Bundle TUF timestamp with signature on signing

cmd/cosign/cli/sign/sign.go

@@ -205,7 +205,9 @@ func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyO
 
 	var s icos.Signer
 	s = ipayload.NewSigner(sv)
-	s = ifulcio.NewSigner(s, sv.Cert, sv.Chain)
+	if sv.Cert != nil {
+		s = ifulcio.NewSigner(s, sv.Cert, sv.Chain)
+	}
 	if ShouldUploadToTlog(ctx, digest, force, ko.RekorURL) {
 		rClient, err := rekor.NewClient(ko.RekorURL)
 		if err != nil {

internal/pkg/cosign/fulcio/signer.go

@@ -20,6 +20,7 @@ import (
 	"io"
 
 	"github.com/sigstore/cosign/internal/pkg/cosign"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci"
 	"github.com/sigstore/cosign/pkg/oci/mutate"
 )
@@ -41,8 +42,13 @@ func (fs *signerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signa
 		return nil, nil, err
 	}
 
+	timestamp, err := tuf.GetTimestamp(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+
 	// TODO(dekkagaijin): move the fulcio SignerVerifier logic here
-	newSig, err := mutate.Signature(sig, mutate.WithCertChain(fs.cert, fs.chain))
+	newSig, err := mutate.Signature(sig, mutate.WithCertChain(fs.cert, fs.chain), mutate.WithTimestamp(timestamp))
 	if err != nil {
 		return nil, nil, err
 	}

internal/pkg/cosign/fulcio/signer_test.go

@@ -0,0 +1,140 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fulcio
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"encoding/base64"
+	"strings"
+	"testing"
+
+	"github.com/sigstore/cosign/internal/pkg/cosign/payload"
+	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/sigstore/pkg/signature"
+)
+
+var (
+	testCertBytes = []byte(`
+-----BEGIN CERTIFICATE-----
+MIICjzCCAhSgAwIBAgITV2heiswW9YldtVEAu98QxDO8TTAKBggqhkjOPQQDAzAq
+MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx
+MDkxNDE5MTI0MFoXDTIxMDkxNDE5MzIzOVowADBZMBMGByqGSM49AgEGCCqGSM49
+AwEHA0IABMF1AWZcfvubslc4ABNnvGbRjm6GWVHxrJ1RRthTHMCE4FpFmiHQBfGt
+6n80DqszGj77Whb35O33+Dal4Y2po+CjggFBMIIBPTAOBgNVHQ8BAf8EBAMCB4Aw
+EwYDVR0lBAwwCgYIKwYBBQUHAwMwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU340G
+3G1ozVNmFC5TBFV0yNuouvowHwYDVR0jBBgwFoAUyMUdAEGaJCkyUSTrDa5K7UoG
+0+wwgY0GCCsGAQUFBwEBBIGAMH4wfAYIKwYBBQUHMAKGcGh0dHA6Ly9wcml2YXRl
+Y2EtY29udGVudC02MDNmZTdlNy0wMDAwLTIyMjctYmY3NS1mNGY1ZTgwZDI5NTQu
+c3RvcmFnZS5nb29nbGVhcGlzLmNvbS9jYTM2YTFlOTYyNDJiOWZjYjE0Ni9jYS5j
+cnQwOAYDVR0RAQH/BC4wLIEqa2V5bGVzc0BkaXN0cm9sZXNzLmlhbS5nc2Vydmlj
+ZWFjY291bnQuY29tMAoGCCqGSM49BAMDA2kAMGYCMQDcH9cdkxW6ugsbPHqX9qrM
+wlMaprcwnlktS3+5xuABr5icuqwrB/Fj5doFtS7AnM0CMQD9MjSaUmHFFF7zoLMx
+uThR1Z6JuA21HwxtL3GyJ8UQZcEPOlTBV593HrSAwBhiCoY=
+-----END CERTIFICATE-----
+`)
+	testChainBytes = []byte(`
+-----BEGIN CERTIFICATE-----
+MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAq
+MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIx
+MDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUu
+ZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSy
+A7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0Jcas
+taRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6Nm
+MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYE
+FMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2u
+Su1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJx
+Ve/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uup
+Hr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ==
+-----END CERTIFICATE-----
+`)
+)
+
+func mustGetNewSigner(t *testing.T) signature.Signer {
+	t.Helper()
+	priv, err := cosign.GeneratePrivateKey()
+	if err != nil {
+		t.Fatalf("cosign.GeneratePrivateKey() failed: %v", err)
+	}
+	s, err := signature.LoadECDSASignerVerifier(priv, crypto.SHA256)
+	if err != nil {
+		t.Fatalf("signature.LoadECDSASignerVerifier(key, crypto.SHA256) failed: %v", err)
+	}
+	return s
+}
+
+func TestSigner(t *testing.T) {
+	// Need real cert and chain
+	payloadSigner := payload.NewSigner(mustGetNewSigner(t))
+	testSigner := NewSigner(payloadSigner, testCertBytes, testChainBytes)
+
+	testPayload := "test payload"
+
+	ociSig, pub, err := testSigner.Sign(context.Background(), strings.NewReader(testPayload))
+	if err != nil {
+		t.Fatalf("Sign() returned error: %v", err)
+	}
+
+	// Verify that the OCI signature contains a cert, chain and timestamp.
+	cert, err := ociSig.Cert()
+	if err != nil {
+		t.Fatalf("ociSig.Cert() returned error: %v", err)
+	}
+	if cert == nil {
+		t.Fatal("ociSig.Cert() missing certificate, got nil")
+	}
+	chain, err := ociSig.Chain()
+	if err != nil {
+		t.Fatalf("ociSig.Chain() returned error: %v", err)
+	}
+	if len(chain) != 1 {
+		t.Fatalf("ociSig.Chain() expected to be of length 1, got %d", len(chain))
+	}
+	if chain[0] == nil {
+		t.Fatal("ociSig.Chain()[0] missing certificate, got nil")
+	}
+	timestamp, err := ociSig.Timestamp()
+	if err != nil {
+		t.Fatalf("ociSig.Timestamp() returned error: %v", err)
+	}
+	if timestamp == nil {
+		t.Fatal("ociSig.Timestamp() missing TUF timestamp, got nil")
+	}
+
+	// Verify that the wrapped signer was called.
+	verifier, err := signature.LoadVerifier(pub, crypto.SHA256)
+	if err != nil {
+		t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err)
+	}
+	b64Sig, err := ociSig.Base64Signature()
+	if err != nil {
+		t.Fatalf("ociSig.Base64Signature() returned error: %v", err)
+	}
+	sig, err := base64.StdEncoding.DecodeString(b64Sig)
+	if err != nil {
+		t.Fatalf("base64.StdEncoding.DecodeString(b64Sig) returned error: %v", err)
+	}
+	gotPayload, err := ociSig.Payload()
+	if err != nil {
+		t.Fatalf("ociSig.Payload() returned error: %v", err)
+	}
+	if string(gotPayload) != testPayload {
+		t.Errorf("ociSig.Payload() returned %q, wanted %q", string(gotPayload), testPayload)
+	}
+	if err = verifier.VerifySignature(bytes.NewReader(sig), bytes.NewReader(gotPayload)); err != nil {
+		t.Errorf("VerifySignature() returned error: %v", err)
+	}
+}

internal/pkg/cosign/rekor/mock_rekor_client.go

@@ -0,0 +1,64 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rekor
+
+import (
+	"github.com/go-openapi/runtime"
+	"github.com/sigstore/rekor/pkg/generated/client/entries"
+	"github.com/sigstore/rekor/pkg/generated/models"
+)
+
+// Client that implements entries.ClientService for Rekor
+// To use:
+// var mClient client.Rekor
+// mClient.entries = &MockEntriesClient{}
+type MockEntriesClient struct {
+}
+
+func (m *MockEntriesClient) CreateLogEntry(params *entries.CreateLogEntryParams, opts ...entries.ClientOption) (*entries.CreateLogEntryCreated, error) {
+	return &entries.CreateLogEntryCreated{
+		ETag:     "",
+		Location: "",
+		Payload: map[string]models.LogEntryAnon{
+			"sdf": {
+				Attestation:    &models.LogEntryAnonAttestation{},
+				Body:           nil,
+				IntegratedTime: new(int64),
+				LogID:          new(string),
+				LogIndex:       new(int64),
+				Verification:   &models.LogEntryAnonVerification{},
+			},
+		},
+	}, nil
+}
+
+// TODO: Implement mock
+func (m *MockEntriesClient) GetLogEntryByIndex(params *entries.GetLogEntryByIndexParams, opts ...entries.ClientOption) (*entries.GetLogEntryByIndexOK, error) {
+	return nil, nil
+}
+
+// TODO: Implement mock
+func (m *MockEntriesClient) GetLogEntryByUUID(params *entries.GetLogEntryByUUIDParams, opts ...entries.ClientOption) (*entries.GetLogEntryByUUIDOK, error) {
+	return nil, nil
+}
+
+// TODO: Implement mock
+func (m *MockEntriesClient) SearchLogQuery(params *entries.SearchLogQueryParams, opts ...entries.ClientOption) (*entries.SearchLogQueryOK, error) {
+	return nil, nil
+}
+
+// TODO: Implement mock
+func (m *MockEntriesClient) SetTransport(transport runtime.ClientTransport) {
+}

internal/pkg/cosign/rekor/signer.go

@@ -25,6 +25,7 @@ import (
 	"github.com/sigstore/cosign/internal/pkg/cosign"
 	cosignv1 "github.com/sigstore/cosign/pkg/cosign"
 	cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
+	"github.com/sigstore/cosign/pkg/cosign/tuf"
 	"github.com/sigstore/cosign/pkg/oci"
 	"github.com/sigstore/cosign/pkg/oci/mutate"
 
@@ -96,7 +97,12 @@ func (rs *signerWrapper) Sign(ctx context.Context, payload io.Reader) (oci.Signa
 		return nil, nil, err
 	}
 
-	newSig, err := mutate.Signature(sig, mutate.WithBundle(bundle))
+	timestamp, err := tuf.GetTimestamp(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	newSig, err := mutate.Signature(sig, mutate.WithBundle(bundle), mutate.WithTimestamp(timestamp))
 	if err != nil {
 		return nil, nil, err
 	}

internal/pkg/cosign/rekor/signer_test.go

@@ -0,0 +1,93 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package rekor
+
+import (
+	"bytes"
+	"context"
+	"crypto"
+	"encoding/base64"
+	"strings"
+	"testing"
+
+	"github.com/sigstore/cosign/internal/pkg/cosign/payload"
+	"github.com/sigstore/cosign/pkg/cosign"
+	"github.com/sigstore/rekor/pkg/generated/client"
+	"github.com/sigstore/sigstore/pkg/signature"
+)
+
+func mustGetNewSigner(t *testing.T) signature.Signer {
+	t.Helper()
+	priv, err := cosign.GeneratePrivateKey()
+	if err != nil {
+		t.Fatalf("cosign.GeneratePrivateKey() failed: %v", err)
+	}
+	s, err := signature.LoadECDSASignerVerifier(priv, crypto.SHA256)
+	if err != nil {
+		t.Fatalf("signature.LoadECDSASignerVerifier(key, crypto.SHA256) failed: %v", err)
+	}
+	return s
+}
+
+func TestSigner(t *testing.T) {
+	// Need real cert and chain
+	payloadSigner := payload.NewSigner(mustGetNewSigner(t))
+
+	// Mock out Rekor client
+	var mClient client.Rekor
+	mClient.Entries = &MockEntriesClient{}
+
+	testSigner := NewSigner(payloadSigner, &mClient)
+
+	testPayload := "test payload"
+
+	ociSig, pub, err := testSigner.Sign(context.Background(), strings.NewReader(testPayload))
+	if err != nil {
+		t.Fatalf("Sign() returned error: %v", err)
+	}
+
+	// Verify that the OCI signature contains a timestamp.
+	timestamp, err := ociSig.Timestamp()
+	if err != nil {
+		t.Fatalf("ociSig.Timestamp() returned error: %v", err)
+	}
+	if timestamp == nil {
+		t.Fatal("ociSig.Timestamp() missing TUF timestamp, got nil")
+	}
+
+	// Verify that the wrapped signer was called.
+	verifier, err := signature.LoadVerifier(pub, crypto.SHA256)
+	if err != nil {
+		t.Fatalf("signature.LoadVerifier(pub) returned error: %v", err)
+	}
+	b64Sig, err := ociSig.Base64Signature()
+	if err != nil {
+		t.Fatalf("ociSig.Base64Signature() returned error: %v", err)
+	}
+	sig, err := base64.StdEncoding.DecodeString(b64Sig)
+	if err != nil {
+		t.Fatalf("base64.StdEncoding.DecodeString(b64Sig) returned error: %v", err)
+	}
+	gotPayload, err := ociSig.Payload()
+	if err != nil {
+		t.Fatalf("ociSig.Payload() returned error: %v", err)
+	}
+	if string(gotPayload) != testPayload {
+		t.Errorf("ociSig.Payload() returned %q, wanted %q", string(gotPayload), testPayload)
+	}
+	if err = verifier.VerifySignature(bytes.NewReader(sig), bytes.NewReader(gotPayload)); err != nil {
+		t.Errorf("VerifySignature() returned error: %v", err)
+	}
+}