diff --git a/go.mod b/go.mod
index 526b7e2f48..0e73d4dec5 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,8 @@ module github.com/Microsoft/hcsshim
 go 1.18
 
 require (
+ github.com/Microsoft/cosesign1go v0.0.1
+ github.com/Microsoft/didx509go v0.0.2
 github.com/Microsoft/go-winio v0.6.1
 github.com/blang/semver/v4 v4.0.0
 github.com/cenkalti/backoff/v4 v4.2.1
@@ -15,7 +17,6 @@ require (
 github.com/containerd/typeurl/v2 v2.1.1
 github.com/google/go-cmp v0.5.9
 github.com/google/go-containerregistry v0.15.2
- github.com/lestrrat-go/jwx v1.2.26
 github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3
 github.com/mattn/go-shellwords v1.0.12
 github.com/open-policy-agent/opa v0.42.2
@@ -25,7 +26,6 @@ require (
 github.com/pkg/errors v0.9.1
 github.com/sirupsen/logrus v1.9.3
 github.com/urfave/cli v1.22.14
- github.com/veraison/go-cose v1.0.0-rc.1
 github.com/vishvananda/netlink v1.2.1-beta.2
 github.com/vishvananda/netns v0.0.4
 go.etcd.io/bbolt v1.3.7
@@ -68,6 +68,7 @@ require (
 github.com/lestrrat-go/blackmagic v1.0.1 // indirect
 github.com/lestrrat-go/httpcc v1.0.1 // indirect
 github.com/lestrrat-go/iter v1.0.2 // indirect
+ github.com/lestrrat-go/jwx v1.2.26 // indirect
 github.com/lestrrat-go/option v1.0.1 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/moby/sys/mountinfo v0.6.2 // indirect
@@ -78,6 +79,7 @@ require (
 github.com/russross/blackfriday/v2 v2.1.0 // indirect
 github.com/vbatts/tar-split v0.11.3 // indirect
 github.com/vektah/gqlparser/v2 v2.4.5 // indirect
+ github.com/veraison/go-cose v1.0.0 // indirect
 github.com/x448/float16 v0.8.4 // indirect
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
diff --git a/go.sum b/go.sum
index d3373ecb97..c4a2aed40f 100644
--- a/go.sum
+++ b/go.sum
@@ -66,6 +66,10 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= +github.com/Microsoft/cosesign1go v0.0.1 h1:Iqc4BHfK4z/kgyW3VFr1eWBMDfqwQ5lAiUfbdLn1M00= +github.com/Microsoft/cosesign1go v0.0.1/go.mod h1:fj1svfAxQeQNJ2SLaQu8mHx2rtPIsloZl065GqLF3io= +github.com/Microsoft/didx509go v0.0.2 h1:x1b3Hp1svlSgj4e4191cDtjYCgQIwQXZgudftw7VKtE= +github.com/Microsoft/didx509go v0.0.2/go.mod h1:F+msvNlKCEm3RgUE3kRpi7E+6hdR6r5PtOLWQKYfGbs= github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA= github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA= github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw= 
@@ -991,8 +995,8 @@ github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RV github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= github.com/vektah/gqlparser/v2 v2.4.5 h1:C02NsyEsL4TXJB7ndonqTfuQOL4XPIu0aAWugdmTgmc= github.com/vektah/gqlparser/v2 v2.4.5/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0= -github.com/veraison/go-cose v1.0.0-rc.1 h1:4qA7dbFJGvt7gcqv5MCIyCQvN+NpHFPkW7do3EeDLb8= -github.com/veraison/go-cose v1.0.0-rc.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= +github.com/veraison/go-cose v1.0.0 h1:Jxirc0rl3gG7wUFgW+82tBQNeK8T8e2Bk1Vd298ob4A= +github.com/veraison/go-cose v1.0.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE= github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho= diff --git a/internal/cosesign1/cosesign1util_test.go b/internal/cosesign1/cosesign1util_test.go deleted file mode 100644 index 3342b8ac7f..0000000000 --- a/internal/cosesign1/cosesign1util_test.go +++ /dev/null 
@@ -1,172 +0,0 @@
-//go:build linux
-// +build linux
-
-package cosesign1
-
-import (
- "bytes"
- "fmt"
- "os"
- "os/exec"
- "testing"
-
- "github.com/veraison/go-cose"
-)
-
-func readFileBytes(filename string) ([]byte, error) {
- content, err := os.ReadFile(filename)
- if err != nil {
- println("Error reading '" + filename + "': " + string(err.Error()))
- return nil, err
- }
- if len(content) == 0 {
- println("Warning: empty file '" + filename + "'")
- }
- return content, nil
-}
-
-func readFileBytesOrExit(filename string) []byte {
- val, err := readFileBytes(filename)
- if err != nil {
- println("failed to load from file '" + filename + "' with error " + string(err.Error()))
- os.Exit(1)
- }
- return val
-}
-
-func readFileStringOrExit(filename string) string {
- val := readFileBytesOrExit(filename)
- return string(val)
-}
-
-var fragmentRego string
-var fragmentCose []byte
-var leafPrivatePem string
-var leafCertPEM string
-var leafPubkeyPEM string
-var certChainPEM string
-
-func TestMain(m *testing.M) {
- fmt.Println("Generating files...")
-
- err := exec.Command("make", "chain.pem", "infra.rego.cose").Run()
- if err != nil {
- fmt.Fprintf(os.Stderr, "Failed to build the required test files: %s", err)
- os.Exit(1)
- }
-
- fragmentRego = readFileStringOrExit("infra.rego.base64")
- fragmentCose = readFileBytesOrExit("infra.rego.cose")
- leafPrivatePem = readFileStringOrExit("leaf.private.pem")
- leafCertPEM = readFileStringOrExit("leaf.cert.pem")
- leafPubkeyPEM = readFileStringOrExit("leaf.public.pem")
- certChainPEM = readFileStringOrExit("chain.pem")
-
- os.Exit(m.Run())
-}
-
-func comparePEMs(pk1pem string, pk2pem string) bool {
- pk1der := pem2der([]byte(pk1pem))
- pk2der := pem2der([]byte(pk2pem))
- return bytes.Equal(pk1der, pk2der)
-}
-
-func base64PublicKeyToPEM(base64Key string) string {
- begin := "-----BEGIN PUBLIC KEY-----\n"
- end := "\n-----END PUBLIC KEY-----"
-
- pemData := begin + base64Key + end
- return pemData
-}
-
-// Decode a COSE_Sign1 document and check that we get the expected payload, issuer, keys, certs etc.
-func Test_UnpackAndValidateCannedFragment(t *testing.T) {
- var unpacked *UnpackedCoseSign1
- unpacked, err := UnpackAndValidateCOSE1CertChain(fragmentCose)
-
- if err != nil {
- t.Errorf("UnpackAndValidateCOSE1CertChain failed: %s", err.Error())
- }
-
- iss := unpacked.Issuer
- feed := unpacked.Feed
- pubkey := base64PublicKeyToPEM(unpacked.Pubkey)
- pubcert := base64CertToPEM(unpacked.Pubcert)
- payload := string(unpacked.Payload[:])
- cty := unpacked.ContentType
-
- if !comparePEMs(pubkey, leafPubkeyPEM) {
- t.Fatal("pubkey did not match")
- }
- if !comparePEMs(pubcert, leafCertPEM) {
- t.Fatal("pubcert did not match")
- }
- if cty != "application/unknown+json" {
- t.Fatal("cty did not match")
- }
- if payload != fragmentRego {
- t.Fatal("payload did not match")
- }
- if iss != "TestIssuer" {
- t.Fatal("iss did not match")
- }
- if feed != "TestFeed" {
- t.Fatal("feed did not match")
- }
-}
-
-func Test_UnpackAndValidateCannedFragmentCorrupted(t *testing.T) {
- fragCose := make([]byte, len(fragmentCose))
- copy(fragCose, fragmentCose)
-
- offset := len(fragCose) / 2
- // corrupt the cose document (use the uncorrupted one as source in case we loop back to a good value)
- fragCose[offset] = fragmentCose[offset] + 1
-
- _, err := UnpackAndValidateCOSE1CertChain(fragCose)
- // expect it to fail
- if err == nil {
- t.Fatal("corrupted document passed validation")
- }
-}
-
-// Use CreateCoseSign1 to make a document that should match the one made by the makefile
-func Test_CreateCoseSign1Fragment(t *testing.T) {
- var raw, err = CreateCoseSign1([]byte(fragmentRego), "TestIssuer", "TestFeed", "application/unknown+json", []byte(certChainPEM), []byte(leafPrivatePem), "zero", cose.AlgorithmES384)
- if err != nil {
- t.Fatalf("CreateCoseSign1 failed: %s", err)
- }
-
- if len(raw) != len(fragmentCose) {
- t.Fatal("created fragment length does not match expected")
- }
-
- for i := range raw {
- if raw[i] != fragmentCose[i] {
- t.Errorf("created fragment byte offset %d does not match expected", i)
- }
- }
-}
-
-func Test_OldCose(t *testing.T) {
- filename := "esrp.test.cose"
- cose, err := readFileBytes(filename)
- if err == nil {
- _, err = UnpackAndValidateCOSE1CertChain(cose)
- }
- if err != nil {
- t.Fatalf("validation of %s failed: %s", filename, err)
- }
-}
-
-func Test_DidX509(t *testing.T) {
- chainPEMBytes, err := os.ReadFile("chain.pem")
- if err != nil {
- t.Fatalf("failed to read PEM: %s", err)
- }
- chainPEM := string(chainPEMBytes)
-
- if _, err := MakeDidX509("sha256", 1, chainPEM, "subject:CN:Test Leaf (DO NOT TRUST)", true); err != nil {
- t.Fatalf("did:x509 creation failed: %s", err)
- }
-}
diff --git a/internal/cosesign1/esrp.test.cose b/internal/cosesign1/esrp.test.cose
deleted file mode 100644
index 88d9ab9604..0000000000
Binary files a/internal/cosesign1/esrp.test.cose and /dev/null differ
diff --git a/internal/did-x509-resolver/resolver_test.go b/internal/did-x509-resolver/resolver_test.go
deleted file mode 100644
index 10f1f628c8..0000000000
--- a/internal/did-x509-resolver/resolver_test.go
+++ /dev/null
@@ -1,131 +0,0 @@ -package didx509resolver - -import ( - "os" - "testing" -) - -func checkFailed(t *testing.T, err error) { - t.Helper() - if err == nil { - t.Errorf("error: should have failed") - } -} - -func checkOk(t *testing.T, err error) { - t.Helper() - if err != nil { - t.Errorf("error: rejected valid DID: %s", err) - } -} - -func loadCertificateChain(t *testing.T, path string) string { - t.Helper() - chain, err := os.ReadFile(path) - if err != nil { - t.Errorf("error: can't read file") - } - return string(chain) -} - -func TestWrongPrefix(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "djd:y508:1:abcd::", true) - checkFailed(t, err) -} - -func TestRootCA(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:Microsoft%20Corporation", true) - checkOk(t, err) -} - -func TestIntermediateCA(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:VtqHIq_ZQGb_4eRZVHOkhUiSuEOggn1T-32PSu7R4Ys::subject:CN:Microsoft%20Corporation", true) - checkOk(t, err) -} - -func TestInvalidLeafCA(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:h::subject:CN:Microsoft%20Corporation", true) - checkFailed(t, err) -} - -func TestInvalidCA(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:abc::CN:Microsoft%20Corporation", true) - checkFailed(t, err) -} - -func TestMultiplePolicies(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.3.6.1.5.5.7.3.3::eku:1.3.6.1.4.1.311.10.3.21", true) - checkOk(t, err) -} - -func TestSubject(t 
*testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:Microsoft%20Corporation", true) - checkOk(t, err) -} - -func TestSubjectInvalidName(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:MicrosoftCorporation", true) - checkFailed(t, err) -} - -func TestSubjectDuplicateField(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::subject:CN:Microsoft%20Corporation:CN:Microsoft%20Corporation", true) - checkFailed(t, err) -} - -func TestSAN(t *testing.T) { - chain := loadCertificateChain(t, "test-data/fulcio-email.pem") - _, err := Resolve(chain, "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::san:email:igarcia%40suse.com", true) - checkOk(t, err) -} - -func TestSANInvalidType(t *testing.T) { - chain := loadCertificateChain(t, "test-data/fulcio-email.pem") - _, err := Resolve(chain, "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::san:uri:igarcia%40suse.com", true) - checkFailed(t, err) -} - -func TestSANInvalidValue(t *testing.T) { - chain := loadCertificateChain(t, "test-data/fulcio-email.pem") - _, err := Resolve(chain, "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::email:bob%40example.com", true) - checkFailed(t, err) -} - -func TestBadEKU(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.3.6.1.5.5.7.3.12", true) - checkFailed(t, err) -} - -func TestGoodEKU(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, 
"did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.3.6.1.4.1.311.10.3.21", true) - checkOk(t, err) -} - -func TestEKUInvalidValue(t *testing.T) { - chain := loadCertificateChain(t, "test-data/ms-code-signing.pem") - _, err := Resolve(chain, "did:x509:0:sha256:hH32p4SXlD8n_HLrk_mmNzIKArVh0KkbCeh6eAftfGE::eku:1.2.3", true) - checkFailed(t, err) -} - -func TestFulcioIssuerWithEmailSAN(t *testing.T) { - chain := loadCertificateChain(t, "test-data/fulcio-email.pem") - _, err := Resolve(chain, "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::fulcio-issuer:github.com%2Flogin%2Foauth::san:email:igarcia%40suse.com", true) - checkOk(t, err) -} - -func TestFulcioIssuerWithURISAN(t *testing.T) { - chain := loadCertificateChain(t, "test-data/fulcio-github-actions.pem") - _, err := Resolve(chain, "did:x509:0:sha256:O6e2zE6VRp1NM0tJyyV62FNwdvqEsMqH_07P5qVGgME::fulcio-issuer:token.actions.githubusercontent.com::san:uri:https%3A%2F%2Fgithub.com%2Fbrendancassells%2Fmcw-continuous-delivery-lab-files%2F.github%2Fworkflows%2Ffabrikam-web.yml%40refs%2Fheads%2Fmain", true) - checkOk(t, err) -} diff --git a/internal/did-x509-resolver/test-data/fulcio-email.pem b/internal/did-x509-resolver/test-data/fulcio-email.pem deleted file mode 100644 index daefff20c9..0000000000 --- a/internal/did-x509-resolver/test-data/fulcio-email.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICEDCCAZagAwIBAgITIK73YV52uJcmxL9ZeKo+wZbm3zAKBggqhkjOPQQDAzAq -MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIy -MDgwOTEyNDcxNFoXDTIyMDgwOTEyNTcxM1owADBZMBMGByqGSM49AgEGCCqGSM49 -AwEHA0IABPmQP4xa5TxXg/HkUrw3CUcqmW6F5eEBQSU8tcGMIIzIHnMCVwTa4uoq -ZGgdCN+0Erk+toNwkGG+pS3Qc2EocbejgcQwgcEwDgYDVR0PAQH/BAQDAgeAMBMG -A1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJITi/Hz -4QkD5qz2gKoi4UBYfaRRMB8GA1UdIwQYMBaAFFjAHl+RRaVmqXrMkKGTItAqxcX6 -MB4GA1UdEQEB/wQUMBKBEGlnYXJjaWFAc3VzZS5jb20wLAYKKwYBBAGDvzABAQQe -aHR0cHM6Ly9naXRodWIuY29tL2xvZ2luL29hdXRoMAoGCCqGSM49BAMDA2gAMGUC -MQDPO3n+JgPlTbXSQy942esSy7KQ6OI4N9Q9MsqN4UR2tkML7tUm5feKTQUkfwTs -6BsCMADuoj3fJGAiRDMlSphfrZ0tAEIFaVZtJmvKWXpElHQo9y39W0w9bJTEVgTa -4xvX4w== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw -KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y -MTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl -LmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7 -XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex -X69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j -YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY -wB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ -KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM -WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9 -TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ ------END CERTIFICATE----- diff --git a/internal/did-x509-resolver/test-data/fulcio-github-actions.pem b/internal/did-x509-resolver/test-data/fulcio-github-actions.pem deleted file mode 100644 index 4685c7ea99..0000000000 --- a/internal/did-x509-resolver/test-data/fulcio-github-actions.pem +++ /dev/null 
@@ -1,33 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDTzCCAtSgAwIBAgIUAOuDsEYQXN1cbwfqYOy5ADUqqDAwCgYIKoZIzj0EAwMw -KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y -MjA2MDkwMjM4MTJaFw0yMjA2MDkwMjQ4MTFaMAAwWTATBgcqhkjOPQIBBggqhkjO -PQMBBwNCAAR8Qujd0dQ2F7uSANd+0M7VXVkhXlGvFERJc1oPxk+R/ApEantKDVd/ -5/+e2AOoS1ltjcZkCt1oP1mAZ/+2G3i6o4ICADCCAfwwDgYDVR0PAQH/BAQDAgeA -MBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLcK -jVaYdV1BcZimzcrE8foM3xAPMB8GA1UdIwQYMBaAFFjAHl+RRaVmqXrMkKGTItAq -xcX6MIGFBgNVHREBAf8EezB5hndodHRwczovL2dpdGh1Yi5jb20vYnJlbmRhbmNh -c3NlbGxzL21jdy1jb250aW51b3VzLWRlbGl2ZXJ5LWxhYi1maWxlcy8uZ2l0aHVi -L3dvcmtmbG93cy9mYWJyaWthbS13ZWIueW1sQHJlZnMvaGVhZHMvbWFpbjAWBgor -BgEEAYO/MAECBAhzY2hlZHVsZTA/BgorBgEEAYO/MAEFBDFicmVuZGFuY2Fzc2Vs -bHMvbWN3LWNvbnRpbnVvdXMtZGVsaXZlcnktbGFiLWZpbGVzMDkGCisGAQQBg78w -AQEEK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20w -NgYKKwYBBAGDvzABAwQoMTIxMDQ4ZDVkMmViNTc3OTg3NTFlY2Y1N2FjNWNlNTg2 -NmVmMWEyZDAUBgorBgEEAYO/MAEEBAZEb2NrZXIwHQYKKwYBBAGDvzABBgQPcmVm -cy9oZWFkcy9tYWluMAoGCCqGSM49BAMDA2kAMGYCMQDfg/L1SnH1EdkPtmPN197q -Y+oc+mdFz1ica3Xlx8/En/JcxHUtBkHx1Lv5w++Wg3sCMQC4YKWGL0AfIIES1XT7 -b96WTdxBSnBx2Nvrqg0VuzLvM+wIjaz3dXWf41eKB2sXvwo= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw -KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y -MTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl -LmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7 -XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex -X69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j -YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY -wB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ -KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM -WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9 -TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ ------END CERTIFICATE----- 
diff --git a/internal/did-x509-resolver/test-data/ms-code-signing.pem b/internal/did-x509-resolver/test-data/ms-code-signing.pem deleted file mode 100644 index a2e1fb16f8..0000000000 --- a/internal/did-x509-resolver/test-data/ms-code-signing.pem +++ /dev/null 
@@ -1,111 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIF/zCCA+egAwIBAgITMwAAAs+gJZDjEwTvFQAAAAACzzANBgkqhkiG9w0BAQsF -ADB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH -UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYDVQQD -Ex9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMB4XDTIyMDUxMjIwNDYw -NFoXDTIzMDUxMTIwNDYwNFowdDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp -bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw -b3JhdGlvbjEeMBwGA1UEAxMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMIIBIjANBgkq -hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs9HduD2rvmO+SGksB4HR+qvSK379St8N -nUZBH8xBiQvt2zONOLUHWQibeBW4NLUfHfzMaOM77RhNlqPNiDRKhChlG1aHqEHS -AaQBGrmr0ULGIzq+1YvqQufMGYBFfq0sc10UdvWqT0RjwkPQTu4bjg37zSYF9OcG -xS9uGnPMdWRM0ThOsYUcDmMoCaJRebsLUBpMmYXkcUYXJrcSGAaUNd0wjhwIpEog -OD+AbWW/7TPZOl+JciMj40a78EEXIc2p06lWHfe5hegQ7uGIlSAPG6zDzjhjNkzE -63/+GoqJU+6QLazbL5/y27ZDUAEYJokbb305A+dOp930CjTar3BvWQIDAQABo4IB -fjCCAXowHwYDVR0lBBgwFgYKKwYBBAGCNwoDFQYIKwYBBQUHAwMwHQYDVR0OBBYE -FHs4/z9sVQLrJJTk5iEaOQwyHU0iMFAGA1UdEQRJMEekRTBDMSkwJwYDVQQLEyBN -aWNyb3NvZnQgT3BlcmF0aW9ucyBQdWVydG8gUmljbzEWMBQGA1UEBRMNMjMwMjE3 -KzQ3MDUzMjAfBgNVHSMEGDAWgBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8E -TTBLMEmgR6BFhkNodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9N -aWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBR -BggrBgEFBQcwAoZFaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0 -cy9NaWNDb2RTaWdQQ0EyMDExXzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAw -DQYJKoZIhvcNAQELBQADggIBAIBiYcrj5Ph8uwFKZXw0eCS9qv2lk4lZY4Semy2D -4sfKDNUqKsqP5Q0zJcAq3Z+uEKc9Q8boxkm9/3PPESQKWhTRqLY+LL2XTjbm1S/L -AhtQ09ftHkxwienGU+Xo8ntz6Z7iQV2xCqjTMRWGFysEKgMgdAMPftWPXNa9k1G9 -qEJpPcCLeiM6UEJdxnRDHKgDSugW4fYvcEXlOJJXn/VZr4fFJZ+xLGT+US/NwGwb -8DdoUYls2u5o2250nm0TA0cZkJCzrxzV6Fptv14jbPcTZpRU6D0zGSSLPaM2cA/A -Q3yxRi9FZOpcbrJM+2Rp6aufmyxUgIN6MvG2IH2D++Xq3a4Zy+Gmce9thBRBff1i -IROq6CdGJHbOVbfdivV3L7qBD9pQYqSKitq4fJV95iYEchgMoXGwkJwagXix+f8g -jnOmlSjysSwzAmDwtAxUkX+lNoU5xUJLwf9/4nIXp7drjWptpn9IIiARLPFxLRYg 
-7S9digox7quSKM/xXb1bFzp346lwjuvK+QHC8pUOF8OojQ0YAZ+Q0EKKukchQ3wF -7RiHk/INqYgEFli/xpMzwVM2k91UlArvYylUKLGDGy8QabMosUrZdNQvBCWiePYR -AaJR5t+IR5QeBNdaKEqh2EQ/VzCu7J247Q3UrZrPLUJ9bGp2INwL8jynhVOeZteW -CEKV ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIHejCCBWKgAwIBAgIKYQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkG -A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx -HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9z -b2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1 -OTA5WhcNMjYwNzA4MjEwOTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz -aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv -cnBvcmF0aW9uMSgwJgYDVQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAy -MDExMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqC -EE00uvK2WCGfQhsqa+laUKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC -04kNeWSHfpRgJGyvnkmc6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlIm -Ei/nqwhQz7NEt13YxC4Ddato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPe -Bw3VXHmlSSnnDb6gE3e+lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb -2T6xjF3oiU+EGvKhL1nkkDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXD -OW5kf1O6nA+tGSOEy/S6A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yx -kq4cI6epZuxhH2rhKEmdX4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA -4bysAoJf28AVs70b1FVL5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uD -jexNSTCnq47f7Fufr/zdsGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ec -XL93KCjx7W3DKI8sj0A3T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4Ta -sIgX3p5O9JawvEagbJjS4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQD -AgEAMB0GA1UdDgQWBBRIbmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIE -DB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNV -HSMEGDAWgBRyLToCMZBDuRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklo -dHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29D -ZXJBdXQyMDExXzIwMTFfMDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEF -BQcwAoZCaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29D -ZXJBdXQyMDExXzIwMTFfMDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQB 
-gjcuAzCBgzA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3Br -aW9wcy9kb2NzL3ByaW1hcnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBn -AGEAbABfAHAAbwBsAGkAYwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqG -SIb3DQEBCwUAA4ICAQBn8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8u -LD74w3LRbYP+vj/oCso7v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxC -i1LQsP1r4z4HLimb5j0bpdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQ -u6SpBQyb7Wj6aC6VoCo/KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n -7dDd8w6vmSiXmE0OPQvyCInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVY -ODJxJxp/sfQn+N4sOiBpmLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38c -bxV9Rad25UAqZaPDXVJihsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3 -BtEGsXUfFL5hYbXw3MYbBL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmA -H9AAKcWxm6U/RXceNcbSoqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5 -GEv/1rMjaHXmr/r8i+sLgOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF6 -70EKsT/7qMykXcGhiJtXcVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzQ== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIF7TCCA9WgAwIBAgIQP4vItfyfspZDtWnWbELhRDANBgkqhkiG9w0BAQsFADCB -iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl -ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMp -TWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEw -MzIyMjIwNTI4WhcNMzYwMzIyMjIxMzA0WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV -BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv -c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm -aWNhdGUgQXV0aG9yaXR5IDIwMTEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK -AoICAQCygEGqNThNE3IyaCJNuLLx/9VSvGzH9dJKjDbu0cJcfoyKrq8TKG/Ac+M6 -ztAlqFo6be+ouFmrEyNozQwph9FvgFyPRH9dkAFSWKxRxV8qh9zc2AodwQO5e7BW -6KPeZGHCnvjzfLnsDbVU/ky2ZU+I8JxImQxCCwl8MVkXeQZ4KI2JOkwDJb5xalwL -54RgpJki49KvhKSn+9GY7Qyp3pSJ4Q6g3MDOmT3qCFK7VnnkH4S6Hri0xElcTzFL -h93dBWcmmYDgcRGjuKVB4qRTufcyKYMME782XgSzS0NHL2vikR7TmE/dQgfI6B0S -/Jmpaz6SfsjWaTr8ZL22CZ3K/QwLopt3YEsDlKQwaRLWQi3BQUzK3Kr9j1uDRprZ -/LHR47PJf0h6zSTwQY9cdNCssBAgBkm3xy0hyFfj0IbzA2j70M5xwYmZSmQBbP3s 
-MJHPQTySx+W6hh1hhMdfgzlirrSSL0fzC/hV66AfWdC7dJse0Hbm8ukG1xDo+mTe -acY1logC8Ea4PyeZb8txiSk190gWAjWP1Xl8TQLPX+uKg09FcYj5qQ1OcunCnAfP -SRtOBA5jUYxe2ADBVSy2xuDCZU7JNDn1nLPEfuhhbhNfFcRf2X7tHc7uROzLLoax -7Dj2cO2rXBPB2Q8Nx4CyVe0096yb5MPa50c8prWPMd/FS6/r8QIDAQABo1EwTzAL -BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUci06AjGQQ7kU -BU7h6qfHMdEjiTQwEAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggIB -AH9yzw+3xRXbm8BJyiZb/p4T5tPw0tuXX/JLP02zrhmu7deXoKzvqTqjwkGw5biR -nhOBJAPmCf0/V0A5ISRW0RAvS0CpNoZLtFNXmvvxfomPEf4YbFGq6O0JlbXlccmh -6Yd1phV/yX43VF50k8XDZ8wNT2uoFwxtCJJ+i92Bqi1wIcM9BhS7vyRep4TXPw8h -Ir1LAAbblxzYXtTFC1yHblCk6MM4pPvLLMWSZpuFXst6bJN8gClYW1e1QGm6CHmm -ZGIVnYeWRbVmIyADixxzoNOieTPgUFmG2y/lAiXqcyqfABTINseSO+lOAOzYVgm5 -M0kS0lQLAausR7aRKX1MtHWAUgHoyoL2n8ysnI8X6i8msKtyrAv+nlEex0NVZ09R -s1fWtuzuUrc66U7h14GIvE+OdbtLqPA1qibUZ2dJsnBMO5PcHd94kIZysjik0dyS -TclY6ysSXNQ7roxrsIPlAT/4CTL2kzU0Iq/dNw13CYArzUgA8YyZGUcFAenRv9FO -0OYoQzeZpApKCNmacXPSqs0xE2N2oTdvkjgefRI8ZjLny23h/FKJ3crWZgWalmG+ -oijHHKOnNlA8OqTfSm7mhzvO6/DggTedEzxSjr25HTTGHdUKaj2YKXCMiSrRq4IQ -SB/c9O+lxbtVGjhjhE63bK2VVOxlIhBJF7jAHscPrFRH ------END CERTIFICATE----- diff --git a/internal/guest/runtime/hcsv2/uvm.go b/internal/guest/runtime/hcsv2/uvm.go index a1d46c0458..28eaed66e2 100644 --- a/internal/guest/runtime/hcsv2/uvm.go +++ b/internal/guest/runtime/hcsv2/uvm.go @@ -20,9 +20,9 @@ import ( "syscall" "time" - "github.com/Microsoft/hcsshim/internal/cosesign1" + "github.com/Microsoft/cosesign1go/pkg/cosesign1" + didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver" "github.com/Microsoft/hcsshim/internal/debug" - didx509resolver "github.com/Microsoft/hcsshim/internal/did-x509-resolver" "github.com/Microsoft/hcsshim/internal/guest/gcserr" "github.com/Microsoft/hcsshim/internal/guest/policy" "github.com/Microsoft/hcsshim/internal/guest/prot" diff --git a/internal/tools/sign1util/README.md b/internal/tools/sign1util/README.md deleted file mode 100644 index 2331984a9e..0000000000 
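Review bot: The COSE Sign1 and did:x509 verification code that uvm.go presumably relies on for signed policy fragments (the call sites are outside this hunk) now comes from two external modules pinned at pre-1.0 versions (`cosesign1go v0.0.1`, `didx509go v0.0.2` in the go.mod hunk at the top), while the in-tree tests that exercised it — the corrupted-document, canned-fragment and did:x509 cases in cosesign1util_test.go and the policy-matching cases in resolver_test.go — are deleted in this commit with no replacement visible in the diff. Before this lands, confirm that those modules carry equivalent tests and that the exported names the deleted sign1util tool called (`cosesign1.UnpackAndValidateCOSE1CertChain`, `didx509resolver.Resolve`) keep the same validation semantics, since any regression there is now inherited silently through go.sum. A short comment next to the two new imports would help future readers locate this trust boundary, e.g. `// cosesign1 / didx509resolver verify signed policy fragments; review upstream changes before bumping these modules`. Note that go-cose also moves from v1.0.0-rc.1 to v1.0.0 and becomes an indirect dependency, so its behaviour now reaches this file only via cosesign1go.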
--- a/internal/tools/sign1util/README.md +++ /dev/null 
@@ -1,52 +0,0 @@ -# sign1util - -`sign1util` exists as a tool to make it possible to sign policy fragments and check such -signed fragments. It is intended for developers working functionality related to policy -fragments in this repository. It is not intended to be used by "end users". - -Usage is of the form `sign1util flag1 value1 flag2 value2...` - -The output is generally a COSE Sign1 wrapped payload. COSE Sign1 is a signed binary blob that can contain arbitary binary data. -For a fragment the COSE Sign1 document must have been signed by a trusted party (aka "issuer") and use the did matching the cert chain leading to the private signing key as the issuer. Below that chain is `chain.pem` and the private key `leaf.private.pem`. When creating a fragment the issuer can be set using this tool or via the corportate signing authority's COSE Sign1 generating service. It is very important that these private keys and associated signing services are properly controlled. The signing offered by sign1util is by way of an example and useful for testing. It does not have facilities to use a secure key store. - -Security policy fragments are checked for having the correct issuer did:x509 and feed as allowed by user security policy. The did must match the chain and key used to sign the document. - -## Commands - -`sign1utils --help` gives an overview of the commands and flags. Here is a description of the purpose of the commands. - -### create - -Creates a COSE Sign1 document containing a payload "claims" signed with the supplied key and containing the matching public cert chain. -For the purposes of making fragments documents supply an issuer (typically the did:x509 of the chain) and feed to identity what the fragment represents. 
- -`sign1util create -algo ES384 -chain chain.pem -claims infra.rego -key leaf.private.pem -out infra.rego.cose -feed myregistry.azurecr.io/infra -issuer did:x509:0:sha256:I5ni_nuWegx4NiLaeGabiz36bDUhDDiHEFl8HXMA_4o::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29` - -A zero salt option is available is to facilitate unit tests such that the generated file is deterministic. - -### check - -Validate such a COSE Sign1 document is signed by the chain it contains and that that chain is a valid chain - -`sign1util check -in infra.rego.cose` - -Also checking a did matches. -`sign1util check -in infra.rego.cose -did did:x509:0:sha256:I5ni_nuWegx4NiLaeGabiz36bDUhDDiHEFl8HXMA_4o::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29` - -### print - -Dumps out various parts of the document to help developers understand what information is contained in the wrapping part of the COSE Sign1 document vs the payload. - -### leaf - -In some cases (eg UVM reference info document) the check for a good document is by the leaf public key being as expected. This command allows extracting that key from a given COSE Sign1 document. - -### did:x509 - -Print the did:x509 that matches the chain for a given subject. This can be used as an issuer. - -`sign1util.exe did:x509 -chain chain.pem -policy CN` might produce `did:x509:0:sha256:I5ni_nuWegx4NiLaeGabiz36bDUhDDiHEFl8HXMA_4o::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29` - -### chain - -Dumps the PEM formatted cert chain found in the COSE Sign1 document. diff --git a/internal/tools/sign1util/main.go b/internal/tools/sign1util/main.go deleted file mode 100644 index 4a24fad10d..0000000000 --- a/internal/tools/sign1util/main.go +++ /dev/null 
@@ -1,378 +0,0 @@ -package main - -import ( - "fmt" - "os" - "strings" - - "github.com/Microsoft/hcsshim/internal/cosesign1" - didx509resolver "github.com/Microsoft/hcsshim/internal/did-x509-resolver" - "github.com/urfave/cli" -) - -func checkCoseSign1(inputFilename string, chainFilename string, didString string, verbose bool) (*cosesign1.UnpackedCoseSign1, error) { - coseBlob, err := os.ReadFile(inputFilename) - if err != nil { - return nil, err - } - - var chainPEM []byte - var chainPEMString string - if chainFilename != "" { - chainPEM, err = os.ReadFile(chainFilename) - if err != nil { - return nil, err - } - chainPEMString = string(chainPEM[:]) - } - - unpacked, err := cosesign1.UnpackAndValidateCOSE1CertChain(coseBlob) - if err != nil { - fmt.Fprintf(os.Stdout, "checkCoseSign1 failed - %s\n", err) - return nil, err - } - - fmt.Fprint(os.Stdout, "checkCoseSign1 passed\n") - if verbose { - fmt.Fprintf(os.Stdout, "iss: %s\n", unpacked.Issuer) - fmt.Fprintf(os.Stdout, "feed: %s\n", unpacked.Feed) - fmt.Fprintf(os.Stdout, "cty: %s\n", unpacked.ContentType) - fmt.Fprintf(os.Stdout, "pubkey: %s\n", unpacked.Pubkey) - fmt.Fprintf(os.Stdout, "pubcert: %s\n", unpacked.Pubcert) - fmt.Fprintf(os.Stdout, "payload:\n%s\n", string(unpacked.Payload[:])) - } - if len(didString) > 0 { - if len(chainPEMString) == 0 { - chainPEMString = unpacked.ChainPem - } - didDoc, err := didx509resolver.Resolve(chainPEMString, didString, true) - if err == nil { - fmt.Fprintf(os.Stdout, "DID resolvers passed:\n%s\n", didDoc) - } else { - fmt.Fprintf(os.Stdout, "DID resolvers failed: err: %s doc:\n%s\n", err.Error(), didDoc) - } - } - return unpacked, err -} - -var createCmd = cli.Command{ - Name: "create", - Usage: "", - Flags: []cli.Flag{ - cli.StringFlag{ - Name: "claims", - Usage: "filename of payload", - Value: "fragment.rego", - }, - cli.StringFlag{ - Name: "content-type", - Usage: "payload content type", - Value: "application/unknown+json", - }, - cli.StringFlag{ - Name: "chain", - 
Usage: "key or cert file to use (pem)", - Value: "chain.pem", - }, - cli.StringFlag{ - Name: "key", - Usage: "key to sign with - private key of the leaf of the chain", - Value: "key.pem", - }, - cli.StringFlag{ - Name: "algo", - Usage: "PS256, PS384 etc (required)", - Required: true, - }, - cli.StringFlag{ - Name: "out", - Usage: "output file (default: out.cose)", - Value: "out.cose", - }, - cli.StringFlag{ - Name: "salt", - Usage: "salt type [rand|zero] (default: rand)", - Value: "rand", - }, - cli.StringFlag{ - Name: "issuer", - Usage: "the party making the claims (optional). See https://ietf-scitt.github." + - "io/draft-birkholz-scitt-architecture/draft-birkholz-scitt-architecture.html#name-terminology", - }, - cli.StringFlag{ - Name: "feed", - Usage: "identifier for an artifact within the scope of an issuer (optional)", - }, - cli.BoolFlag{ - Name: "verbose,v", - Usage: "verbose output (optional)", - }, - }, - Action: func(ctx *cli.Context) error { - payloadBlob, err := os.ReadFile(ctx.String("claims")) - if err != nil { - return err - } - keyPem, err := os.ReadFile(ctx.String("key")) - if err != nil { - return err - } - chainPem, err := os.ReadFile(ctx.String("chain")) - if err != nil { - return err - } - algo, err := cosesign1.StringToAlgorithm(ctx.String("algo")) - if err != nil { - return err - } - - raw, err := cosesign1.CreateCoseSign1( - payloadBlob, - ctx.String("issuer"), - ctx.String("feed"), - ctx.String("content-type"), - chainPem, - keyPem, - ctx.String("salt"), - algo, - ) - if err != nil { - return fmt.Errorf("create failed: %w", err) - } - - err = cosesign1.WriteBlob(ctx.String("out"), raw) - if err != nil { - return fmt.Errorf("failed to write output file: %w", err) - } - fmt.Fprint(os.Stdout, "create completed\n") - return nil - }, -} - -var checkCmd = cli.Command{ - Name: "check", - Usage: "", - Flags: []cli.Flag{ - cli.StringFlag{ - Name: "in", - Usage: "input COSE Sign1 file (default: input.cose)", - Value: "input.cose", - }, - 
cli.StringFlag{ - Name: "chain", - Usage: "key or cert file to use (pem) (optional)", - }, - cli.StringFlag{ - Name: "did", - Usage: "DID x509 string to resolve against cert chain (optional)", - }, - cli.BoolFlag{ - Name: "verbose", - Usage: "verbose output (optional)", - }, - }, - Action: func(ctx *cli.Context) error { - _, err := checkCoseSign1( - ctx.String("in"), - ctx.String("chain"), - ctx.String("did"), - ctx.Bool("verbose"), - ) - if err != nil { - return fmt.Errorf("failed check: %w", err) - } - return nil - }, -} - -var printCmd = cli.Command{ - Name: "print", - Usage: "", - Flags: []cli.Flag{ - cli.StringFlag{ - Name: "in", - Usage: "input COSE Sign1 file", - Value: "input.cose", - }, - }, - Action: func(ctx *cli.Context) error { - _, err := checkCoseSign1(ctx.String("in"), "", "", true) - if err != nil { - return fmt.Errorf("failed verbose checkCoseSign1: %w", err) - } - return nil - }, -} - -var leafCmd = cli.Command{ - Name: "leaf", - Usage: "", - Flags: []cli.Flag{ - cli.StringFlag{ - Name: "in", - Usage: "input COSE Sign1 file", - Value: "input.cose", - }, - cli.StringFlag{ - Name: "keyout", - Usage: "leaf key output file", - Value: "leafkey.pem", - }, - cli.StringFlag{ - Name: "certout", - Usage: "leaf cert output file", - Value: "leafcert.pem", - }, - cli.BoolFlag{ - Name: "verbose", - Usage: "print information about COSE Sign1 document", - }, - }, - Action: func(ctx *cli.Context) error { - inputFilename := ctx.String("in") - outputKeyFilename := ctx.String("keyout") - outputCertFilename := ctx.String("certout") - unpacked, err := checkCoseSign1( - inputFilename, - "", - "", - ctx.Bool("verbose"), - ) - if err != nil { - return fmt.Errorf("reading the COSE Sign1 from %s failed: %w", inputFilename, err) - } - - // fixme(maksiman): instead of just printing the error, consider returning - // it right away and skipping cert writing. 
- keyWriteErr := cosesign1.WriteString(outputKeyFilename, unpacked.Pubkey) - if keyWriteErr != nil { - fmt.Fprintf(os.Stderr, "writing the leaf pub key to %s failed: %s\n", outputKeyFilename, keyWriteErr) - } - certWriteErr := cosesign1.WriteString(outputCertFilename, unpacked.Pubcert) - if certWriteErr != nil { - fmt.Fprintf(os.Stderr, "writing the leaf cert to %s failed: %s", outputCertFilename, certWriteErr) - } - - var retErr error - if keyWriteErr != nil { - retErr = fmt.Errorf("key write failed: %s", retErr) - } - if certWriteErr != nil { - if retErr != nil { - return fmt.Errorf("cert write failed: %s: %s", certWriteErr, retErr) - } - return fmt.Errorf("cert write failed: %s", certWriteErr) - } - return nil - }, -} - -var didX509Cmd = cli.Command{ - Name: "did-x509", - Usage: "", - Flags: []cli.Flag{ - cli.StringFlag{ - Name: "in", - Usage: "input file", - }, - cli.StringFlag{ - Name: "fingerprint-algorithm", - Usage: "hash algorithm for certificate fingerprints", - Value: "sha256", - }, - cli.StringFlag{ - Name: "chain", - Usage: "certificate chain to use (pem)", - }, - cli.IntFlag{ - Name: "index, i", - Usage: "index of the certificate fingerprint in the chain", - Value: 1, - }, - cli.StringFlag{ - Name: "policy", - Usage: "did:509 policy, can be one of [cn|eku|custom]", - Value: "cn", - }, - }, - Action: func(ctx *cli.Context) error { - chainFilename := ctx.String("chain") - inputFilename := ctx.String("in") - if len(chainFilename) > 0 && len(inputFilename) > 0 { - return fmt.Errorf("cannot specify chain with cose file - it comes from the chain in the file") - } - var chainPEM string - if len(chainFilename) > 0 { - chainPEMBytes, err := os.ReadFile(chainFilename) - if err != nil { - return err - } - chainPEM = string(chainPEMBytes) - } - if len(inputFilename) > 0 { - unpacked, err := checkCoseSign1(inputFilename, "", "", true) - if err != nil { - return err - } - chainPEM = unpacked.ChainPem - } - r, err := cosesign1.MakeDidX509( - 
ctx.String("fingerprint-algorithm"), - ctx.Int("index"), - chainPEM, - ctx.String("policy"), - ctx.Bool("verbose"), - ) - if err != nil { - return fmt.Errorf("failed make DID: %w", err) - } - fmt.Fprint(os.Stdout, r) - return nil - }, -} - -var chainCmd = cli.Command{ - Name: "chain", - Usage: "", - Flags: []cli.Flag{ - cli.StringFlag{ - Name: "in", - Usage: "input COSE Sign1 file", - Value: "input.cose", - }, - cli.StringFlag{ - Name: "out", - Usage: "output chain PEM text file", - }, - }, - Action: func(ctx *cli.Context) error { - pems, err := cosesign1.ParsePemChain(ctx.String("in")) - if err != nil { - return err - } - if len(ctx.String("out")) > 0 { - return cosesign1.WriteString(ctx.String("out"), strings.Join(pems, "\n")) - } else { - fmt.Fprintf(os.Stdout, "%s\n", strings.Join(pems, "\n")) - return nil - } - }, -} - -func main() { - app := cli.NewApp() - app.Name = "sign1util" - app.Commands = []cli.Command{ - createCmd, - checkCmd, - printCmd, - leafCmd, - didX509Cmd, - chainCmd, - } - - if err := app.Run(os.Args); err != nil { - _, _ = fmt.Fprintln(os.Stderr, err) - os.Exit(1) - } -} diff --git a/test/go.mod b/test/go.mod index a07d8e0611..e20fc1b7c5 100644 --- a/test/go.mod +++ b/test/go.mod @@ -30,6 +30,8 @@ require ( require ( github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 // indirect + github.com/Microsoft/cosesign1go v0.0.1 // indirect + github.com/Microsoft/didx509go v0.0.2 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/agnivade/levenshtein v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.2.1 // indirect 
@@ -86,7 +88,7 @@ require (
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 github.com/vbatts/tar-split v0.11.3 // indirect
 github.com/vektah/gqlparser/v2 v2.4.5 // indirect
- github.com/veraison/go-cose v1.0.0-rc.1 // indirect
+ github.com/veraison/go-cose v1.0.0 // indirect
 github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
 github.com/vishvananda/netns v0.0.4 // indirect
 github.com/x448/float16 v0.8.4 // indirect
diff --git a/test/go.sum b/test/go.sum
index 398491f1a1..517a9aed73 100644
--- a/test/go.sum
+++ b/test/go.sum
@@ -630,6 +630,10 @@ github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
+github.com/Microsoft/cosesign1go v0.0.1 h1:Iqc4BHfK4z/kgyW3VFr1eWBMDfqwQ5lAiUfbdLn1M00=
+github.com/Microsoft/cosesign1go v0.0.1/go.mod h1:fj1svfAxQeQNJ2SLaQu8mHx2rtPIsloZl065GqLF3io=
+github.com/Microsoft/didx509go v0.0.2 h1:x1b3Hp1svlSgj4e4191cDtjYCgQIwQXZgudftw7VKtE=
+github.com/Microsoft/didx509go v0.0.2/go.mod h1:F+msvNlKCEm3RgUE3kRpi7E+6hdR6r5PtOLWQKYfGbs=
 github.com/Microsoft/go-winio v0.4.11/go.mod h1:VhR8bwka0BXejwEJY73c50VrPtXAaKcyvVC4A4RozmA=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.4.16-0.20201130162521-d1ffc52c7331/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
@@ -924,7 +928,9 @@ github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnG
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
 github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo=
+github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/denverdino/aliyungo v0.0.0-20190125010748-a747050bb1ba/go.mod h1:dV8lFg6daOBZbT6/BDGIz6Y3WFGn8juu6G+CQ6LHtl0=
@@ -1071,6 +1077,7 @@ github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/me
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
@@ -1331,12 +1338,15 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
 github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
+github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
 github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
 github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
+github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
+github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY=
 github.com/lestrrat-go/jwx v1.2.26 h1:4iFo8FPRZGDYe1t19mQP0zTRqA7n8HnJ5lkIiDvJcB0=
 github.com/lestrrat-go/jwx v1.2.26/go.mod h1:MaiCdGbn3/cckbOFSCluJlJMmp9dmZm5hDuIkx8ftpQ=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
@@ -1696,14 +1706,15 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
+github.com/urfave/cli v1.22.13/go.mod h1:VufqObjsMTF2BBwKawpx9R8eAneNEWhoO0yx8Vd+FkE=
 github.com/urfave/cli v1.22.14/go.mod h1:X0eDS6pD6Exaclxm99NJ3FiCDRED7vIHpx2mDOHLvkA=
 github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI=
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
 github.com/vektah/gqlparser/v2 v2.4.5 h1:C02NsyEsL4TXJB7ndonqTfuQOL4XPIu0aAWugdmTgmc=
 github.com/vektah/gqlparser/v2 v2.4.5/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0=
-github.com/veraison/go-cose v1.0.0-rc.1 h1:4qA7dbFJGvt7gcqv5MCIyCQvN+NpHFPkW7do3EeDLb8=
-github.com/veraison/go-cose v1.0.0-rc.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.0.0 h1:Jxirc0rl3gG7wUFgW+82tBQNeK8T8e2Bk1Vd298ob4A=
+github.com/veraison/go-cose v1.0.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
@@ -1875,8 +1886,10 @@ golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
 golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
diff --git a/vendor/github.com/Microsoft/cosesign1go/LICENSE b/vendor/github.com/Microsoft/cosesign1go/LICENSE
new file mode 100644
index 0000000000..9e841e7a26
--- /dev/null
+++ b/vendor/github.com/Microsoft/cosesign1go/LICENSE
@@ -0,0 +1,21 @@ + MIT License + + Copyright (c) Microsoft Corporation. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE diff --git a/internal/cosesign1/.gitignore b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/.gitignore similarity index 100% rename from internal/cosesign1/.gitignore rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/.gitignore diff --git a/internal/cosesign1/Makefile b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile old mode 100755 new mode 100644 similarity index 89% rename from internal/cosesign1/Makefile rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile index c7db632eea..de2f703bc7 --- a/internal/cosesign1/Makefile +++ b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile 
@@ -18,7 +18,7 @@ # # where # -# ./sign1util did:x509 -chain chain.pem -i 1 -policy "subject:CN:Test Leaf (DO NOT TRUST)" +# ./sign1util did-x509 -chain chain.pem -i 1 -policy "subject:CN:Test Leaf (DO NOT TRUST)" # # will print the new fingerprint of the intermediate cert as part of the did:x509 generated # @@ -32,8 +32,8 @@ cose: infra.rego.cose # Use a local linux build of the tool for the purposes of this Makefile - ie assume using in wsl. # Usually sign1util.exe is a windows exe in /mnt/c/ContainerPlat aka c:\ContainerPlat but that is not certain. -sign1util: ../../internal/tools/sign1util/main.go *.go - go build ../../internal/tools/sign1util +sign1util: ../../cmd/sign1util/main.go *.go + go build ../../cmd/sign1util infra.rego.cose: infra.rego.base64 chain.pem leaf.private.pem sign1util ./sign1util create -algo ES384 -chain chain.pem -claims infra.rego.base64 -key leaf.private.pem -out $@ -issuer TestIssuer -feed TestFeed -salt zero @@ -41,15 +41,15 @@ infra.rego.cose: infra.rego.base64 chain.pem leaf.private.pem sign1util print: infra.rego.cose sign1util ./sign1util chain -in $< > tmp.chain.pem - ./sign1util did:x509 -chain tmp.chain.pem --policy cn + ./sign1util did-x509 -chain tmp.chain.pem --policy cn show: sign1util ./sign1util chain -in esrp.test.cose > tmp.chain.pem - ./sign1util did:x509 -chain tmp.chain.pem -policy cn + ./sign1util did-x509 -chain tmp.chain.pem -policy cn didx509: chain.pem sign1util - ./sign1util did:x509 -chain chain.pem -i 1 -policy "subject:CN:Test Leaf (DO NOT TRUST)" -verbose + ./sign1util did-x509 -chain chain.pem -i 1 -policy "subject:CN:Test Leaf (DO NOT TRUST)" -verbose # for this to pass the did:x509 fingerprint (RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U here) needs to be the one output from make print did-check: chain.pem infra.rego.cose sign1util 
@@ -59,7 +59,7 @@ did-check: chain.pem infra.rego.cose sign1util # as otherwise expected (ie that the issuer DID matches the chain) or to shortcut getting a DID from a cose document. did-from-cose: sign1util infra.rego.cose - ./sign1util did:x509 -in infra.rego.cose -policy cn + ./sign1util did-x509 -in infra.rego.cose -policy cn did-fail-fingerprint: chain.pem sign1util ./sign1util check -chain chain.pem -in infra.rego.cose -did did:x509:0:sha256:XXXi_nuWegx4NiLaeGabiz36bDUhDDiHEFl8HXMA_4o::subject:CN:Test+Leaf+%28DO+NOT+TRUST%29 @@ -89,6 +89,8 @@ did-fail: did-fail-subject did-fail-fingerprint infra.rego.base64: infra.rego base64 infra.rego > infra.rego.base64 +test-all: print show didx509 did-check did-from-cose did-fail + clean: $(MAKE) -f Makefile.certs $@ rm -f infra.rego.base64 infra.rego.cose sign1util diff --git a/internal/cosesign1/Makefile.certs b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile.certs similarity index 100% rename from internal/cosesign1/Makefile.certs rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile.certs diff --git a/internal/cosesign1/cert.extensions.cfg b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/cert.extensions.cfg similarity index 100% rename from internal/cosesign1/cert.extensions.cfg rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/cert.extensions.cfg diff --git a/internal/cosesign1/check.go b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/check.go similarity index 98% rename from internal/cosesign1/check.go rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/check.go index 93ea5a1b9f..7366c37897 100644 --- a/internal/cosesign1/check.go +++ b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/check.go @@ -4,7 +4,7 @@ import ( "crypto/x509" "fmt" - didx509resolver "github.com/Microsoft/hcsshim/internal/did-x509-resolver" + didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver" "github.com/sirupsen/logrus" 
diff --git a/internal/cosesign1/create.go b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/create.go similarity index 100% rename from internal/cosesign1/create.go rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/create.go diff --git a/internal/cosesign1/infra.rego b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/infra.rego similarity index 100% rename from internal/cosesign1/infra.rego rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/infra.rego diff --git a/internal/cosesign1/makedidx509.go b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/makedidx509.go similarity index 97% rename from internal/cosesign1/makedidx509.go rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/makedidx509.go index 8839136652..b3fdd9a23b 100644 --- a/internal/cosesign1/makedidx509.go +++ b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/makedidx509.go @@ -10,7 +10,7 @@ import ( "net/url" "strings" - didx509resolver "github.com/Microsoft/hcsshim/internal/did-x509-resolver" + didx509resolver "github.com/Microsoft/didx509go/pkg/did-x509-resolver" "github.com/sirupsen/logrus" ) diff --git a/internal/cosesign1/misc.go b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/misc.go similarity index 100% rename from internal/cosesign1/misc.go rename to vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/misc.go diff --git a/vendor/github.com/Microsoft/didx509go/LICENSE b/vendor/github.com/Microsoft/didx509go/LICENSE new file mode 100644 index 0000000000..9e841e7a26 --- /dev/null +++ b/vendor/github.com/Microsoft/didx509go/LICENSE 
@@ -0,0 +1,21 @@ + MIT License + + Copyright (c) Microsoft Corporation. + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in all + copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE diff --git a/internal/did-x509-resolver/resolver.go b/vendor/github.com/Microsoft/didx509go/pkg/did-x509-resolver/resolver.go similarity index 99% rename from internal/did-x509-resolver/resolver.go rename to vendor/github.com/Microsoft/didx509go/pkg/did-x509-resolver/resolver.go index a4fd5a0c1c..8eb373c5b5 100644 --- a/internal/did-x509-resolver/resolver.go +++ b/vendor/github.com/Microsoft/didx509go/pkg/did-x509-resolver/resolver.go @@ -370,7 +370,7 @@ func createDidDocument(did string, chain []*x509.Certificate) (string, error) { "id": "%[1]s#key-1", "type": "JsonWebKey2020", "controller": "%[1]s", - "publicKeyJwk": %s, + "publicKeyJwk": %s }] %s %s diff --git a/vendor/github.com/veraison/go-cose/README.md b/vendor/github.com/veraison/go-cose/README.md index 2b2e492e18..d3de617824 100644 --- a/vendor/github.com/veraison/go-cose/README.md 
+++ b/vendor/github.com/veraison/go-cose/README.md @@ -8,7 +8,7 @@ A golang library for the [COSE specification][cose-spec] ## Project Status -**Current Release**: [go-cose alpha 1][release-alpha-1] +**Current Release**: [go-cose rc 1][release-rc-1] The project was *initially* forked from the upstream [mozilla-services/go-cose][mozilla-go-cose] project, however the Veraison and Mozilla maintainers have agreed to retire the mozilla-services/go-cose project and focus on [veraison/go-cose][veraison-go-cose] as the active project. 
@@ -40,41 +40,98 @@ go get github.com/veraison/go-cose@main ## Usage +### Signing and Verification + ```go import "github.com/veraison/go-cose" ``` -Construct a new COSE_Sign1 message, then sign it using ECDSA w/ SHA-512 and finally marshal it. For example: +Construct a new COSE_Sign1 message, then sign it using ECDSA w/ SHA-256 and finally marshal it. For example: ```go -// create a signer -privateKey, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) -signer, _ := cose.NewSigner(cose.AlgorithmES512, privateKey) - -// create message header -headers := cose.Headers{ - Protected: cose.ProtectedHeader{ - cose.HeaderLabelAlgorithm: cose.AlgorithmES512, - }, +package main + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + _ "crypto/sha256" + + "github.com/veraison/go-cose" +) + +func SignP256(data []byte) ([]byte, error) { + // create a signer + privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return nil, err + } + signer, err := cose.NewSigner(cose.AlgorithmES256, privateKey) + if err != nil { + return nil, err + } + + // create message header + headers := cose.Headers{ + Protected: cose.ProtectedHeader{ + cose.HeaderLabelAlgorithm: cose.AlgorithmES256, + }, + } + + // sign and marshal message + return cose.Sign1(rand.Reader, signer, headers, data, nil) } - -// sign and marshal message -sig, _ := cose.Sign1(rand.Reader, signer, headers, []byte("hello world"), nil) ``` Verify a raw COSE_Sign1 message. 
For example: ```go -// create a verifier from a trusted private key -publicKey := privateKey.Public() -verifier, _ := cose.NewVerifier(cose.AlgorithmES512, publicKey) - -// create a sign message from a raw COSE_Sign1 payload -var msg cose.Sign1Message -_ = msg.UnmarshalCBOR(raw) -_ = msg.Verify(nil, verifier) +package main + +import ( + "crypto" + _ "crypto/sha256" + + "github.com/veraison/go-cose" +) + +func VerifyP256(publicKey crypto.PublicKey, sig []byte) error { + // create a verifier from a trusted private key + verifier, err := cose.NewVerifier(cose.AlgorithmES256, publicKey) + if err != nil { + return err + } + + // create a sign message from a raw COSE_Sign1 payload + var msg cose.Sign1Message + if err = msg.UnmarshalCBOR(sig); err != nil { + return err + } + return msg.Verify(nil, verifier) +} ``` +See [example_test.go](./example_test.go) for more examples. + +### About hashing + +`go-cose` does not import any hash package by its own to avoid linking unnecessary algorithms to the final binary. +It is the the responsibility of the `go-cose` user to make the necessary hash functions available at runtime, i.e., +by using a blank import: + +```go +import ( + _ "crypto/sha256" + _ "crypto/sha512" +) +``` + +These are the required packages for each built-in cose.Algorithm: + +- cose.AlgorithmPS256, cose.AlgorithmES256: `crypto/sha256` +- cose.AlgorithmPS384, cose.AlgorithmPS512, cose.AlgorithmES384, cose.AlgorithmES512: `crypto/sha512` +- cose.AlgorithmEd25519: none + ## Features ### Signing and Verifying Objects 
@@ -110,12 +167,12 @@ per RFC 8152, are rejected by the go-cose library. ### Conformance Tests -go-cose runs the [GlueCOSE](https://github.com/gluecose/test-vectors) test suite on every local `go test` execution. +`go-cose` runs the [GlueCOSE](https://github.com/gluecose/test-vectors) test suite on every local `go test` execution. These are also executed on every CI job. ### Fuzz Tests -go-cose implements several fuzz tests using [Go's native fuzzing](https://go.dev/doc/fuzz). +`go-cose` implements several fuzz tests using [Go's native fuzzing](https://go.dev/doc/fuzz). Fuzzing requires Go 1.18 or higher, and can be executed as follows: @@ -123,8 +180,12 @@ Fuzzing requires Go 1.18 or higher, and can be executed as follows: go test -fuzz=FuzzSign1 ``` -[cose-spec]: https://datatracker.ietf.org/doc/draft-ietf-cose-rfc8152bis-struct/ +### Security Reviews + +`go-cose` undergoes periodic security review. The security review reports are located [here](./reports) + +[cose-spec]: https://datatracker.ietf.org/doc/rfc9052/ [mozilla-contributors]: https://github.com/mozilla-services/go-cose/graphs/contributors [mozilla-go-cose]: http://github.com/mozilla-services/go-cose [veraison-go-cose]: https://github.com/veraison/go-cose -[release-alpha-1]: https://github.com/veraison/go-cose/releases/tag/v1.0.0-alpha.1 +[release-rc-1]: https://github.com/veraison/go-cose/releases/tag/v1.0.0-rc.1 diff --git a/vendor/github.com/veraison/go-cose/SECURITY.md b/vendor/github.com/veraison/go-cose/SECURITY.md index 1840d0f2b5..a11239e2bd 100644 --- a/vendor/github.com/veraison/go-cose/SECURITY.md +++ b/vendor/github.com/veraison/go-cose/SECURITY.md @@ -8,7 +8,7 @@ This document provides the details on the veraison/go-cose security policy and d | Version | Supported | | ------- | ------------------ | -| [v1.0.0-alpha1][v1.0.0-alpha1-release] | :green_check_mark: | +| [v1.0.0-rc1][v1.0.0-rc1-release] | Yes | ## Report A Vulnerability 
@@ -23,7 +23,7 @@ To make a report please email the private security list at