From 95c089b0529515045608ce3b9394c6ee73557693 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Thu, 21 Nov 2024 13:53:18 +0800
Subject: [PATCH 1/5] timestamping
Signed-off-by: Patrick Zheng
---
 go.mod | 2 ++
 go.sum | 4 ++--
 notation.go | 6 ++++++
 signer/signer.go | 13 +++++++------
 4 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/go.mod b/go.mod
index 71bdf92e..4a644e2b 100644
--- a/go.mod
+++ b/go.mod
@@ -24,3 +24,5 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 golang.org/x/sync v0.6.0 // indirect
 )
+
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20241121052224-0fcd11654a68
diff --git a/go.sum b/go.sum
index deea61a7..9ed17ea5 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/Two-Hearts/notation-core-go v0.0.0-20241121052224-0fcd11654a68 h1:SnQGrOkslzR0yh36nUtrIXXCy8radd+4NfufX4E1Ey0=
+github.com/Two-Hearts/notation-core-go v0.0.0-20241121052224-0fcd11654a68/go.mod h1:Umjn4NKGmuHpVffMgKVcUnArNG3Qtd3duKYpPILUBg4=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -32,8 +34,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1.0.20241112001243-33af15a18954 h1:UbjH/ePjxU8jcYMca9NVYqU8Qcr7pP1SKDWCxl++ToA=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1.0.20241112001243-33af15a18954/go.mod h1:phjvE2bqHsLfJMqMUYqRCqNIH3TQ4GCcFQuEVyQTpDg=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c h1:bX6gGxFw9+DShmYTgbD+vr6neF1SoXIMUU2fDgdLsfA=
diff --git a/notation.go b/notation.go
index 85c25f8f..ae2b39ba 100644
--- a/notation.go
+++ b/notation.go
@@ -31,6 +31,7 @@ import (
 orasRegistry "oras.land/oras-go/v2/registry"
 "oras.land/oras-go/v2/registry/remote"
+ "github.com/notaryproject/notation-core-go/revocation"
 "github.com/notaryproject/notation-core-go/signature"
 "github.com/notaryproject/notation-core-go/signature/cose"
 "github.com/notaryproject/notation-core-go/signature/jws"
@@ -69,6 +70,11 @@ type SignerSignOptions struct {
 // TSARootCAs is the cert pool holding caller's TSA trust anchor
 TSARootCAs *x509.CertPool
+
+ // RevocationTimestampingValidator is used for verifying revocation of // timestamping certificate chain with context after signing. // When present, only used when timestamping is performed.
+ RevocationTimestampingValidator revocation.Validator
 }
 // Signer is a generic interface for signing an OCI artifact.
diff --git a/signer/signer.go b/signer/signer.go
index 740a5dab..6d53c1f4 100644
--- a/signer/signer.go
+++ b/signer/signer.go
@@ -124,12 +124,13 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 ContentType: envelope.MediaTypePayloadV1,
 Content: payloadBytes,
 },
- Signer: s.signer,
- SigningTime: time.Now(),
- SigningScheme: signature.SigningSchemeX509,
- SigningAgent: signingAgentId,
- Timestamper: opts.Timestamper,
- TSARootCAs: opts.TSARootCAs,
+ Signer: s.signer,
+ SigningTime: time.Now(),
+ SigningScheme: signature.SigningSchemeX509,
+ SigningAgent: signingAgentId,
+ Timestamper: opts.Timestamper,
+ TSARootCAs: opts.TSARootCAs,
+ RevocationTimestampingValidator: opts.RevocationTimestampingValidator,
 }
 // Add expiry only if ExpiryDuration is not zero
From d71c67f31b1dd2aa0013e57c3b211b644b054d97 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Mon, 25 Nov 2024 19:06:34 +0800
Subject: [PATCH 2/5] update
Signed-off-by: Patrick Zheng
---
 go.mod | 2 +-
 go.sum | 4 ++--
 notation.go | 4 ++--
 signer/signer.go | 14 +++++++-------
 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/go.mod b/go.mod
index 4a644e2b..6fc0fb10 100644
--- a/go.mod
+++ b/go.mod
@@ -25,4 +25,4 @@ require (
 golang.org/x/sync v0.6.0 // indirect
 )
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20241121052224-0fcd11654a68
+replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20241125110326-106e8214d4ad
diff --git a/go.sum b/go.sum
index 9ed17ea5..d7789649 100644
--- a/go.sum
+++ b/go.sum
@@ -1,7 +1,7 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20241121052224-0fcd11654a68 h1:SnQGrOkslzR0yh36nUtrIXXCy8radd+4NfufX4E1Ey0=
-github.com/Two-Hearts/notation-core-go v0.0.0-20241121052224-0fcd11654a68/go.mod h1:Umjn4NKGmuHpVffMgKVcUnArNG3Qtd3duKYpPILUBg4=
+github.com/Two-Hearts/notation-core-go v0.0.0-20241125110326-106e8214d4ad h1:s5vniqkDwVpAJpKj0yDK/ah1NlYCZWccFm0TjT1qoVs=
+github.com/Two-Hearts/notation-core-go v0.0.0-20241125110326-106e8214d4ad/go.mod h1:Umjn4NKGmuHpVffMgKVcUnArNG3Qtd3duKYpPILUBg4=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
diff --git a/notation.go b/notation.go
index ae2b39ba..a033918b 100644
--- a/notation.go
+++ b/notation.go
@@ -71,10 +71,10 @@ type SignerSignOptions struct {
 // TSARootCAs is the cert pool holding caller's TSA trust anchor
 TSARootCAs *x509.CertPool
- // RevocationTimestampingValidator is used for verifying revocation of
+ // TSARevocationValidator is used for verifying revocation of
 // timestamping certificate chain with context after signing.
 // When present, only used when timestamping is performed.
- RevocationTimestampingValidator revocation.Validator
+ TSARevocationValidator revocation.Validator
 }
 // Signer is a generic interface for signing an OCI artifact.
diff --git a/signer/signer.go b/signer/signer.go
index 6d53c1f4..2a9b9371 100644
--- a/signer/signer.go
+++ b/signer/signer.go
@@ -124,13 +124,13 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 ContentType: envelope.MediaTypePayloadV1,
 Content: payloadBytes,
 },
- Signer: s.signer,
- SigningTime: time.Now(),
- SigningScheme: signature.SigningSchemeX509,
- SigningAgent: signingAgentId,
- Timestamper: opts.Timestamper,
- TSARootCAs: opts.TSARootCAs,
- RevocationTimestampingValidator: opts.RevocationTimestampingValidator,
+ Signer: s.signer,
+ SigningTime: time.Now(),
+ SigningScheme: signature.SigningSchemeX509,
+ SigningAgent: signingAgentId,
+ Timestamper: opts.Timestamper,
+ TSARootCAs: opts.TSARootCAs,
+ TSARevocationValidator: opts.TSARevocationValidator,
 }
 // Add expiry only if ExpiryDuration is not zero
From 3fbc3765ec46221f1d77811f55ff1de12e963aea Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 29 Nov 2024 11:16:52 +0800
Subject: [PATCH 3/5] timestamping with revocation check
Signed-off-by: Patrick Zheng
---
 example_signWithTimestmap_test.go | 17 ++++++++++++++---
 go.mod | 4 +---
 go.sum | 4 ++--
 notation.go | 4 ++--
 signer/signer.go | 9 ++++++---
 5 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/example_signWithTimestmap_test.go b/example_signWithTimestmap_test.go
index 8e0ebe5c..ef4eeb47 100644
--- a/example_signWithTimestmap_test.go
+++ b/example_signWithTimestmap_test.go
@@ -21,6 +21,8 @@ import (
 "oras.land/oras-go/v2/registry/remote"
+ "github.com/notaryproject/notation-core-go/revocation"
+ "github.com/notaryproject/notation-core-go/revocation/purpose"
 "github.com/notaryproject/notation-core-go/testhelper"
 "github.com/notaryproject/notation-go"
 "github.com/notaryproject/notation-go/registry"
@@ -77,12 +79,21 @@ func Example_signWithTimestamp() {
 tsaRootCAs := x509.NewCertPool()
 tsaRootCAs.AddCert(tsaRootCert)
+ // enable timestamping certificate chain revocation check
+ tsaRevocationValidator, err := revocation.NewWithOptions(revocation.Options{
+ CertChainPurpose: purpose.Timestamping,
+ })
+ if err != nil {
+ panic(err) // Handle error
+ }
+
 // exampleSignOptions is an example of notation.SignOptions.
 exampleSignOptions := notation.SignOptions{
 SignerSignOptions: notation.SignerSignOptions{
- SignatureMediaType: exampleSignatureMediaType,
- Timestamper: httpTimestamper,
- TSARootCAs: tsaRootCAs,
+ SignatureMediaType: exampleSignatureMediaType,
+ Timestamper: httpTimestamper,
+ TSARootCAs: tsaRootCAs,
+ TSARevocationValidator: tsaRevocationValidator,
 },
 ArtifactReference: exampleArtifactReference,
 }
diff --git a/go.mod b/go.mod
index 6fc0fb10..500bf084 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.22.0
 require (
 github.com/go-ldap/ldap/v3 v3.4.8
- github.com/notaryproject/notation-core-go v1.2.0-rc.1.0.20241112001243-33af15a18954
+ github.com/notaryproject/notation-core-go v1.2.0-rc.1.0.20241129024749-95d89543c9f9
 github.com/notaryproject/notation-plugin-framework-go v1.0.0
 github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c
 github.com/opencontainers/go-digest v1.0.0
@@ -24,5 +24,3 @@ require (
 github.com/x448/float16 v0.8.4 // indirect
 golang.org/x/sync v0.6.0 // indirect
 )
-
-replace github.com/notaryproject/notation-core-go => github.com/Two-Hearts/notation-core-go v0.0.0-20241125110326-106e8214d4ad
diff --git a/go.sum b/go.sum
index d7789649..887c93a4 100644
--- a/go.sum
+++ b/go.sum
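Review bot: The example enables the TSA revocation check without telling readers what that adds to the signing path: a revocation.Validator built this way presumably performs OCSP and/or CRL lookups against the endpoints named in the TSA's certificate chain, so signing now depends on outbound access to those endpoints and on their latency and availability, on top of the timestamp server itself. I would extend the comment above the constructor to say so, e.g. `// enable timestamping certificate chain revocation check; this performs revocation lookups (OCSP/CRL) on the TSA chain during signing and so needs network access to those endpoints`, so that someone copying the example into a build pipeline knows to budget for that failure mode. The `panic(err) // Handle error` form matches the file's existing style, so nothing to change there. Example_signWithTimestamp continues outside this hunk.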
@@ -1,7 +1,5 @@
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
-github.com/Two-Hearts/notation-core-go v0.0.0-20241125110326-106e8214d4ad h1:s5vniqkDwVpAJpKj0yDK/ah1NlYCZWccFm0TjT1qoVs=
-github.com/Two-Hearts/notation-core-go v0.0.0-20241125110326-106e8214d4ad/go.mod h1:Umjn4NKGmuHpVffMgKVcUnArNG3Qtd3duKYpPILUBg4=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -34,6 +32,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/notaryproject/notation-core-go v1.2.0-rc.1.0.20241129024749-95d89543c9f9 h1:FURo9xpGLKmghWCcWypCPQTlcOGKxzayeXacGfb8WUU=
+github.com/notaryproject/notation-core-go v1.2.0-rc.1.0.20241129024749-95d89543c9f9/go.mod h1:Umjn4NKGmuHpVffMgKVcUnArNG3Qtd3duKYpPILUBg4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
 github.com/notaryproject/tspclient-go v0.2.1-0.20241030015323-90a141e7525c h1:bX6gGxFw9+DShmYTgbD+vr6neF1SoXIMUU2fDgdLsfA=
diff --git a/notation.go b/notation.go
index a033918b..3cf306d3 100644
--- a/notation.go
+++ b/notation.go
@@ -71,8 +71,8 @@ type SignerSignOptions struct {
 // TSARootCAs is the cert pool holding caller's TSA trust anchor
 TSARootCAs *x509.CertPool
- // TSARevocationValidator is used for verifying revocation of
- // timestamping certificate chain with context after signing.
+ // TSARevocationValidator is used for validating revocation status of
+ // timestamping certificate chain with context during signing.
 // When present, only used when timestamping is performed.
 TSARevocationValidator revocation.Validator
 }
diff --git a/signer/signer.go b/signer/signer.go
index 2a9b9371..276049ff 100644
--- a/signer/signer.go
+++ b/signer/signer.go
@@ -106,7 +106,6 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 if err != nil {
 return nil, nil, fmt.Errorf("envelope payload can't be marshalled: %w", err)
 }
-
 var signingAgentId string
 if opts.SigningAgent != "" {
 signingAgentId = opts.SigningAgent
@@ -144,6 +143,12 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 logger.Debugf(" Expiry: %v", signReq.Expiry)
 logger.Debugf(" SigningScheme: %v", signReq.SigningScheme)
 logger.Debugf(" SigningAgent: %v", signReq.SigningAgent)
+ if signReq.Timestamper != nil {
+ logger.Debug("Enabled timestamping")
+ if signReq.TSARevocationValidator != nil {
+ logger.Debug("Enabled timestamping certificate chain revocation check")
+ }
+ }
 // Add ctx to the SignRequest
 signReq = signReq.WithContext(ctx)
@@ -153,12 +158,10 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
 if err != nil {
 return nil, nil, err
 }
-
 sig, err := sigEnv.Sign(signReq)
 if err != nil {
 return nil, nil, err
 }
-
 envContent, err := sigEnv.Verify()
 if err != nil {
 return nil, nil, fmt.Errorf("generated signature failed verification: %v", err)
From 2cc9c4b677793fc4090085b0430555f4edb86c31 Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 29 Nov 2024 11:36:20 +0800
Subject: [PATCH 4/5] update
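Review bot: The reworded doc comment on TSARevocationValidator still describes only the non-nil case, and nil is the security-relevant default: with Timestamper set and this field nil, the timestamp token's certificate chain is presumably verified against TSARootCAs with no revocation check at all, so a revoked TSA certificate would still produce an accepted timestamp. I would state that explicitly, e.g. `// If nil, no revocation check is performed on the timestamping certificate chain.` It would also help to say that the validator must be built for the timestamping purpose, as the example in this series does with `purpose.Timestamping`, since that is a separate choice the caller has to get right. The phrase "with context during signing" is ambiguous; if it refers to the ctx passed to Sign, `// using the context passed to Sign` says that plainly.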
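Review bot: The new debug block in Sign reports only the enabled combinations, so a caller who sets TSARevocationValidator without a Timestamper gets no indication that the validator is silently ignored, and an operator reading logs cannot tell "timestamping without revocation checking" apart from a misconfiguration. I would add an else branch on the outer if, `} else if signReq.TSARevocationValidator != nil {` / `logger.Debug("TSARevocationValidator set but no Timestamper; revocation check skipped")` / `}`, and log the Timestamper-set-but-validator-nil case inside the outer branch as well, since that is the path where the TSA chain goes unchecked and the absence is what a reviewer of the logs needs to see. Whether a set-but-unused validator should be rejected as an error rather than logged is an API decision the commit does not address. Sign starts and ends outside this hunk.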
Signed-off-by: Patrick Zheng
---
 signer/signer_test.go | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/signer/signer_test.go b/signer/signer_test.go
index fd1f4fb5..c497623d 100644
--- a/signer/signer_test.go
+++ b/signer/signer_test.go
@@ -30,6 +30,8 @@ import (
 "testing"
 "time"
+ "github.com/notaryproject/notation-core-go/revocation"
+ "github.com/notaryproject/notation-core-go/revocation/purpose"
 "github.com/notaryproject/notation-core-go/signature"
 _ "github.com/notaryproject/notation-core-go/signature/cose"
 _ "github.com/notaryproject/notation-core-go/signature/jws"
@@ -257,6 +259,27 @@ func TestSignWithTimestamping(t *testing.T) {
 if err == nil || err.Error() != expectedErrMsg {
 t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
 }
+
+ // timestamping with unknown authority
+ desc, sOpts = generateSigningContent()
+ sOpts.SignatureMediaType = envelopeType
+ sOpts.Timestamper, err = tspclient.NewHTTPTimestamper(nil, rfc3161URL)
+ if err != nil {
+ t.Fatal(err)
+ }
+ sOpts.TSARootCAs = x509.NewCertPool()
+ tsaRevocationValidator, err := revocation.NewWithOptions(revocation.Options{
+ CertChainPurpose: purpose.Timestamping,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+ sOpts.TSARevocationValidator = tsaRevocationValidator
+ _, _, err = s.Sign(ctx, desc, sOpts)
+ expectedErrMsg = "timestamp: failed to verify signed token: cms verification failure: x509: certificate signed by unknown authority"
+ if err == nil || err.Error() != expectedErrMsg {
+ t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
+ }
 }
 func TestSignBlobWithCertChain(t *testing.T) {
From 9aa32c2d150d4f045b544fe69ebba7110613e00e Mon Sep 17 00:00:00 2001
From: Patrick Zheng
Date: Fri, 29 Nov 2024 11:37:41 +0800
Subject: [PATCH 5/5] update
Signed-off-by: Patrick Zheng
---
 .github/.codecov.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/.codecov.yml b/.github/.codecov.yml
index cb44908a..56e810e1 100644
--- a/.github/.codecov.yml
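Review bot: The new case in TestSignWithTimestamping does not exercise the revocation path this series adds: with `sOpts.TSARootCAs = x509.NewCertPool()` the timestamp token presumably fails chain verification ("certificate signed by unknown authority") before any revocation lookup runs, so the `sOpts.TSARevocationValidator = tsaRevocationValidator` assignment has no observable effect and the assertions would pass unchanged with it removed. Pinning the new behavior needs a case that trusts the TSA root and then supplies a validator (or an OCSP/CRL source behind it) that reports the chain as revoked, asserting that Sign refuses the timestamp; as written, the comment `// timestamping with unknown authority` is accurate but describes coverage the file already has. Matching the full error string, including Go's x509 message, is also brittle across Go versions, though it follows the exact-match style of the existing cases visible just above; `strings.Contains(err.Error(), "certificate signed by unknown authority")` would survive upstream wording changes. TestSignWithTimestamping starts outside this hunk.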
+++ b/.github/.codecov.yml
@@ -14,5 +14,8 @@ coverage:
 status:
 project:
+ default:
+ target: 80%
+ patch:
 default:
 target: 80%
\ No newline at end of file