Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tsa #4

Closed
wants to merge 42 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
42 commits
Select commit Hold shift + click to select a range
4b42738
initial test
Two-Hearts Dec 1, 2023
ca5bba2
fix trust store
Two-Hearts Dec 4, 2023
73ec77c
resolved conflicts
Two-Hearts Dec 26, 2023
2937f68
Merge branch 'notaryproject:main' into tsa
Two-Hearts Dec 28, 2023
f06d289
Merge branch 'notaryproject:main' into tsa
Two-Hearts Jan 12, 2024
9819ba2
Merge branch 'notaryproject:main' into tsa
Two-Hearts Jan 15, 2024
8e6bbdb
initial commits
Two-Hearts Jan 15, 2024
b454646
initial commits
Two-Hearts Jan 15, 2024
d058046
Merge branch 'notaryproject:main' into tsa
Two-Hearts Jan 16, 2024
1df563c
Merge branch 'notaryproject:main' into tsa
Two-Hearts Jan 19, 2024
9cd5aaf
updated to use tspclient-go
Two-Hearts Jan 23, 2024
ef01821
resolved conflicts
Two-Hearts Jan 24, 2024
e655c04
Merge branch 'notaryproject:main' into tsa
Two-Hearts Jan 31, 2024
ea97a99
updated tspclient-go
Two-Hearts Jan 31, 2024
fa4eaaf
test
Two-Hearts Feb 1, 2024
dc9c5fe
update
Two-Hearts Feb 1, 2024
00d7dfd
Merge branch 'notaryproject:main' into tsa
Two-Hearts Feb 1, 2024
62bacd0
resolved conflicts
Two-Hearts Feb 2, 2024
1f4bd5c
Merge branch 'notaryproject:main' into tsa
Two-Hearts Mar 18, 2024
3b98cd7
update sign with timestamping
Two-Hearts Mar 22, 2024
09810a9
resolved conflicts
Two-Hearts Mar 22, 2024
e598416
update timestamp verification
Two-Hearts Mar 22, 2024
be2ea0e
updated timestmap
Two-Hearts Mar 27, 2024
c8f8e4e
updated timestamp
Two-Hearts Mar 27, 2024
28e0166
resolve conflicts
Two-Hearts Mar 28, 2024
200a071
added tsa cert chain revocation check
Two-Hearts Apr 8, 2024
6ab5a0e
Merge branch 'notaryproject:main' into tsa
Two-Hearts Apr 8, 2024
53ee15c
update tsa
Two-Hearts Apr 8, 2024
e5aaefe
added tsa ocsp check
Two-Hearts Apr 8, 2024
2e674e4
updated timestamping
Two-Hearts Apr 8, 2024
31de40f
update
Two-Hearts Apr 10, 2024
f4536db
update
Two-Hearts Apr 11, 2024
998d79f
added skip tsa cert expire check
Two-Hearts Apr 11, 2024
545e1e7
update
Two-Hearts Apr 11, 2024
527b84a
added timestamp trust policy
Two-Hearts Apr 16, 2024
1e21a3d
update
Two-Hearts Apr 17, 2024
27a5b35
update
Two-Hearts Apr 17, 2024
90424bd
update
Two-Hearts Apr 17, 2024
d7a0396
timestamp trust policy
Two-Hearts Apr 17, 2024
12ac6b6
update
Two-Hearts Apr 18, 2024
6e36303
update
Two-Hearts Apr 18, 2024
bea674c
error msg
Two-Hearts Apr 18, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ require (
github.com/go-ldap/ldap/v3 v3.4.6
github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e
github.com/notaryproject/notation-plugin-framework-go v1.0.0
github.com/notaryproject/tspclient-go v0.0.0-20240122083733-a373599795a2
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0
github.com/veraison/go-cose v1.1.0
Expand All @@ -23,3 +24,7 @@ require (
github.com/x448/float16 v0.8.4 // indirect
golang.org/x/sync v0.6.0 // indirect
)

replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b

replace github.com/notaryproject/tspclient-go => github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019
6 changes: 4 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b h1:a27dSIOWWw7rJSD2ebmWUYjwhhhPnIaMGlqPl9OuCmI=
github.com/Two-Hearts/notation-core-go v0.0.0-20240418044922-14d05519328b/go.mod h1:o3qDLatecAi3cQKnlnTk32mJNoNWovGFMiToV5n8KW4=
github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019 h1:7SJ4FlWTmpXssu5J+XI7Fzn50tPsagFMEJSWmqv8nLU=
github.com/Two-Hearts/tspclient-go v0.0.0-20240410033505-94c3b3def019/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
Expand All @@ -15,8 +19,6 @@ github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOW
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e h1:GdPnC0iJ2gIhed529oaVXtzWUTyDafmOUah/07uEQVo=
github.com/notaryproject/notation-core-go v1.0.3-0.20240325061945-807a3386734e/go.mod h1:HsaLU1gXhal0p5a0noBFEZxs2NIDCqdFgx4mD4DmlmY=
github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
Expand Down
3 changes: 3 additions & 0 deletions notation.go
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,9 @@ type SignerSignOptions struct {

// SigningAgent sets the signing agent name
SigningAgent string

// TSA denotes the TSA server URL
TSAServerURL string
}

// Signer is a generic interface for signing an OCI artifact.
Expand Down
11 changes: 8 additions & 3 deletions signer/signer.go
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
SigningTime: time.Now(),
SigningScheme: signature.SigningSchemeX509,
SigningAgent: signingAgentId,
TSAServerURL: opts.TSAServerURL,
}

// Add expiry only if ExpiryDuration is not zero
Expand All @@ -135,16 +136,22 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
logger.Debugf(" Expiry: %v", signReq.Expiry)
logger.Debugf(" SigningScheme: %v", signReq.SigningScheme)
logger.Debugf(" SigningAgent: %v", signReq.SigningAgent)
logger.Debugf(" TSAServerURL: %v", signReq.TSAServerURL)

// perform signing
sigEnv, err := signature.NewEnvelope(opts.SignatureMediaType)
if err != nil {
return nil, nil, err
}

var timestampErr *signature.TimestampError
sig, err := sigEnv.Sign(signReq)
if err != nil {
return nil, nil, err
if !errors.As(err, &timestampErr) {
return nil, nil, err
}
// warn on timestamping error, but do not fail the signing process
logger.Warnf("Failed to timestamp the signature. Error: %v", timestampErr)
}

envContent, err := sigEnv.Verify()
Expand All @@ -154,8 +161,6 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
if err := envelope.ValidatePayloadContentType(&envContent.Payload); err != nil {
return nil, nil, err
}

// TODO: re-enable timestamping https://github.com/notaryproject/notation-go/issues/78
return sig, &envContent.SignerInfo, nil
}

Expand Down
64 changes: 39 additions & 25 deletions verifier/helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,31 +57,7 @@ func loadX509TrustStores(ctx context.Context, scheme signature.SigningScheme, po
default:
return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the trust store, unrecognized signing scheme %q", scheme)}
}

processedStoreSet := set.New[string]()
var certificates []*x509.Certificate
for _, trustStore := range policy.TrustStores {
if processedStoreSet.Contains(trustStore) {
// we loaded this trust store already
continue
}

storeType, name, found := strings.Cut(trustStore, ":")
if !found {
return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the trust store, trust policy statement %q is missing separator in trust store value %q. The required format is <TrustStoreType>:<TrustStoreName>", policy.Name, trustStore)}
}
if typeToLoad != truststore.Type(storeType) {
continue
}

certs, err := x509TrustStore.GetCertificates(ctx, typeToLoad, name)
if err != nil {
return nil, err
}
certificates = append(certificates, certs...)
processedStoreSet.Add(trustStore)
}
return certificates, nil
return loadX509TrustStoresWithType(ctx, typeToLoad, policy, x509TrustStore)
}

// isCriticalFailure checks whether a VerificationResult fails the entire
Expand Down Expand Up @@ -154,3 +130,41 @@ func getVerificationPluginMinVersion(signerInfo *signature.SignerInfo) (string,
}
return version, nil
}

func loadX509TSATrustStores(ctx context.Context, scheme signature.SigningScheme, policy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore) ([]*x509.Certificate, error) {
var typeToLoad truststore.Type
switch scheme {
case signature.SigningSchemeX509:
typeToLoad = truststore.TypeTSA
default:
return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the TSA trust store, signing scheme must be notary.x509, but got %s", scheme)}
}
return loadX509TrustStoresWithType(ctx, typeToLoad, policy, x509TrustStore)
}

func loadX509TrustStoresWithType(ctx context.Context, trustStoreType truststore.Type, policy *trustpolicy.TrustPolicy, x509TrustStore truststore.X509TrustStore) ([]*x509.Certificate, error) {
processedStoreSet := set.New[string]()
var certificates []*x509.Certificate
for _, trustStore := range policy.TrustStores {
if processedStoreSet.Contains(trustStore) {
// we loaded this trust store already
continue
}

storeType, name, found := strings.Cut(trustStore, ":")
if !found {
return nil, truststore.TrustStoreError{Msg: fmt.Sprintf("error while loading the trust store, trust policy statement %q is missing separator in trust store value %q. The required format is <TrustStoreType>:<TrustStoreName>", policy.Name, trustStore)}
}
if trustStoreType != truststore.Type(storeType) {
continue
}

certs, err := x509TrustStore.GetCertificates(ctx, trustStoreType, name)
if err != nil {
return nil, err
}
certificates = append(certificates, certs...)
processedStoreSet.Add(trustStore)
}
return certificates, nil
}
24 changes: 22 additions & 2 deletions verifier/trustpolicy/trustpolicy.go
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ var (
}
)

var supportedPolicyVersions = []string{"1.0"}
var supportedPolicyVersions = []string{"1.0", "1.1"}

// Document represents a trustPolicy.json document
type Document struct {
Expand All @@ -156,19 +156,34 @@ type TrustPolicy struct {
// SignatureVerification setting for this policy statement
SignatureVerification SignatureVerification `json:"signatureVerification"`

// TimestampVerification setting for this policy statement
TimestampVerification *TimestampVerification `json:"timestampVerification,omitempty"`

// TrustStores this policy statement uses
TrustStores []string `json:"trustStores,omitempty"`

// TrustedIdentities this policy statement pins
TrustedIdentities []string `json:"trustedIdentities,omitempty"`
}

// String returns print out of TrustPolicy as a string
func (t *TrustPolicy) String() string {
return fmt.Sprintf("Name: %s, RegistryScopes: %v, SignatureVerification: %+v, TimestampVerification: %+v, TrustStores: %v, TrustedIdentities: %v", t.Name, t.RegistryScopes, t.SignatureVerification, t.TimestampVerification, t.TrustStores, t.TrustedIdentities)
}

// SignatureVerification represents verification configuration in a trust policy
type SignatureVerification struct {
VerificationLevel string `json:"level"`
Override map[ValidationType]ValidationAction `json:"override,omitempty"`
}

// TimestampVerification represents timestamp countersignature verification
// configuration in a trust policy
type TimestampVerification struct {
Enable bool `json:"enable,omitempty"`
ExpiryRelaxed bool `json:"expiryRelaxed,omitempty"`
}

// Validate validates a policy document according to its version's rule set.
// if any rule is violated, returns an error
func (policyDoc *Document) Validate() error {
Expand All @@ -185,7 +200,6 @@ func (policyDoc *Document) Validate() error {
return fmt.Errorf("trust policy document uses unsupported version %q", policyDoc.Version)
}

// Validate the policy according to 1.0 rules
if len(policyDoc.TrustPolicies) == 0 {
return errors.New("trust policy document can not have zero trust policy statements")
}
Expand All @@ -206,6 +220,11 @@ func (policyDoc *Document) Validate() error {
return fmt.Errorf("trust policy statement %q has invalid signatureVerification: %w", statement.Name, err)
}

// Verify timestamp verification is valid
if statement.TimestampVerification != nil && policyDoc.Version != "1.1" {
return fmt.Errorf("trust policy document version must be 1.1 to support timestamp verification, but got %q", policyDoc.Version)
}

// Any signature verification other than "skip" needs a trust store and
// trusted identities
if verificationLevel.Name == "skip" {
Expand Down Expand Up @@ -394,6 +413,7 @@ func (t *TrustPolicy) clone() *TrustPolicy {
return &TrustPolicy{
Name: t.Name,
SignatureVerification: t.SignatureVerification,
TimestampVerification: t.TimestampVerification,
RegistryScopes: append([]string(nil), t.RegistryScopes...),
TrustedIdentities: append([]string(nil), t.TrustedIdentities...),
TrustStores: append([]string(nil), t.TrustStores...),
Expand Down
2 changes: 2 additions & 0 deletions verifier/truststore/truststore.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,12 +36,14 @@ type Type string
const (
TypeCA Type = "ca"
TypeSigningAuthority Type = "signingAuthority"
TypeTSA Type = "tsa"
)

var (
Types = []Type{
TypeCA,
TypeSigningAuthority,
TypeTSA,
}
)

Expand Down
Loading
Loading