refactor:support new signer interface

Signed-off-by: zaihaoyin <[email protected]>

Author: zaihaoyin

go.mod

@@ -4,7 +4,7 @@ go 1.18
 
 require (
 	github.com/go-ldap/ldap/v3 v3.4.4
-	github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c
+	github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921042126-b9264de6f2c9
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.2
 	github.com/oras-project/artifacts-spec v1.0.0-rc.2

go.sum

@@ -10,8 +10,8 @@ github.com/go-ldap/ldap/v3 v3.4.4 h1:qPjipEpt+qDa6SI/h1fzuGWoRUY+qqQ9sOZq67/PYUs
 github.com/go-ldap/ldap/v3 v3.4.4/go.mod h1:fe1MsuN5eJJ1FeLT/LEBVdWfNWKh459R7aXgXtJC+aI=
 github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c h1:myIrd0sic/mu8PRt9/jvtkMmC/eVPsB2ufBGhbAM1hg=
-github.com/notaryproject/notation-core-go v0.0.0-20220907034926-8cdaf86b4d7c/go.mod h1:cebNvAIpFQXqBGGJa8c13FS1ln47c5qd8E6WjeQDkAA=
+github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921042126-b9264de6f2c9 h1:XX6d8zEwuW+TLzxU1bGJ16fS2w8SWf5udR8Lt6n7+fQ=
+github.com/notaryproject/notation-core-go v0.1.0-alpha.3.0.20220921042126-b9264de6f2c9/go.mod h1:mM4M9wPdu0CGgh8f3wOcu0XMiXwEKWQurjBG4nmqQ4g=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 h1:Oumw+lPnO8qNLTY2mrqPJZMoGExLi/0h/DdikoLTXVU=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86/go.mod h1:aA4vdXRS8E1TG7pLZOz85InHi3BiPdErh8IpJN6E0x4=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=

internal/mock/mocks.go

@@ -1,12 +1,10 @@
 package mock
 
 import (
+	"context"
 	_ "embed"
-	nsigner "github.com/notaryproject/notation-core-go/signer"
-)
 
-import (
-	"context"
+	"github.com/notaryproject/notation-core-go/signature"
 	"github.com/notaryproject/notation-go"
 	"github.com/notaryproject/notation-go/plugin"
 	"github.com/notaryproject/notation-go/plugin/manager"
@@ -54,7 +52,7 @@ var (
 		Size:        100,
 		Annotations: Annotations,
 	}
-	PluginExtendedCriticalAttribute = nsigner.Attribute{
+	PluginExtendedCriticalAttribute = signature.Attribute{
 		Key:      "SomeKey",
 		Critical: true,
 		Value:    "SomeValue",

notation.go

@@ -9,8 +9,13 @@ import (
 	"github.com/opencontainers/go-digest"
 )
 
-// SigningAgent is the unprotected header field used by signature
-const SigningAgent = "Notation/1.0.0"
+const (
+	// SigningAgent is the unprotected header field used by signature
+	SigningAgent = "Notation/1.0.0"
+
+	// MediaTypePayloadV1 is the supported content type for signature's payload.
+	MediaTypePayloadV1 = "application/vnd.cncf.notary.payload.v1+json"
+)
 
 // Descriptor describes the artifact that needs to be signed.
 type Descriptor struct {

signature/envelope.go

@@ -4,19 +4,20 @@ import (
 	"errors"
 
 	"github.com/notaryproject/notation-core-go/signature"
-	"github.com/notaryproject/notation-core-go/signature/cose"
+	// "github.com/notaryproject/notation-core-go/signature/cose"
+
 	"github.com/notaryproject/notation-core-go/signature/jws"
-	gcose "github.com/veraison/go-cose"
 )
 
 // GuessSignatureEnvelopeFormat guesses envelope format by looping all builtin envelope format.
 //
-// TODO: need a better way to inspect the type of envelope.
+// TODO: find a better way to inspect the type of envelope.
+// TODO: support inspecting cose format
 func GuessSignatureEnvelopeFormat(raw []byte) (string, error) {
-	var msg gcose.Sign1Message
-	if err := msg.UnmarshalCBOR(raw); err == nil {
-		return cose.MediaTypeEnvelope, nil
-	}
+	// var msg gcose.Sign1Message
+	// if err := msg.UnmarshalCBOR(raw); err == nil {
+	// 	return cose.MediaTypeEnvelope, nil
+	// }
 	if len(raw) == 0 || raw[0] != '{' {
 		// very certain
 		return "", errors.New("unsupported signature format")

signature/envelope_test.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/notaryproject/notation-core-go/signature/cose"
 	"github.com/notaryproject/notation-core-go/signature/jws"
 	gcose "github.com/veraison/go-cose"
 )
@@ -50,12 +49,12 @@ func TestGuessSignatureEnvelopeFormat(t *testing.T) {
 			expectedType: jws.MediaTypeEnvelope,
 			expectedErr:  nil,
 		},
-		{
-			name:         "cose signature media type",
-			raw:          validCoseSignatureEnvelope,
-			expectedType: cose.MediaTypeEnvelope,
-			expectedErr:  nil,
-		},
+		// {
+		// 	name:         "cose signature media type",
+		// 	raw:          validCoseSignatureEnvelope,
+		// 	expectedType: cose.MediaTypeEnvelope,
+		// 	expectedErr:  nil,
+		// },
 		{
 			name:         "invalid signature media type",
 			raw:          invalidSignatureEnvelope,
@@ -87,11 +86,11 @@ func TestValidateEnvelopeMediaType(t *testing.T) {
 			mediaType:   jws.MediaTypeEnvelope,
 			expectedErr: nil,
 		},
-		{
-			name:        "cose signature media type",
-			mediaType:   cose.MediaTypeEnvelope,
-			expectedErr: nil,
-		},
+		// {
+		// 	name:        "cose signature media type",
+		// 	mediaType:   cose.MediaTypeEnvelope,
+		// 	expectedErr: nil,
+		// },
 		{
 			name:        "invalid media type",
 			mediaType:   invalidMediaType,

signature/plugin.go

@@ -119,7 +119,7 @@ func (s *pluginSigner) generateSignature(ctx context.Context, desc notation.Desc
 	s.sigProvider.SetConfig(config)
 	signReq := &signature.SignRequest{
 		Payload: signature.Payload{
-			ContentType: signature.MediaTypePayloadV1,
+			ContentType: notation.MediaTypePayloadV1,
 			Content:     payloadBytes,
 		},
 		Signer:                   s.sigProvider,
@@ -144,10 +144,13 @@ func (s *pluginSigner) generateSignature(ctx context.Context, desc notation.Desc
 		return nil, err
 	}
 
-	_, _, verErr := sigEnv.Verify()
+	envContent, verErr := sigEnv.Verify()
 	if verErr != nil {
 		return nil, fmt.Errorf("signature returned by generateSignature cannot be verified: %v", verErr)
 	}
+	if err := ValidatePayload(&envContent.Payload); err != nil {
+		return nil, err
+	}
 
 	// TODO: re-enable timestamping https://github.com/notaryproject/notation-go/issues/78
 	return sig, nil
@@ -178,7 +181,7 @@ func (s *pluginSigner) generateSignatureEnvelope(ctx context.Context, desc notat
 		KeyID:                 s.keyID,
 		Payload:               payloadBytes,
 		SignatureEnvelopeType: s.envelopeMediaType,
-		PayloadType:           signature.MediaTypePayloadV1,
+		PayloadType:           notation.MediaTypePayloadV1,
 		PluginConfig:          s.mergeConfig(opts.PluginConfig),
 	}
 	out, err := s.sigProvider.Run(ctx, req)
@@ -203,13 +206,16 @@ func (s *pluginSigner) generateSignatureEnvelope(ctx context.Context, desc notat
 		return nil, err
 	}
 
-	sigPayload, _, err := sigEnv.Verify()
+	envContent, err := sigEnv.Verify()
 	if err != nil {
 		return nil, err
 	}
+	if err := ValidatePayload(&envContent.Payload); err != nil {
+		return nil, err
+	}
 
 	var signedPayload notation.Payload
-	if err = json.Unmarshal(sigPayload.Content, &signedPayload); err != nil {
+	if err = json.Unmarshal(envContent.Payload.Content, &signedPayload); err != nil {
 		return nil, fmt.Errorf("signed envelope payload can't be unmarshaled: %w", err)
 	}
 

signature/plugin_test.go

@@ -13,7 +13,6 @@ import (
 	"time"
 
 	"github.com/notaryproject/notation-core-go/signature"
-	"github.com/notaryproject/notation-core-go/signature/cose"
 	"github.com/notaryproject/notation-core-go/signature/jws"
 
 	"github.com/notaryproject/notation-go"
@@ -35,8 +34,8 @@ var (
 	invalidJwsEnvelope, _              = json.Marshal(struct{}{})
 	invalidCoseEnvelope, _             = gcose.NewSign1Message().MarshalCBOR()
 	envelopeTypeToData                 = map[string][]byte{
-		jws.MediaTypeEnvelope:  invalidJwsEnvelope,
-		cose.MediaTypeEnvelope: invalidCoseEnvelope,
+		jws.MediaTypeEnvelope: invalidJwsEnvelope,
+		// cose.MediaTypeEnvelope: invalidCoseEnvelope,
 	}
 )
 
@@ -488,12 +487,18 @@ func basicSignTest(t *testing.T, pluginSigner *pluginSigner) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	payload, signerInfo, err := env.Verify()
+	envContent, err := env.Verify()
 	if err != nil {
 		t.Fatal(err)
 	}
-	if payload.ContentType != signature.MediaTypePayloadV1 {
-		t.Fatalf("Signer.Sign() Payload content type changed, expect: %v, got: %v", payload.ContentType, signature.MediaTypePayloadV1)
+
+	if err := ValidatePayload(&envContent.Payload); err != nil {
+		t.Fatalf("verification failed. error = %v", err)
+	}
+
+	payload, signerInfo := envContent.Payload, envContent.SignerInfo
+	if payload.ContentType != notation.MediaTypePayloadV1 {
+		t.Fatalf("Signer.Sign() Payload content type changed, expect: %v, got: %v", payload.ContentType, notation.MediaTypePayloadV1)
 	}
 	var gotPayload notation.Payload
 	if err := json.Unmarshal(payload.Content, &gotPayload); err != nil {
@@ -503,7 +508,7 @@ func basicSignTest(t *testing.T, pluginSigner *pluginSigner) {
 		TargetArtifact: validSignDescriptor,
 	}
 	if !reflect.DeepEqual(expectedPayload, gotPayload) {
-		t.Fatalf("Signer.Sign() descriptor subject changed, expect: %v, got: %v", expectedPayload, *payload)
+		t.Fatalf("Signer.Sign() descriptor subject changed, expect: %v, got: %v", expectedPayload, payload)
 	}
 	if signerInfo.SignedAttributes.SigningScheme != signature.SigningSchemeX509 {
 		t.Fatalf("Signer.Sign() signing scheme changed, expect: %v, got: %v", signerInfo.SignedAttributes.SigningScheme, signature.SigningSchemeX509)
@@ -745,7 +750,7 @@ func TestPluginSigner_SignEnvelope_MalFormedEnvelope(t *testing.T) {
 				sigProvider:       p,
 				envelopeMediaType: envelopeType,
 			}
-			var expectedErr *signature.MalformedSignatureError
+			var expectedErr *signature.InvalidSignatureError
 			if _, err := signer.Sign(context.Background(), notation.Descriptor{}, notation.SignOptions{}); err == nil || !errors.As(err, &expectedErr) {
 				t.Fatalf("Signer.Sign() error = %v, want MalformedSignatureError", err)
 			}

signature/signer_test.go

@@ -321,12 +321,15 @@ func basicVerification(t *testing.T, sig []byte, envelopeType string, trust *x50
 		t.Fatalf("verification failed. error = %v", err)
 	}
 
-	_, sigInfo, vErr := sigEnv.Verify()
+	envContent, vErr := sigEnv.Verify()
 	if vErr != nil {
 		t.Fatalf("verification failed. error = %v", err)
 	}
+	if err := ValidatePayload(&envContent.Payload); err != nil {
+		t.Fatalf("verification failed. error = %v", err)
+	}
 
-	trustedCert, err := signature.VerifyAuthenticity(sigInfo, []*x509.Certificate{trust})
+	trustedCert, err := signature.VerifyAuthenticity(&envContent.SignerInfo, []*x509.Certificate{trust})
 
 	if err != nil || !trustedCert.Equal(trust) {
 		t.Fatalf("VerifyAuthenticity failed. error = %v", err)

signature/verifier.go

@@ -39,6 +39,18 @@ func NewVerifierFromFiles(certPaths []string) (*Verifier, error) {
 	return &Verifier{TrustedCerts: certs}, nil
 }
 
+func ValidatePayload(payload *signature.Payload) error {
+	switch payload.ContentType {
+	case notation.MediaTypePayloadV1:
+		if len(payload.Content) == 0 {
+			return fmt.Errorf("content not present")
+		}
+	default:
+		return fmt.Errorf("payload content type %s not supported", payload.ContentType)
+	}
+	return nil
+}
+
 // Verify verifies the signature and returns the verified descriptor and
 // metadata of the signed artifact.
 func (v *Verifier) Verify(_ context.Context, sig []byte, opts notation.VerifyOptions) (notation.Descriptor, error) {
@@ -47,19 +59,23 @@ func (v *Verifier) Verify(_ context.Context, sig []byte, opts notation.VerifyOpt
 		return notation.Descriptor{}, err
 	}
 
-	sigPayload, signerInfo, err := sigEnv.Verify()
+	envContent, err := sigEnv.Verify()
 	if err != nil {
 		return notation.Descriptor{}, err
 	}
 
-	_, authErr := signature.VerifyAuthenticity(signerInfo, v.TrustedCerts)
+	if err := ValidatePayload(&envContent.Payload); err != nil {
+		return notation.Descriptor{}, err
+	}
+
+	_, authErr := signature.VerifyAuthenticity(&envContent.SignerInfo, v.TrustedCerts)
 	if authErr != nil {
 		return notation.Descriptor{}, authErr
 	}
 
 	// TODO: validate expiry and timestamp https://github.com/notaryproject/notation-go/issues/78
 	var payload notation.Payload
-	if err = json.Unmarshal(sigPayload.Content, &payload); err != nil {
+	if err = json.Unmarshal(envContent.Payload.Content, &payload); err != nil {
 		return notation.Descriptor{}, fmt.Errorf("envelope payload can't be decoded: %w", err)
 	}
 

verification/helpers.go

@@ -3,12 +3,13 @@ package verification
 import (
 	"encoding/json"
 	"fmt"
-	nsigner "github.com/notaryproject/notation-core-go/signer"
-	"github.com/notaryproject/notation-go/dir"
 	"os"
 	"regexp"
 	"strings"
 
+	"github.com/notaryproject/notation-core-go/signature"
+	"github.com/notaryproject/notation-go/dir"
+
 	ldapv3 "github.com/go-ldap/ldap/v3"
 )
 
@@ -26,11 +27,11 @@ func loadPolicyDocument(policyDocumentPath string) (*PolicyDocument, error) {
 	return policyDocument, nil
 }
 
-func loadX509TrustStores(scheme nsigner.SigningScheme, policy *TrustPolicy, pathManager *dir.PathManager) (map[string]*X509TrustStore, error) {
+func loadX509TrustStores(scheme signature.SigningScheme, policy *TrustPolicy, pathManager *dir.PathManager) (map[string]*X509TrustStore, error) {
 	var prefixToLoad TrustStorePrefix
-	if scheme == nsigner.SigningSchemeX509 {
+	if scheme == signature.SigningSchemeX509 {
 		prefixToLoad = TrustStorePrefixCA
-	} else if scheme == nsigner.SigningSchemeX509SigningAuthority {
+	} else if scheme == signature.SigningSchemeX509SigningAuthority {
 		prefixToLoad = TrustStorePrefixSigningAuthority
 	} else {
 		return nil, fmt.Errorf("unrecognized signing scheme %q", scheme)

verification/helpers_test.go

@@ -2,12 +2,13 @@ package verification
 
 import (
 	"encoding/json"
-	nsigner "github.com/notaryproject/notation-core-go/signer"
-	"github.com/notaryproject/notation-go/dir"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strconv"
 	"testing"
+
+	"github.com/notaryproject/notation-core-go/signature"
+	"github.com/notaryproject/notation-go/dir"
 )
 
 func TestGetArtifactDigestFromUri(t *testing.T) {
@@ -46,7 +47,10 @@ func TestLoadPolicyDocument(t *testing.T) {
 	}
 	// existing invalid json file
 	path := filepath.Join(t.TempDir(), "invalid.json")
-	err = ioutil.WriteFile(path, []byte(`{"invalid`), 0644)
+	err = os.WriteFile(path, []byte(`{"invalid`), 0644)
+	if err != nil {
+		t.Fatalf("TestLoadPolicyDocument create invalid policy file failed. Error: %v", err)
+	}
 	_, err = loadPolicyDocument(path)
 	if err == nil {
 		t.Fatalf("TestLoadPolicyDocument should throw error for invalid policy file. Error: %v", err)
@@ -56,7 +60,10 @@ func TestLoadPolicyDocument(t *testing.T) {
 	path = filepath.Join(t.TempDir(), "trustpolicy.json")
 	policyDoc1 := dummyPolicyDocument()
 	policyJson, _ := json.Marshal(policyDoc1)
-	err = ioutil.WriteFile(path, policyJson, 0644)
+	err = os.WriteFile(path, policyJson, 0644)
+	if err != nil {
+		t.Fatalf("TestLoadPolicyDocument create valid policy file failed. Error: %v", err)
+	}
 	_, err = loadPolicyDocument(path)
 	if err != nil {
 		t.Fatalf("TestLoadPolicyDocument should not throw error for an existing policy file. Error: %v", err)
@@ -74,8 +81,11 @@ func TestLoadX509TrustStore(t *testing.T) {
 			dir.NewRootedFS("testdata", nil),
 		),
 	}
-	caTrustStores, err := loadX509TrustStores(nsigner.SigningSchemeX509, &dummyPolicy, path)
-	saTrustStores, err := loadX509TrustStores(nsigner.SigningSchemeX509SigningAuthority, &dummyPolicy, path)
+	caTrustStores, err := loadX509TrustStores(signature.SigningSchemeX509, &dummyPolicy, path)
+	if err != nil {
+		t.Fatalf("TestLoadX509TrustStore should not throw error for a valid trust store. Error: %v", err)
+	}
+	saTrustStores, err := loadX509TrustStores(signature.SigningSchemeX509SigningAuthority, &dummyPolicy, path)
 	if err != nil {
 		t.Fatalf("TestLoadX509TrustStore should not throw error for a valid trust store. Error: %v", err)
 	}