notaryproject
diff --git a/‎go.mod
+5-2 b/‎go.mod
+5-2
diff --git a/‎go.sum
+8-2 b/‎go.sum
+8-2
diff --git a/‎notation.go
+5-3 b/‎notation.go
+5-3
diff --git a/‎plugin/plugin.go
+11-12 b/‎plugin/plugin.go
+11-12
diff --git a/‎signature/algorithm.go
+159 b/‎signature/algorithm.go
+159
diff --git a/‎signature/envelope.go
+35 b/‎signature/envelope.go
+35
@@ -4,18 +4,21 @@ go 1.17
 
 require (
 	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/golang-jwt/jwt/v4 v4.4.2
-	github.com/notaryproject/notation-core-go v0.1.0-alpha.3
+	github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.2
 	github.com/oras-project/artifacts-spec v1.0.0-rc.2
+	github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83
 	oras.land/oras-go/v2 v2.0.0-rc.2
 )
 
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
 	github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 )
@@ -2,14 +2,16 @@ github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e h1:NeAW1fUYUEWhft
 github.com/Azure/go-ntlmssp v0.0.0-20220621081337-cb9428e4ac1e/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
+github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/go-asn1-ber/asn1-ber v1.5.4 h1:vXT6d/FNDiELJnLb6hGNa309LMsrCoYFvpwHDF0+Y1A=
 github.com/go-asn1-ber/asn1-ber v1.5.4/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs=
 github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
 github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/notaryproject/notation-core-go v0.1.0-alpha.3 h1:gzB+h5TGzuocWiJxuYZgE/FwUIbJyKAHfk2hWSBbCGg=
-github.com/notaryproject/notation-core-go v0.1.0-alpha.3/go.mod h1:Wfyh5SrQ718JegKPhTs7y74rXg86tWd5NfOx2uHK1nI=
+github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c h1:myIrd0sic/mu8PRt9/jvtkMmC/eVPsB2ufBGhbAM1hg=
+github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c/go.mod h1:cebNvAIpFQXqBGGJa8c13FS1ln47c5qd8E6WjeQDkAA=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -23,6 +25,10 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83 h1:g8vDfnNOPcGzg6mnlBGc0J5t5lAJkaepXqbc9qFRnFs=
+github.com/veraison/go-cose v1.0.0-rc.1.0.20220824135457-9d2fab636b83/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 
@@ -9,8 +9,8 @@ import (
 	"github.com/opencontainers/go-digest"
 )
 
-// Media type for Notary payload for OCI artifacts, which contains an artifact descriptor.
-const MediaTypePayload = "application/vnd.cncf.notary.payload.v1+json"
+// SigningAgent is the unprotected header field used by signature
+const SigningAgent = "Notation/1.0.0"
 
 // Descriptor describes the artifact that needs to be signed.
 type Descriptor struct {
@@ -65,7 +65,9 @@ type Signer interface {
 }
 
 // VerifyOptions contains parameters for Verifier.Verify.
-type VerifyOptions struct{}
+type VerifyOptions struct {
+	SignatureMediaType string
+}
 
 // Validate does basic validation on VerifyOptions.
 func (opts VerifyOptions) Validate() error {
 
@@ -3,8 +3,6 @@ package plugin
 import (
 	"context"
 	"time"
-
-	"github.com/notaryproject/notation-core-go/signer"
 )
 
 // Prefix is the prefix required on all plugin binary names.
@@ -127,17 +125,18 @@ type DescribeKeyResponse struct {
 
 	// One of following supported key types:
 	// https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection
-	KeySpec signer.KeySpec `json:"keySpec"`
+	KeySpec string `json:"keySpec"`
 }
 
 // GenerateSignatureRequest contains the parameters passed in a generate-signature request.
+// do we still need keyspec and hash?
 type GenerateSignatureRequest struct {
-	ContractVersion string               `json:"contractVersion"`
-	KeyID           string               `json:"keyId"`
-	KeySpec         signer.KeySpec       `json:"keySpec"`
-	Hash            signer.HashAlgorithm `json:"hashAlgorithm"`
-	Payload         []byte               `json:"payload"`
-	PluginConfig    map[string]string    `json:"pluginConfig,omitempty"`
+	ContractVersion string            `json:"contractVersion"`
+	KeyID           string            `json:"keyId"`
+	Payload         []byte            `json:"payload"`
+	KeySpec         string            `json:"keySpec"`
+	Hash            string            `json:"hashAlgorithm"`
+	PluginConfig    map[string]string `json:"pluginConfig,omitempty"`
 }
 
 func (GenerateSignatureRequest) Command() Command {
@@ -146,9 +145,9 @@ func (GenerateSignatureRequest) Command() Command {
 
 // GenerateSignatureResponse is the response of a generate-signature request.
 type GenerateSignatureResponse struct {
-	KeyID            string                    `json:"keyId"`
-	Signature        []byte                    `json:"signature"`
-	SigningAlgorithm signer.SignatureAlgorithm `json:"signingAlgorithm"`
+	KeyID            string `json:"keyId"`
+	Signature        []byte `json:"signature"`
+	SigningAlgorithm string `json:"signingAlgorithm"`
 
 	// Ordered list of certificates starting with leaf certificate
 	// and ending with root certificate.
 
@@ -0,0 +1,159 @@
+package signature
+
+import (
+	"errors"
+
+	"github.com/notaryproject/notation-core-go/signature"
+)
+
+// one of the following supported key spec names.
+//
+// https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection
+const (
+	RSA_2048 = "RSA-2048"
+	RSA_3072 = "RSA-3072"
+	RSA_4096 = "RSA-4096"
+	EC_256   = "EC-256"
+	EC_384   = "EC-384"
+	EC_521   = "EC-521"
+)
+
+// one of the following supported hash algorithm names.
+//
+// https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection
+const (
+	SHA_256 = "SHA-256"
+	SHA_384 = "SHA-384"
+	SHA_512 = "SHA-512"
+)
+
+// one of the following supported signing algorithm names.
+//
+// https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection
+const (
+	ECDSA_SHA_256      = "ECDSA-SHA-256"
+	ECDSA_SHA_384      = "ECDSA-SHA-384"
+	ECDSA_SHA_512      = "ECDSA-SHA-512"
+	RSASSA_PSS_SHA_256 = "RSASSA-PSS-SHA-256"
+	RSASSA_PSS_SHA_384 = "RSASSA-PSS-SHA-384"
+	RSASSA_PSS_SHA_512 = "RSASSA-PSS-SHA-512"
+)
+
+// InvalidKeySpec is the invalid value of keySpec.
+var InvalidKeySpec = signature.KeySpec{}
+
+// KeySpecName returns the name of a keySpec according to the spec.
+func KeySpecName(k signature.KeySpec) string {
+	switch k.Type {
+	case signature.KeyTypeEC:
+		switch k.Size {
+		case 256:
+			return EC_256
+		case 384:
+			return EC_384
+		case 521:
+			return EC_521
+		}
+	case signature.KeyTypeRSA:
+		switch k.Size {
+		case 2048:
+			return RSA_2048
+		case 3072:
+			return RSA_3072
+		case 4096:
+			return RSA_4096
+		}
+	}
+	return ""
+}
+
+// KeySpecHashName returns the name of hash function according to the spec.
+func KeySpecHashName(k signature.KeySpec) string {
+	switch k.Type {
+	case signature.KeyTypeEC:
+		switch k.Size {
+		case 256:
+			return SHA_256
+		case 384:
+			return SHA_384
+		case 521:
+			return SHA_512
+		}
+	case signature.KeyTypeRSA:
+		switch k.Size {
+		case 2048:
+			return SHA_256
+		case 3072:
+			return SHA_384
+		case 4096:
+			return SHA_512
+		}
+	}
+	return ""
+}
+
+// ParseKeySpecFromName parses keySpec name to a signature.keySpec type.
+func ParseKeySpecFromName(raw string) (keySpec signature.KeySpec, err error) {
+	switch raw {
+	case RSA_2048:
+		keySpec.Size = 2048
+		keySpec.Type = signature.KeyTypeRSA
+	case RSA_3072:
+		keySpec.Size = 3072
+		keySpec.Type = signature.KeyTypeRSA
+	case RSA_4096:
+		keySpec.Size = 4096
+		keySpec.Type = signature.KeyTypeRSA
+	case EC_256:
+		keySpec.Size = 256
+		keySpec.Type = signature.KeyTypeEC
+	case EC_384:
+		keySpec.Size = 384
+		keySpec.Type = signature.KeyTypeEC
+	case EC_521:
+		keySpec.Size = 521
+		keySpec.Type = signature.KeyTypeEC
+	default:
+		keySpec = InvalidKeySpec
+		err = errors.New("parse KeySpec error, keySpec not supported")
+	}
+	return
+}
+
+// SigningAlgorithmName returns the signing algorithm name of an algorithm according to the spec.
+func SigningAlgorithmName(alg signature.Algorithm) string {
+	switch alg {
+	case signature.AlgorithmES256:
+		return ECDSA_SHA_256
+	case signature.AlgorithmES384:
+		return ECDSA_SHA_384
+	case signature.AlgorithmES512:
+		return ECDSA_SHA_512
+	case signature.AlgorithmPS256:
+		return RSASSA_PSS_SHA_256
+	case signature.AlgorithmPS384:
+		return RSASSA_PSS_SHA_384
+	case signature.AlgorithmPS512:
+		return RSASSA_PSS_SHA_512
+	}
+	return ""
+}
+
+// ParseSigningAlgorithFromName parses the signing algorithm name from a given string.
+func ParseSigningAlgorithFromName(raw string) (signature.Algorithm, error) {
+	switch raw {
+	case ECDSA_SHA_256:
+		return signature.AlgorithmES256, nil
+	case ECDSA_SHA_384:
+		return signature.AlgorithmES384, nil
+	case ECDSA_SHA_512:
+		return signature.AlgorithmES512, nil
+	case RSASSA_PSS_SHA_256:
+		return signature.AlgorithmPS256, nil
+	case RSASSA_PSS_SHA_384:
+		return signature.AlgorithmPS384, nil
+	case RSASSA_PSS_SHA_512:
+		return signature.AlgorithmPS512, nil
+	}
+	return 0, errors.New("parse Signing algorithm error, signing algorithm not supported")
+}
@@ -0,0 +1,35 @@
+package signature
+
+import (
+	"errors"
+
+	"github.com/notaryproject/notation-core-go/signature"
+	"github.com/notaryproject/notation-core-go/signature/cose"
+	"github.com/notaryproject/notation-core-go/signature/jws"
+	gcose "github.com/veraison/go-cose"
+)
+
+// GuessSignatureEnvelopeFormat guesses envelope format by looping all builtin envelope format.
+//
+// TODO: need a better way to inspect the type of envelope.
+func GuessSignatureEnvelopeFormat(raw []byte) (string, error) {
+	var msg gcose.Sign1Message
+	if err := msg.UnmarshalCBOR(raw); err == nil {
+		return cose.MediaTypeEnvelope, nil
+	}
+	if len(raw) == 0 || raw[0] != '{' {
+		// very certain
+		return "", errors.New("unsupported signature format")
+	}
+	return jws.MediaTypeEnvelope, nil
+}
+
+// ValidateEnvelopeMediaType validetes envelope media type is supported by notation-core-go.
+func ValidateEnvelopeMediaType(mediaType string) error {
+	for _, types := range signature.RegisteredEnvelopeTypes() {
+		if mediaType == types {
+			return nil
+		}
+	}
+	return errors.New("signing mediaTypeEnvelope invalid")
+}