From e55832d375c455dab9376848e95e53fa392de0cd Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Mon, 13 Nov 2023 02:07:38 +0000
Subject: [PATCH] incorporate code reviews
Signed-off-by: Reinhard Tartler
---
 signature/fulcio_cert.go | 3 ++
 signature/fulcio_cert_stub.go | 28 +++++++++++++++++++
 signature/fulcio_cert_test.go | 3 ++
 signature/internal/rekor_set.go | 3 ++
 signature/internal/rekor_set_stub.go | 15 ++++++++++
 signature/internal/rekor_set_test.go | 3 ++
 signature/policy_eval_sigstore_test.go | 3 ++
 .../fulcio/{no_fulcio.go => fulcio_stub.go} | 6 ++--
 .../rekor/{no_rekor.go => rekor_stub.go} | 2 +-
 9 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 signature/fulcio_cert_stub.go
 create mode 100644 signature/internal/rekor_set_stub.go
 rename signature/sigstore/fulcio/{no_fulcio.go => fulcio_stub.go} (92%)
 rename signature/sigstore/rekor/{no_rekor.go => rekor_stub.go} (85%)
diff --git a/signature/fulcio_cert.go b/signature/fulcio_cert.go
index ef5d3df6f0..c11fa46a9d 100644
--- a/signature/fulcio_cert.go
+++ b/signature/fulcio_cert.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature
 
 import (
diff --git a/signature/fulcio_cert_stub.go b/signature/fulcio_cert_stub.go
new file mode 100644
index 0000000000..ee79b031dd
--- /dev/null
+++ b/signature/fulcio_cert_stub.go
@@ -0,0 +1,28 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package signature
+
+import (
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/x509"
+ "errors"
+)
+
+type fulcioTrustRoot struct {
+ caCertificates *x509.CertPool
+ oidcIssuer string
+ subjectEmail string
+}
+
+func (f *fulcioTrustRoot) validate() error {
+ return errors.New("fulcio disabled at compile-time")
+}
+
+func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte,
+ untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string,
+ untrustedPayloadBytes []byte) (crypto.PublicKey, error) {
+ return nil, errors.New("fulcio diabled at compile-time")
+
+}
diff --git a/signature/fulcio_cert_test.go b/signature/fulcio_cert_test.go
index e283ae45a0..ccf619f4d0 100644
--- a/signature/fulcio_cert_test.go
+++ b/signature/fulcio_cert_test.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature
 
 import (
diff --git a/signature/internal/rekor_set.go b/signature/internal/rekor_set.go
index d439b5f7a7..d86e98a45b 100644
--- a/signature/internal/rekor_set.go
+++ b/signature/internal/rekor_set.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal
 
 import (
diff --git a/signature/internal/rekor_set_stub.go b/signature/internal/rekor_set_stub.go
new file mode 100644
index 0000000000..7c121cc2ee
--- /dev/null
+++ b/signature/internal/rekor_set_stub.go
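Review bot: The error string returned by verifyRekorFulcio is misspelled (`"fulcio diabled at compile-time"`) and so differs from the one validate() returns a few lines above, which is exactly the kind of message drift the rest of this commit is cleaning up. Hoist the message into one package-level sentinel, `var errFulcioStubbed = errors.New("fulcio disabled at compile-time")`, and `return errFulcioStubbed` / `return nil, errFulcioStubbed` from both functions; callers and tests can then match it with errors.Is instead of string comparison, and the wording can be aligned with the sigstore stubs' "disabled at compile time". Both stubs do fail closed — no signature that needs Fulcio can ever verify in this build, since verifyRekorFulcio never yields a public key — and that contract deserves a file-level comment, e.g. `// Stub selected by the containers_image_fulcio_stub build tag: every Fulcio verification path returns an error, so a policy requirement that depends on Fulcio rejects all signatures.` The blank line before the closing brace of verifyRekorFulcio is gofmt-clean but looks like a leftover.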
@@ -0,0 +1,15 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package internal
+
+import (
+ "crypto/ecdsa"
+ "time"
+)
+
+// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data.
+// Returns bundle upload time on success.
+func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) {
+ return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time")
+}
diff --git a/signature/internal/rekor_set_test.go b/signature/internal/rekor_set_test.go
index 0cc8483d4a..0040b7b4c2 100644
--- a/signature/internal/rekor_set_test.go
+++ b/signature/internal/rekor_set_test.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal
 
 import (
diff --git a/signature/policy_eval_sigstore_test.go b/signature/policy_eval_sigstore_test.go
index f4dd11368e..b460071237 100644
--- a/signature/policy_eval_sigstore_test.go
+++ b/signature/policy_eval_sigstore_test.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 // Policy evaluation for prCosignSigned.
 
 package signature
diff --git a/signature/sigstore/fulcio/no_fulcio.go b/signature/sigstore/fulcio/fulcio_stub.go
similarity index 92%
rename from signature/sigstore/fulcio/no_fulcio.go
rename to signature/sigstore/fulcio/fulcio_stub.go
index ec901154b6..4f4d435c1d 100644
--- a/signature/sigstore/fulcio/no_fulcio.go
+++ b/signature/sigstore/fulcio/fulcio_stub.go
@@ -13,7 +13,7 @@ import (
 
 func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
 return func(s *internal.SigstoreSigner) error {
- return fmt.Errorf("Fulcio disabled at compile time")
+ return fmt.Errorf("fulcio disabled at compile time")
 }
 }
 
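Review bot: The doc comment on the stub VerifyRekorSET is copied from the real implementation and promises a verification and a bundle upload time that this body never produces; replace it with `// VerifyRekorSET is the containers_image_rekor_stub replacement: it performs no verification and always fails, so any signature that carries a Rekor SET is rejected in this build.` Returning a NewInvalidSignatureError also reports a build-configuration condition as a bad signature; if callers distinguish that error type from other failures (not visible from this hunk), a plain error would give operators a clearer diagnosis, though either choice fails closed. Keeping the error text in step with the Fulcio stub ("compile-time" here, "compile time"/"build time" in the sigstore stubs) would make the condition easier to grep for in logs.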
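Review bot: This test file is now excluded only under containers_image_fulcio_stub, but the Rekor stub is selected by a separate tag; if the prCosignSigned cases here also exercise Rekor SETs (likely given the file comment, though not visible in the hunk), a build with only containers_image_rekor_stub will still compile this test and then fail it against the always-erroring stub. Consider constraining it on both tags, `//go:build !containers_image_fulcio_stub && !containers_image_rekor_stub` with the matching `// +build !containers_image_fulcio_stub,!containers_image_rekor_stub`, or moving the Rekor-dependent cases into a file that carries the Rekor constraint.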
@@ -24,7 +24,7 @@ func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string)
 
 func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string, interactiveOutput io.Writer) internal.Option {
 return func(s *internal.SigstoreSigner) error {
- return fmt.Errorf("Fulcio disabled at compile time")
+ return fmt.Errorf("fulcio disabled at compile time")
 }
 }
 
@@ -40,6 +40,6 @@ func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL
 
 func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string, interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
 return func(s *internal.SigstoreSigner) error {
- return fmt.Errorf("Fulcio disabled at compile time")
+ return fmt.Errorf("fulcio disabled at compile time")
 }
 }
diff --git a/signature/sigstore/rekor/no_rekor.go b/signature/sigstore/rekor/rekor_stub.go
similarity index 85%
rename from signature/sigstore/rekor/no_rekor.go
rename to signature/sigstore/rekor/rekor_stub.go
index 8957a87331..d61926530f 100644
--- a/signature/sigstore/rekor/no_rekor.go
+++ b/signature/sigstore/rekor/rekor_stub.go
@@ -12,6 +12,6 @@ import (
 
 func WithRekor(rekorURL *url.URL) signerInternal.Option {
 return func(s *signerInternal.SigstoreSigner) error {
- return fmt.Errorf("Rekor disabled at build time")
+ return fmt.Errorf("rekor disabled at build time")
 }
 }