feat: add timestamping options

Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
in-toto · Oct 17, 2022 · f4304f5 · f4304f5
1 parent 29c1ff1
commit f4304f5
Show file tree

Hide file tree

Showing 9 changed files with 31 additions and 12 deletions.
diff --git a/cmd/run.go b/cmd/run.go
@@ -23,7 +23,9 @@ import (
 	witness "github.com/testifysec/go-witness"
 	"github.com/testifysec/go-witness/archivist"
 	"github.com/testifysec/go-witness/attestation"
+	"github.com/testifysec/go-witness/dsse"
 	"github.com/testifysec/go-witness/log"
+	"github.com/testifysec/go-witness/timestamp"
 	"github.com/testifysec/witness/options"
 )
 
@@ -63,22 +65,25 @@ func runRun(ctx context.Context, ro options.RunOptions, args []string) error {
 		return fmt.Errorf("no signers found")
 	}
 
-	signer := signers[0]
-
 	out, err := loadOutfile(ro.OutFilePath)
 	if err != nil {
 		return fmt.Errorf("failed to open out file: %w", err)
 	}
 
-	defer out.Close()
+	timestampers := []dsse.Timestamper{}
+	for _, url := range ro.TimestampServers {
+		timestampers = append(timestampers, timestamp.NewTimestamper(timestamp.TimestampWithUrl(url)))
+	}
 
+	defer out.Close()
 	result, err := witness.Run(
 		ro.StepName,
-		signer,
+		signers[0],
 		witness.RunWithTracing(ro.Tracing),
 		witness.RunWithCommand(args),
 		witness.RunWithAttestors(ro.Attestations),
 		witness.RunWithAttestationOpts(attestation.WithWorkingDir(ro.WorkingDir)),
+		witness.RunWithTimestampers(timestampers...),
 	)
 
 	if err != nil {

diff --git a/cmd/sign.go b/cmd/sign.go
@@ -21,7 +21,9 @@ import (
 
 	"github.com/spf13/cobra"
 	witness "github.com/testifysec/go-witness"
+	"github.com/testifysec/go-witness/dsse"
 	"github.com/testifysec/go-witness/log"
+	"github.com/testifysec/go-witness/timestamp"
 	"github.com/testifysec/witness/options"
 )
 
@@ -71,7 +73,10 @@ func runSign(so options.SignOptions) error {
 		return fmt.Errorf("no signers found")
 	}
 
-	signer := signers[0]
+	timestampers := []dsse.Timestamper{}
+	for _, url := range so.TimestampServers {
+		timestampers = append(timestampers, timestamp.NewTimestamper(timestamp.TimestampWithUrl(url)))
+	}
 
 	inFile, err := os.Open(so.InFilePath)
 	if err != nil {
@@ -84,5 +89,5 @@ func runSign(so options.SignOptions) error {
 	}
 
 	defer outFile.Close()
-	return witness.Sign(inFile, so.DataType, outFile, signer)
+	return witness.Sign(inFile, so.DataType, outFile, dsse.SignWithSigners(signers[0]), dsse.SignWithTimestampers(timestampers...))
 }
diff --git a/cmd/verify_test.go b/cmd/verify_test.go
@@ -28,6 +28,7 @@ import (
 	witness "github.com/testifysec/go-witness"
 	"github.com/testifysec/go-witness/attestation/commandrun"
 	"github.com/testifysec/go-witness/cryptoutil"
+	"github.com/testifysec/go-witness/dsse"
 	"github.com/testifysec/go-witness/policy"
 	"github.com/testifysec/witness/options"
 )
@@ -238,7 +239,7 @@ func signPolicyRSA(t *testing.T, p []byte) (signedPolicy []byte, pub []byte) {
 
 	writer := bytes.NewBuffer(outBytes)
 
-	err = witness.Sign(reader, "https://witness.testifysec.com/policy/v0.1", writer, sign)
+	err = witness.Sign(reader, "https://witness.testifysec.com/policy/v0.1", writer, dsse.SignWithSigners(sign))
 	if err != nil {
 		t.Error(err)
 	}

diff --git a/docs/witness_run.md b/docs/witness_run.md
@@ -22,6 +22,7 @@ witness run [cmd] [flags]
   -o, --outfile string                 File to which to write signed data.  Defaults to stdout
       --spiffe-socket string           Path to the SPIFFE Workload API socket
   -s, --step string                    Name of the step being run
+      --timestamp-servers strings      Timestamp Authority Servers to use when signing envelope
       --trace                          Enable tracing for the command
   -d, --workingdir string              Directory from which commands will run
 ```

diff --git a/docs/witness_sign.md b/docs/witness_sign.md
@@ -24,6 +24,7 @@ witness sign [file] [flags]
   -k, --key string                     Path to the signing key
   -o, --outfile string                 File to write signed data. Defaults to stdout
       --spiffe-socket string           Path to the SPIFFE Workload API socket
+      --timestamp-servers strings      Timestamp Authority Servers to use when signing envelope
 ```
 
 ### Options inherited from parent commands

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.12.0
 	github.com/stretchr/testify v1.8.0
-	github.com/testifysec/go-witness v0.1.14
+	github.com/testifysec/go-witness v0.1.15
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -1360,6 +1360,8 @@ github.com/testifysec/archivist-api v0.0.0-20221012004029-f5ceac2d8a3b h1:HBEM8C
 github.com/testifysec/archivist-api v0.0.0-20221012004029-f5ceac2d8a3b/go.mod h1:4BAH0+DBqP7QQRfJuUw4Tm+LNrptYa0qOjJNcN0Lf7Q=
 github.com/testifysec/go-witness v0.1.14 h1:MEFXx/W8OgaIri3HfbAKpJfg3qkWaT04GaWYujZZhLE=
 github.com/testifysec/go-witness v0.1.14/go.mod h1:xBejEG5VrwCqJogmWxr//8sQKSwnR+9v70xMmwhOPzs=
+github.com/testifysec/go-witness v0.1.15 h1:FnD20gvWrQMxxbquzhxH7waf6Aiip3aPnvJtGk2i+TQ=
+github.com/testifysec/go-witness v0.1.15/go.mod h1:xBejEG5VrwCqJogmWxr//8sQKSwnR+9v70xMmwhOPzs=
 github.com/thales-e-security/pool v0.0.2 h1:RAPs4q2EbWsTit6tpzuvTFlgFRJ3S8Evf5gtvVDbmPg=
 github.com/thales-e-security/pool v0.0.2/go.mod h1:qtpMm2+thHtqhLzTwgDBj/OuNnMpupY8mv0Phz0gjhU=
 github.com/theupdateframework/go-tuf v0.0.0-20211203210025-7ded50136bf9/go.mod h1:n2n6wwC9BEnYS/C/APAtNln0eM5zYAYOkOTx6VEG/mA=

diff --git a/options/run.go b/options/run.go
@@ -24,6 +24,7 @@ type RunOptions struct {
 	OutFilePath      string
 	StepName         string
 	Tracing          bool
+	TimestampServers []string
 }
 
 func (ro *RunOptions) AddFlags(cmd *cobra.Command) {
@@ -34,6 +35,7 @@ func (ro *RunOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVarP(&ro.OutFilePath, "outfile", "o", "", "File to which to write signed data.  Defaults to stdout")
 	cmd.Flags().StringVarP(&ro.StepName, "step", "s", "", "Name of the step being run")
 	cmd.Flags().BoolVar(&ro.Tracing, "trace", false, "Enable tracing for the command")
+	cmd.Flags().StringSliceVar(&ro.TimestampServers, "timestamp-servers", []string{}, "Timestamp Authority Servers to use when signing envelope")
 }
 
 type ArchivistOptions struct {

diff --git a/options/sign.go b/options/sign.go
@@ -17,15 +17,17 @@ package options
 import "github.com/spf13/cobra"
 
 type SignOptions struct {
-	KeyOptions  KeyOptions
-	DataType    string
-	OutFilePath string
-	InFilePath  string
+	KeyOptions       KeyOptions
+	DataType         string
+	OutFilePath      string
+	InFilePath       string
+	TimestampServers []string
 }
 
 func (so *SignOptions) AddFlags(cmd *cobra.Command) {
 	so.KeyOptions.AddFlags(cmd)
 	cmd.Flags().StringVarP(&so.DataType, "datatype", "t", "https://witness.testifysec.com/policy/v0.1", "The URI reference to the type of data being signed. Defaults to the Witness policy type")
 	cmd.Flags().StringVarP(&so.OutFilePath, "outfile", "o", "", "File to write signed data. Defaults to stdout")
 	cmd.Flags().StringVarP(&so.InFilePath, "infile", "f", "", "Witness policy file to sign")
+	cmd.Flags().StringSliceVar(&so.TimestampServers, "timestamp-servers", []string{}, "Timestamp Authority Servers to use when signing envelope")
 }