From 6db15d6fa2d00cf8273cf992c85337e522c56eac Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Thu, 9 Nov 2023 16:10:26 +0000
Subject: [PATCH 1/2] Add buildtags to avoid fulcio and rekor dependencies

For situations where Fulcio and Rekor operations are not required, this commit provides buildtags to avoid those dependencies.

Signed-off-by: Reinhard Tartler
---
 README.md | 2 ++
 signature/sigstore/fulcio/fulcio.go | 3 ++
 signature/sigstore/fulcio/no_fulcio.go | 45 ++++++++++++++++++++++++++
 signature/sigstore/rekor/no_rekor.go | 17 ++++++++++
 signature/sigstore/rekor/rekor.go | 3 ++
 5 files changed, 70 insertions(+)
 create mode 100644 signature/sigstore/fulcio/no_fulcio.go
 create mode 100644 signature/sigstore/rekor/no_rekor.go

diff --git a/README.md b/README.md
index 034665bf1..7628ef529 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,8 @@ the primary downside is that creating new signatures with the Golang-only implem
 - `containers_image_ostree`: Import `ostree:` transport in `github.com/containers/image/transports/alltransports`. This builds the library requiring the `libostree` development libraries. Otherwise a stub which reports that the transport is not supported gets used. The `github.com/containers/image/ostree` package is completely disabled and impossible to import when this build tag is not in use.
 - `containers_image_storage_stub`: Don’t import the `containers-storage:` transport in `github.com/containers/image/transports/alltransports`, to decrease the amount of required dependencies. Use a stub which reports that the transport is not supported instead.
+- `containers_image_fulcio_stub`: Don't import sigstore/fulcio code, all fulcio operations will return an error code
+- `containers_image_rekor_stub`: Don't import sigstore/reckor code, all rekor operations will return an error code
 ## [Contributing](CONTRIBUTING.md)
diff --git a/signature/sigstore/fulcio/fulcio.go b/signature/sigstore/fulcio/fulcio.go
index 0e6746abb..4ba98b986 100644
--- a/signature/sigstore/fulcio/fulcio.go
+++ b/signature/sigstore/fulcio/fulcio.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package fulcio
 import (
diff --git a/signature/sigstore/fulcio/no_fulcio.go b/signature/sigstore/fulcio/no_fulcio.go
new file mode 100644
index 000000000..ec901154b
--- /dev/null
+++ b/signature/sigstore/fulcio/no_fulcio.go
@@ -0,0 +1,45 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package fulcio
+
+import (
+ "fmt"
+ "io"
+ "net/url"
+
+ "github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
+ return func(s *internal.SigstoreSigner) error {
+ return fmt.Errorf("Fulcio disabled at compile time")
+ }
+}
+
+// WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
+//
+// interactiveOutput must be directly accessible to a human user in real time (i.e. not be just a log file).
+func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+ interactiveOutput io.Writer) internal.Option {
+ return func(s *internal.SigstoreSigner) error {
+ return fmt.Errorf("Fulcio disabled at compile time")
+ }
+}
+
+// WithFulcioAndInterativeOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on an interactively-obtained OIDC ID token.
+// The token is obtained
+// - directly using a browser, listening on localhost, automatically opening a browser to the OIDC issuer,
+// to be redirected on localhost. (I.e. the current environment must allow launching a browser that connect back to the current process;
+// either or both may be impossible in a container or a remote VM).
+// - or by instructing the user to manually open a browser, obtain the OIDC code, and interactively input it as text.
+//
+// interactiveInput and interactiveOutput must both be directly operable by a human user in real time (i.e. not be just a log file).
+func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
+ interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
+ return func(s *internal.SigstoreSigner) error {
+ return fmt.Errorf("Fulcio disabled at compile time")
+ }
+}
diff --git a/signature/sigstore/rekor/no_rekor.go b/signature/sigstore/rekor/no_rekor.go
new file mode 100644
index 000000000..8957a8733
--- /dev/null
+++ b/signature/sigstore/rekor/no_rekor.go
@@ -0,0 +1,17 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package rekor
+
+import (
+ "fmt"
+ "net/url"
+
+ signerInternal "github.com/containers/image/v5/signature/sigstore/internal"
+)
+
+func WithRekor(rekorURL *url.URL) signerInternal.Option {
+ return func(s *signerInternal.SigstoreSigner) error {
+ return fmt.Errorf("Rekor disabled at build time")
+ }
+}
diff --git a/signature/sigstore/rekor/rekor.go b/signature/sigstore/rekor/rekor.go
index 0236f0aab..f8ba6dc3f 100644
--- a/signature/sigstore/rekor/rekor.go
+++ b/signature/sigstore/rekor/rekor.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package rekor
 import (

From 9ca4b73c788a1681f0baa6437953668b8de42b21 Mon Sep 17 00:00:00 2001
From: Reinhard Tartler
Date: Mon, 13 Nov 2023 02:07:38 +0000
Subject: [PATCH 2/2] incorporate code reviews
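Review bot: The doc comments on `WithFulcioAndDeviceAuthorizationGrantOIDC` and `WithFulcioAndInteractiveOIDC` were copied from the real implementation and describe a device-grant flow and a browser/localhost flow that this stub never performs, while `WithFulcioAndPreexistingOIDCIDToken` has no comment at all; the third comment also still misspells the function name as `WithFulcioAndInterativeOIDC`. These are the exported API a caller sees under the stub tag, so each should say what actually happens, e.g. `// WithFulcioAndPreexistingOIDCIDToken is a stub: the library was built with containers_image_fulcio_stub, so the returned option always fails with an error and no Fulcio request is made.`, with the same one-liner on the other two. It is also worth stating that `oidcIDToken` and `oidcClientSecret` are accepted and discarded here, so nobody assumes a credential passed in was used or sent anywhere. The signatures must stay byte-identical to the non-stub file for the two build variants to remain interchangeable, and nothing in this series checks that; a CI build with both tag sets would.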
Signed-off-by: Reinhard Tartler
---
 signature/fulcio_cert.go | 3 ++
 signature/fulcio_cert_stub.go | 28 +++++++++++++++++++
 signature/fulcio_cert_test.go | 3 ++
 signature/internal/rekor_set.go | 3 ++
 signature/internal/rekor_set_stub.go | 15 ++++++++++
 signature/internal/rekor_set_test.go | 3 ++
 signature/policy_eval_sigstore_test.go | 3 ++
 .../fulcio/{no_fulcio.go => fulcio_stub.go} | 6 ++--
 .../rekor/{no_rekor.go => rekor_stub.go} | 2 +-
 9 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 signature/fulcio_cert_stub.go
 create mode 100644 signature/internal/rekor_set_stub.go
 rename signature/sigstore/fulcio/{no_fulcio.go => fulcio_stub.go} (92%)
 rename signature/sigstore/rekor/{no_rekor.go => rekor_stub.go} (85%)

diff --git a/signature/fulcio_cert.go b/signature/fulcio_cert.go
index ef5d3df6f..c11fa46a9 100644
--- a/signature/fulcio_cert.go
+++ b/signature/fulcio_cert.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature
 import (
diff --git a/signature/fulcio_cert_stub.go b/signature/fulcio_cert_stub.go
new file mode 100644
index 000000000..ee79b031d
--- /dev/null
+++ b/signature/fulcio_cert_stub.go
@@ -0,0 +1,28 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package signature
+
+import (
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/x509"
+ "errors"
+)
+
+type fulcioTrustRoot struct {
+ caCertificates *x509.CertPool
+ oidcIssuer string
+ subjectEmail string
+}
+
+func (f *fulcioTrustRoot) validate() error {
+ return errors.New("fulcio disabled at compile-time")
+}
+
+func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte,
+ untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string,
+ untrustedPayloadBytes []byte) (crypto.PublicKey, error) {
+ return nil, errors.New("fulcio diabled at compile-time")
+
+}
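Review bot: The runtime error in `verifyRekorFulcio` has a typo, `"fulcio diabled at compile-time"`, and the empty line before its closing brace is not what gofmt produces; change the return to `return nil, errors.New("fulcio disabled at compile-time")` and drop the blank line. More importantly, this stub is what makes a Fulcio-dependent policy fail closed and nothing says so: `validate()` rejects every trust root and `verifyRekorFulcio` rejects every signature while ignoring all of its `untrusted*` inputs, so a policy requirement that needs a Fulcio certificate can never be satisfied in this build. I would put that contract above the type: `// fulcioTrustRoot and verifyRekorFulcio are fail-closed stubs selected by the containers_image_fulcio_stub build tag: any policy requirement that depends on a Fulcio certificate is rejected with an error, never silently accepted.` The non-stub implementation is outside this patch, so I cannot tell whether it reports a typed error that callers match on; if it does, the stub should return that same type (as `rekor_set_stub.go` does with `NewInvalidSignatureError`) rather than a bare `errors.New`, so callers cannot distinguish "compiled out" from "verification failed" in a way that changes policy outcomes.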
diff --git a/signature/fulcio_cert_test.go b/signature/fulcio_cert_test.go
index e283ae45a..ccf619f4d 100644
--- a/signature/fulcio_cert_test.go
+++ b/signature/fulcio_cert_test.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 package signature
 import (
diff --git a/signature/internal/rekor_set.go b/signature/internal/rekor_set.go
index d439b5f7a..d86e98a45 100644
--- a/signature/internal/rekor_set.go
+++ b/signature/internal/rekor_set.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal
 import (
diff --git a/signature/internal/rekor_set_stub.go b/signature/internal/rekor_set_stub.go
new file mode 100644
index 000000000..7c121cc2e
--- /dev/null
+++ b/signature/internal/rekor_set_stub.go
@@ -0,0 +1,15 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package internal
+
+import (
+ "crypto/ecdsa"
+ "time"
+)
+
+// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data.
+// Returns bundle upload time on success.
+func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) {
+ return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time")
+}
diff --git a/signature/internal/rekor_set_test.go b/signature/internal/rekor_set_test.go
index 0cc8483d4..0040b7b4c 100644
--- a/signature/internal/rekor_set_test.go
+++ b/signature/internal/rekor_set_test.go
@@ -1,3 +1,6 @@
+//go:build !containers_image_rekor_stub
+// +build !containers_image_rekor_stub
+
 package internal
 import (
diff --git a/signature/policy_eval_sigstore_test.go b/signature/policy_eval_sigstore_test.go
index f4dd11368..b46007123 100644
--- a/signature/policy_eval_sigstore_test.go
+++ b/signature/policy_eval_sigstore_test.go
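Review bot: After this tag the stub build has no test coverage at all: `fulcio_cert_test.go`, `rekor_set_test.go` and `policy_eval_sigstore_test.go` are all excluded under the stub tags in this series, so a future change that made a stub return `nil` instead of an error (turning fail-closed into fail-open for every Fulcio-dependent policy) would pass `go test -tags containers_image_fulcio_stub` unnoticed. A small stub-only test pins the property; the sketch below is what I would add as `signature/fulcio_cert_stub_test.go`, with a matching one for `VerifyRekorSET` under the rekor tag. For it to matter, CI must also run the suite once per tag combination, which I cannot see being done here.

```go
//go:build containers_image_fulcio_stub

package signature

// Guards the fail-closed contract of the stub build: neither a trust root nor a
// signature may ever be accepted when Fulcio support is compiled out.
func TestFulcioStubFailsClosed(t *testing.T) {
	if err := (&fulcioTrustRoot{}).validate(); err == nil {
		t.Fatal("fulcioTrustRoot.validate() accepted a trust root in the stub build")
	}
	if _, err := verifyRekorFulcio(nil, &fulcioTrustRoot{}, nil, nil, nil, "", nil); err == nil {
		t.Fatal("verifyRekorFulcio() accepted a signature in the stub build")
	}
}
```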
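Review bot: The doc comment on the stub `VerifyRekorSET` was copied from the real implementation and claims it "verifies that unverifiedRekorSET is correctly signed by publicKey" and "Returns bundle upload time on success", but this function verifies nothing and has no success path. Replace it with a stub-specific comment, e.g. `// VerifyRekorSET is a fail-closed stub selected by the containers_image_rekor_stub build tag: Rekor SETs can never be verified in this build, so it always returns the error produced by NewInvalidSignatureError and any policy that requires a Rekor SET rejects every signature.` Returning the invalid-signature error (rather than a plain error, as `fulcio_cert_stub.go` does) looks deliberate so that callers treat it exactly like a failed verification; if so, say that in the comment, because it is the property that keeps this stub from being fail-open and the next maintainer should not "simplify" it away.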
@@ -1,3 +1,6 @@
+//go:build !containers_image_fulcio_stub
+// +build !containers_image_fulcio_stub
+
 // Policy evaluation for prCosignSigned.
 package signature
diff --git a/signature/sigstore/fulcio/no_fulcio.go b/signature/sigstore/fulcio/fulcio_stub.go
similarity index 92%
rename from signature/sigstore/fulcio/no_fulcio.go
rename to signature/sigstore/fulcio/fulcio_stub.go
index ec901154b..4f4d435c1 100644
--- a/signature/sigstore/fulcio/no_fulcio.go
+++ b/signature/sigstore/fulcio/fulcio_stub.go
@@ -13,7 +13,7 @@ import (
 func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
 return func(s *internal.SigstoreSigner) error {
- return fmt.Errorf("Fulcio disabled at compile time")
+ return fmt.Errorf("fulcio disabled at compile time")
 }
 }
@@ -24,7 +24,7 @@ func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string)
 func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
 interactiveOutput io.Writer) internal.Option {
 return func(s *internal.SigstoreSigner) error {
- return fmt.Errorf("Fulcio disabled at compile time")
+ return fmt.Errorf("fulcio disabled at compile time")
 }
 }
@@ -40,6 +40,6 @@ func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL
 func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
 interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
 return func(s *internal.SigstoreSigner) error {
- return fmt.Errorf("Fulcio disabled at compile time")
+ return fmt.Errorf("fulcio disabled at compile time")
 }
 }
diff --git a/signature/sigstore/rekor/no_rekor.go b/signature/sigstore/rekor/rekor_stub.go
similarity index 85%
rename from signature/sigstore/rekor/no_rekor.go
rename to signature/sigstore/rekor/rekor_stub.go
index 8957a8733..d61926530 100644
--- a/signature/sigstore/rekor/no_rekor.go
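Review bot: Excluding the whole of `policy_eval_sigstore_test.go` under `containers_image_fulcio_stub` drops coverage of every `prSigstoreSigned` evaluation path in that build, not just the Fulcio ones; if the file also holds key-based (non-Fulcio, non-Rekor) cases, those still work in the stub build and should keep being tested there. I cannot see the file body, so this is a question rather than a finding: if only some cases reference the Fulcio helpers, the tag belongs on those cases, split out into a separate `_test.go` file, and this file should stay untagged. A one-line comment after the tag, e.g. `// Excluded in stub builds because the Fulcio cases below reference fulcioTrustRoot.`, would at least record why the whole file is skipped.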
+++ b/signature/sigstore/rekor/rekor_stub.go
@@ -12,6 +12,6 @@ import (
 func WithRekor(rekorURL *url.URL) signerInternal.Option {
 return func(s *signerInternal.SigstoreSigner) error {
- return fmt.Errorf("Rekor disabled at build time")
+ return fmt.Errorf("rekor disabled at build time")
 }
 }
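Review bot: The message still says "build time" while the Fulcio stub in the same series says "compile time" and the `signature` package stubs say "compile-time"; three spellings of the same condition make log and error grepping harder than it needs to be, so pick one, e.g. `return fmt.Errorf("rekor disabled at compile time")` (and `errors.New` would do, since nothing is formatted). `WithRekor` is also the only exported function across the two stub files with no doc comment; add `// WithRekor is a stub: the library was built with containers_image_rekor_stub, so the returned option always fails and no Rekor upload is attempted.` The file's imports are outside this hunk.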