refactor:support cose signature format

Signed-off-by: zaihaoyin <[email protected]>

Author: zaihaoyin

config/config.go

@@ -23,6 +23,8 @@ type Config struct {
 	InsecureRegistries       []string                 `json:"insecureRegistries"`
 	CredentialsStore         string                   `json:"credsStore,omitempty"`
 	CredentialHelpers        map[string]string        `json:"credHelpers,omitempty"`
+	// EnvelopeType defines the envelope type for signing
+	EnvelopeType string `json:"envelopeType,omitempty"`
 }
 
 // VerificationCertificates is a collection of public certs used for verification.

config/config_test.go

@@ -29,6 +29,7 @@ var sampleConfig = &Config{
 	InsecureRegistries: []string{
 		"registry.wabbit-networks.io",
 	},
+	EnvelopeType: "jws",
 }
 
 func TestLoadFile(t *testing.T) {

config/testdata/config.json

@@ -13,5 +13,6 @@
     },
     "insecureRegistries": [
         "registry.wabbit-networks.io"
-    ]
+    ],
+    "envelopeType": "jws"
 }

go.mod

@@ -4,18 +4,21 @@ go 1.17
 
 require (
 	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/golang-jwt/jwt/v4 v4.4.2
-	github.com/notaryproject/notation-core-go v0.1.0-alpha.3
+	github.com/notaryproject/notation-core-go v0.0.0-20220901064119-7bf2b3e37c06
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.2
 	github.com/oras-project/artifacts-spec v1.0.0-rc.2
+	github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83
 	oras.land/oras-go/v2 v2.0.0-rc.2
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
 	github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 )

go.sum

@@ -2,14 +2,17 @@ github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft
 github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
+github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
 github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
+github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/notaryproject/notation-core-go v0.1.0-alpha.3 h1:gzB+h5TGzuocWiJxuYZgE/FwUIbJyKAHfk2hWSBbCGg=
-github.com/notaryproject/notation-core-go v0.1.0-alpha.3/go.mod h1:Wfyh5SrQ718JegKPhTs7y74rXg86tWd5NfOx2uHK1nI=
+github.com/notaryproject/notation-core-go v0.0.0-20220901064119-7bf2b3e37c06 h1:tvnxwHtQEACckbLYYoyCPkAawNJk1BAsGFLrDhou2U0=
+github.com/notaryproject/notation-core-go v0.0.0-20220901064119-7bf2b3e37c06/go.mod h1:vRFI64uedpKUChiadJ/2q8jJNdKtxHa7Er1JbSnm8AY=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -23,6 +26,10 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83 h1:g8vDfnNOPcGzg6mnlBGc0J5t5lAJkaepXqbc9qFRnFs=
+github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=

internal/mock/mocks.go

@@ -1,12 +1,10 @@
 package mock
 
 import (
+	"context"
 	_ "embed"
-	nsigner "github.com/notaryproject/notation-core-go/signer"
-)
 
-import (
-	"context"
+	"github.com/notaryproject/notation-core-go/signature"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/plugin"
 	"github.com/notaryproject/notation-go/plugin/manager"
@@ -54,7 +52,7 @@ var (
 		Size:        100,
 		Annotations: Annotations,
 	}
-	PluginExtendedCriticalAttribute = nsigner.Attribute{
+	PluginExtendedCriticalAttribute = signature.Attribute{
 		Key:      "SomeKey",
 		Critical: true,
 		Value:    "SomeValue",
@@ -93,7 +91,7 @@ func (t Repository) GetBlob(ctx context.Context, digest digest.Digest) ([]byte,
 	return t.GetResponse, t.GetError
 }
 
-func (t Repository) PutSignatureManifest(ctx context.Context, signature []byte, manifest notation.Descriptor, annotaions map[string]string) (notation.Descriptor, registry.SignatureManifest, error) {
+func (t Repository) PutSignatureManifest(ctx context.Context, signature []byte, signatureMediaType string, manifest notation.Descriptor, annotaions map[string]string) (notation.Descriptor, registry.SignatureManifest, error) {
 	return notation.Descriptor{}, registry.SignatureManifest{}, nil
 }
 

notation.go

@@ -9,8 +9,8 @@ import (
 	"github.com/opencontainers/go-digest"
 )
 
-// Media type for Notary payload for OCI artifacts, which contains an artifact descriptor.
-const MediaTypePayload = "application/vnd.cncf.notary.payload.v1+json"
+// SigningAgent is the unprotected header field used by signature
+const SigningAgent = "Notation/1.0.0"
 
 // Descriptor describes the artifact that needs to be signed.
 type Descriptor struct {
@@ -65,7 +65,9 @@ type Signer interface {
 }
 
 // VerifyOptions contains parameters for Verifier.Verify.
-type VerifyOptions struct{}
+type VerifyOptions struct {
+	SignatureMediaType string
+}
 
 // Validate does basic validation on VerifyOptions.
 func (opts VerifyOptions) Validate() error {

plugin/plugin.go

@@ -3,8 +3,6 @@ package plugin
 import (
 	"context"
 	"time"
-
-	"github.com/notaryproject/notation-core-go/signer"
 )
 
 // Prefix is the prefix required on all plugin binary names.
@@ -127,17 +125,21 @@ type DescribeKeyResponse struct {
 
 	// One of following supported key types:
 	// https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection
-	KeySpec signer.KeySpec `json:"keySpec"`
+	KeySpec string `json:"keySpec"`
+
+	// Ordered list of certificates starting with leaf certificate
+	// and ending with root certificate.
 }
 
 // GenerateSignatureRequest contains the parameters passed in a generate-signature request.
+// do we still need keyspec and hash?
 type GenerateSignatureRequest struct {
-	ContractVersion string               `json:"contractVersion"`
-	KeyID           string               `json:"keyId"`
-	KeySpec         signer.KeySpec       `json:"keySpec"`
-	Hash            signer.HashAlgorithm `json:"hashAlgorithm"`
-	Payload         []byte               `json:"payload"`
-	PluginConfig    map[string]string    `json:"pluginConfig,omitempty"`
+	ContractVersion string            `json:"contractVersion"`
+	KeyID           string            `json:"keyId"`
+	Payload         []byte            `json:"payload"`
+	KeySpec         string            `json:"keySpec"`
+	Hash            string            `json:"hashAlgorithm"`
+	PluginConfig    map[string]string `json:"pluginConfig,omitempty"`
 }
 
 func (GenerateSignatureRequest) Command() Command {
@@ -146,9 +148,9 @@ func (GenerateSignatureRequest) Command() Command {
 
 // GenerateSignatureResponse is the response of a generate-signature request.
 type GenerateSignatureResponse struct {
-	KeyID            string                    `json:"keyId"`
-	Signature        []byte                    `json:"signature"`
-	SigningAlgorithm signer.SignatureAlgorithm `json:"signingAlgorithm"`
+	KeyID            string `json:"keyId"`
+	Signature        []byte `json:"signature"`
+	SigningAlgorithm string `json:"signingAlgorithm"`
 
 	// Ordered list of certificates starting with leaf certificate
 	// and ending with root certificate.
@@ -194,13 +196,11 @@ type Signature struct {
 // CriticalAttributes contains all Notary V2 defined critical
 // attributes and their values in the signature envelope
 type CriticalAttributes struct {
-	ContentType                  string                 `json:"contentType"`
-	SigningScheme                string                 `json:"signingScheme"`
-	Expiry                       *time.Time             `json:"expiry,omitempty"`
-	AuthenticSigningTime         *time.Time             `json:"authenticSigningTime,omitempty"`
-	VerificationPlugin           string                 `json:"verificationPlugin,omitempty"`
-	VerificationPluginMinVersion string                 `json:"verificationPluginMinVersion,omitempty"`
-	ExtendedAttributes           map[string]interface{} `json:"extendedAttributes,omitempty"`
+	ContentType          string                 `json:"contentType"`
+	SigningScheme        string                 `json:"signingScheme"`
+	Expiry               *time.Time             `json:"expiry,omitempty"`
+	AuthenticSigningTime *time.Time             `json:"authenticSigningTime,omitempty"`
+	ExtendedAttributes   map[string]interface{} `json:"extendedAttributes,omitempty"`
 }
 
 // TrustPolicy represents trusted identities that sign the artifacts

registry/interface.go

@@ -16,7 +16,7 @@ type SignatureRepository interface {
 	GetBlob(ctx context.Context, digest digest.Digest) ([]byte, error)
 
 	// PutSignatureManifest creates and uploads an signature artifact linking the manifest and the signature
-	PutSignatureManifest(ctx context.Context, signature []byte, manifest notation.Descriptor, annotations map[string]string) (notation.Descriptor, SignatureManifest, error)
+	PutSignatureManifest(ctx context.Context, signature []byte, signatureMediaType string, manifest notation.Descriptor, annotations map[string]string) (notation.Descriptor, SignatureManifest, error)
 }
 
 // Repository provides functions for verification and signing workflows

registry/mediatype.go

@@ -2,6 +2,3 @@ package registry
 
 // ArtifactTypeNotation specifies the artifact type for a notation object.
 const ArtifactTypeNotation = "application/vnd.cncf.notary.v2.signature"
-
-// MediaTypeNotationSignature specifies the media type for the notation signature.
-const MediaTypeNotationSignature = "application/jose+json"

registry/repository.go

@@ -92,8 +92,8 @@ func (c *RepositoryClient) GetBlob(ctx context.Context, digest digest.Digest) ([
 }
 
 // PutSignatureManifest creates and uploads an signature artifact linking the manifest and the signature
-func (c *RepositoryClient) PutSignatureManifest(ctx context.Context, signature []byte, subjectManifest notation.Descriptor, annotations map[string]string) (notation.Descriptor, SignatureManifest, error) {
-	signatureDesc, err := c.uploadSignature(ctx, signature)
+func (c *RepositoryClient) PutSignatureManifest(ctx context.Context, signature []byte, signatureMediaType string, subjectManifest notation.Descriptor, annotations map[string]string) (notation.Descriptor, SignatureManifest, error) {
+	signatureDesc, err := c.uploadSignature(ctx, signature, signatureMediaType)
 	if err != nil {
 		return notation.Descriptor{}, SignatureManifest{}, err
 	}
@@ -137,9 +137,9 @@ func (c *RepositoryClient) getArtifactManifest(ctx context.Context, manifestDige
 }
 
 // uploadSignature uploads the signature to the registry
-func (c *RepositoryClient) uploadSignature(ctx context.Context, signature []byte) (artifactspec.Descriptor, error) {
+func (c *RepositoryClient) uploadSignature(ctx context.Context, signature []byte, signatureMediaType string) (artifactspec.Descriptor, error) {
 	desc := ocispec.Descriptor{
-		MediaType: MediaTypeNotationSignature,
+		MediaType: signatureMediaType,
 		Digest:    digest.FromBytes(signature),
 		Size:      int64(len(signature)),
 	}

registry/repository_test.go

@@ -28,6 +28,7 @@ const (
 	validDigest7             = "13b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
 	validDigest8             = "57f2c47061dae97063dc46598168a80a9f89302c1f24fe2a422a1ec0aba3017a"
 	validDigest9             = "023c624b58dbbcd3c0dd82b4c53f04194d1247c6eebdaab7c610cf7d66709b3b"
+	validDigest10            = "1761e09cad8aa44e48ffb41c78371a6c139bd0df555c90b5d99739b9551c7828"
 	invalidDigest            = "invaliddigest"
 	algo                     = "sha256"
 	validDigestWithAlgo      = algo + ":" + validDigest
@@ -39,6 +40,7 @@ const (
 	validDigestWithAlgo7     = algo + ":" + validDigest7
 	validDigestWithAlgo8     = algo + ":" + validDigest8
 	validDigestWithAlgo9     = algo + ":" + validDigest9
+	validDigestWithAlgo10    = algo + ":" + validDigest10
 	validHost                = "localhost"
 	validRegistry            = validHost + ":5000"
 	invalidHost              = "badhost"
@@ -52,6 +54,7 @@ const (
 	validReference6          = validRegistry + "/" + validRepo + "@" + validDigest6
 	invalidReference         = "invalid reference"
 	joseTag                  = "application/jose+json"
+	coseTag                  = "application/cose"
 	validTimestamp           = "2022-07-29T02:23:10Z"
 	size                     = 104
 	size2                    = 135
@@ -103,14 +106,15 @@ const (
 )
 
 type args struct {
-	ctx             context.Context
-	reference       string
-	remoteClient    remote.Client
-	plainHttp       bool
-	digest          digest.Digest
-	annotations     map[string]string
-	subjectManifest notation.Descriptor
-	signature       []byte
+	ctx                context.Context
+	reference          string
+	remoteClient       remote.Client
+	plainHttp          bool
+	digest             digest.Digest
+	annotations        map[string]string
+	subjectManifest    notation.Descriptor
+	signature          []byte
+	signatureMediaType string
 }
 
 type mockRemoteClient struct {
@@ -255,6 +259,17 @@ func (c mockRemoteClient) Do(req *http.Request) (*http.Response, error) {
 				"Content-Type":          {mediaType},
 			},
 		}, nil
+	case "/v2/test/manifests/" + validDigestWithAlgo10:
+		if req.Method == "GET" {
+			return &http.Response{}, fmt.Errorf(msg)
+		}
+		return &http.Response{
+			StatusCode: http.StatusCreated,
+			Body:       io.NopCloser(bytes.NewReader([]byte(msg))),
+			Header: map[string][]string{
+				"Docker-Content-Digest": {validDigestWithAlgo10},
+			},
+		}, nil
 	case "/v2/test/blobs/uploads/":
 		switch req.Host {
 		case validRegistry:
@@ -507,7 +522,7 @@ func TestPutSignatureManifest(t *testing.T) {
 			},
 		},
 		{
-			name:      "succeed to put signature manifest",
+			name:      "succeed to put signature manifest with jws media type",
 			expectErr: false,
 			expectDes: notation.Descriptor{
 				MediaType: artifactspec.MediaTypeArtifactManifest,
@@ -531,6 +546,35 @@ func TestPutSignatureManifest(t *testing.T) {
 				annotations: map[string]string{
 					artifactspec.AnnotationArtifactCreated: validTimestamp,
 				},
+				signatureMediaType: joseTag,
+			},
+		},
+		{
+			name:      "succeed to put signature manifest with cose media type",
+			expectErr: false,
+			expectDes: notation.Descriptor{
+				MediaType: artifactspec.MediaTypeArtifactManifest,
+				Digest:    digest.Digest(validDigestWithAlgo10),
+				Size:      364,
+			},
+			expectManifest: SignatureManifest{
+				Annotations: map[string]string{
+					artifactspec.AnnotationArtifactCreated: validTimestamp,
+				},
+				Blob: notation.Descriptor{
+					MediaType: coseTag,
+					Digest:    validDigestWithAlgo5,
+				},
+			},
+			args: args{
+				reference:    validReference,
+				signature:    make([]byte, 0),
+				ctx:          context.Background(),
+				remoteClient: mockRemoteClient{},
+				annotations: map[string]string{
+					artifactspec.AnnotationArtifactCreated: validTimestamp,
+				},
+				signatureMediaType: coseTag,
 			},
 		},
 	}
@@ -540,7 +584,7 @@ func TestPutSignatureManifest(t *testing.T) {
 			ref, _ := registry.ParseReference(args.reference)
 			client := NewRepositoryClient(args.remoteClient, ref, args.plainHttp)
 
-			des, manifest, err := client.PutSignatureManifest(args.ctx, args.signature, args.subjectManifest, args.annotations)
+			des, manifest, err := client.PutSignatureManifest(args.ctx, args.signature, args.signatureMediaType, args.subjectManifest, args.annotations)
 			if (err != nil) != tt.expectErr {
 				t.Errorf("error = %v, expectErr = %v", err, tt.expectErr)
 			}