CapabilitySignatureGenerator) { - return s.generateSignature(ctx, desc, opts, metadata) + ks, err := s.getKeySpec(ctx, mergedConfig) + if err != nil { + return nil, nil, err + } + return s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig) } else if metadata.HasCapability(plugin.CapabilityEnvelopeGenerator) { return s.generateSignatureEnvelope(ctx, desc, opts) } return nil, nil, fmt.Errorf("plugin does not have signing capabilities") } -func (s *pluginSigner) generateSignature(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions, metadata *plugin.GetMetadataResponse) ([]byte, *signature.SignerInfo, error) { +// SignBlob signs the arbitrary data and returns the marshalled envelope. +func (s *PluginSigner) SignBlob(ctx context.Context, descGenFunc notation.BlobDescriptorGenerator, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { logger := log.GetLogger(ctx) - logger.Debug("Generating signature by plugin") - config := s.mergeConfig(opts.PluginConfig) - // Get key info. - key, err := s.describeKey(ctx, config) + mergedConfig := s.mergeConfig(opts.PluginConfig) + + logger.Debug("Invoking plugin's get-plugin-metadata command") + metadata, err := s.plugin.GetMetadata(ctx, &plugin.GetMetadataRequest{PluginConfig: mergedConfig}) if err != nil { return nil, nil, err } - // Check keyID is honored. - if s.keyID != key.KeyID { - return nil, nil, fmt.Errorf("keyID in describeKey response %q does not match request %q", key.KeyID, s.keyID) + logger.Debug("Invoking plugin's describe-key command") + ks, err := s.getKeySpec(ctx, mergedConfig) + if err != nil { + return nil, nil, err } - ks, err := proto.DecodeKeySpec(key.KeySpec) + + // get descriptor to sign + desc, err := getDescriptor(ks, descGenFunc) if err != nil { return nil, nil, err } - genericSigner := genericSigner{ - Signer: &pluginPrimitiveSigner{ + logger.Debugf("Using plugin %v with capabilities %v to sign blob using descriptor %+v", metadata.Name, metadata.Capabilities, desc) + if metadata.HasCapability(plugin.CapabilitySignatureGenerator) { + return s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig) + } else if metadata.HasCapability(plugin.CapabilityEnvelopeGenerator) { + return s.generateSignatureEnvelope(ctx, desc, opts) + } + return nil, nil, fmt.Errorf("plugin does not have signing capabilities") +} + +func (s *PluginSigner) getKeySpec(ctx context.Context, config map[string]string) (signature.KeySpec, error) { + logger := log.GetLogger(ctx) + logger.Debug("Invoking plugin's describe-key command") + descKeyResp, err := s.describeKey(ctx, config) + if err != nil { + return signature.KeySpec{}, err + } + + if s.keyID != descKeyResp.KeyID { + return signature.KeySpec{}, fmt.Errorf("keyID in describeKey response %q does not match request %q", descKeyResp.KeyID, s.keyID) + } + + return proto.DecodeKeySpec(descKeyResp.KeySpec) +} + +func (s *PluginSigner) generateSignature(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions, ks signature.KeySpec, metadata *plugin.GetMetadataResponse, pluginConfig map[string]string) ([]byte, *signature.SignerInfo, error) { + logger := log.GetLogger(ctx) + logger.Debug("Generating signature by plugin") + genericSigner := GenericSigner{ + signer: &pluginPrimitiveSigner{ ctx: ctx, plugin: s.plugin, keyID: s.keyID, - pluginConfig: config, + pluginConfig: pluginConfig, keySpec: ks, }, } @@ -119,7 +170,7 @@ func (s *pluginSigner) generateSignature(ctx context.Context, desc ocispec.Descr return genericSigner.Sign(ctx, desc, opts) } -func (s *pluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { +func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { logger := log.GetLogger(ctx) logger.Debug("Generating signature envelope by plugin") payload := envelope.Payload{TargetArtifact: envelope.SanitizeTargetArtifact(desc)} @@ -181,7 +232,7 @@ func (s *pluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp return resp.SignatureEnvelope, &envContent.SignerInfo, nil } -func (s *pluginSigner) mergeConfig(config map[string]string) map[string]string { +func (s *PluginSigner) mergeConfig(config map[string]string) map[string]string { c := make(map[string]string, len(s.pluginConfig)+len(config)) // First clone s.PluginConfig. for k, v := range s.pluginConfig { @@ -194,7 +245,7 @@ func (s *pluginSigner) mergeConfig(config map[string]string) map[string]string { return c } -func (s *pluginSigner) describeKey(ctx context.Context, config map[string]string) (*plugin.DescribeKeyResponse, error) { +func (s *PluginSigner) describeKey(ctx context.Context, config map[string]string) (*plugin.DescribeKeyResponse, error) { req := &plugin.DescribeKeyRequest{ KeyID: s.keyID, PluginConfig: config, diff --git a/signer/plugin_test.go b/signer/plugin_test.go index c3dd2b30..634df66f 100644 --- a/signer/plugin_test.go +++ b/signer/plugin_test.go @@ -32,6 +32,7 @@ import ( "github.com/notaryproject/notation-go/internal/envelope" "github.com/notaryproject/notation-go/plugin" "github.com/notaryproject/notation-go/plugin/proto" + "github.com/opencontainers/go-digest" ocispec "github.com/opencontainers/image-spec/specs-go/v1" ) @@ -70,6 +71,16 @@ type mockPlugin struct { keySpec signature.KeySpec } +func getDescriptorFunc(throwError bool) func(hashAlgo digest.Algorithm) (ocispec.Descriptor, error) { + return func(hashAlgo digest.Algorithm) (ocispec.Descriptor, error) { + if throwError { + return ocispec.Descriptor{}, errors.New("") + } + return validSignDescriptor, nil + } + +} + func newMockPlugin(key crypto.PrivateKey, certs []*x509.Certificate, keySpec signature.KeySpec) *mockPlugin { return &mockPlugin{ key: key, @@ -136,7 +147,7 @@ func (p *mockPlugin) GenerateSignature(ctx context.Context, req *proto.GenerateS // GenerateEnvelope generates the Envelope with signature based on the request. func (p *mockPlugin) GenerateEnvelope(ctx context.Context, req *proto.GenerateEnvelopeRequest) (*proto.GenerateEnvelopeResponse, error) { - internalPluginSigner := pluginSigner{ + internalPluginSigner := PluginSigner{ plugin: newMockPlugin(p.key, p.certs, p.keySpec), } @@ -206,15 +217,34 @@ func (p *mockPlugin) GenerateEnvelope(ctx context.Context, req *proto.GenerateEn } func TestNewFromPluginFailed(t *testing.T) { - wantErr := "keyID not specified" - _, err := NewFromPlugin(&plugin.CLIPlugin{}, "", make(map[string]string)) - if err == nil || err.Error() != wantErr { - t.Fatalf("TestNewFromPluginFailed expects error %q, got %q", wantErr, err.Error()) + tests := map[string]struct { + pl plugin.SignPlugin + keyID string + errMsg string + }{ + "Invalid KeyID": { + pl: &plugin.CLIPlugin{}, + keyID: "", + errMsg: "keyID not specified", + }, + "nilPlugin": { + pl: nil, + keyID: "someKeyId", + errMsg: "nil plugin", + }, + } + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + _, err := NewFromPlugin(tc.pl, tc.keyID, make(map[string]string)) + if err == nil || err.Error() != tc.errMsg { + t.Fatalf("TestNewFromPluginFailed expects error %q, got %q", tc.errMsg, err.Error()) + } + }) } } func TestSigner_Sign_EnvelopeNotSupported(t *testing.T) { - signer := pluginSigner{ + signer := PluginSigner{ plugin: newMockPlugin(nil, nil, signature.KeySpec{Type: signature.KeyTypeRSA, Size: 2048}), } opts := notation.SignerSignOptions{SignatureMediaType: "unsupported"} @@ -225,7 +255,7 @@ func TestSigner_Sign_DescribeKeyIDMismatch(t *testing.T) { respKeyId := "" for _, envelopeType := range signature.RegisteredEnvelopeTypes() { t.Run(fmt.Sprintf("envelopeType=%v", envelopeType), func(t *testing.T) { - signer := pluginSigner{ + signer := PluginSigner{ plugin: newMockPlugin(nil, nil, signature.KeySpec{}), keyID: "1", } @@ -238,7 +268,7 @@ func TestSigner_Sign_ExpiryInValid(t *testing.T) { for _, envelopeType := range signature.RegisteredEnvelopeTypes() { t.Run(fmt.Sprintf("envelopeType=%v", envelopeType), func(t *testing.T) { ks, _ := signature.ExtractKeySpec(keyCertPairCollections[0].certs[0]) - signer := pluginSigner{ + signer := PluginSigner{ plugin: newMockPlugin(keyCertPairCollections[0].key, keyCertPairCollections[0].certs, ks), } _, _, err := signer.Sign(context.Background(), ocispec.Descriptor{}, notation.SignerSignOptions{ExpiryDuration: -24 * time.Hour, SignatureMediaType: envelopeType}) @@ -255,7 +285,7 @@ func TestSigner_Sign_InvalidCertChain(t *testing.T) { t.Run(fmt.Sprintf("envelopeType=%v", envelopeType), func(t *testing.T) { mockPlugin := newMockPlugin(defaultKeyCert.key, defaultKeyCert.certs, defaultKeySpec) mockPlugin.invalidCertChain = true - signer := pluginSigner{ + signer := PluginSigner{ plugin: mockPlugin, } testSignerError(t, signer, "x509: malformed certificate", notation.SignerSignOptions{SignatureMediaType: envelopeType}) @@ -269,7 +299,7 @@ func TestSigner_Sign_InvalidDescriptor(t *testing.T) { mockPlugin := newMockPlugin(defaultKeyCert.key, defaultKeyCert.certs, defaultKeySpec) mockPlugin.wantEnvelope = true mockPlugin.invalidDescriptor = true - signer := pluginSigner{ + signer := PluginSigner{ plugin: mockPlugin, } testSignerError(t, signer, "during signing, following unknown attributes were added to subject descriptor: [\"additional_field\"]", notation.SignerSignOptions{SignatureMediaType: envelopeType}) @@ -282,7 +312,7 @@ func TestPluginSigner_Sign_SignatureVerifyError(t *testing.T) { t.Run(fmt.Sprintf("envelopeType=%v", envelopeType), func(t *testing.T) { mockPlugin := newMockPlugin(defaultKeyCert.key, defaultKeyCert.certs, defaultKeySpec) mockPlugin.invalidSig = true - signer := pluginSigner{ + signer := PluginSigner{ plugin: mockPlugin, } testSignerError(t, signer, "signature is invalid", notation.SignerSignOptions{SignatureMediaType: envelopeType}) @@ -295,10 +325,28 @@ func TestPluginSigner_Sign_Valid(t *testing.T) { for _, keyCert := range keyCertPairCollections { t.Run(fmt.Sprintf("external plugin,envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) { keySpec, _ := proto.DecodeKeySpec(proto.KeySpec(keyCert.keySpecName)) - pluginSigner := pluginSigner{ + pluginSigner := PluginSigner{ + plugin: newMockPlugin(keyCert.key, keyCert.certs, keySpec), + } + validSignOpts.SignatureMediaType = envelopeType + data, signerInfo, err := pluginSigner.Sign(context.Background(), validSignDescriptor, validSignOpts) + basicSignTest(t, &pluginSigner, envelopeType, data, signerInfo, err) + }) + } + } +} + +func TestPluginSigner_SignBlob_Valid(t *testing.T) { + for _, envelopeType := range signature.RegisteredEnvelopeTypes() { + for _, keyCert := range keyCertPairCollections { + t.Run(fmt.Sprintf("external plugin,envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) { + keySpec, _ := proto.DecodeKeySpec(proto.KeySpec(keyCert.keySpecName)) + pluginSigner := PluginSigner{ plugin: newMockPlugin(keyCert.key, keyCert.certs, keySpec), } - basicSignTest(t, &pluginSigner, envelopeType, &validMetadata) + validSignOpts.SignatureMediaType = envelopeType + data, signerInfo, err := pluginSigner.SignBlob(context.Background(), getDescriptorFunc(false), validSignOpts) + basicSignTest(t, &pluginSigner, envelopeType, data, signerInfo, err) }) } } @@ -311,7 +359,7 @@ func TestPluginSigner_SignEnvelope_RunFailed(t *testing.T) { wantEnvelope: true, failEnvelope: true, } - signer := pluginSigner{ + signer := PluginSigner{ plugin: p, } testSignerError(t, signer, "failed GenerateEnvelope", notation.SignerSignOptions{SignatureMediaType: envelopeType}) @@ -326,10 +374,12 @@ func TestPluginSigner_SignEnvelope_Valid(t *testing.T) { keySpec, _ := proto.DecodeKeySpec(proto.KeySpec(keyCert.keySpecName)) mockPlugin := newMockPlugin(keyCert.key, keyCert.certs, keySpec) mockPlugin.wantEnvelope = true - pluginSigner := pluginSigner{ + pluginSigner := PluginSigner{ plugin: mockPlugin, } - basicSignTest(t, &pluginSigner, envelopeType, &validMetadata) + validSignOpts.SignatureMediaType = envelopeType + data, signerInfo, err := pluginSigner.Sign(context.Background(), validSignDescriptor, validSignOpts) + basicSignTest(t, &pluginSigner, envelopeType, data, signerInfo, err) }) } } @@ -341,7 +391,7 @@ func TestPluginSigner_SignWithAnnotations_Valid(t *testing.T) { t.Run(fmt.Sprintf("external plugin,envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) { keySpec, _ := proto.DecodeKeySpec(proto.KeySpec(keyCert.keySpecName)) annts := map[string]string{"key": "value"} - pluginSigner := pluginSigner{ + pluginSigner := PluginSigner{ plugin: &mockPlugin{ key: keyCert.key, certs: keyCert.certs, @@ -350,7 +400,9 @@ func TestPluginSigner_SignWithAnnotations_Valid(t *testing.T) { wantEnvelope: true, }, } - basicSignTest(t, &pluginSigner, envelopeType, &validMetadata) + validSignOpts.SignatureMediaType = envelopeType + data, signerInfo, err := pluginSigner.Sign(context.Background(), validSignDescriptor, validSignOpts) + basicSignTest(t, &pluginSigner, envelopeType, data, signerInfo, err) if !reflect.DeepEqual(pluginSigner.PluginAnnotations(), annts) { fmt.Println(pluginSigner.PluginAnnotations()) t.Errorf("mismatch in annotations returned from PluginAnnotations()") @@ -360,7 +412,7 @@ func TestPluginSigner_SignWithAnnotations_Valid(t *testing.T) { } } -func testSignerError(t *testing.T, signer pluginSigner, wantEr string, opts notation.SignerSignOptions) { +func testSignerError(t *testing.T, signer PluginSigner, wantEr string, opts notation.SignerSignOptions) { t.Helper() _, _, err := signer.Sign(context.Background(), ocispec.Descriptor{}, opts) if err == nil || !strings.Contains(err.Error(), wantEr) { @@ -368,9 +420,7 @@ func testSignerError(t *testing.T, signer pluginSigner, wantEr string, opts nota } } -func basicSignTest(t *testing.T, pluginSigner *pluginSigner, envelopeType string, metadata *proto.GetMetadataResponse) { - validSignOpts.SignatureMediaType = envelopeType - data, signerInfo, err := pluginSigner.Sign(context.Background(), validSignDescriptor, validSignOpts) +func basicSignTest(t *testing.T, ps *PluginSigner, envelopeType string, data []byte, signerInfo *signature.SignerInfo, err error) { if err != nil { t.Fatalf("Signer.Sign() error = %v, wantErr nil", err) } @@ -399,12 +449,12 @@ func basicSignTest(t *testing.T, pluginSigner *pluginSigner, envelopeType string TargetArtifact: validSignDescriptor, } if !reflect.DeepEqual(expectedPayload, gotPayload) { - t.Fatalf("Signer.Sign() descriptor subject changed, expect: %v, got: %v", expectedPayload, payload) + t.Fatalf("Signer.Sign() descriptor subject changed, expect: %+v, got: %+v", expectedPayload, payload) } if signerInfo.SignedAttributes.SigningScheme != signature.SigningSchemeX509 { - t.Fatalf("Signer.Sign() signing scheme changed, expect: %v, got: %v", signerInfo.SignedAttributes.SigningScheme, signature.SigningSchemeX509) + t.Fatalf("Signer.Sign() signing scheme changed, expect: %+v, got: %+v", signerInfo.SignedAttributes.SigningScheme, signature.SigningSchemeX509) } - mockPlugin := pluginSigner.plugin.(*mockPlugin) + mockPlugin := ps.plugin.(*mockPlugin) if mockPlugin.keySpec.SignatureAlgorithm() != signerInfo.SignatureAlgorithm { t.Fatalf("Signer.Sign() signing algorithm changed") } @@ -414,5 +464,5 @@ func basicSignTest(t *testing.T, pluginSigner *pluginSigner, envelopeType string if !reflect.DeepEqual(mockPlugin.certs, signerInfo.CertificateChain) { t.Fatalf(" Signer.Sign() cert chain changed") } - basicVerification(t, data, envelopeType, mockPlugin.certs[len(mockPlugin.certs)-1], metadata) + basicVerification(t, data, envelopeType, mockPlugin.certs[len(mockPlugin.certs)-1], &validMetadata) } diff --git a/signer/signer.go b/signer/signer.go index cefc7788..05d0ea8c 100644 --- a/signer/signer.go +++ b/signer/signer.go @@ -13,7 +13,7 @@ // Package signer provides notation signing functionality. It implements the // notation.Signer interface by providing builtinSigner for local signing and -// pluginSigner for remote signing. +// PluginSigner for remote signing. package signer import ( @@ -36,24 +36,36 @@ import ( // signingAgent is the unprotected header field used by signature. const signingAgent = "Notation/1.0.0" -// genericSigner implements notation.Signer and embeds signature.Signer -type genericSigner struct { - signature.Signer +// GenericSigner implements notation.Signer and embeds signature.Signer +type GenericSigner struct { + signer signature.Signer } // New returns a builtinSigner given key and cert chain +// Deprecated: New function exists for historical compatibility and should not be used. +// To create GenericSigner, use NewGenericSigner() function. func New(key crypto.PrivateKey, certChain []*x509.Certificate) (notation.Signer, error) { + return NewGenericSigner(key, certChain) +} + +// NewGenericSigner returns a builtinSigner given key and cert chain +func NewGenericSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (*GenericSigner, error) { localSigner, err := signature.NewLocalSigner(certChain, key) if err != nil { return nil, err } - return &genericSigner{ - Signer: localSigner, + return &GenericSigner{ + signer: localSigner, }, nil } // NewFromFiles returns a builtinSigner given key and certChain paths. func NewFromFiles(keyPath, certChainPath string) (notation.Signer, error) { + return NewGenericSignerFromFiles(keyPath, certChainPath) +} + +// NewGenericSignerFromFiles returns a builtinSigner given key and certChain paths. +func NewGenericSignerFromFiles(keyPath, certChainPath string) (*GenericSigner, error) { if keyPath == "" { return nil, errors.New("key path not specified") } @@ -80,12 +92,12 @@ func NewFromFiles(keyPath, certChainPath string) (notation.Signer, error) { } // create signer - return New(cert.PrivateKey, certs) + return NewGenericSigner(cert.PrivateKey, certs) } // Sign signs the artifact described by its descriptor and returns the // marshalled envelope. -func (s *genericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { +func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { logger := log.GetLogger(ctx) logger.Debugf("Generic signing for %v in signature media type %v", desc.Digest, opts.SignatureMediaType) // Generate payload to be signed. @@ -106,7 +118,7 @@ func (s *genericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts ContentType: envelope.MediaTypePayloadV1, Content: payloadBytes, }, - Signer: s.Signer, + Signer: s.signer, SigningTime: time.Now(), SigningScheme: signature.SigningSchemeX509, SigningAgent: signingAgentId, @@ -146,3 +158,30 @@ func (s *genericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts // TODO: re-enable timestamping https://github.com/notaryproject/notation-go/issues/78 return sig, &envContent.SignerInfo, nil } + +// SignBlob signs the descriptor returned by blobGen and returns the marshalled envelope +func (s *GenericSigner) SignBlob(ctx context.Context, descGenFunc notation.BlobDescriptorGenerator, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) { + logger := log.GetLogger(ctx) + logger.Debugf("Generic blob signing for signature media type %v", opts.SignatureMediaType) + + ks, err := s.signer.KeySpec() + if err != nil { + return nil, nil, err + } + + desc, err := getDescriptor(ks, descGenFunc) + if err != nil { + return nil, nil, err + } + + return s.Sign(ctx, desc, opts) +} + +func getDescriptor(ks signature.KeySpec, descGenFunc notation.BlobDescriptorGenerator) (ocispec.Descriptor, error) { + digestAlg, ok := algorithms[ks.SignatureAlgorithm().Hash()] + if !ok { + return ocispec.Descriptor{}, fmt.Errorf("unknown hashing algo %v", ks.SignatureAlgorithm().Hash()) + } + + return descGenFunc(digestAlg) +} diff --git a/signer/signer_test.go b/signer/signer_test.go index c8d0ae38..31e16ca5 100644 --- a/signer/signer_test.go +++ b/signer/signer_test.go @@ -168,6 +168,41 @@ func TestNewFromFiles(t *testing.T) { } } +func TestNewFromFilesError(t *testing.T) { + tests := map[string]struct { + keyPath string + certPath string + errMsg string + }{ + "empty key path": { + keyPath: "", + certPath: "someCert", + errMsg: "key path not specified", + }, + "empty cert path": { + keyPath: "someKeyId", + certPath: "", + errMsg: "certificate path not specified", + }, + } + for name, tc := range tests { + t.Run(name, func(t *testing.T) { + _, err := NewFromFiles(tc.keyPath, tc.certPath) + if err == nil || err.Error() != tc.errMsg { + t.Fatalf("TestNewFromPluginFailed expects error %q, got %q", tc.errMsg, err.Error()) + } + }) + } +} + +func TestNewError(t *testing.T) { + wantErr := "\"certs\" param is invalid. Error: empty certs" + _, err := New(nil, nil) + if err == nil || err.Error() != wantErr { + t.Fatalf("TestNewFromPluginFailed expects error %q, got %q", wantErr, err.Error()) + } +} + func TestSignWithCertChain(t *testing.T) { // sign with key for _, envelopeType := range signature.RegisteredEnvelopeTypes() { @@ -179,6 +214,31 @@ func TestSignWithCertChain(t *testing.T) { } } +func TestSignBlobWithCertChain(t *testing.T) { + // sign with key + for _, envelopeType := range signature.RegisteredEnvelopeTypes() { + for _, keyCert := range keyCertPairCollections { + t.Run(fmt.Sprintf("envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) { + s, err := NewGenericSigner(keyCert.key, keyCert.certs) + if err != nil { + t.Fatalf("NewSigner() error = %v", err) + } + + sOpts := notation.SignerSignOptions{ + SignatureMediaType: envelopeType, + } + sig, _, err := s.SignBlob(context.Background(), getDescriptorFunc(false), sOpts) + if err != nil { + t.Fatalf("Sign() error = %v", err) + } + + // basic verification + basicVerification(t, sig, envelopeType, keyCert.certs[len(keyCert.certs)-1], nil) + }) + } + } +} + func TestSignWithoutExpiry(t *testing.T) { // sign with key for _, envelopeType := range signature.RegisteredEnvelopeTypes() {