Upgrade dependencies (microsoft#2)

Signed-off-by: Shiwei Zhang <[email protected]>

cmd/notation-cose/sign.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto"
 	"crypto/tls"
 	"encoding/json"
 	"errors"
@@ -9,9 +10,9 @@ import (
 
 	"github.com/microsoft/notation-cose/pkg/cose"
 	"github.com/microsoft/notation-cose/pkg/protocol"
-	"github.com/notaryproject/notation-go-lib"
-	"github.com/notaryproject/notation-go-lib/crypto/cryptoutil"
-	"github.com/notaryproject/notation-go-lib/crypto/timestamp"
+	"github.com/notaryproject/notation-go"
+	"github.com/notaryproject/notation-go/crypto/cryptoutil"
+	"github.com/notaryproject/notation-go/crypto/timestamp"
 	"github.com/urfave/cli/v2"
 )
 
@@ -84,7 +85,11 @@ func getSignerWithOptions(keyInfo string, opts notation.SignOptions) (notation.S
 	}
 
 	// construct signer
-	signer, err := cose.NewSigner(keyPair.PrivateKey, certs)
+	privateKey, ok := keyPair.PrivateKey.(crypto.Signer)
+	if !ok {
+		return nil, opts, errors.New("unsupported private key")
+	}
+	signer, err := cose.NewSigner(privateKey, certs)
 	if err != nil {
 		return nil, opts, err
 	}

cmd/notation-cose/verify.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/microsoft/notation-cose/pkg/cose"
 	"github.com/microsoft/notation-cose/pkg/protocol"
-	"github.com/notaryproject/notation-go-lib"
-	"github.com/notaryproject/notation-go-lib/crypto/cryptoutil"
+	"github.com/notaryproject/notation-go"
+	"github.com/notaryproject/notation-go/crypto/cryptoutil"
 	"github.com/urfave/cli/v2"
 )
 

go.mod

@@ -1,20 +1,18 @@
 module github.com/microsoft/notation-cose
 
-go 1.17
+go 1.18
 
 require (
-	github.com/fxamacker/cbor/v2 v2.2.1-0.20200429214022-fc263b46c618
-	github.com/notaryproject/notation-go-lib v0.0.0-20220214031612-1b9631b34681
+	github.com/notaryproject/notation-go v0.8.0-alpha.1
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/oras-project/artifacts-spec v0.0.0-20220226030613-b469ef86bd0b
-	github.com/urfave/cli/v2 v2.3.0
-	github.com/veraison/go-cose v0.0.0-20211126173600-dee3b3e54910
+	github.com/oras-project/artifacts-spec v1.0.0-rc.1
+	github.com/urfave/cli/v2 v2.5.0
+	github.com/veraison/go-cose v0.0.0-20220425074922-8cef769ef52c
 )
 
 require (
-	github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d // indirect
-	github.com/pkg/errors v0.8.0 // indirect
-	github.com/russross/blackfriday/v2 v2.0.1 // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 )

go.sum

@@ -1,37 +1,18 @@
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fxamacker/cbor/v2 v2.2.1-0.20200429214022-fc263b46c618 h1:RIQZGQ00xy1acO7H7mjL8N5ZDyI0soZG7X8akiXwSTo=
-github.com/fxamacker/cbor/v2 v2.2.1-0.20200429214022-fc263b46c618/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
-github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/notaryproject/notation-go-lib v0.0.0-20220214031612-1b9631b34681 h1:y4t1k6cUqrYiLi/XQxAg+5/qSdQVJly14JoyUdJeEeQ=
-github.com/notaryproject/notation-go-lib v0.0.0-20220214031612-1b9631b34681/go.mod h1:lQcnTNXR+rhNJY8nYQ5OWihh5mBDnoBAfYP0HQC8jEw=
+github.com/cpuguy83/go-md2man/v2 v2.0.1 h1:r/myEWzV9lfsM1tFLgDyu0atFtJ1fXn261LKYj/3DxU=
+github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
+github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
+github.com/notaryproject/notation-go v0.8.0-alpha.1 h1:YbrmzZiEdK2/XSqwkT0/qvACiJGy7AXSaMbzbQc2RmI=
+github.com/notaryproject/notation-go v0.8.0-alpha.1/go.mod h1:B/JbgikwvLoD9gFeWYhFtxIEozRoFAs9q31mj3vz1i4=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/oras-project/artifacts-spec v0.0.0-20220226030613-b469ef86bd0b h1:7527DSVoMm7PAN6A+83UDPlHj4IB7I3bFW1rIqf6cvs=
-github.com/oras-project/artifacts-spec v0.0.0-20220226030613-b469ef86bd0b/go.mod h1:Xch2aLzSwtkhbFFN6LUzTfLtukYvMMdXJ4oZ8O7BOdc=
-github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
-github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
-github.com/veraison/go-cose v0.0.0-20211126173600-dee3b3e54910 h1:dtZjTJ/89XAZjDygdVe5X5/wnxo9gYtmKpfxGqYGbws=
-github.com/veraison/go-cose v0.0.0-20211126173600-dee3b3e54910/go.mod h1:sjLU/8dYHRJj3RWtKLJUbPLoByKdV7nnegaTBgQ+9XA=
+github.com/oras-project/artifacts-spec v1.0.0-rc.1 h1:bCHf9mPbrgiNwQFyVzBX79BYZVAl0OUrmvICZOCOwts=
+github.com/oras-project/artifacts-spec v1.0.0-rc.1/go.mod h1:Xch2aLzSwtkhbFFN6LUzTfLtukYvMMdXJ4oZ8O7BOdc=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/urfave/cli/v2 v2.5.0 h1:2sqblaW62ebcTIEvwb8eRvDfNHeBAeKxfhdynaanhug=
+github.com/urfave/cli/v2 v2.5.0/go.mod h1:oDzoM7pVwz6wHn5ogWgFUU1s4VJayeQS+aEZDqXIEJs=
+github.com/veraison/go-cose v0.0.0-20220425074922-8cef769ef52c h1:ix/10qPlr0+90VVJD5yJGQtL6Dgrl/AxkQuKcWhTcys=
+github.com/veraison/go-cose v0.0.0-20220425074922-8cef769ef52c/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

pkg/cose/algorithm.go

@@ -12,7 +12,7 @@ import (
 // AlgorithmFromKey picks up a recommended algorithm for private and public
 // keys.
 // Reference: RFC 8152 8 Signature Algorithms.
-func AlgorithmFromKey(key interface{}) (*cose.Algorithm, error) {
+func AlgorithmFromKey(key interface{}) (cose.Algorithm, error) {
 	if k, ok := key.(interface {
 		Public() crypto.PublicKey
 	}); ok {
@@ -21,20 +21,27 @@ func AlgorithmFromKey(key interface{}) (*cose.Algorithm, error) {
 
 	switch key := key.(type) {
 	case *rsa.PublicKey:
-		// use PS256 for all key sizes since PS256 is the only supported
-		// algorithm by go-cose.
-		return cose.PS256, nil
+		switch key.Size() {
+		case 256:
+			return cose.AlgorithmPS256, nil
+		case 384:
+			return cose.AlgorithmPS384, nil
+		case 512:
+			return cose.AlgorithmPS512, nil
+		default:
+			return cose.AlgorithmPS256, nil
+		}
 	case *ecdsa.PublicKey:
 		switch key.Curve.Params().BitSize {
 		case 256:
-			return cose.ES256, nil
+			return cose.AlgorithmES256, nil
 		case 384:
-			return cose.ES384, nil
+			return cose.AlgorithmES384, nil
 		case 521:
-			return cose.ES512, nil
+			return cose.AlgorithmES512, nil
 		default:
-			return nil, errors.New("ecdsa key not supported")
+			return 0, errors.New("ecdsa key not supported")
 		}
 	}
-	return nil, errors.New("key not supported")
+	return 0, errors.New("key not supported")
 }

pkg/cose/signer.go

@@ -10,16 +10,16 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/notaryproject/notation-go-lib"
-	"github.com/notaryproject/notation-go-lib/crypto/timestamp"
+	"github.com/notaryproject/notation-go"
+	"github.com/notaryproject/notation-go/crypto/timestamp"
 	artifactspec "github.com/oras-project/artifacts-spec/specs-go/v1"
 	"github.com/veraison/go-cose"
 )
 
 // Signer signs artifacts and generates COSE signatures.
 type Signer struct {
 	// base is the base COSE signer
-	base *cose.Signer
+	base cose.Signer
 
 	// certChain contains the X.509 public key certificate or certificate chain
 	// corresponding to the key used to generate the signature.
@@ -28,7 +28,7 @@ type Signer struct {
 
 // NewSigner creates a signer with the recommended signing algorithm and a
 // signing key bundled with a certificate chain.
-func NewSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (*Signer, error) {
+func NewSigner(key crypto.Signer, certChain []*x509.Certificate) (*Signer, error) {
 	alg, err := AlgorithmFromKey(key)
 	if err != nil {
 		return nil, err
@@ -38,18 +38,15 @@ func NewSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (*Signer, e
 
 // NewSignerWithCertificateChain creates a signer with the specified signing
 // algorithm and a signing key bundled with a (partial) certificate chain.
-func NewSignerWithCertificateChain(alg *cose.Algorithm, key crypto.PrivateKey, certChain []*x509.Certificate) (*Signer, error) {
-	if alg == nil {
-		return nil, errors.New("nil signing algorithm")
-	}
+func NewSignerWithCertificateChain(alg cose.Algorithm, key crypto.Signer, certChain []*x509.Certificate) (*Signer, error) {
 	if key == nil {
 		return nil, errors.New("nil signing key")
 	}
 	if len(certChain) == 0 {
 		return nil, errors.New("missing signer certificate chain")
 	}
 
-	base, err := cose.NewSignerFromKey(alg, key)
+	base, err := cose.NewSigner(alg, key)
 	if err != nil {
 		return nil, err
 	}
@@ -78,17 +75,19 @@ func (s *Signer) Sign(ctx context.Context, desc notation.Descriptor, opts notati
 		return nil, err
 	}
 	msg.Payload = payload
-	msg.Headers.Protected = map[interface{}]interface{}{
-		1:             s.base.GetAlg().Value,            // alg
-		2:             []interface{}{3},                 // crit
-		3:             artifactspec.MediaTypeDescriptor, // cty
-		33:            s.certChain,                      // x5chain
-		"signingtime": time.Now(),
+	msg.Headers.Protected = cose.ProtectedHeader{
+		cose.HeaderLabelAlgorithm: s.base.Algorithm(),
+		cose.HeaderLabelCritical: []interface{}{
+			cose.HeaderLabelContentType,
+		},
+		cose.HeaderLabelContentType: artifactspec.MediaTypeDescriptor,
+		cose.HeaderLabelX5Chain:     s.certChain,
+		"signingtime":               time.Now(),
 	}
 	if !opts.Expiry.IsZero() {
 		msg.Headers.Protected["exp"] = opts.Expiry.Unix()
 	}
-	if err := msg.Sign(rand.Reader, []byte{}, *s.base); err != nil {
+	if err := msg.Sign(rand.Reader, nil, s.base); err != nil {
 		return nil, err
 	}
 
@@ -102,7 +101,7 @@ func (s *Signer) Sign(ctx context.Context, desc notation.Descriptor, opts notati
 	}
 
 	// encode in CBOR
-	return cose.Marshal(msg)
+	return msg.MarshalCBOR()
 }
 
 // timestampSignature sends a request to the TSA for timestamping the signature.

pkg/cose/signer_test.go

@@ -11,8 +11,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/notaryproject/notation-go-lib"
-	"github.com/notaryproject/notation-go-lib/crypto/timestamp/timestamptest"
+	"github.com/notaryproject/notation-go"
+	"github.com/notaryproject/notation-go/crypto/timestamp/timestamptest"
 	"github.com/opencontainers/go-digest"
 )