refactor:add verification plugin checker

Signed-off-by: zaihaoyin <[email protected]>

Author: zaihaoyin

go.mod

@@ -4,7 +4,7 @@ go 1.17
 
 require (
 	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/notaryproject/notation-core-go v0.0.0-20220901064119-7bf2b3e37c06
+	github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.2
 	github.com/oras-project/artifacts-spec v1.0.0-rc.2

go.sum

@@ -8,11 +8,10 @@ github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
 github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
-github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/notaryproject/notation-core-go v0.0.0-20220901064119-7bf2b3e37c06 h1:tvnxwHtQEACckbLYYoyCPkAawNJk1BAsGFLrDhou2U0=
-github.com/notaryproject/notation-core-go v0.0.0-20220901064119-7bf2b3e37c06/go.mod h1:vRFI64uedpKUChiadJ/2q8jJNdKtxHa7Er1JbSnm8AY=
+github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c h1:myIrd0sic/mu8PRt9/jvtkMmC/eVPsB2ufBGhbAM1hg=
+github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c/go.mod h1:cebNvAIpFQXqBGGJa8c13FS1ln47c5qd8E6WjeQDkAA=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

verification/verifier.go

@@ -151,13 +151,20 @@ func (v *Verifier) processSignature(ctx context.Context, sigBlob []byte, sigMani
 
 	// check if we need to verify using a plugin
 	var pluginCapabilities []plugin.Capability
-	verificationPluginName := GetVerificationPlugin(outcome.SignerInfo)
-	if verificationPluginName != "" {
+	verificationPluginName, err := getVerificationPlugin(outcome.SignerInfo)
+	// use plugin, but getPluginName returns an error
+	if err != nil && err != errExtendedAttributeNotExist {
+		return err
+	}
+	if err == nil {
 		installedPlugin, err := v.PluginManager.Get(ctx, verificationPluginName)
 		if err != nil {
 			return ErrorVerificationInconclusive{msg: fmt.Sprintf("error while locating the verification plugin %q, make sure the plugin is installed successfully before verifying the signature. error: %s", verificationPluginName, err)}
 		}
 
+		if _, err := getVerificationPluginMinVersion(signerInfo); err != nil && err != errExtendedAttributeNotExist {
+			return ErrorVerificationInconclusive{msg: fmt.Sprintf("error while getting plugin minimum version, error: %s", err)}
+		}
 		// TODO verify the plugin's version is equal to or greater than `outcome.SignerInfo.SignedAttributes.VerificationPluginMinVersion`
 		// https://github.com/notaryproject/notation-go/issues/102
 
@@ -234,8 +241,10 @@ func (v *Verifier) processSignature(ctx context.Context, sigBlob []byte, sigMani
 }
 
 func (v *Verifier) processPluginResponse(capabilitiesToVerify []plugin.VerificationCapability, response *plugin.VerifySignatureResponse, outcome *SignatureVerificationOutcome) error {
-	verificationPluginName := GetVerificationPlugin(outcome.SignerInfo)
-
+	verificationPluginName, err := getVerificationPlugin(outcome.SignerInfo)
+	if err != nil {
+		return err
+	}
 	// verify all extended critical attributes are processed by the plugin
 	for _, attr := range outcome.SignerInfo.SignedAttributes.ExtendedAttributes {
 		if attr.Critical {

verification/verifier_helpers.go

@@ -3,7 +3,9 @@ package verification
 import (
 	"context"
 	"crypto/x509"
+	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 	"time"
 
@@ -13,6 +15,10 @@ import (
 	"github.com/notaryproject/notation-go/registry"
 )
 
+var errExtendedAttributeNotExist = errors.New("Extended attribute not exist")
+
+var semVerRegEx = regexp.MustCompile("^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$")
+
 // isCriticalFailure checks whether a VerificationResult fails the entire signature verification workflow.
 // signature verification workflow is considered failed if there is a VerificationResult with "Enforced" as the action but the result was unsuccessful
 func isCriticalFailure(result *VerificationResult) bool {
@@ -235,7 +241,10 @@ func verifyX509TrustedIdentities(certs []*x509.Certificate, trustPolicy *TrustPo
 }
 
 func (v *Verifier) executePlugin(ctx context.Context, trustPolicy *TrustPolicy, capabilitiesToVerify []plugin.VerificationCapability, signerInfo *signature.SignerInfo, payloadInfo *signature.Payload) (*plugin.VerifySignatureResponse, error) {
-	verificationPluginName := GetVerificationPlugin(signerInfo)
+	verificationPluginName, err := getVerificationPlugin(signerInfo)
+	if err != nil {
+		return nil, err
+	}
 	var attributesToProcess []string
 	extendedAttributes := make(map[string]interface{})
 
@@ -298,20 +307,49 @@ func (v *Verifier) executePlugin(ctx context.Context, trustPolicy *TrustPolicy,
 	return response, nil
 }
 
-func GetVerificationPlugin(signerInfo *signature.SignerInfo) string {
-	if verificationPlugin, err := signerInfo.ExtendedAttribute(VerificationPlugin); err == nil {
-		if name, ok := verificationPlugin.Value.(string); ok {
-			return name
-		}
+// extractCriticalStringExtendedAttribute extracts a critical string Extended attribute from a signer
+func extractCriticalStringExtendedAttribute(signerInfo *signature.SignerInfo, key string) (string, error) {
+	attr, err := signerInfo.ExtendedAttribute(key)
+	// not exist
+	if err != nil {
+		return "", errExtendedAttributeNotExist
+	}
+	// not critical
+	if !attr.Critical {
+		return "", fmt.Errorf("%v is not a critical Extended attribute", key)
+	}
+	// not string
+	val, ok := attr.Value.(string)
+	if !ok {
+		return "", fmt.Errorf("%v from Extended attribute is not a string", key)
 	}
-	return ""
+	return val, nil
 }
 
-func GetVerificationPluginMinVersion(signerInfo *signature.SignerInfo) string {
-	if verificationPluginVersion, err := signerInfo.ExtendedAttribute(VerificationPluginMinVersion); err == nil {
-		if version, ok := verificationPluginVersion.Value.(string); ok {
-			return version
-		}
+// getVerificationPlugin get plugin name from the Extended attributes
+func getVerificationPlugin(signerInfo *signature.SignerInfo) (string, error) {
+	name, err := extractCriticalStringExtendedAttribute(signerInfo, VerificationPlugin)
+	if err != nil {
+		return "", err
+	}
+	// not an empty string
+	if strings.TrimSpace(name) == "" {
+		return "", fmt.Errorf("%v from Extended attribute is an empty string", VerificationPlugin)
+	}
+	return name, nil
+}
+
+func getVerificationPluginMinVersion(signerInfo *signature.SignerInfo) (string, error) {
+	version, err := extractCriticalStringExtendedAttribute(signerInfo, VerificationPluginMinVersion)
+	if err != nil {
+		return "", err
+	}
+	// empty version
+	if strings.TrimSpace(version) == "" {
+		return "", fmt.Errorf("%v from Extended attribute is an empty string", VerificationPluginMinVersion)
+	}
+	if !semVerRegEx.MatchString(version) {
+		return "", fmt.Errorf("%v from Extended attribute is not a is not valid SemVer", VerificationPluginMinVersion)
 	}
-	return ""
+	return version, nil
 }

verification/verifier_test.go

@@ -258,7 +258,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
 		policyDocument := dummyPolicyDocument()
 		repo := mock.NewRepository()
 		repo.GetResponse = invalidSigEnv
-		expectedErr := fmt.Errorf("payload error: illegal base64 data at input byte 242")
+		expectedErr := fmt.Errorf("signature is invalid. Error: illegal base64 data at input byte 242")
 		testCases = append(testCases, testCase{
 			verificationType:  Integrity,
 			verificationLevel: level,