notaryproject
/
notation-go
mirror of https://github.com/notaryproject/notation-go.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: notaryproject:v1.3.0
Branches Tags
notaryproject:main
notaryproject:dependabot/go_modules/golang.org/x/mod-0.27.0
notaryproject:dependabot/go_modules/golang.org/x/crypto-0.41.0
notaryproject:release-1.3
notaryproject:release-1.1
notaryproject:release-1.2
notaryproject:v1.3.2
notaryproject:v1.3.1
notaryproject:v1.3.0
notaryproject:v1.3.0-rc.2
notaryproject:v1.3.0-rc.1
notaryproject:v1.1.2
notaryproject:v1.2.1
notaryproject:v1.2.0
notaryproject:v1.2.0-rc.1
notaryproject:v1.2.0-beta.1
notaryproject:v1.1.1
notaryproject:v1.1.0
notaryproject:v1.0.1
notaryproject:v1.0.0
notaryproject:v1.0.0-rc.6
notaryproject:v1.0.0-rc.5
notaryproject:v1.0.0-rc.4
notaryproject:v1.0.0-rc.2
notaryproject:v1.0.0-rc.3
notaryproject:v1.0.0-rc.1
notaryproject:v0.12.0-beta.1
notaryproject:v0.11.0-alpha.4
notaryproject:v0.10.0-alpha.3
notaryproject:v0.9.0-alpha.1
notaryproject:v0.8.0-alpha.1
notaryproject:v0.7.0-alpha.1
..
compare: notaryproject:main
Branches Tags
notaryproject:dependabot/go_modules/golang.org/x/mod-0.27.0
notaryproject:dependabot/go_modules/golang.org/x/crypto-0.41.0
notaryproject:main
notaryproject:release-1.3
notaryproject:release-1.1
notaryproject:release-1.2
notaryproject:v1.3.2
notaryproject:v1.3.1
notaryproject:v1.3.0
notaryproject:v1.3.0-rc.2
notaryproject:v1.3.0-rc.1
notaryproject:v1.1.2
notaryproject:v1.2.1
notaryproject:v1.2.0
notaryproject:v1.2.0-rc.1
notaryproject:v1.2.0-beta.1
notaryproject:v1.1.1
notaryproject:v1.1.0
notaryproject:v1.0.1
notaryproject:v1.0.0
notaryproject:v1.0.0-rc.6
notaryproject:v1.0.0-rc.5
notaryproject:v1.0.0-rc.4
notaryproject:v1.0.0-rc.2
notaryproject:v1.0.0-rc.3
notaryproject:v1.0.0-rc.1
notaryproject:v0.12.0-beta.1
notaryproject:v0.11.0-alpha.4
notaryproject:v0.10.0-alpha.3
notaryproject:v0.9.0-alpha.1
notaryproject:v0.8.0-alpha.1
notaryproject:v0.7.0-alpha.1

53 Commits
v1.3.0 ... main

Author SHA1 Message Date
Junjie Gao 6063ebe30f
chore: update maintainer list: Junjie Gao retired (#551) 
Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2025-06-30 17:46:34 +08:00
dependabot[bot] f457e85917
build(deps): bump golang.org/x/mod from 0.24.0 to 0.25.0 (#550) 2025-06-20 07:15:57 +00:00
dependabot[bot] 8c17f1cfc2
build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 (#549) 2025-06-16 07:22:29 +00:00
dependabot[bot] 2bc67e7695
build(deps): bump oras.land/oras-go/v2 from 2.5.0 to 2.6.0 (#548) 2025-05-12 01:58:18 +00:00
dependabot[bot] 9d3ac1c22d
build(deps): bump golang.org/x/crypto from 0.37.0 to 0.38.0 (#547) 2025-05-12 01:55:26 +00:00
Jakub Jarosz e1a37eb756
chore: show openssf scorecard (#543) 
Signed-off-by: Jakub Jarosz <jakub@jarosz.dev>
 2025-05-09 18:01:53 +08:00
Junjie Gao 626ac1d9c0
fix: remove generate-envelope plugin support for blob signing (#546) 
resolves #544

---------

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2025-05-09 16:27:41 +08:00
Patrick Zheng de3655adc0
feat: `artifactType` support in signature manifest (#542) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-05-08 17:01:58 +08:00
dependabot[bot] 02cc632b8b
build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.10 to 3.4.11 (#539) 2025-04-28 08:58:14 +00:00
Patrick Zheng 287b8785c6
bump: bump up dependencies (#535) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-04-18 10:53:59 +08:00
Jakub Jarosz 81056bd695
fix: staticcheck complains - replace deprecated functions (#533) 
This PR fixes a part of `staticcheck` complains reported in
https://github.com/notaryproject/notation-go/issues/531

The remaining issues will be addressed in a separate PRs.

Signed-off-by: Jakub Jarosz <jakub@jarosz.dev>
 2025-04-16 13:31:47 +08:00
dependabot[bot] 0caf40c9ae
build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0 (#530) 
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.36.0 to 0.37.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="959f8f3db0"><code>959f8f3</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="769bcd6997"><code>769bcd6</code></a>
ssh: use the configured rand in kex init</li>
<li><a
href="d0a798f774"><code>d0a798f</code></a>
cryptobyte: fix typo 'octects' into 'octets' for asn1.go</li>
<li><a
href="acbcbef23f"><code>acbcbef</code></a>
acme: remove unnecessary []byte conversion</li>
<li><a
href="376eb14006"><code>376eb14</code></a>
x509roots: support constrained roots</li>
<li><a
href="b369b723c8"><code>b369b72</code></a>
crypto/internal/poly1305: implement function update in assembly on
loong64</li>
<li><a
href="6b853fbea3"><code>6b853fb</code></a>
ssh/knownhosts: check more than one key</li>
<li>See full diff in <a
href="https://github.com/golang/crypto/compare/v0.36.0...v0.37.0">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang.org/x/crypto&package-manager=go_modules&previous-version=0.36.0&new-version=0.37.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2025-04-16 09:57:16 +08:00
Jakub Jarosz dbbeca1679
refactor: update error names to align with Go convention (#529) 
This PR fixes https://github.com/notaryproject/notation-go/issues/528
and adds the following changes:

- add new custom errors (naming aligned with [Go
convention](https://go.dev/doc/effective_go#errors))
- mark old custom error deprecated

---------

Signed-off-by: Jakub Jarosz <jakub@jarosz.dev>
 2025-04-11 15:24:06 +08:00
dependabot[bot] 3bd0ac92b2
build(deps): bump github.com/opencontainers/image-spec from 1.1.0 to 1.1.1 (#523) 2025-03-25 09:39:58 +00:00
dependabot[bot] 02ff112615
build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0 (#525) 2025-03-25 09:36:18 +00:00
dependabot[bot] d6e291d617
build(deps): bump golang.org/x/mod from 0.23.0 to 0.24.0 (#524) 2025-03-25 09:12:14 +00:00
dependabot[bot] fd2a749d85
build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.1 to 4.5.2 (#526) 2025-03-25 09:09:36 +00:00
Patrick Zheng fcc1ce32f8
fix: update error message for signing key config (#527) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-03-24 14:25:55 +08:00
Junjie Gao fdcf9cc476
feat: add `SignOCI` function to return both artifact and signature manifest descriptor (#522) 
Feat:
- added `SignOCI` function and **deprecated** the `Sign` function to
return both artifact and signature manifest descriptor.

Fix:
- handled referrer index deletion error as a warning to avoid confusion
about the final signing status.

Resolve part of https://github.com/notaryproject/notation/issues/695

---------

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2025-03-10 14:03:48 +08:00
dependabot[bot] 4b058c99ef
build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0 (#520) 2025-03-07 03:30:54 +00:00
Patrick Zheng bb2ee7a8a7
fix: timestamp against signing time (#518) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-02-21 16:11:11 +08:00
Junjie Gao 752832c674
bump: update go v1.23 (#512) 
bump:
- updated go v1.23

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2025-02-20 16:05:20 +08:00
dependabot[bot] 93b25a3e46
build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0 (#510) 2025-02-17 02:30:16 +00:00
dependabot[bot] c2b5474983
build(deps): bump golang.org/x/mod from 0.22.0 to 0.23.0 (#509) 2025-02-14 01:08:20 +00:00
Patrick Zheng 6eb53a50d6
refactor: updated verifier constructor (#508) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-01-22 15:22:55 +08:00
Patrick Zheng 96b7133718
bump: bump up dependencies (#504) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-01-15 14:15:29 +08:00
dependabot[bot] 851cbabbc4
build(deps): bump golang.org/x/crypto from 0.31.0 to 0.32.0 (#503) 2025-01-14 00:44:47 +00:00
Patrick Zheng b40566d885
chore: clean up (#502) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-01-14 07:55:12 +08:00
Patrick Zheng 26ce0894a6
docs: fix docs (#498) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2025-01-07 08:36:20 +08:00
dependabot[bot] e5eef5e899
build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.8 to 3.4.10 (#501) 2024-12-31 00:28:04 +00:00
Junjie Gao 9fe530b5fd
fix: `check-line-endings` command of Makefile (#499) 
Fix:
- update the command to search script file in `.` instead of `scripts/`
folder to avoid returning an error.

---------

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Co-authored-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-12-30 10:13:10 +08:00
Patrick Zheng 3eeef95a40
chore(verifier): improve log (#497) 
This PR improves log readability of the library.

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-12-29 00:56:17 -08:00
Junjie Gao cefd007065
fix: limit the plugin output size (#484) 
Fix:
- set the plugin output limit for STDOUT and STDERR to be 10MiB

Test:
- when the plugin output size exceeds 64MiB, the output pipe breaks, and
the plugin process outputs an error to STDERR

Spec changes: https://github.com/notaryproject/specifications/pull/320
Resolves #187

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2024-12-13 08:19:49 +08:00
dependabot[bot] d1d64e7041
build(deps): bump golang.org/x/crypto from 0.29.0 to 0.31.0 (#491) 2024-12-13 00:15:40 +00:00
Patrick Zheng 57c5e0dadf
bump: bump up dependencies (#488) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-12-10 07:57:44 +08:00
Junjie Gao 95bac00829
perf(log): encode objects only when logged (#481) 
Fix:
- replaced `.String()` with the `%v` format to avoid rendering the
string before actually logging it.

Resolves #480

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2024-12-02 10:03:54 +08:00
Patrick Zheng e99be1954a
fix: enable timestamping cert chain revocation check during signing (#482) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-12-02 08:30:56 +08:00
Junjie Gao 240181a5eb
fix: add warning message for non-revokable certificate (#479) 
Fix:
- added warning message for non-revokable certificate

---------

Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2024-11-29 08:38:08 +08:00
Patrick Zheng 5a323330d0
fix: timestamping (#478) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
Co-authored-by: Pritesh Bandi <priteshbandi@gmail.com>
 2024-11-15 16:09:00 +08:00
Pritesh Bandi 7b9636e239
chore: Improve error message in case of plugin timeout (#472) 
When a plugin exceeds the specified timeout or deadline for content
processing, the current error message displayed is ```signal: killed```.
This PR updates the error message to a more informative message:
```[plugin_name] [command_name] command execution timeout: signal:
killed```

---------

Signed-off-by: Pritesh Bandi <priteshbandi@gmail.com>
 2024-11-14 11:06:45 -08:00
dependabot[bot] 8797d86735
build(deps): bump golang.org/x/mod from 0.21.0 to 0.22.0 (#477) 2024-11-14 19:03:25 +00:00
Patrick Zheng cf70e77099
fix: crl cache log and err msg (#475) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-11-12 07:51:07 +08:00
dependabot[bot] 0191e75373
build(deps): bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#476) 2024-11-11 17:44:50 +00:00
dependabot[bot] f332ed9212
build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#474) 2024-11-11 17:42:01 +00:00
dependabot[bot] f855f25526
build(deps): bump golang.org/x/crypto from 0.27.0 to 0.28.0 (#468) 2024-11-05 04:44:48 +00:00
Patrick Zheng c6c8cc7f66
chore: add crl cache debug logs (#473) 
Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-11-03 20:19:01 +08:00
Patrick Zheng 1dc55d0add
fix: added tsa trust store root cert validation (#471) 
This PR adds tsa trust store root cert validation while getting
certificates from trust store. This is to fail fast if cert in TSA trust
store is not a root CA certificate.

Resolves #470

---------

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-11-01 10:40:07 -07:00
Shiwei Zhang e1b80e2f2e
Merge commit from fork 
fix: OS error when setting CRL cache leads to denial of signature verification
 2024-11-01 10:35:22 +08:00
Junjie Gao 7d11fa2346
fix: OS error when setting CRL cache leads to denial of signature verification 
Signed-off-by: Junjie Gao <junjiegao@microsoft.com>
 2024-10-23 02:59:09 +00:00
Patrick Zheng 82014a953f
chore: update logs (#469) 
This PR updates logs.
Resolves #430. Also should resolve issue https://github.com/notaryproject/notation/issues/1004.

Signed-off-by: Patrick Zheng <patrickzheng@microsoft.com>
 2024-10-16 10:31:10 -07:00
dependabot[bot] 11866a54a0
build(deps): bump github.com/notaryproject/notation-core-go from 1.1.1-0.20240920045731-0786f51de737 to 1.2.0-rc.1 (#466) 2024-10-01 05:51:37 +00:00
dependabot[bot] 4c2d986035
build(deps): bump github.com/veraison/go-cose from 1.1.0 to 1.3.0 (#467) 2024-10-01 05:48:38 +00:00
AdamKorcz a86f8da6ea
test: add fuzz test (#459) 
Adds a fuzz test from cncf-fuzzing:
https://github.com/cncf/cncf-fuzzing/blob/main/projects/notary/fuzz_pkix_test.go

Signed-off-by: Adam Korczynski <adam@adalogics.com>
 2024-09-29 14:11:20 -07:00
44 changed files with 2508 additions and 741 deletions
Show Stats Expand all files Collapse all files

2
CODEOWNERS
View File

@ -1,3 +1,3 @@
# Repo-Level Owners (in alphabetical order)
# Note: This is only for the notaryproject/notation-go repo
* @gokarnm @JeyJeyGao @niazfk @priteshbandi @rgnote @shizhMSFT @toddysm @Two-Hearts @vaninrao10 @yizha1
* @gokarnm @niazfk @priteshbandi @rgnote @shizhMSFT @toddysm @Two-Hearts @vaninrao10 @yizha1

6
MAINTAINERS
View File

@ -9,11 +9,13 @@ Yi Zha <yizha1@microsoft.com> (@yizha1)
# Repo-Level Maintainers (in alphabetical order)
# Note: This is for the notaryproject/notation-go repo
Junjie Gao <junjiegao@microsoft.com> (@JeyJeyGao)
Milind Gokarn <gokarnm@amazon.com> (@gokarnm)
Patrick Zheng <patrickzheng@microsoft.com> (@Two-Hearts)
Rakesh Gariganti <garigant@amazon.com> (@rgnote)
# Emeritus Org Maintainers (in alphabetical order)
Justin Cormack <justin.cormack@docker.com> (@justincormack)
Steve Lasker <StevenLasker@hotmail.com> (@stevelasker)
Steve Lasker <StevenLasker@hotmail.com> (@stevelasker)
# Emeritus Repo-Level Maintainers (in alphabetical order)
Junjie Gao <junjiegao@microsoft.com> (@JeyJeyGao)

1
README.md
View File

@ -3,6 +3,7 @@
[![Build Status](https://github.com/notaryproject/notation-go/actions/workflows/build.yml/badge.svg?event=push&branch=main)](https://github.com/notaryproject/notation-go/actions/workflows/build.yml?query=workflow%3Abuild+event%3Apush+branch%3Amain)
[![Codecov](https://codecov.io/gh/notaryproject/notation-go/branch/main/graph/badge.svg)](https://codecov.io/gh/notaryproject/notation-go)
[![Go Reference](https://pkg.go.dev/badge/github.com/notaryproject/notation-go.svg)](https://pkg.go.dev/github.com/notaryproject/notation-go@main)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/notaryproject/notation-go/badge)](https://scorecard.dev/viewer/?uri=github.com/notaryproject/notation-go)
notation-go contains libraries for signing and verification of artifacts as per [Notary Project specifications](https://github.com/notaryproject/specifications). notation-go is being used by [notation](https://github.com/notaryproject/notation) CLI for signing and verifying artifacts.

36
RELEASE_CHECKLIST.md Normal file
View File

@ -0,0 +1,36 @@
# Release Checklist
## Overview
This document describes the checklist to publish a release for notation-go.
## Release Process from main
1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
2. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.0.0-rc.1"`.
3. If there is new release in [notation-core-go](https://github.com/notaryproject/notation-core-go) library that are required to be upgraded in notation-go, update the dependency versions in the follow `go.mod` and `go.sum` files of notation-go:
- [go.mod](go.mod), [go.sum](go.sum)
4. Open a bump up PR and submit the changes in step 3 to the notation-go repository.
5. After PR from step 4 is merged. Create another PR to update the value of `signingAgent` defined in file [signer/signer.go](signer/signer.go) with `notation-go/<version>`, where `<version>` is `$version` from step 2 without the `v` prefix. For example, `notation-go/1.0.0-rc.1`. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: release $version`. Make sure to reach a majority of approvals from the [repo-level maintainers](MAINTAINERS) before merging it. This PR MUST be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub.
6. After the voting PR is merged, execute `git clone https://github.com/notaryproject/notation-go.git` to clone the repository to your local file system.
7. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
8. Create a tag by running `git tag -am $version $version -s`.
9. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
10. On notation-go GitHub page, goto [Tags](https://github.com/notaryproject/notation-go/tags). Your newly pushed tag should be shown on the top. Create a new release from the tag. Generate the release notes, revise the release description and change logs, and publish the release.
11. Announce the new release in the Notary Project community.
## Release Process from a release branch
1. Check if there are any security vulnerabilities fixed and security advisories published before a release. Security advisories should be linked on the release notes.
2. Determine a [SemVer2](https://semver.org/)-valid version prefixed with the letter `v` for release. For example, `version="v1.2.0-rc.1"`.
3. If a new release branch is needed, from main branch's [commit list](https://github.com/notaryproject/notation-go/commits/main/), find the commit that you want to cut the release. Click `<>` (Browse repository at this point). Create branch with name `release-<version>` from the commit, where `<version>` is `$version` from step 2 with the major and minor versions only. For example `release-1.2`. If the release branch already exists, skip this step.
4. If there is new release in [notation-core-go](https://github.com/notaryproject/notation-core-go) library that are required to be upgraded in notation-go, update the dependency versions in the follow `go.mod` and `go.sum` files of notation-go:
- [go.mod](go.mod), [go.sum](go.sum)
5. Open a bump up PR and submit the changes in step 4 to the release branch.
6. After PR from step 5 is merged. Create another PR to update the value of `signingAgent` defined in file `signer/signer.go` with `notation-go/<version>`, where `<version>` is `$version` from step 2 without the `v` prefix. For example, `notation-go/1.2.0-rc.1`. The commit message MUST follow the [conventional commit](https://www.conventionalcommits.org/en/v1.0.0/) and could be `bump: release $version`. Record the digest of that commit as `<commit_digest>`. This PR is also used for voting purpose of the new release. Add the link of change logs and repo-level maintainer list in the PR's description. The PR title could be `bump: release $version`. Make sure to reach a majority of approvals from the [repo-level maintainers](MAINTAINERS) before merging it. This PR MUST be merged using [Create a merge commit](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/about-merge-methods-on-github) method in GitHub.
7. After the voting PR is merged, execute `git clone https://github.com/notaryproject/notation-go.git` to clone the repository to your local file system.
8. Enter the cloned repository and execute `git checkout <commit_digest>` to switch to the specified branch based on the voting result.
9. Create a tag by running `git tag -am $version $version -s`.
10. Run `git tag` and ensure the desired tag name in the list looks correct, then push the new tag directly to the repository by running `git push origin $version`.
11. On notation-go GitHub page, goto [Tags](https://github.com/notaryproject/notation-go/tags). Your newly pushed tag should be shown on the top. Create a new release from the tag. Generate the release notes, revise the release description and change logs, and publish the release.
12. Announce the new release in the Notary Project community.

35
config/errors.go Normal file
View File

@ -0,0 +1,35 @@
// Copyright The Notary Project Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package config
import (
"errors"
"fmt"
)
// ErrKeyNameEmpty is used when key name is empty.
var ErrKeyNameEmpty = errors.New("key name cannot be empty")
// KeyNotFoundError is used when key is not found in the signingkeys.json file.
type KeyNotFoundError struct {
KeyName string
}
// Error returns the error message.
func (e KeyNotFoundError) Error() string {
if e.KeyName != "" {
return fmt.Sprintf("signing key %s not found", e.KeyName)
}
return "signing key not found"
}

28
config/errors_test.go Normal file
View File

@ -0,0 +1,28 @@
// Copyright The Notary Project Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package config
import "testing"
func TestErrorKeyNotFound(t *testing.T) {
e := KeyNotFoundError{}
if e.Error() != "signing key not found" {
t.Fatalf("ErrorKeyNotFound.Error() = %v, want %v", e.Error(), "signing key not found")
}
e = KeyNotFoundError{KeyName: "testKey"}
if e.Error() != `signing key testKey not found` {
t.Fatalf("ErrorKeyNotFound.Error() = %v, want %v", e.Error(), "signing key testKey not found")
}
}

43
config/keys.go
View File

@ -50,9 +50,6 @@ type KeySuite struct {
*ExternalKey
}
var errorKeyNameEmpty = errors.New("key name cannot be empty")
var errKeyNotFound = errors.New("signing key not found")
// SigningKeys reflects the signingkeys.json file.
type SigningKeys struct {
Default *string `json:"default,omitempty"`
@ -67,13 +64,12 @@ func NewSigningKeys() *SigningKeys {
// Add adds new signing key
func (s *SigningKeys) Add(name, keyPath, certPath string, markDefault bool) error {
if name == "" {
return errorKeyNameEmpty
return ErrKeyNameEmpty
}
_, err := tls.LoadX509KeyPair(certPath, keyPath)
if err != nil {
return err
}
ks := KeySuite{
Name: name,
X509KeyPair: &X509KeyPair{
@ -88,25 +84,20 @@ func (s *SigningKeys) Add(name, keyPath, certPath string, markDefault bool) erro
func (s *SigningKeys) AddPlugin(ctx context.Context, keyName, id, pluginName string, pluginConfig map[string]string, markDefault bool) error {
logger := log.GetLogger(ctx)
logger.Debugf("Adding key with name %v and plugin name %v", keyName, pluginName)
if keyName == "" {
return errorKeyNameEmpty
return ErrKeyNameEmpty
}
if id == "" {
return errors.New("missing key id")
}
if pluginName == "" {
return errors.New("plugin name cannot be empty")
}
mgr := plugin.NewCLIManager(dir.PluginFS())
_, err := mgr.Get(ctx, pluginName)
if err != nil {
return err
}
ks := KeySuite{
Name: keyName,
ExternalKey: &ExternalKey{
@ -115,7 +106,6 @@ func (s *SigningKeys) AddPlugin(ctx context.Context, keyName, id, pluginName str
PluginConfig: pluginConfig,
},
}
if err = s.add(ks, markDefault); err != nil {
logger.Error("Failed to add key with error: %v", err)
return err
@ -127,14 +117,12 @@ func (s *SigningKeys) AddPlugin(ctx context.Context, keyName, id, pluginName str
// Get returns signing key for the given name
func (s *SigningKeys) Get(keyName string) (KeySuite, error) {
if keyName == "" {
return KeySuite{}, errorKeyNameEmpty
return KeySuite{}, ErrKeyNameEmpty
}
idx := slices.IndexIsser(s.Keys, keyName)
if idx < 0 {
return KeySuite{}, errKeyNotFound
return KeySuite{}, KeyNotFoundError{KeyName: keyName}
}
return s.Keys[idx], nil
}
@ -144,7 +132,6 @@ func (s *SigningKeys) GetDefault() (KeySuite, error) {
return KeySuite{}, errors.New("default signing key not set." +
" Please set default signing key or specify a key name")
}
return s.Get(*s.Default)
}
@ -153,12 +140,11 @@ func (s *SigningKeys) Remove(keyName ...string) ([]string, error) {
var deletedNames []string
for _, name := range keyName {
if name == "" {
return deletedNames, errorKeyNameEmpty
return deletedNames, ErrKeyNameEmpty
}
idx := slices.IndexIsser(s.Keys, name)
if idx < 0 {
return deletedNames, errors.New(name + ": not found")
return deletedNames, KeyNotFoundError{KeyName: name}
}
s.Keys = slices.Delete(s.Keys, idx)
deletedNames = append(deletedNames, name)
@ -172,13 +158,11 @@ func (s *SigningKeys) Remove(keyName ...string) ([]string, error) {
// UpdateDefault updates default signing key
func (s *SigningKeys) UpdateDefault(keyName string) error {
if keyName == "" {
return errorKeyNameEmpty
return ErrKeyNameEmpty
}
if !slices.ContainsIsser(s.Keys, keyName) {
return fmt.Errorf("key with name '%s' not found", keyName)
return KeyNotFoundError{KeyName: keyName}
}
s.Default = &keyName
return nil
}
@ -189,11 +173,9 @@ func (s *SigningKeys) Save() error {
if err != nil {
return err
}
if err := validateKeys(s); err != nil {
return err
}
return save(path, s)
}
@ -208,11 +190,9 @@ func LoadSigningKeys() (*SigningKeys, error) {
}
return nil, err
}
if err := validateKeys(&config); err != nil {
return nil, err
}
return &config, nil
}
@ -224,11 +204,9 @@ func LoadExecSaveSigningKeys(fn func(keys *SigningKeys) error) error {
if err != nil {
return err
}
if err := fn(signingKeys); err != nil {
return err
}
return signingKeys.Save()
}
@ -241,12 +219,10 @@ func (s *SigningKeys) add(key KeySuite, markDefault bool) error {
if slices.ContainsIsser(s.Keys, key.Name) {
return fmt.Errorf("signing key with name %q already exists", key.Name)
}
s.Keys = append(s.Keys, key)
if markDefault {
s.Default = &key.Name
}
return nil
}
@ -262,17 +238,14 @@ func validateKeys(config *SigningKeys) error {
}
uniqueKeyNames.Add(key.Name)
}
if config.Default != nil {
defaultKey := *config.Default
if len(defaultKey) == 0 {
return fmt.Errorf("malformed %s: default key name cannot be empty", dir.PathSigningKeys)
}
if !uniqueKeyNames.Contains(defaultKey) {
return fmt.Errorf("malformed %s: default key '%s' not found", dir.PathSigningKeys, defaultKey)
}
}
return nil
}

50
config/keys_test.go
View File

@ -17,6 +17,7 @@ import (
"context"
"crypto/x509"
"encoding/pem"
"errors"
"os"
"path/filepath"
"reflect"
@ -310,14 +311,22 @@ func TestGet(t *testing.T) {
})
t.Run("NonExistent", func(t *testing.T) {
if _, err := sampleSigningKeysInfo.Get("nonExistent"); err == nil {
_, err := sampleSigningKeysInfo.Get("nonExistent")
if err == nil {
t.Error("expected Get() to fail for nonExistent key name")
}
if !errors.Is(err, KeyNotFoundError{KeyName: "nonExistent"}) {
t.Error("expected Get() to return ErrorKeyNotFound")
}
})
t.Run("InvalidName", func(t *testing.T) {
if _, err := sampleSigningKeysInfo.Get(""); err == nil {
t.Error("expected Get() to fail for invalid key name")
t.Run("EmptyName", func(t *testing.T) {
_, err := sampleSigningKeysInfo.Get("")
if err == nil {
t.Error("expected Get() to fail for empty key name")
}
if !errors.Is(err, ErrKeyNameEmpty) {
t.Error("expected Get() to return ErrorKeyNameEmpty")
}
})
}
@ -358,14 +367,22 @@ func TestUpdateDefault(t *testing.T) {
})
t.Run("NonExistent", func(t *testing.T) {
if err := sampleSigningKeysInfo.UpdateDefault("nonExistent"); err == nil {
err := sampleSigningKeysInfo.UpdateDefault("nonExistent")
if err == nil {
t.Error("expected Get() to fail for nonExistent key name")
}
if !errors.Is(err, KeyNotFoundError{KeyName: "nonExistent"}) {
t.Error("expected Get() to return ErrorKeyNotFound")
}
})
t.Run("InvalidName", func(t *testing.T) {
if err := sampleSigningKeysInfo.UpdateDefault(""); err == nil {
t.Error("expected Get() to fail for invalid key name")
t.Run("EmptyName", func(t *testing.T) {
err := sampleSigningKeysInfo.UpdateDefault("")
if err == nil {
t.Error("expected Get() to fail for empty key name")
}
if !errors.Is(err, ErrKeyNameEmpty) {
t.Error("expected Get() to return ErrorKeyNameEmpty")
}
})
}
@ -382,21 +399,28 @@ func TestRemove(t *testing.T) {
if _, err := testSigningKeysInfo.Get(testKeyName); err == nil {
t.Error("Delete() filed to delete key")
}
if keys[0] != testKeyName {
t.Error("Delete() deleted key name mismatch")
}
})
t.Run("NonExistent", func(t *testing.T) {
if _, err := testSigningKeysInfo.Remove(testKeyName); err == nil {
_, err := testSigningKeysInfo.Remove("nonExistent")
if err == nil {
t.Error("expected Get() to fail for nonExistent key name")
}
if !errors.Is(err, KeyNotFoundError{KeyName: "nonExistent"}) {
t.Error("expected Get() to return ErrorKeyNotFound")
}
})
t.Run("InvalidName", func(t *testing.T) {
if _, err := testSigningKeysInfo.Remove(""); err == nil {
t.Error("expected Get() to fail for invalid key name")
t.Run("EmptyName", func(t *testing.T) {
_, err := testSigningKeysInfo.Remove("")
if err == nil {
t.Error("expected Get() to fail for empty key name")
}
if !errors.Is(err, ErrKeyNameEmpty) {
t.Error("expected Get() to return ErrorKeyNameEmpty")
}
})
}

9
dir/path.go
View File

@ -58,8 +58,15 @@ const (
PathConfigFile = "config.json"
// PathSigningKeys is the signingkeys file relative path.
PathSigningKeys = "signingkeys.json"
// PathTrustPolicy is the trust policy file relative path.
// PathTrustPolicy is the OCI trust policy file relative path.
//
// Deprecated: PathTrustPolicy exists for historical compatibility and should not be used.
// To get OCI trust policy path, use PathOCITrustPolicy.
PathTrustPolicy = "trustpolicy.json"
// PathOCITrustPolicy is the OCI trust policy file relative path.
PathOCITrustPolicy = "trustpolicy.oci.json"
// PathBlobTrustPolicy is the Blob trust policy file relative path.
PathBlobTrustPolicy = "trustpolicy.blob.json"
// LocalKeysDir is the directory name for local key relative path.
LocalKeysDir = "localkeys"
// LocalCertificateExtension defines the extension of the certificate files.

60
errors.go
View File

@ -15,11 +15,17 @@ package notation
// ErrorPushSignatureFailed is used when failed to push signature to the
// target registry.
type ErrorPushSignatureFailed struct {
//
// Deprecated: Use PushSignatureFailedError instead.
type ErrorPushSignatureFailed = PushSignatureFailedError
// PushSignatureFailedError is used when failed to push signature to the
// target registry.
type PushSignatureFailedError struct {
Msg string
}
func (e ErrorPushSignatureFailed) Error() string {
func (e PushSignatureFailedError) Error() string {
if e.Msg != "" {
return "failed to push signature to registry with error: " + e.Msg
}
@ -28,11 +34,17 @@ func (e ErrorPushSignatureFailed) Error() string {
// ErrorVerificationInconclusive is used when signature verification fails due
// to a runtime error (e.g. a network error)
type ErrorVerificationInconclusive struct {
//
// Deprecated: Use VerificationInconclusiveError instead.
type ErrorVerificationInconclusive = VerificationInconclusiveError
// VerificationInconclusiveError is used when signature verification fails due
// to a runtime error (e.g. a network error)
type VerificationInconclusiveError struct {
Msg string
}
func (e ErrorVerificationInconclusive) Error() string {
func (e VerificationInconclusiveError) Error() string {
if e.Msg != "" {
return e.Msg
}
@ -41,11 +53,17 @@ func (e ErrorVerificationInconclusive) Error() string {
// ErrorNoApplicableTrustPolicy is used when there is no trust policy that
// applies to the given artifact
type ErrorNoApplicableTrustPolicy struct {
//
// Deprecated: Use NoApplicableTrustPolicyError instead.
type ErrorNoApplicableTrustPolicy = NoApplicableTrustPolicyError
// NoApplicableTrustPolicyError is used when there is no trust policy that
// applies to the given artifact
type NoApplicableTrustPolicyError struct {
Msg string
}
func (e ErrorNoApplicableTrustPolicy) Error() string {
func (e NoApplicableTrustPolicyError) Error() string {
if e.Msg != "" {
return e.Msg
}
@ -54,11 +72,17 @@ func (e ErrorNoApplicableTrustPolicy) Error() string {
// ErrorSignatureRetrievalFailed is used when notation is unable to retrieve the
// digital signature/s for the given artifact
type ErrorSignatureRetrievalFailed struct {
//
// Deprecated: Use SignatureRetrievalFailedError instead.
type ErrorSignatureRetrievalFailed = SignatureRetrievalFailedError
// SignatureRetrievalFailedError is used when notation is unable to retrieve the
// digital signature/s for the given artifact
type SignatureRetrievalFailedError struct {
Msg string
}
func (e ErrorSignatureRetrievalFailed) Error() string {
func (e SignatureRetrievalFailedError) Error() string {
if e.Msg != "" {
return e.Msg
}
@ -67,11 +91,17 @@ func (e ErrorSignatureRetrievalFailed) Error() string {
// ErrorVerificationFailed is used when it is determined that the digital
// signature/s is not valid for the given artifact
type ErrorVerificationFailed struct {
//
// Deprecated: Use VerificationFailedError instead.
type ErrorVerificationFailed = VerificationFailedError
// VerificationFailedError is used when it is determined that the digital
// signature/s is not valid for the given artifact
type VerificationFailedError struct {
Msg string
}
func (e ErrorVerificationFailed) Error() string {
func (e VerificationFailedError) Error() string {
if e.Msg != "" {
return e.Msg
}
@ -80,11 +110,17 @@ func (e ErrorVerificationFailed) Error() string {
// ErrorUserMetadataVerificationFailed is used when the signature does not
// contain the user specified metadata
type ErrorUserMetadataVerificationFailed struct {
//
// Deprecated: Use UserMetadataVerificationFailedError instead.
type ErrorUserMetadataVerificationFailed = UserMetadataVerificationFailedError
// UserMetadataVerificationFailedError is used when the signature does not
// contain the user specified metadata
type UserMetadataVerificationFailedError struct {
Msg string
}
func (e ErrorUserMetadataVerificationFailed) Error() string {
func (e UserMetadataVerificationFailedError) Error() string {
if e.Msg != "" {
return e.Msg
}

77
errors_test.go
View File

@ -91,3 +91,80 @@ func TestErrorMessages(t *testing.T) {
})
}
}
func TestCustomErrorPrintsCorrectMessage(t *testing.T) {
tests := []struct {
name string
err error
want string
}{
{
name: "PushSignatureFailedError with message",
err: PushSignatureFailedError{Msg: "test message"},
want: "failed to push signature to registry with error: test message",
},
{
name: "PushSignatureFailedError without message",
err: PushSignatureFailedError{},
want: "failed to push signature to registry",
},
{
name: "VerificationInconclusiveError with message",
err: VerificationInconclusiveError{Msg: "test message"},
want: "test message",
},
{
name: "VerificationInconclusiveError without message",
err: VerificationInconclusiveError{},
want: "signature verification was inclusive due to an unexpected error",
},
{
name: "NoApplicableTrustPolicyError with message",
err: NoApplicableTrustPolicyError{Msg: "test message"},
want: "test message",
},
{
name: "NoApplicableTrustPolicyError without message",
err: NoApplicableTrustPolicyError{},
want: "there is no applicable trust policy for the given artifact",
},
{
name: "SignatureRetrievalFailedError with message",
err: SignatureRetrievalFailedError{Msg: "test message"},
want: "test message",
},
{
name: "SignatureRetrievalFailedError without message",
err: SignatureRetrievalFailedError{},
want: "unable to retrieve the digital signature from the registry",
},
{
name: "VerificationFailedError with message",
err: VerificationFailedError{Msg: "test message"},
want: "test message",
},
{
name: "VerificationFailedError without message",
err: VerificationFailedError{},
want: "signature verification failed",
},
{
name: "UserMetadataVerificationFailedError with message",
err: UserMetadataVerificationFailedError{Msg: "test message"},
want: "test message",
},
{
name: "UserMetadataVerificationFailedError without message",
err: UserMetadataVerificationFailedError{},
want: "unable to find specified metadata in the signature",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := tt.err.Error(); got != tt.want {
t.Errorf("Error() = %v, want %v", got, tt.want)
}
})
}
}

2
example_localSign_test.go
View File

@ -46,7 +46,7 @@ func Example_localSign() {
// exampleSigner is a notation.Signer given key and X509 certificate chain.
// Users should replace `exampleCertTuple.PrivateKey` with their own private
// key and replace `exampleCerts` with the corresponding full certificate
// chain, following the Notary certificate requirements:
// chain, following the Notary Project certificate requirements:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
exampleSigner, err := signer.NewGenericSigner(exampleCertTuple.PrivateKey, exampleCerts)
if err != nil {

10
example_localVerify_test.go
View File

@ -32,9 +32,9 @@ import (
// examplePolicyDocument is an example of a valid trust policy document.
// trust policy document should follow this spec:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy
var examplePolicyDocument = trustpolicy.Document{
var examplePolicyDocument = trustpolicy.OCIDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.TrustPolicy{
TrustPolicies: []trustpolicy.OCITrustPolicy{
{
Name: "test-statement-name",
RegistryScopes: []string{"example/software"},
@ -73,8 +73,8 @@ func Example_localVerify() {
}
// createTrustStore creates a trust store directory for demo purpose.
// Users could use the default trust store from Notary and add trusted
// certificates into it following the trust store spec:
// Users could use the default trust store from Notary Project and
// add trusted certificates into it following the trust store spec:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-store
if err := createTrustStore(); err != nil {
panic(err) // Handle error
@ -172,7 +172,7 @@ func createTrustStore() error {
// generate the `exampleSignatureEnvelopePem` above.)
// Users should replace `exampleX509Certificate` with their own trusted
// certificate and add to the trust store, following the
// Notary certificate requirements:
// Notary Project certificate requirements:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
exampleX509Certificate := `-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIBUTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL

13
example_remoteSign_test.go
View File

@ -45,7 +45,7 @@ func Example_remoteSign() {
// exampleSigner is a notation.Signer given key and X509 certificate chain.
// Users should replace `exampleCertTuple.PrivateKey` with their own private
// key and replace `exampleCerts` with the corresponding full certificate
// chain, following the Notary certificate requirements:
// chain, following the Notary Project certificate requirements:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
exampleSigner, err := signer.NewGenericSigner(exampleCertTuple.PrivateKey, exampleCerts)
if err != nil {
@ -70,13 +70,16 @@ func Example_remoteSign() {
// remote sign core process
// upon successful signing, descriptor of the sign content is returned and
// the generated signature is pushed into remote registry.
targetDesc, err := notation.Sign(context.Background(), exampleSigner, exampleRepo, exampleSignOptions)
targetManifestDesc, sigManifestDesc, err := notation.SignOCI(context.Background(), exampleSigner, exampleRepo, exampleSignOptions)
if err != nil {
panic(err) // Handle error
}
fmt.Println("Successfully signed")
fmt.Println("targetDesc MediaType:", targetDesc.MediaType)
fmt.Println("targetDesc Digest:", targetDesc.Digest)
fmt.Println("targetDesc Size:", targetDesc.Size)
fmt.Println("targetManifestDesc.MediaType:", targetManifestDesc.MediaType)
fmt.Println("targetManifestDesc.Digest:", targetManifestDesc.Digest)
fmt.Println("targetManifestDesc.Size:", targetManifestDesc.Size)
fmt.Println("sigManifestDesc.MediaType:", sigManifestDesc.MediaType)
fmt.Println("sigManifestDesc.Digest:", sigManifestDesc.Digest)
fmt.Println("sigManifestDesc.Size:", sigManifestDesc.Size)
}

6
example_remoteVerify_test.go
View File

@ -38,9 +38,9 @@ func Example_remoteVerify() {
// examplePolicyDocument is an example of a valid trust policy document.
// trust policy document should follow this spec:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy
examplePolicyDocument := trustpolicy.Document{
examplePolicyDocument := trustpolicy.OCIDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.TrustPolicy{
TrustPolicies: []trustpolicy.OCITrustPolicy{
{
Name: "test-statement-name",
RegistryScopes: []string{"*"},
@ -101,7 +101,7 @@ func generateTrustStore() error {
// an example of a valid X509 self-signed certificate for demo purpose ONLY.
// Users should replace `exampleX509Certificate` with their own trusted
// certificate and add to the trust store, following the
// Notary certificate requirements:
// Notary Project certificate requirements:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
exampleX509Certificate := `-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIBUTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL

88
example_signBlob_test.go Normal file
View File

@ -0,0 +1,88 @@
// Copyright The Notary Project Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package notation_test
import (
"context"
"fmt"
"strings"
"github.com/notaryproject/notation-core-go/signature"
"github.com/notaryproject/notation-core-go/signature/jws"
"github.com/notaryproject/notation-go"
"github.com/notaryproject/notation-go/signer"
)
// ExampleSignBlob demonstrates how to use [notation.SignBlob] to sign arbitrary
// data.
func Example_signBlob() {
// exampleSigner implements [notation.Signer] and [notation.BlobSigner].
// Given key and X509 certificate chain, it provides method to sign OCI
// artifacts or blobs.
// Users should replace `exampleCertTuple.PrivateKey` with their own private
// key and replace `exampleCerts` with the corresponding certificate chain,
// following the Notary Project certificate requirements:
// https://github.com/notaryproject/specifications/tree/9c81dc773508dedc5a81c02c8d805de04f65050b/specs/signature-specification.md#certificate-requirements
exampleSigner, err := signer.NewGenericSigner(exampleCertTuple.PrivateKey, exampleCerts)
if err != nil {
panic(err) // Handle error
}
// Both COSE ("application/cose") and JWS ("application/jose+json")
// signature mediaTypes are supported.
exampleSignatureMediaType := jws.MediaTypeEnvelope
exampleContentMediaType := "video/mp4"
// exampleSignOptions is an example of [notation.SignBlobOptions].
exampleSignOptions := notation.SignBlobOptions{
SignerSignOptions: notation.SignerSignOptions{
SignatureMediaType: exampleSignatureMediaType,
SigningAgent: "example signing agent",
},
ContentMediaType: exampleContentMediaType,
UserMetadata: map[string]string{"buildId": "101"},
}
// exampleReader reads the data that needs to be signed.
// This data can be in a file or in memory.
exampleReader := strings.NewReader("example blob")
// Upon successful signing, signature envelope and signerInfo are returned.
// signatureEnvelope can be used in a verification process later on.
signatureEnvelope, signerInfo, err := notation.SignBlob(context.Background(), exampleSigner, exampleReader, exampleSignOptions)
if err != nil {
panic(err) // Handle error
}
fmt.Println("Successfully signed")
// a peek of the signature envelope generated
sigBlob, err := signature.ParseEnvelope(exampleSignatureMediaType, signatureEnvelope)
if err != nil {
panic(err) // Handle error
}
sigContent, err := sigBlob.Content()
if err != nil {
panic(err) // Handle error
}
fmt.Println("signature Payload ContentType:", sigContent.Payload.ContentType)
fmt.Println("signature Payload Content:", string(sigContent.Payload.Content))
fmt.Println("signerInfo SigningAgent:", signerInfo.UnsignedAttributes.SigningAgent)
// Output:
// Successfully signed
// signature Payload ContentType: application/vnd.cncf.notary.payload.v1+json
// signature Payload Content: {"targetArtifact":{"annotations":{"buildId":"101"},"digest":"sha384:b8ab24dafba5cf7e4c89c562f811cf10493d4203da982d3b1345f366ca863d9c2ed323dbd0fb7ff83a80302ceffa5a61","mediaType":"video/mp4","size":12}}
// signerInfo SigningAgent: example signing agent
}

13
example_signWithTimestmap_test.go
View File

@ -45,7 +45,7 @@ func Example_signWithTimestamp() {
// exampleSigner is a notation.Signer given key and X509 certificate chain.
// Users should replace `exampleCertTuple.PrivateKey` with their own private
// key and replace `exampleCerts` with the corresponding full certificate
// chain, following the Notary certificate requirements:
// chain, following the Notary Project certificate requirements:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
exampleSigner, err := signer.NewGenericSigner(exampleCertTuple.PrivateKey, exampleCerts)
if err != nil {
@ -98,13 +98,16 @@ func Example_signWithTimestamp() {
ArtifactReference: exampleArtifactReference,
}
targetDesc, err := notation.Sign(context.Background(), exampleSigner, exampleRepo, exampleSignOptions)
targetManifestDesc, sigManifestDesc, err := notation.SignOCI(context.Background(), exampleSigner, exampleRepo, exampleSignOptions)
if err != nil {
panic(err) // Handle error
}
fmt.Println("Successfully signed")
fmt.Println("targetDesc MediaType:", targetDesc.MediaType)
fmt.Println("targetDesc Digest:", targetDesc.Digest)
fmt.Println("targetDesc Size:", targetDesc.Size)
fmt.Println("targetManifestDesc.MediaType:", targetManifestDesc.MediaType)
fmt.Println("targetManifestDesc.Digest:", targetManifestDesc.Digest)
fmt.Println("targetManifestDesc.Size:", targetManifestDesc.Size)
fmt.Println("sigManifestDesc.MediaType:", sigManifestDesc.MediaType)
fmt.Println("sigManifestDesc.Digest:", sigManifestDesc.Digest)
fmt.Println("sigManifestDesc.Size:", sigManifestDesc.Size)
}

154
example_verifyBlob_test.go Normal file
View File

@ -0,0 +1,154 @@
// Copyright The Notary Project Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package notation_test
import (
"context"
"fmt"
"os"
"strings"
"github.com/notaryproject/notation-core-go/signature/jws"
"github.com/notaryproject/notation-go"
"github.com/notaryproject/notation-go/dir"
"github.com/notaryproject/notation-go/verifier"
"github.com/notaryproject/notation-go/verifier/trustpolicy"
"github.com/notaryproject/notation-go/verifier/truststore"
)
// exampleBlobPolicyDocument is an example of a valid blob trust policy document.
// blob trust policy document should follow this spec:
// https://github.com/notaryproject/specifications/tree/9c81dc773508dedc5a81c02c8d805de04f65050b/specs/trust-store-trust-policy.md#blob-trust-policy
var exampleBlobPolicyDocument = trustpolicy.BlobDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.BlobTrustPolicy{
{
Name: "test-statement-name",
SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: trustpolicy.LevelStrict.Name, Override: map[trustpolicy.ValidationType]trustpolicy.ValidationAction{trustpolicy.TypeRevocation: trustpolicy.ActionSkip}},
TrustStores: []string{"ca:valid-trust-store"},
TrustedIdentities: []string{"*"},
},
},
}
// ExampleVerifyBlob demonstrates how to use [notation.VerifyBlob] to verify a
// signature of an arbitrary blob.
func Example_verifyBlob() {
// Both COSE ("application/cose") and JWS ("application/jose+json")
// signature mediaTypes are supported.
exampleSignatureMediaType := jws.MediaTypeEnvelope
// exampleSignatureEnvelope is a valid signature envelope.
exampleSignatureEnvelope := getSignatureEnvelope()
// createTrustStoreForBlobVerify creates a trust store directory for demo purpose.
// Users could use the default trust store from Notary Project and add trusted
// certificates into it following the trust store spec:
// https://github.com/notaryproject/specifications/tree/9c81dc773508dedc5a81c02c8d805de04f65050b/specs/trust-store-trust-policy.md#trust-store
if err := createTrustStoreForBlobVerify(); err != nil {
panic(err) // Handle error
}
// exampleVerifier implements [notation.Verify] and [notation.VerifyBlob].
exampleVerifier, err := verifier.NewVerifierWithOptions(truststore.NewX509TrustStore(dir.ConfigFS()), verifier.VerifierOptions{
BlobTrustPolicy: &exampleBlobPolicyDocument,
})
if err != nil {
panic(err) // Handle error
}
// exampleReader reads the data that needs to be verified.
// This data can be in a file or in memory.
exampleReader := strings.NewReader("example blob")
// exampleVerifyOptions is an example of [notation.VerifyBlobOptions]
exampleVerifyOptions := notation.VerifyBlobOptions{
BlobVerifierVerifyOptions: notation.BlobVerifierVerifyOptions{
SignatureMediaType: exampleSignatureMediaType,
TrustPolicyName: "test-statement-name",
},
}
// upon successful verification, the signature verification outcome is
// returned.
_, outcome, err := notation.VerifyBlob(context.Background(), exampleVerifier, exampleReader, []byte(exampleSignatureEnvelope), exampleVerifyOptions)
if err != nil {
panic(err) // Handle error
}
fmt.Println("Successfully verified")
// a peek of the payload inside the signature envelope
fmt.Println("payload ContentType:", outcome.EnvelopeContent.Payload.ContentType)
// Note, upon successful verification, payload.TargetArtifact from the
// signature envelope matches exactly with our exampleTargetDescriptor.
// (This check has been done for the user inside verifier.Verify.)
fmt.Println("payload Content:", string(outcome.EnvelopeContent.Payload.Content))
// Output:
// Successfully verified
// payload ContentType: application/vnd.cncf.notary.payload.v1+json
// payload Content: {"targetArtifact":{"digest":"sha384:b8ab24dafba5cf7e4c89c562f811cf10493d4203da982d3b1345f366ca863d9c2ed323dbd0fb7ff83a80302ceffa5a61","mediaType":"video/mp4","size":12}}
}
func createTrustStoreForBlobVerify() error {
// changing the path of the trust store for demo purpose.
// Users could keep the default value, i.e. os.UserConfigDir.
dir.UserConfigDir = "tmp"
// an example of a valid X509 self-signed certificate for demo purpose ONLY.
// (This self-signed cert is paired with the private key used to
// generate the `exampleSignatureEnvelopePem` above.)
// Users should replace `exampleX509Certificate` with their own trusted
// certificate and add to the trust store, following the
// Notary Project certificate requirements:
// https://github.com/notaryproject/specifications/tree/9c81dc773508dedc5a81c02c8d805de04f65050b/specs/signature-specification.md#certificate-requirements
exampleX509Certificate := `-----BEGIN CERTIFICATE-----
MIIEbDCCAtSgAwIBAgIBUzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEl
MCMGA1UEAxMcTm90YXRpb24gRXhhbXBsZSBzZWxmLXNpZ25lZDAgFw0yNDA0MDQy
MTIwMjBaGA8yMTI0MDQwNDIxMjAyMFowZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgT
AldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxJTAjBgNVBAMT
HE5vdGF0aW9uIEV4YW1wbGUgc2VsZi1zaWduZWQwggGiMA0GCSqGSIb3DQEBAQUA
A4IBjwAwggGKAoIBgQDGIiN4yCjSVqFELZwxK/BMb8BokP587L8oPrZ1g8H7LudB
moLNDT7vF9xccbCfU3yNuOd0WaOgnENiCs81VHidyJsj1Oz3u+0Zn3ng7V+uZr6m
AIO74efA9ClMiY4i4HIt8IAZF57AL2mzDnCITgSWxikf030Il85MI42STvA+qYuz
ZEOp3XvKo8bDgQFvbtgK0HYYMfrka7VDmIWVo0rBMGm5btI8HOYQ0r9aqsrCxLAv
1AQeOQm+wbRcp4R5PIUJr+REGn7JCbOyXg/7qqHXKKmvV5yrGaraw8gZ5pqP/RHK
XUJIfvD0Vf2epJmsvC+6vXkSWtz+cA8J4GQx4J4SXL57hoYkC5qv39SOLzlWls3I
6fgeO+SZ0sceMd8NKlom/L5eOJBfB3bTQB83hq/3bRtjT7/qCMsL3VcndKkS+vGF
JPw5uTH+pmBgHrLr6tRoRRjwRFuZ0dO05AbdjCaxgVDtFI3wNbaXn/1VlRGySQIS
UNWxCrUsSzndeqwmjqsCAwEAAaMnMCUwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM
MAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBgQBdi0SaJAaeKBB0I+Fjcbmc
4zRvHE4GDSMSDnAK97nrZCZ9iwKuY4x6mv9lwQe2P3VXROoL9JmONNf0yaObOwQj
ILGnbe2rzYtUardz2gzh+6KNzJHspRvk1f06mp4496XQ3STMRSr8kno1svKQMy0Y
FRsGMKs4fWHavIAqNXg9ymrZvvXiatN2UiVtAA/jBFScZAWskeb2WHNzORi7H5Z1
mp5+IlNYQpzdIu/dvLVxzhh2UvkRdsQqsMgt/MOU84RncwUNZM4yI5EGPoaSJdsj
AGNd+UV6ur7QmVI2Q9EZNRlaDJtaoZmKns5j1SlmDXWKbdRmw42ORDudODj/pHA9
+u+ca9t3uLsbqO9yPm8m+6fyxffWS11QAH6O7EjydJWcEe5tYkPpL6kcaEyQKESm
5CDlsk+W3ElpaUu6tsnGKODvgdAN3m0noC+qxzCMqoCM4+M5V6OptR98MDl2FK0B
5+WF6YHBxf/uqDvFktUczjrIWuyfECywp05bpGAErGE=
-----END CERTIFICATE-----`
// Adding the certificate into the trust store.
if err := os.MkdirAll("tmp/truststore/x509/ca/valid-trust-store", 0700); err != nil {
return err
}
return os.WriteFile("tmp/truststore/x509/ca/valid-trust-store/NotationBlobExample.pem", []byte(exampleX509Certificate), 0600)
}
func getSignatureEnvelope() string {
return `{"payload":"eyJ0YXJnZXRBcnRpZmFjdCI6eyJkaWdlc3QiOiJzaGEzODQ6YjhhYjI0ZGFmYmE1Y2Y3ZTRjODljNTYyZjgxMWNmMTA0OTNkNDIwM2RhOTgyZDNiMTM0NWYzNjZjYTg2M2Q5YzJlZDMyM2RiZDBmYjdmZjgzYTgwMzAyY2VmZmE1YTYxIiwibWVkaWFUeXBlIjoidmlkZW8vbXA0Iiwic2l6ZSI6MTJ9fQ","protected":"eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSI6Im5vdGFyeS54NTA5IiwiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1RpbWUiOiIyMDI0LTA0LTA0VDE0OjIwOjIxLTA3OjAwIn0","header":{"x5c":["MIIEbDCCAtSgAwIBAgIBUzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTElMCMGA1UEAxMcTm90YXRpb24gRXhhbXBsZSBzZWxmLXNpZ25lZDAgFw0yNDA0MDQyMTIwMjBaGA8yMTI0MDQwNDIxMjAyMFowZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxJTAjBgNVBAMTHE5vdGF0aW9uIEV4YW1wbGUgc2VsZi1zaWduZWQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDGIiN4yCjSVqFELZwxK/BMb8BokP587L8oPrZ1g8H7LudBmoLNDT7vF9xccbCfU3yNuOd0WaOgnENiCs81VHidyJsj1Oz3u+0Zn3ng7V+uZr6mAIO74efA9ClMiY4i4HIt8IAZF57AL2mzDnCITgSWxikf030Il85MI42STvA+qYuzZEOp3XvKo8bDgQFvbtgK0HYYMfrka7VDmIWVo0rBMGm5btI8HOYQ0r9aqsrCxLAv1AQeOQm+wbRcp4R5PIUJr+REGn7JCbOyXg/7qqHXKKmvV5yrGaraw8gZ5pqP/RHKXUJIfvD0Vf2epJmsvC+6vXkSWtz+cA8J4GQx4J4SXL57hoYkC5qv39SOLzlWls3I6fgeO+SZ0sceMd8NKlom/L5eOJBfB3bTQB83hq/3bRtjT7/qCMsL3VcndKkS+vGFJPw5uTH+pmBgHrLr6tRoRRjwRFuZ0dO05AbdjCaxgVDtFI3wNbaXn/1VlRGySQISUNWxCrUsSzndeqwmjqsCAwEAAaMnMCUwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBgQBdi0SaJAaeKBB0I+Fjcbmc4zRvHE4GDSMSDnAK97nrZCZ9iwKuY4x6mv9lwQe2P3VXROoL9JmONNf0yaObOwQjILGnbe2rzYtUardz2gzh+6KNzJHspRvk1f06mp4496XQ3STMRSr8kno1svKQMy0YFRsGMKs4fWHavIAqNXg9ymrZvvXiatN2UiVtAA/jBFScZAWskeb2WHNzORi7H5Z1mp5+IlNYQpzdIu/dvLVxzhh2UvkRdsQqsMgt/MOU84RncwUNZM4yI5EGPoaSJdsjAGNd+UV6ur7QmVI2Q9EZNRlaDJtaoZmKns5j1SlmDXWKbdRmw42ORDudODj/pHA9+u+ca9t3uLsbqO9yPm8m+6fyxffWS11QAH6O7EjydJWcEe5tYkPpL6kcaEyQKESm5CDlsk+W3ElpaUu6tsnGKODvgdAN3m0noC+qxzCMqoCM4+M5V6OptR98MDl2FK0B5+WF6YHBxf/uqDvFktUczjrIWuyfECywp05bpGAErGE="],"io.cncf.notary.signingAgent":"example signing agent"},"signature":"liOjdgQ9BKuQTZGXRh3o6P8AMUIq_MKQReEcqA5h8M4RYs3DV_wXfaLCr2x_NRcwjTZsoO1_J77hmzkkk4L0IuFP8Qw0KKtmc83G0yFi4yYV5fwzrIbnhC2GRLuqLPnK-C4qYmv52ld3ebvo7XWwRHu30-VXePmTRFp6iG-eSAgkNgwhxSZ0ZmTFLG3ceNiX2bxpLHlXdPwA3aFKbd6nKrzo4CZ1ZyLNmAIaoA5-kmc0Hyt45trpxaaiWusI_pcTLw71YCqEAs32tEq3q6hRAgAZZN-Qvm9GyNp9EuaPiKjMbJFqtjome5ITxyNd-5t09dDCUgSe3t-iqv2Blm4E080AP1TYwUKLYklGniUP1dAtOau5G2juZLpl7tr4LQ99mycflnAmV7e79eEWXffvy5EAl77dW4_vM7lEemm08m2wddGuDOWXYb1j1r2_a5Xb92umHq6ZMhAp200A0pUkm9640x8z5jdudi_7KeezdqUK7ZMmSxHohiylyKD_20Cy"}`
}

8
example_verifyWithTimestamp_test.go
View File

@ -39,9 +39,9 @@ func Example_verifyWithTimestamp() {
// timestamping configurations.
// trust policy document should follow this spec:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#trust-policy
examplePolicyDocument := trustpolicy.Document{
examplePolicyDocument := trustpolicy.OCIDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.TrustPolicy{
TrustPolicies: []trustpolicy.OCITrustPolicy{
{
Name: "test-statement-name",
RegistryScopes: []string{"*"},
@ -115,7 +115,7 @@ func generateTrustStoreWithTimestamp() error {
// an example of a valid X509 self-signed certificate for demo purpose ONLY.
// Users should replace `exampleX509Certificate` with their own trusted
// certificate and add to the trust store, following the
// Notary certificate requirements:
// Notary Project certificate requirements:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
exampleX509Certificate := `-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIBUTANBgkqhkiG9w0BAQsFADBOMQswCQYDVQQGEwJVUzEL
@ -149,7 +149,7 @@ GLAfj/jSf9OH9VLTPHOS8/N0Ka4=
// an example of a valid TSA root certificate for demo purpose ONLY.
// Users should replace `exampleTSARootCertificate` with their own trusted
// TSA root certificate and add to the trust store, following the
// Notary certificate requirements:
// Notary Project certificate requirements:
// https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/signature-specification.md#certificate-requirements
exampleTSARootCertificate := `-----BEGIN CERTIFICATE-----
MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi

22
go.mod
View File

@ -1,26 +1,26 @@
module github.com/notaryproject/notation-go
go 1.22.0
go 1.23.0
require (
github.com/go-ldap/ldap/v3 v3.4.10
github.com/notaryproject/notation-core-go v1.2.0
github.com/go-ldap/ldap/v3 v3.4.11
github.com/notaryproject/notation-core-go v1.3.0
github.com/notaryproject/notation-plugin-framework-go v1.0.0
github.com/notaryproject/tspclient-go v1.0.0
github.com/opencontainers/go-digest v1.0.0
github.com/opencontainers/image-spec v1.1.0
github.com/opencontainers/image-spec v1.1.1
github.com/veraison/go-cose v1.3.0
golang.org/x/crypto v0.32.0
golang.org/x/mod v0.22.0
oras.land/oras-go/v2 v2.5.0
golang.org/x/crypto v0.39.0
golang.org/x/mod v0.25.0
oras.land/oras-go/v2 v2.6.0
)
require (
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
github.com/fxamacker/cbor/v2 v2.8.0 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/x448/float16 v0.8.4 // indirect
golang.org/x/sync v0.10.0 // indirect
golang.org/x/sync v0.14.0 // indirect
)

123
go.sum
View File

@ -2,23 +2,18 @@ github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@ -33,107 +28,33 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/notaryproject/notation-core-go v1.2.0 h1:WElMG9X0YXJhBd0A4VOxLNalTLrTjvqtIAj7JHr5X08=
github.com/notaryproject/notation-core-go v1.2.0/go.mod h1:+y3L1dOs2/ZwJIU5Imo7BBvZ/M3CFjXkydGGdK09EtA=
github.com/notaryproject/notation-core-go v1.3.0 h1:mWJaw1QBpBxpjLSiKOjzbZvB+xh2Abzk14FHWQ+9Kfs=
github.com/notaryproject/notation-core-go v1.3.0/go.mod h1:hzvEOit5lXfNATGNBT8UQRx2J6Fiw/dq/78TQL8aE64=
github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
github.com/notaryproject/tspclient-go v1.0.0 h1:AwQ4x0gX8IHnyiZB1tggpn5NFqHpTEm1SDX8YNv4Dg4=
github.com/notaryproject/tspclient-go v1.0.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk=
github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c=
oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg=
oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=

240
notation.go
View File

@ -12,7 +12,7 @@
// limitations under the License.
// Package notation provides signer and verifier for notation Sign
// and Verification.
// and Verification. It supports both OCI artifact and arbitrary blob.
package notation
import (
@ -23,6 +23,8 @@ import (
"encoding/json"
"errors"
"fmt"
"io"
"mime"
"strings"
"time"
@ -46,7 +48,7 @@ var errDoneVerification = errors.New("done verification")
var reservedAnnotationPrefixes = [...]string{"io.cncf.notary"}
// SignerSignOptions contains parameters for Signer.Sign.
// SignerSignOptions contains parameters for [Signer] and [BlobSigner].
type SignerSignOptions struct {
// SignatureMediaType is the envelope type of the signature.
// Currently, both `application/jose+json` and `application/cose` are
@ -84,6 +86,38 @@ type Signer interface {
Sign(ctx context.Context, desc ocispec.Descriptor, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error)
}
// SignBlobOptions contains parameters for [notation.SignBlob].
type SignBlobOptions struct {
SignerSignOptions
// ContentMediaType is the media-type of the blob being signed.
ContentMediaType string
// UserMetadata contains key-value pairs that are added to the signature
// payload
UserMetadata map[string]string
}
// BlobDescriptorGenerator creates descriptor using the digest Algorithm.
// Below is the example of minimal descriptor, it must contain mediatype,
// digest and size of the artifact.
//
// {
// "mediaType": "application/octet-stream",
// "digest": "sha256:2f3a23b6373afb134ddcd864be8e037e34a662d090d33ee849471ff73c873345",
// "size": 1024
// }
type BlobDescriptorGenerator func(digest.Algorithm) (ocispec.Descriptor, error)
// BlobSigner is a generic interface for signing arbitrary data.
// The interface allows signing with local or remote keys,
// and packing in various signature formats.
type BlobSigner interface {
// SignBlob signs the descriptor returned by genDesc, and returns the
// signature and SignerInfo.
SignBlob(ctx context.Context, genDesc BlobDescriptorGenerator, opts SignerSignOptions) ([]byte, *signature.SignerInfo, error)
}
// signerAnnotation facilitates return of manifest annotations by signers
type signerAnnotation interface {
// PluginAnnotations returns signature manifest annotations returned from
@ -91,7 +125,7 @@ type signerAnnotation interface {
PluginAnnotations() map[string]string
}
// SignOptions contains parameters for notation.Sign.
// SignOptions contains parameters for [notation.Sign].
type SignOptions struct {
SignerSignOptions
@ -106,13 +140,30 @@ type SignOptions struct {
// Sign signs the OCI artifact and push the signature to the Repository.
// The descriptor of the sign content is returned upon successful signing.
//
// Deprecated: use [SignOCI] instead.
func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts SignOptions) (ocispec.Descriptor, error) {
artifactMenifestDesc, _, err := SignOCI(ctx, signer, repo, signOpts)
return artifactMenifestDesc, err
}
// SignOCI signs the OCI artifact and push the signature to the Repository.
//
// Both artifact and signature manifest descriptors are returned upon successful
// signing.
//
// Note: If the error type is [remote.ReferrersError] and
// referrerError.IsReferrersIndexDelete() returns true, the signature is
// successfully pushed to the repository, but the referrers index deletion
// failed. In this case, the artifact and signature manifest descriptors are
// returned with the error.
func SignOCI(ctx context.Context, signer Signer, repo registry.Repository, signOpts SignOptions) (artifactManifestDesc, sigManifestDesc ocispec.Descriptor, err error) {
// sanity check
if err := validateSignArguments(signer, signOpts.SignerSignOptions); err != nil {
return ocispec.Descriptor{}, err
return ocispec.Descriptor{}, ocispec.Descriptor{}, err
}
if repo == nil {
return ocispec.Descriptor{}, errors.New("repo cannot be nil")
return ocispec.Descriptor{}, ocispec.Descriptor{}, errors.New("repo cannot be nil")
}
logger := log.GetLogger(ctx)
@ -121,52 +172,76 @@ func Sign(ctx context.Context, signer Signer, repo registry.Repository, signOpts
// artifactRef is a valid full reference
artifactRef = ref.Reference
}
targetDesc, err := repo.Resolve(ctx, artifactRef)
artifactManifestDesc, err = repo.Resolve(ctx, artifactRef)
if err != nil {
return ocispec.Descriptor{}, fmt.Errorf("failed to resolve reference: %w", err)
return ocispec.Descriptor{}, ocispec.Descriptor{}, fmt.Errorf("failed to resolve reference: %w", err)
}
// artifactRef is a tag or a digest, if it's a digest it has to match
// the resolved digest
if artifactRef != targetDesc.Digest.String() {
if artifactRef != artifactManifestDesc.Digest.String() {
if _, err := digest.Parse(artifactRef); err == nil {
// artifactRef is a digest, but does not match the resolved digest
return ocispec.Descriptor{}, fmt.Errorf("user input digest %s does not match the resolved digest %s", artifactRef, targetDesc.Digest.String())
return ocispec.Descriptor{}, ocispec.Descriptor{}, fmt.Errorf("user input digest %s does not match the resolved digest %s", artifactRef, artifactManifestDesc.Digest.String())
}
// artifactRef is a tag
logger.Warnf("Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:%s`) because tags are mutable and a tag reference can point to a different artifact than the one signed", artifactRef)
logger.Infof("Resolved artifact tag `%s` to digest `%v` before signing", artifactRef, targetDesc.Digest)
logger.Infof("Resolved artifact tag `%s` to digest `%v` before signing", artifactRef, artifactManifestDesc.Digest)
}
descToSign, err := addUserMetadataToDescriptor(ctx, targetDesc, signOpts.UserMetadata)
descToSign, err := addUserMetadataToDescriptor(ctx, artifactManifestDesc, signOpts.UserMetadata)
if err != nil {
return ocispec.Descriptor{}, err
return ocispec.Descriptor{}, ocispec.Descriptor{}, err
}
sig, signerInfo, err := signer.Sign(ctx, descToSign, signOpts.SignerSignOptions)
if err != nil {
return ocispec.Descriptor{}, err
return ocispec.Descriptor{}, ocispec.Descriptor{}, err
}
var pluginAnnotations map[string]string
if signerAnts, ok := signer.(signerAnnotation); ok {
pluginAnnotations = signerAnts.PluginAnnotations()
}
logger.Debug("Generating annotation")
annotations, err := generateAnnotations(signerInfo, pluginAnnotations)
if err != nil {
return ocispec.Descriptor{}, err
return ocispec.Descriptor{}, ocispec.Descriptor{}, err
}
logger.Debugf("Generated annotations: %+v", annotations)
logger.Debugf("Pushing signature of artifact descriptor: %+v, signature media type: %v", targetDesc, signOpts.SignatureMediaType)
_, _, err = repo.PushSignature(ctx, signOpts.SignatureMediaType, sig, targetDesc, annotations)
logger.Debugf("Pushing signature of artifact descriptor: %+v, signature media type: %v", artifactManifestDesc, signOpts.SignatureMediaType)
_, sigManifestDesc, err = repo.PushSignature(ctx, signOpts.SignatureMediaType, sig, artifactManifestDesc, annotations)
if err != nil {
var referrerError *remote.ReferrersError
// do not log an error for failing to delete referral index
if !errors.As(err, &referrerError) || !referrerError.IsReferrersIndexDelete() {
logger.Error("Failed to push the signature")
if errors.As(err, &referrerError) && referrerError.IsReferrersIndexDelete() {
// return the descriptors for referrersIndexDelete error as
// the signature is successfully pushed to the repository
return artifactManifestDesc, sigManifestDesc, err
}
return ocispec.Descriptor{}, ErrorPushSignatureFailed{Msg: err.Error()}
logger.Error("Failed to push the signature")
return ocispec.Descriptor{}, ocispec.Descriptor{}, ErrorPushSignatureFailed{Msg: err.Error()}
}
return artifactManifestDesc, sigManifestDesc, nil
}
// SignBlob signs the arbitrary data from blobReader and returns
// the signature and SignerInfo.
func SignBlob(ctx context.Context, signer BlobSigner, blobReader io.Reader, signBlobOpts SignBlobOptions) ([]byte, *signature.SignerInfo, error) {
// sanity checks
if err := validateSignArguments(signer, signBlobOpts.SignerSignOptions); err != nil {
return nil, nil, err
}
if blobReader == nil {
return nil, nil, errors.New("blobReader cannot be nil")
}
if signBlobOpts.ContentMediaType == "" {
return nil, nil, errors.New("content media-type cannot be empty")
}
if err := validateContentMediaType(signBlobOpts.ContentMediaType); err != nil {
return nil, nil, err
}
return targetDesc, nil
getDescFunc := getDescriptorFunc(ctx, blobReader, signBlobOpts.ContentMediaType, signBlobOpts.UserMetadata)
return signer.SignBlob(ctx, getDescFunc, signBlobOpts.SignerSignOptions)
}
func validateSignArguments(signer any, signOpts SignerSignOptions) error {
@ -185,33 +260,26 @@ func validateSignArguments(signer any, signOpts SignerSignOptions) error {
if err := validateSigMediaType(signOpts.SignatureMediaType); err != nil {
return err
}
return nil
}
func addUserMetadataToDescriptor(ctx context.Context, desc ocispec.Descriptor, userMetadata map[string]string) (ocispec.Descriptor, error) {
logger := log.GetLogger(ctx)
if desc.Annotations == nil && len(userMetadata) > 0 {
desc.Annotations = map[string]string{}
}
for k, v := range userMetadata {
logger.Debugf("Adding metadata %v=%v to annotations", k, v)
for _, reservedPrefix := range reservedAnnotationPrefixes {
if strings.HasPrefix(k, reservedPrefix) {
return desc, fmt.Errorf("error adding user metadata: metadata key %v has reserved prefix %v", k, reservedPrefix)
}
}
if _, ok := desc.Annotations[k]; ok {
return desc, fmt.Errorf("error adding user metadata: metadata key %v is already present in the target artifact", k)
}
desc.Annotations[k] = v
}
return desc, nil
}
@ -253,6 +321,7 @@ type VerificationOutcome struct {
Error error
}
// UserMetadata returns the user metadata from the signature envelope.
func (outcome *VerificationOutcome) UserMetadata() (map[string]string, error) {
if outcome.EnvelopeContent == nil {
return nil, errors.New("unable to find envelope content for verification outcome")
@ -263,15 +332,14 @@ func (outcome *VerificationOutcome) UserMetadata() (map[string]string, error) {
if err != nil {
return nil, errors.New("failed to unmarshal the payload content in the signature blob to envelope.Payload")
}
if payload.TargetArtifact.Annotations == nil {
return map[string]string{}, nil
}
return payload.TargetArtifact.Annotations, nil
}
// VerifierVerifyOptions contains parameters for Verifier.Verify used for verifying OCI artifact.
// VerifierVerifyOptions contains parameters for [Verifier.Verify] used for
// verifying OCI artifact.
type VerifierVerifyOptions struct {
// ArtifactReference is the reference of the artifact that is being
// verified against to. It must be a full reference.
@ -290,22 +358,49 @@ type VerifierVerifyOptions struct {
UserMetadata map[string]string
}
// Verifier is a interface for verifying an OCI artifact.
// Verifier is a generic interface for verifying an OCI artifact.
type Verifier interface {
// Verify verifies the `signature` associated with the target OCI artifact
//with manifest descriptor `desc`, and returns the outcome upon
// with manifest descriptor `desc`, and returns the outcome upon
// successful verification.
// If nil signature is present and the verification level is not 'skip',
// an error will be returned.
Verify(ctx context.Context, desc ocispec.Descriptor, signature []byte, opts VerifierVerifyOptions) (*VerificationOutcome, error)
}
// BlobVerifierVerifyOptions contains parameters for [BlobVerifier.Verify].
type BlobVerifierVerifyOptions struct {
// SignatureMediaType is the envelope type of the signature.
// Currently only `application/jose+json` and `application/cose` are
// supported.
SignatureMediaType string
// PluginConfig is a map of plugin configs.
PluginConfig map[string]string
// UserMetadata contains key-value pairs that must be present in the
// signature.
UserMetadata map[string]string
// TrustPolicyName is the name of trust policy picked by caller.
// If empty, the global trust policy will be applied.
TrustPolicyName string
}
// BlobVerifier is a generic interface for verifying a blob.
type BlobVerifier interface {
// VerifyBlob verifies the `signature` against the target blob using the
// descriptor returned by descGenFunc parameter and
// returns the outcome upon successful verification.
VerifyBlob(ctx context.Context, descGenFunc BlobDescriptorGenerator, signature []byte, opts BlobVerifierVerifyOptions) (*VerificationOutcome, error)
}
type verifySkipper interface {
// SkipVerify validates whether the verification level is skip.
SkipVerify(ctx context.Context, opts VerifierVerifyOptions) (bool, *trustpolicy.VerificationLevel, error)
}
// VerifyOptions contains parameters for notation.Verify.
// VerifyOptions contains parameters for [notation.Verify].
type VerifyOptions struct {
// ArtifactReference is the reference of the artifact that is being
// verified against to.
@ -324,8 +419,51 @@ type VerifyOptions struct {
UserMetadata map[string]string
}
// VerifyBlobOptions contains parameters for [notation.VerifyBlob].
type VerifyBlobOptions struct {
BlobVerifierVerifyOptions
// ContentMediaType is the media-type type of the content being verified.
ContentMediaType string
}
// VerifyBlob performs signature verification for a blob using notation supported
// verification types (like integrity, authenticity, etc.) and returns the
// successful signature verification outcome. The blob is read using blobReader,
// and upon successful verification, it returns the descriptor of the blob.
// For more details on signature verification, see
// https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#signature-verification
func VerifyBlob(ctx context.Context, blobVerifier BlobVerifier, blobReader io.Reader, signature []byte, verifyBlobOpts VerifyBlobOptions) (ocispec.Descriptor, *VerificationOutcome, error) {
if blobVerifier == nil {
return ocispec.Descriptor{}, nil, errors.New("blobVerifier cannot be nil")
}
if blobReader == nil {
return ocispec.Descriptor{}, nil, errors.New("blobReader cannot be nil")
}
if len(signature) == 0 {
return ocispec.Descriptor{}, nil, errors.New("signature cannot be nil or empty")
}
if err := validateContentMediaType(verifyBlobOpts.ContentMediaType); err != nil {
return ocispec.Descriptor{}, nil, err
}
if err := validateSigMediaType(verifyBlobOpts.SignatureMediaType); err != nil {
return ocispec.Descriptor{}, nil, err
}
getDescFunc := getDescriptorFunc(ctx, blobReader, verifyBlobOpts.ContentMediaType, verifyBlobOpts.UserMetadata)
vo, err := blobVerifier.VerifyBlob(ctx, getDescFunc, signature, verifyBlobOpts.BlobVerifierVerifyOptions)
if err != nil {
return ocispec.Descriptor{}, nil, err
}
var desc ocispec.Descriptor
if err = json.Unmarshal(vo.EnvelopeContent.Payload.Content, &desc); err != nil {
return ocispec.Descriptor{}, nil, err
}
return desc, vo, nil
}
// Verify performs signature verification on each of the notation supported
// verification types (like integrity, authenticity, etc.) and return the
// verification types (like integrity, authenticity, etc.) and returns the
// successful signature verification outcome.
// For more details on signature verification, see
// https://github.com/notaryproject/notaryproject/blob/main/specs/trust-store-trust-policy.md#signature-verification
@ -349,7 +487,6 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
PluginConfig: verifyOpts.PluginConfig,
UserMetadata: verifyOpts.UserMetadata,
}
if skipChecker, ok := verifier.(verifySkipper); ok {
logger.Info("Checking whether signature verification should be skipped or not")
skip, verificationLevel, err := skipChecker.SkipVerify(ctx, opts)
@ -423,6 +560,7 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
}
// at this point, the signature is verified successfully
verificationSucceeded = true
// on success, verificationOutcomes only contains the
// succeeded outcome
verificationOutcomes = []*VerificationOutcome{outcome}
@ -431,14 +569,11 @@ func Verify(ctx context.Context, verifier Verifier, repo registry.Repository, ve
// early break on success
return errDoneVerification
}
if numOfSignatureProcessed >= verifyOpts.MaxSignatureAttempts {
return errExceededMaxVerificationLimit
}
return nil
})
if err != nil && !errors.Is(err, errDoneVerification) {
if errors.Is(err, errExceededMaxVerificationLimit) {
return ocispec.Descriptor{}, verificationOutcomes, err
@ -487,6 +622,31 @@ func generateAnnotations(signerInfo *signature.SignerInfo, annotations map[strin
return annotations, nil
}
func getDescriptorFunc(ctx context.Context, reader io.Reader, contentMediaType string, userMetadata map[string]string) BlobDescriptorGenerator {
return func(hashAlgo digest.Algorithm) (ocispec.Descriptor, error) {
digester := hashAlgo.Digester()
bytes, err := io.Copy(digester.Hash(), reader)
if err != nil {
return ocispec.Descriptor{}, err
}
targetDesc := ocispec.Descriptor{
MediaType: contentMediaType,
Digest: digester.Digest(),
Size: bytes,
}
return addUserMetadataToDescriptor(ctx, targetDesc, userMetadata)
}
}
func validateContentMediaType(contentMediaType string) error {
if contentMediaType != "" {
if _, _, err := mime.ParseMediaType(contentMediaType); err != nil {
return fmt.Errorf("invalid content media-type %q: %v", contentMediaType, err)
}
}
return nil
}
func validateSigMediaType(sigMediaType string) error {
if !(sigMediaType == jws.MediaTypeEnvelope || sigMediaType == cose.MediaTypeEnvelope) {
return fmt.Errorf("invalid signature media-type %q", sigMediaType)

188
notation_test.go
View File

@ -18,9 +18,11 @@ import (
"encoding/json"
"errors"
"fmt"
"io"
"math"
"os"
"path/filepath"
"strings"
"testing"
"time"
@ -35,6 +37,7 @@ import (
"github.com/notaryproject/notation-go/plugin"
"github.com/notaryproject/notation-go/registry"
"github.com/notaryproject/notation-go/verifier/trustpolicy"
"github.com/opencontainers/go-digest"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
@ -65,6 +68,85 @@ func TestSignSuccess(t *testing.T) {
}
}
func TestSignBlobSuccess(t *testing.T) {
reader := strings.NewReader("some content")
testCases := []struct {
name string
dur time.Duration
mtype string
agent string
pConfig map[string]string
metadata map[string]string
}{
{"expiryInHours", 24 * time.Hour, "video/mp4", "", nil, nil},
{"oneSecondExpiry", 1 * time.Second, "video/mp4", "", nil, nil},
{"zeroExpiry", 0, "video/mp4", "", nil, nil},
{"validContentType", 1 * time.Second, "video/mp4", "", nil, nil},
{"emptyContentType", 1 * time.Second, "video/mp4", "someDummyAgent", map[string]string{"hi": "hello"}, map[string]string{"bye": "tata"}},
}
for _, tc := range testCases {
t.Run(tc.name, func(b *testing.T) {
opts := SignBlobOptions{
SignerSignOptions: SignerSignOptions{
SignatureMediaType: jws.MediaTypeEnvelope,
ExpiryDuration: tc.dur,
PluginConfig: tc.pConfig,
SigningAgent: tc.agent,
},
UserMetadata: expectedMetadata,
ContentMediaType: tc.mtype,
}
_, _, err := SignBlob(context.Background(), &dummySigner{}, reader, opts)
if err != nil {
b.Fatalf("Sign failed with error: %v", err)
}
})
}
}
func TestSignBlobError(t *testing.T) {
reader := strings.NewReader("some content")
testCases := []struct {
name string
signer BlobSigner
dur time.Duration
rdr io.Reader
sigMType string
ctMType string
errMsg string
}{
{"negativeExpiry", &dummySigner{}, -1 * time.Second, nil, "video/mp4", jws.MediaTypeEnvelope, "expiry duration cannot be a negative value"},
{"milliSecExpiry", &dummySigner{}, 1 * time.Millisecond, nil, "video/mp4", jws.MediaTypeEnvelope, "expiry duration supports minimum granularity of seconds"},
{"invalidContentMediaType", &dummySigner{}, 1 * time.Second, reader, "video/mp4/zoping", jws.MediaTypeEnvelope, "invalid content media-type \"video/mp4/zoping\": mime: unexpected content after media subtype"},
{"emptyContentMediaType", &dummySigner{}, 1 * time.Second, reader, "", jws.MediaTypeEnvelope, "content media-type cannot be empty"},
{"invalidSignatureMediaType", &dummySigner{}, 1 * time.Second, reader, "", "", "content media-type cannot be empty"},
{"nilReader", &dummySigner{}, 1 * time.Second, nil, "video/mp4", jws.MediaTypeEnvelope, "blobReader cannot be nil"},
{"nilSigner", nil, 1 * time.Second, reader, "video/mp4", jws.MediaTypeEnvelope, "signer cannot be nil"},
{"signerError", &dummySigner{fail: true}, 1 * time.Second, reader, "video/mp4", jws.MediaTypeEnvelope, "expected SignBlob failure"},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
opts := SignBlobOptions{
SignerSignOptions: SignerSignOptions{
SignatureMediaType: jws.MediaTypeEnvelope,
ExpiryDuration: tc.dur,
PluginConfig: nil,
},
ContentMediaType: tc.sigMType,
}
_, _, err := SignBlob(context.Background(), tc.signer, tc.rdr, opts)
if err == nil {
t.Fatalf("expected error but didnt found")
}
if err.Error() != tc.errMsg {
t.Fatalf("expected err message to be '%s' but found '%s'", tc.errMsg, err.Error())
}
})
}
}
func TestSignSuccessWithUserMetadata(t *testing.T) {
repo := mock.NewRepository()
opts := SignOptions{}
@ -459,16 +541,73 @@ func TestVerifyFailed(t *testing.T) {
})
}
func dummyPolicyDocument() (policyDoc trustpolicy.Document) {
policyDoc = trustpolicy.Document{
func TestVerifyBlobError(t *testing.T) {
reader := strings.NewReader("some content")
sig := []byte("signature")
testCases := []struct {
name string
verifier BlobVerifier
sig []byte
rdr io.Reader
ctMType string
sigMType string
errMsg string
}{
{"nilVerifier", nil, sig, reader, "video/mp4", jws.MediaTypeEnvelope, "blobVerifier cannot be nil"},
{"verifierError", &dummyVerifier{FailVerify: true}, sig, reader, "video/mp4", jws.MediaTypeEnvelope, "failed verify"},
{"nilSignature", &dummyVerifier{}, nil, reader, "video/mp4", jws.MediaTypeEnvelope, "signature cannot be nil or empty"},
{"emptySignature", &dummyVerifier{}, []byte{}, reader, "video/mp4", jws.MediaTypeEnvelope, "signature cannot be nil or empty"},
{"nilReader", &dummyVerifier{}, sig, nil, "video/mp4", jws.MediaTypeEnvelope, "blobReader cannot be nil"},
{"invalidContentType", &dummyVerifier{}, sig, reader, "video/mp4/zoping", jws.MediaTypeEnvelope, "invalid content media-type \"video/mp4/zoping\": mime: unexpected content after media subtype"},
{"invalidSigType", &dummyVerifier{}, sig, reader, "video/mp4", "hola!", "invalid signature media-type \"hola!\""},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
opts := VerifyBlobOptions{
BlobVerifierVerifyOptions: BlobVerifierVerifyOptions{
SignatureMediaType: tc.sigMType,
UserMetadata: nil,
TrustPolicyName: "",
},
ContentMediaType: tc.ctMType,
}
_, _, err := VerifyBlob(context.Background(), tc.verifier, tc.rdr, tc.sig, opts)
if err == nil {
t.Fatalf("expected error but didnt found")
}
if err.Error() != tc.errMsg {
t.Fatalf("expected err message to be '%s' but found '%s'", tc.errMsg, err.Error())
}
})
}
}
func TestVerifyBlobValid(t *testing.T) {
opts := VerifyBlobOptions{
BlobVerifierVerifyOptions: BlobVerifierVerifyOptions{
SignatureMediaType: jws.MediaTypeEnvelope,
UserMetadata: nil,
TrustPolicyName: "",
},
}
_, _, err := VerifyBlob(context.Background(), &dummyVerifier{}, strings.NewReader("some content"), []byte("signature"), opts)
if err != nil {
t.Fatalf("expected nil error, but got: %v", err)
}
}
func dummyPolicyDocument() (policyDoc trustpolicy.OCIDocument) {
policyDoc = trustpolicy.OCIDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.TrustPolicy{dummyPolicyStatement()},
TrustPolicies: []trustpolicy.OCITrustPolicy{dummyPolicyStatement()},
}
return
}
func dummyPolicyStatement() (policyStatement trustpolicy.TrustPolicy) {
policyStatement = trustpolicy.TrustPolicy{
func dummyPolicyStatement() (policyStatement trustpolicy.OCITrustPolicy) {
policyStatement = trustpolicy.OCITrustPolicy{
Name: "test-statement-name",
RegistryScopes: []string{"registry.acme-rockets.io/software/net-monitor"},
SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: "strict"},
@ -478,7 +617,9 @@ func dummyPolicyStatement() (policyStatement trustpolicy.TrustPolicy) {
return
}
type dummySigner struct{}
type dummySigner struct {
fail bool
}
func (s *dummySigner) Sign(_ context.Context, _ ocispec.Descriptor, _ SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
return []byte("ABC"), &signature.SignerInfo{
@ -488,6 +629,23 @@ func (s *dummySigner) Sign(_ context.Context, _ ocispec.Descriptor, _ SignerSign
}, nil
}
func (s *dummySigner) SignBlob(_ context.Context, descGenFunc BlobDescriptorGenerator, _ SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
if s.fail {
return nil, nil, errors.New("expected SignBlob failure")
}
_, err := descGenFunc(digest.SHA384)
if err != nil {
return nil, nil, err
}
return []byte("ABC"), &signature.SignerInfo{
SignedAttributes: signature.SignedAttributes{
SigningTime: time.Now(),
},
}, nil
}
type verifyMetadataSigner struct{}
func (s *verifyMetadataSigner) Sign(_ context.Context, desc ocispec.Descriptor, _ SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
@ -504,7 +662,7 @@ func (s *verifyMetadataSigner) Sign(_ context.Context, desc ocispec.Descriptor,
}
type dummyVerifier struct {
TrustPolicyDoc *trustpolicy.Document
TrustPolicyDoc *trustpolicy.OCIDocument
PluginManager plugin.Manager
FailVerify bool
VerificationLevel trustpolicy.VerificationLevel
@ -529,6 +687,22 @@ func (v *dummyVerifier) SkipVerify(_ context.Context, _ VerifierVerifyOptions) (
return false, nil, nil
}
func (v *dummyVerifier) VerifyBlob(_ context.Context, _ BlobDescriptorGenerator, _ []byte, _ BlobVerifierVerifyOptions) (*VerificationOutcome, error) {
if v.FailVerify {
return nil, errors.New("failed verify")
}
return &VerificationOutcome{
VerificationResults: []*ValidationResult{},
VerificationLevel: &v.VerificationLevel,
EnvelopeContent: &signature.EnvelopeContent{
Payload: signature.Payload{
Content: []byte("{}"),
},
},
}, nil
}
var (
reference = "sha256:19dbd2e48e921426ee8ace4dc892edfb2ecdc1d1a72d5416c83670c30acecef0"
artifactReference = "local/oci-layout@sha256:19dbd2e48e921426ee8ace4dc892edfb2ecdc1d1a72d5416c83670c30acecef0"

2
plugin/manager.go
View File

@ -35,7 +35,7 @@ type Manager interface {
List(ctx context.Context) ([]string, error)
}
// CLIManager implements Manager
// CLIManager implements [Manager]
type CLIManager struct {
pluginFS dir.SysFS
}

2
plugin/plugin.go
View File

@ -63,7 +63,7 @@ type VerifyPlugin = plugin.VerifyPlugin
// To access Plugin, use the notation-plugin-framework-go's plugin.Plugin type.
type Plugin = plugin.Plugin
// CLIPlugin implements Plugin interface to CLI plugins.
// CLIPlugin implements [Plugin] interface to CLI plugins.
type CLIPlugin struct {
name string
path string

2
registry/mediatype.go
View File

@ -14,5 +14,5 @@
package registry
// ArtifactTypeNotation specifies the artifact type for a notation object.
// spec: https://github.com/notaryproject/notaryproject/blob/efc828223710f99ab9639d2d0f72d59036a8e80c/specs/signature-specification.md#storage
// spec: https://github.com/notaryproject/specifications/blob/v1.1.0/specs/signature-specification.md#signature
const ArtifactTypeNotation = "application/vnd.cncf.notary.signature"

104
registry/repository.go
View File

@ -14,19 +14,17 @@
package registry
import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"os"
"github.com/notaryproject/notation-go/log"
"github.com/notaryproject/notation-go/registry/internal/artifactspec"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
"oras.land/oras-go/v2"
"oras.land/oras-go/v2/content"
"oras.land/oras-go/v2/content/oci"
"oras.land/oras-go/v2/errdef"
"oras.land/oras-go/v2/registry"
)
@ -35,30 +33,17 @@ const (
maxManifestSizeLimit = 4 * 1024 * 1024 // 4 MiB
)
var (
// notationEmptyConfigDesc is the descriptor of an empty notation manifest
// config
// reference: https://github.com/notaryproject/specifications/blob/v1.0.0/specs/signature-specification.md#storage
notationEmptyConfigDesc = ocispec.Descriptor{
MediaType: ArtifactTypeNotation,
Digest: ocispec.DescriptorEmptyJSON.Digest,
Size: ocispec.DescriptorEmptyJSON.Size,
}
// notationEmptyConfigData is the data of an empty notation manifest config
notationEmptyConfigData = ocispec.DescriptorEmptyJSON.Data
)
// RepositoryOptions provides user options when creating a Repository
// RepositoryOptions provides user options when creating a [Repository]
// it is kept for future extensibility
type RepositoryOptions struct{}
// repositoryClient implements Repository
// repositoryClient implements [Repository]
type repositoryClient struct {
oras.GraphTarget
RepositoryOptions
}
// NewRepository returns a new Repository.
// NewRepository returns a new [Repository].
// Known implementations of oras.GraphTarget:
// - [remote.Repository](https://pkg.go.dev/oras.land/oras-go/v2/registry/remote#Repository)
// - [oci.Store](https://pkg.go.dev/oras.land/oras-go/v2/content/oci#Store)
@ -68,7 +53,7 @@ func NewRepository(target oras.GraphTarget) Repository {
}
}
// NewRepositoryWithOptions returns a new Repository with user specified
// NewRepositoryWithOptions returns a new [Repository] with user specified
// options.
func NewRepositoryWithOptions(target oras.GraphTarget, opts RepositoryOptions) Repository {
return &repositoryClient{
@ -77,7 +62,7 @@ func NewRepositoryWithOptions(target oras.GraphTarget, opts RepositoryOptions) R
}
}
// NewOCIRepository returns a new Repository with oci.Store as
// NewOCIRepository returns a new [Repository] with oci.Store as
// its oras.GraphTarget. `path` denotes directory path to the target OCI layout.
func NewOCIRepository(path string, opts RepositoryOptions) (Repository, error) {
fileInfo, err := os.Stat(path)
@ -108,7 +93,6 @@ func (c *repositoryClient) ListSignatures(ctx context.Context, desc ocispec.Desc
if repo, ok := c.GraphTarget.(registry.ReferrerLister); ok {
return repo.Referrers(ctx, desc, ArtifactTypeNotation, fn)
}
signatureManifests, err := signatureReferrers(ctx, c.GraphTarget, desc)
if err != nil {
return fmt.Errorf("failed to get referrers during ListSignatures due to %w", err)
@ -126,7 +110,6 @@ func (c *repositoryClient) FetchSignatureBlob(ctx context.Context, desc ocispec.
if sigBlobDesc.Size > maxBlobSizeLimit {
return nil, ocispec.Descriptor{}, fmt.Errorf("signature blob too large: %d bytes", sigBlobDesc.Size)
}
var fetcher content.Fetcher = c.GraphTarget
if repo, ok := c.GraphTarget.(registry.Repository); ok {
fetcher = repo.Blobs()
@ -179,6 +162,7 @@ func (c *repositoryClient) getSignatureBlobDesc(ctx context.Context, sigManifest
// get the signature blob descriptor from signature manifest
var signatureBlobs []ocispec.Descriptor
// OCI image manifest
if sigManifestDesc.MediaType == ocispec.MediaTypeImageManifest {
var sigManifest ocispec.Manifest
@ -193,55 +177,27 @@ func (c *repositoryClient) getSignatureBlobDesc(ctx context.Context, sigManifest
}
signatureBlobs = sigManifest.Blobs
}
if len(signatureBlobs) != 1 {
return ocispec.Descriptor{}, fmt.Errorf("signature manifest requries exactly one signature envelope blob, got %d", len(signatureBlobs))
}
return signatureBlobs[0], nil
}
// uploadSignatureManifest uploads the signature manifest to the registry
func (c *repositoryClient) uploadSignatureManifest(ctx context.Context, subject, blobDesc ocispec.Descriptor, annotations map[string]string) (ocispec.Descriptor, error) {
configDesc, err := pushNotationManifestConfig(ctx, c.GraphTarget)
if err != nil {
return ocispec.Descriptor{}, fmt.Errorf("failed to push notation manifest config: %w", err)
}
opts := oras.PackManifestOptions{
Subject: &subject,
ManifestAnnotations: annotations,
Layers: []ocispec.Descriptor{blobDesc},
ConfigDescriptor: &configDesc,
}
return oras.PackManifest(ctx, c.GraphTarget, oras.PackManifestVersion1_1, "", opts)
}
// pushNotationManifestConfig pushes an empty notation manifest config, if it
// doesn't exist.
//
// if the config exists, it returns the descriptor of the config without error.
func pushNotationManifestConfig(ctx context.Context, pusher content.Storage) (ocispec.Descriptor, error) {
// check if the config exists
exists, err := pusher.Exists(ctx, notationEmptyConfigDesc)
if err != nil {
return ocispec.Descriptor{}, fmt.Errorf("unable to verify existence: %s: %s. Details: %w", notationEmptyConfigDesc.Digest.String(), notationEmptyConfigDesc.MediaType, err)
}
if exists {
return notationEmptyConfigDesc, nil
}
// return nil if the config pushed successfully or it already exists
if err := pusher.Push(ctx, notationEmptyConfigDesc, bytes.NewReader(notationEmptyConfigData)); err != nil && !errors.Is(err, errdef.ErrAlreadyExists) {
return ocispec.Descriptor{}, fmt.Errorf("unable to push: %s: %s. Details: %w", notationEmptyConfigDesc.Digest.String(), notationEmptyConfigDesc.MediaType, err)
}
return notationEmptyConfigDesc, nil
return oras.PackManifest(ctx, c.GraphTarget, oras.PackManifestVersion1_1, ArtifactTypeNotation, opts)
}
// signatureReferrers returns referrer nodes of desc in target filtered by
// the "application/vnd.cncf.notary.signature" artifact type
func signatureReferrers(ctx context.Context, target content.ReadOnlyGraphStorage, desc ocispec.Descriptor) ([]ocispec.Descriptor, error) {
logger := log.GetLogger(ctx)
var results []ocispec.Descriptor
predecessors, err := target.Predecessors(ctx, desc)
if err != nil {
@ -257,6 +213,7 @@ func signatureReferrers(ctx context.Context, target content.ReadOnlyGraphStorage
if err != nil {
return nil, err
}
var artifact artifactspec.Artifact
if err := json.Unmarshal(fetched, &artifact); err != nil {
return nil, err
@ -264,6 +221,10 @@ func signatureReferrers(ctx context.Context, target content.ReadOnlyGraphStorage
if artifact.Subject == nil || !content.Equal(*artifact.Subject, desc) {
continue
}
if artifact.ArtifactType != ArtifactTypeNotation {
// not a valid Notary Project signature
continue
}
node.ArtifactType = artifact.ArtifactType
node.Annotations = artifact.Annotations
case ocispec.MediaTypeImageManifest:
@ -274,6 +235,7 @@ func signatureReferrers(ctx context.Context, target content.ReadOnlyGraphStorage
if err != nil {
return nil, err
}
var image ocispec.Manifest
if err := json.Unmarshal(fetched, &image); err != nil {
return nil, err
@ -281,15 +243,39 @@ func signatureReferrers(ctx context.Context, target content.ReadOnlyGraphStorage
if image.Subject == nil || !content.Equal(*image.Subject, desc) {
continue
}
node.ArtifactType = image.Config.MediaType
// check if image is a valid Notary Project signature
switch image.ArtifactType {
case ArtifactTypeNotation:
// 1. artifactType is "application/vnd.cncf.notary.signature",
// and config.mediaType is "application/vnd.oci.empty.v1+json"
if image.Config.MediaType == ocispec.MediaTypeEmptyJSON {
node.ArtifactType = image.ArtifactType
} else {
// not a valid Notary Project signature
logger.Warnf("not a valid Notary Project signature with artifactType %q, but config.mediaType is %q", image.ArtifactType, image.Config.MediaType)
continue
}
case "":
// 2. artifacteType does not exist,
// and config.mediaType is "application/vnd.cncf.notary.signature"
if image.Config.MediaType == ArtifactTypeNotation {
node.ArtifactType = image.Config.MediaType
} else {
// not a valid Notary Project signature
continue
}
default:
// not a valid Notary Project signature
continue
}
node.Annotations = image.Annotations
default:
continue
}
// only keep nodes of "application/vnd.cncf.notary.signature"
if node.ArtifactType == ArtifactTypeNotation {
results = append(results, node)
}
// add the node to results
results = append(results, node)
}
return results, nil
}

205
registry/repository_test.go
View File

@ -16,6 +16,7 @@ package registry
import (
"bytes"
"context"
"errors"
"fmt"
"io"
"net/http"
@ -140,7 +141,7 @@ func (c mockRemoteClient) Do(req *http.Request) (*http.Response, error) {
Body: io.NopCloser(bytes.NewReader([]byte{})),
}, nil
case "/v2/test/manifests/" + invalidDigest:
return &http.Response{}, fmt.Errorf(errMsg)
return &http.Response{}, errors.New(errMsg)
case "v2/test/manifest/" + validDigest2:
return &http.Response{
StatusCode: http.StatusOK,
@ -164,7 +165,7 @@ func (c mockRemoteClient) Do(req *http.Request) (*http.Response, error) {
},
}, nil
default:
return &http.Response{}, fmt.Errorf(msg)
return &http.Response{}, errors.New(msg)
}
case "/v2/test/referrers/":
return &http.Response{
@ -220,7 +221,7 @@ func (c mockRemoteClient) Do(req *http.Request) (*http.Response, error) {
}
return resp, nil
}
return &http.Response{}, fmt.Errorf(errMsg)
return &http.Response{}, errors.New(errMsg)
}
}
@ -480,8 +481,8 @@ var (
}
expectedSignatureManifestDesc = ocispec.Descriptor{
MediaType: "application/vnd.oci.image.manifest.v1+json",
Digest: "sha256:baeaea44f55c94499b7e082bd3c98ad5ec40fdf23ef89cdf4e5db6b83e4f18f5",
Size: 728,
Digest: "sha256:64300ad03f1dcd18136787363f3069c9598623221cbe76e3233d35266b7973d6",
Size: 793,
}
expectedSignatureBlobDesc = ocispec.Descriptor{
MediaType: joseTag,
@ -810,6 +811,31 @@ func TestSignatureReferrers(t *testing.T) {
}
})
t.Run("artifact manifest with invalid artifactType", func(t *testing.T) {
sigManifest := `{"artifactType":"invalid", "subject":{"mediaType":"application/vnd.oci.artifact.manifest.v1+json","digest":"sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","size":2}}`
sigManifestDesc := ocispec.Descriptor{
Digest: "sha256:835c3386406350fbddf5ee376b358bd20c6c423d6becbec166f83c533e4df5d6",
MediaType: "application/vnd.oci.artifact.manifest.v1+json",
Size: 198,
}
store := &testStorage{
store: &memory.Store{},
PredecessorsDesc: []ocispec.Descriptor{sigManifestDesc},
FetchContent: []byte(sigManifest),
}
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{
Digest: "sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
MediaType: "application/vnd.oci.artifact.manifest.v1+json",
Size: 2,
})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
if len(descriptors) != 0 {
t.Fatalf("expected to get no referrers, but got: %v", descriptors)
}
})
t.Run("no valid image manifest", func(t *testing.T) {
store := &testStorage{
store: &memory.Store{},
@ -825,7 +851,6 @@ func TestSignatureReferrers(t *testing.T) {
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{
Digest: "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
@ -833,4 +858,172 @@ func TestSignatureReferrers(t *testing.T) {
t.Fatalf("expected to get no referrers, but got: %v", descriptors)
}
})
t.Run("image manifest with invalid mediaType", func(t *testing.T) {
sigManifest := `{}`
sigManifestDesc := ocispec.Descriptor{
Digest: "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
MediaType: "invalid",
Size: 2,
}
store := &testStorage{
store: &memory.Store{},
PredecessorsDesc: []ocispec.Descriptor{sigManifestDesc},
FetchContent: []byte(sigManifest),
}
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
if len(descriptors) != 0 {
t.Fatal("expected length of descriptors to be 0")
}
})
t.Run("image manifest with valid artifactType and config.MediaType", func(t *testing.T) {
sigManifest := `{"artifactType":"application/vnd.cncf.notary.signature","config":{"mediaType":"application/vnd.oci.empty.v1+json"},"subject":{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","size":2}}`
sigManifestDesc := ocispec.Descriptor{
Digest: "sha256:ad3ab7874c72d7bf5db0e55ce839b37ee71320bf7c18ac1a512600963f03c54d",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 283,
}
store := &testStorage{
store: &memory.Store{},
PredecessorsDesc: []ocispec.Descriptor{sigManifestDesc},
FetchContent: []byte(sigManifest),
}
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{
Digest: "sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 2,
})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
if len(descriptors) != 1 {
t.Fatal("expected length of descriptors to be 1")
}
if !content.Equal(sigManifestDesc, descriptors[0]) {
t.Fatalf("expected %v, got: %v", sigManifestDesc, descriptors[0])
}
})
t.Run("image manifest with valid artifactType but invalid config.MediaType", func(t *testing.T) {
sigManifest := `{"artifactType":"application/vnd.cncf.notary.signature","config":{"mediaType":"invalid"},"subject":{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","size":2}}`
sigManifestDesc := ocispec.Descriptor{
Digest: "sha256:becfe1975b40352d0c7bd1337707a4c471fdcfa1ac380f2875fe8076a3bc3581",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 257,
}
store := &testStorage{
store: &memory.Store{},
PredecessorsDesc: []ocispec.Descriptor{sigManifestDesc},
FetchContent: []byte(sigManifest),
}
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{
Digest: "sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 2,
})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
if len(descriptors) != 0 {
t.Fatal("expected length of descriptors to be 0")
}
})
t.Run("image manifest with no artifactType and valid config.MediaType", func(t *testing.T) {
sigManifest := `{"config":{"mediaType":"application/vnd.cncf.notary.signature"},"subject":{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","size":2}}`
sigManifestDesc := ocispec.Descriptor{
Digest: "sha256:0e0be61f687ba634dd772f6d3048101f78f22fabda64cc9600671cee41ab2d47",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 232,
}
store := &testStorage{
store: &memory.Store{},
PredecessorsDesc: []ocispec.Descriptor{sigManifestDesc},
FetchContent: []byte(sigManifest),
}
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{
Digest: "sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 2,
})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
if len(descriptors) != 1 {
t.Fatal("expected length of descriptors to be 1")
}
if !content.Equal(sigManifestDesc, descriptors[0]) {
t.Fatalf("expected %v, got: %v", sigManifestDesc, descriptors[0])
}
})
t.Run("image manifest with no artifactType and invalid config.MediaType", func(t *testing.T) {
sigManifest := `{"config":{"mediaType":"invalid"},"subject":{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","size":2}}`
sigManifestDesc := ocispec.Descriptor{
Digest: "sha256:1580e4f590269bd40a33e902888429c9bbb250902f5a7eb50f04fbb8bd4dbab3",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 202,
}
store := &testStorage{
store: &memory.Store{},
PredecessorsDesc: []ocispec.Descriptor{sigManifestDesc},
FetchContent: []byte(sigManifest),
}
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{
Digest: "sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 2,
})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
if len(descriptors) != 0 {
t.Fatal("expected length of descriptors to be 0")
}
})
t.Run("image manifest with invalid artifactType", func(t *testing.T) {
sigManifest := `{"artifactType":"invalid","config":{"mediaType":"application/vnd.oci.empty.v1+json"},"subject":{"mediaType":"application/vnd.oci.image.manifest.v1+json","digest":"sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a","size":2}}`
sigManifestDesc := ocispec.Descriptor{
Digest: "sha256:d8c225cb4eca3e15fa2a44c9d302044e8c8683399939e26f417edb82f8b69cc3",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 253,
}
store := &testStorage{
store: &memory.Store{},
PredecessorsDesc: []ocispec.Descriptor{sigManifestDesc},
FetchContent: []byte(sigManifest),
}
descriptors, err := signatureReferrers(context.Background(), store, ocispec.Descriptor{
Digest: "sha256:sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
MediaType: "application/vnd.oci.image.manifest.v1+json",
Size: 2,
})
if err != nil {
t.Fatalf("failed to get referrers: %v", err)
}
if len(descriptors) != 0 {
t.Fatal("expected length of descriptors to be 0")
}
})
}
func TestUploadSignatureManifest(t *testing.T) {
ref, err := registry.ParseReference(validReference)
if err != nil {
t.Fatalf("failed to parse reference")
}
client := newRepositoryClientWithImageManifest(mockRemoteClient{}, ref, false)
manifest, err := client.uploadSignatureManifest(context.Background(),
ocispec.Descriptor{}, ocispec.Descriptor{}, nil)
if err != nil {
t.Fatalf("failed to upload signature manifest: %v", err)
}
if manifest.ArtifactType != ArtifactTypeNotation {
t.Fatalf("expected artifact type: %s, got: %s", ArtifactTypeNotation, manifest.ArtifactType)
}
}

76
signer/plugin.go
View File

@ -15,6 +15,7 @@ package signer
import (
"context"
"crypto"
"crypto/x509"
"encoding/json"
"errors"
@ -29,11 +30,13 @@ import (
"github.com/notaryproject/notation-go/log"
"github.com/notaryproject/notation-go/plugin/proto"
"github.com/notaryproject/notation-plugin-framework-go/plugin"
"github.com/opencontainers/go-digest"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
// PluginSigner signs artifacts and generates signatures.
// It implements notation.Signer
//
// It implements [notation.Signer] and [notation.BlobSigner].
type PluginSigner struct {
plugin plugin.SignPlugin
keyID string
@ -41,17 +44,23 @@ type PluginSigner struct {
manifestAnnotations map[string]string
}
// NewFromPlugin creates a notation.Signer that signs artifacts and generates
var algorithms = map[crypto.Hash]digest.Algorithm{
crypto.SHA256: digest.SHA256,
crypto.SHA384: digest.SHA384,
crypto.SHA512: digest.SHA512,
}
// NewFromPlugin creates a [PluginSigner] that signs artifacts and generates
// signatures by delegating the one or more operations to the named plugin,
// as defined in https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md#signing-interfaces.
//
// Deprecated: NewFromPlugin function exists for historical compatibility and should not be used.
// To create PluginSigner, use NewPluginSigner() function.
// Deprecated: NewFromPlugin function exists for historical compatibility and
// should not be used. To create [PluginSigner], use NewPluginSigner() function.
func NewFromPlugin(plugin plugin.SignPlugin, keyID string, pluginConfig map[string]string) (notation.Signer, error) {
return NewPluginSigner(plugin, keyID, pluginConfig)
}
// NewPluginSigner creates a notation.Signer that signs artifacts and generates
// NewPluginSigner creates a [PluginSigner] that signs artifacts and generates
// signatures by delegating the one or more operations to the named plugin,
// as defined in https://github.com/notaryproject/notaryproject/blob/main/specs/plugin-extensibility.md#signing-interfaces.
func NewPluginSigner(plugin plugin.SignPlugin, keyID string, pluginConfig map[string]string) (*PluginSigner, error) {
@ -61,7 +70,6 @@ func NewPluginSigner(plugin plugin.SignPlugin, keyID string, pluginConfig map[st
if keyID == "" {
return nil, errors.New("keyID not specified")
}
return &PluginSigner{
plugin: plugin,
keyID: keyID,
@ -75,24 +83,21 @@ func (s *PluginSigner) PluginAnnotations() map[string]string {
}
// Sign signs the artifact described by its descriptor and returns the
// marshalled envelope.
// signature and SignerInfo.
func (s *PluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
mergedConfig := s.mergeConfig(opts.PluginConfig)
logger.Debug("Invoking plugin's get-plugin-metadata command")
metadata, err := s.plugin.GetMetadata(ctx, &plugin.GetMetadataRequest{PluginConfig: mergedConfig})
if err != nil {
return nil, nil, err
}
logger.Debugf("Using plugin %v with capabilities %v to sign oci artifact %v in signature media type %v", metadata.Name, metadata.Capabilities, desc.Digest, opts.SignatureMediaType)
if metadata.HasCapability(plugin.CapabilitySignatureGenerator) {
ks, err := s.getKeySpec(ctx, mergedConfig)
if err != nil {
return nil, nil, fmt.Errorf("failed to sign with the plugin %s: %w", metadata.Name, err)
}
sig, signerInfo, err := s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig)
if err != nil {
return nil, nil, fmt.Errorf("failed to sign with the plugin %s: %w", metadata.Name, err)
@ -105,10 +110,41 @@ func (s *PluginSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts n
}
return sig, signerInfo, nil
}
return nil, nil, fmt.Errorf("plugin does not have signing capabilities")
}
// SignBlob signs the descriptor returned by genDesc, and returns the
// signature and SignerInfo.
func (s *PluginSigner) SignBlob(ctx context.Context, descGenFunc notation.BlobDescriptorGenerator, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
mergedConfig := s.mergeConfig(opts.PluginConfig)
logger.Debug("Invoking plugin's get-plugin-metadata command")
metadata, err := s.plugin.GetMetadata(ctx, &plugin.GetMetadataRequest{PluginConfig: mergedConfig})
if err != nil {
return nil, nil, err
}
// only support blob signing with the signature generator capability because
// the envelope generator capability is designed for OCI signing.
// A new capability may be added in the future for blob signing.
if !metadata.HasCapability(plugin.CapabilitySignatureGenerator) {
return nil, nil, fmt.Errorf("the plugin %q lacks the signature generator capability required for blob signing", metadata.Name)
}
logger.Debug("Invoking plugin's describe-key command")
ks, err := s.getKeySpec(ctx, mergedConfig)
if err != nil {
return nil, nil, err
}
// get descriptor to sign
desc, err := getDescriptor(ks, descGenFunc)
if err != nil {
return nil, nil, err
}
logger.Debugf("Using plugin %v with capabilities %v to sign blob using descriptor %+v", metadata.Name, metadata.Capabilities, desc)
return s.generateSignature(ctx, desc, opts, ks, metadata, mergedConfig)
}
func (s *PluginSigner) getKeySpec(ctx context.Context, config map[string]string) (signature.KeySpec, error) {
logger := log.GetLogger(ctx)
logger.Debug("Invoking plugin's describe-key command")
@ -116,11 +152,9 @@ func (s *PluginSigner) getKeySpec(ctx context.Context, config map[string]string)
if err != nil {
return signature.KeySpec{}, err
}
if s.keyID != descKeyResp.KeyID {
return signature.KeySpec{}, fmt.Errorf("keyID in describeKey response %q does not match request %q", descKeyResp.KeyID, s.keyID)
}
return proto.DecodeKeySpec(descKeyResp.KeySpec)
}
@ -136,7 +170,6 @@ func (s *PluginSigner) generateSignature(ctx context.Context, desc ocispec.Descr
keySpec: ks,
},
}
opts.SigningAgent = fmt.Sprintf("%s %s/%s", signingAgent, metadata.Name, metadata.Version)
return genericSigner.Sign(ctx, desc, opts)
}
@ -149,6 +182,7 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
if err != nil {
return nil, nil, fmt.Errorf("envelope payload can't be marshalled: %w", err)
}
// Execute plugin sign command.
req := &plugin.GenerateEnvelopeRequest{
ContractVersion: plugin.ContractVersion,
@ -171,13 +205,11 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
resp.SignatureEnvelopeType, req.SignatureEnvelopeType,
)
}
logger.Debug("Verifying signature envelope generated by the plugin")
sigEnv, err := signature.ParseEnvelope(opts.SignatureMediaType, resp.SignatureEnvelope)
if err != nil {
return nil, nil, err
}
envContent, err := sigEnv.Verify()
if err != nil {
return nil, nil, fmt.Errorf("generated signature failed verification: %w", err)
@ -185,31 +217,29 @@ func (s *PluginSigner) generateSignatureEnvelope(ctx context.Context, desc ocisp
if err := envelope.ValidatePayloadContentType(&envContent.Payload); err != nil {
return nil, nil, err
}
content := envContent.Payload.Content
var signedPayload envelope.Payload
if err = json.Unmarshal(content, &signedPayload); err != nil {
return nil, nil, fmt.Errorf("signed envelope payload can't be unmarshalled: %w", err)
}
if !isPayloadDescriptorValid(desc, signedPayload.TargetArtifact) {
return nil, nil, fmt.Errorf("during signing descriptor subject has changed from %+v to %+v", desc, signedPayload.TargetArtifact)
}
if unknownAttributes := areUnknownAttributesAdded(content); len(unknownAttributes) != 0 {
return nil, nil, fmt.Errorf("during signing, following unknown attributes were added to subject descriptor: %+q", unknownAttributes)
}
s.manifestAnnotations = resp.Annotations
return resp.SignatureEnvelope, &envContent.SignerInfo, nil
}
func (s *PluginSigner) mergeConfig(config map[string]string) map[string]string {
c := make(map[string]string, len(s.pluginConfig)+len(config))
// First clone s.PluginConfig.
for k, v := range s.pluginConfig {
c[k] = v
}
// Then set or override entries from config.
for k, v := range config {
c[k] = v
@ -227,7 +257,6 @@ func (s *PluginSigner) describeKey(ctx context.Context, config map[string]string
if err != nil {
return nil, err
}
return resp, nil
}
@ -237,6 +266,7 @@ func isDescriptorSubset(original, newDesc ocispec.Descriptor) bool {
if !content.Equal(original, newDesc) {
return false
}
// Plugins may append additional annotations but not replace/override
// existing.
for k, v := range original.Annotations {
@ -254,6 +284,7 @@ func isPayloadDescriptorValid(originalDesc, newDesc ocispec.Descriptor) bool {
func areUnknownAttributesAdded(content []byte) []string {
var targetArtifactMap map[string]interface{}
// Ignoring error because we already successfully unmarshalled before this
// point
_ = json.Unmarshal(content, &targetArtifactMap)
@ -310,12 +341,10 @@ func (s *pluginPrimitiveSigner) Sign(payload []byte) ([]byte, []*x509.Certificat
if err != nil {
return nil, nil, err
}
keySpecHash, err := proto.HashAlgorithmFromKeySpec(s.keySpec)
if err != nil {
return nil, nil, err
}
req := &plugin.GenerateSignatureRequest{
ContractVersion: plugin.ContractVersion,
KeyID: s.keyID,
@ -324,7 +353,6 @@ func (s *pluginPrimitiveSigner) Sign(payload []byte) ([]byte, []*x509.Certificat
Payload: payload,
PluginConfig: s.pluginConfig,
}
resp, err := s.plugin.GenerateSignature(s.ctx, req)
if err != nil {
return nil, nil, err

53
signer/plugin_test.go
View File

@ -32,6 +32,7 @@ import (
"github.com/notaryproject/notation-go/internal/envelope"
"github.com/notaryproject/notation-go/plugin"
"github.com/notaryproject/notation-go/plugin/proto"
"github.com/opencontainers/go-digest"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
@ -70,6 +71,16 @@ type mockPlugin struct {
keySpec signature.KeySpec
}
func getDescriptorFunc(throwError bool) func(hashAlgo digest.Algorithm) (ocispec.Descriptor, error) {
return func(hashAlgo digest.Algorithm) (ocispec.Descriptor, error) {
if throwError {
return ocispec.Descriptor{}, errors.New("")
}
return validSignDescriptor, nil
}
}
func newMockPlugin(key crypto.PrivateKey, certs []*x509.Certificate, keySpec signature.KeySpec) *mockPlugin {
return &mockPlugin{
key: key,
@ -205,6 +216,17 @@ func (p *mockPlugin) GenerateEnvelope(ctx context.Context, req *proto.GenerateEn
return &proto.GenerateEnvelopeResponse{}, nil
}
func TestPluginSignerImpl(t *testing.T) {
p := &PluginSigner{}
if _, ok := interface{}(p).(notation.Signer); !ok {
t.Fatal("PluginSigner does not implement notation.Signer")
}
if _, ok := interface{}(p).(notation.BlobSigner); !ok {
t.Fatal("PluginSigner does not implement notation.BlobSigner")
}
}
func TestNewFromPluginFailed(t *testing.T) {
tests := map[string]struct {
pl plugin.SignPlugin
@ -325,6 +347,37 @@ func TestPluginSigner_Sign_Valid(t *testing.T) {
}
}
func TestPluginSigner_SignBlob_Valid(t *testing.T) {
for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
for _, keyCert := range keyCertPairCollections {
t.Run(fmt.Sprintf("external plugin,envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) {
keySpec, _ := proto.DecodeKeySpec(proto.KeySpec(keyCert.keySpecName))
pluginSigner := PluginSigner{
plugin: newMockPlugin(keyCert.key, keyCert.certs, keySpec),
}
validSignOpts.SignatureMediaType = envelopeType
data, signerInfo, err := pluginSigner.SignBlob(context.Background(), getDescriptorFunc(false), validSignOpts)
basicSignTest(t, &pluginSigner, envelopeType, data, signerInfo, err)
})
}
}
}
func TestPluginSigner_SignBlob_Invalid(t *testing.T) {
t.Run("blob signing with generate envelope plugin should fail", func(t *testing.T) {
plugin := &mockPlugin{}
plugin.wantEnvelope = true
pluginSigner := PluginSigner{
plugin: plugin,
}
_, _, err := pluginSigner.SignBlob(context.Background(), getDescriptorFunc(false), validSignOpts)
expectedErrMsg := "the plugin \"testPlugin\" lacks the signature generator capability required for blob signing"
if err == nil || !strings.Contains(err.Error(), expectedErrMsg) {
t.Fatalf("expected error %q, got %v", expectedErrMsg, err)
}
})
}
func TestPluginSigner_SignEnvelope_RunFailed(t *testing.T) {
for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
t.Run(fmt.Sprintf("envelopeType=%v", envelopeType), func(t *testing.T) {

49
signer/signer.go
View File

@ -12,8 +12,8 @@
// limitations under the License.
// Package signer provides notation signing functionality. It implements the
// notation.Signer interface by providing builtinSigner for local signing and
// PluginSigner for remote signing.
// [notation.Signer] and [notation.BlobSigner] interfaces by providing
// builtinSigner for local signing and [PluginSigner] for remote signing.
package signer
import (
@ -34,22 +34,24 @@ import (
)
// signingAgent is the unprotected header field used by signature.
const signingAgent = "notation-go/1.3.0"
const signingAgent = "notation-go/1.3.0+unreleased"
// GenericSigner implements notation.Signer and embeds signature.Signer
// GenericSigner implements [notation.Signer] and [notation.BlobSigner].
// It embeds signature.Signer.
type GenericSigner struct {
signer signature.Signer
}
// New returns a builtinSigner given key and cert chain
// New returns a [notation.Signer] given key and cert chain.
//
// Deprecated: New function exists for historical compatibility and should not be used.
// To create GenericSigner, use NewGenericSigner() function.
// Deprecated: New function exists for historical compatibility and
// should not be used. To create [GenericSigner],
// use NewGenericSigner() function.
func New(key crypto.PrivateKey, certChain []*x509.Certificate) (notation.Signer, error) {
return NewGenericSigner(key, certChain)
}
// NewGenericSigner returns a builtinSigner given key and cert chain
// NewGenericSigner returns a builtinSigner given key and cert chain.
func NewGenericSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (*GenericSigner, error) {
localSigner, err := signature.NewLocalSigner(certChain, key)
if err != nil {
@ -60,12 +62,13 @@ func NewGenericSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (*Ge
}, nil
}
// NewFromFiles returns a builtinSigner given key and certChain paths.
// NewFromFiles returns a [notation.Signer] given key and certChain paths.
func NewFromFiles(keyPath, certChainPath string) (notation.Signer, error) {
return NewGenericSignerFromFiles(keyPath, certChainPath)
}
// NewGenericSignerFromFiles returns a builtinSigner given key and certChain paths.
// NewGenericSignerFromFiles returns a builtinSigner given key and certChain
// paths.
func NewGenericSignerFromFiles(keyPath, certChainPath string) (*GenericSigner, error) {
if keyPath == "" {
return nil, errors.New("key path not specified")
@ -97,7 +100,7 @@ func NewGenericSignerFromFiles(keyPath, certChainPath string) (*GenericSigner, e
}
// Sign signs the artifact described by its descriptor and returns the
// marshalled envelope.
// signature and SignerInfo.
func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Generic signing for %v in signature media type %v", desc.Digest, opts.SignatureMediaType)
@ -172,3 +175,27 @@ func (s *GenericSigner) Sign(ctx context.Context, desc ocispec.Descriptor, opts
}
return sig, &envContent.SignerInfo, nil
}
// SignBlob signs the descriptor returned by genDesc, and returns the
// signature and SignerInfo.
func (s *GenericSigner) SignBlob(ctx context.Context, genDesc notation.BlobDescriptorGenerator, opts notation.SignerSignOptions) ([]byte, *signature.SignerInfo, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Generic blob signing for signature media type %s", opts.SignatureMediaType)
ks, err := s.signer.KeySpec()
if err != nil {
return nil, nil, err
}
desc, err := getDescriptor(ks, genDesc)
if err != nil {
return nil, nil, err
}
return s.Sign(ctx, desc, opts)
}
func getDescriptor(ks signature.KeySpec, genDesc notation.BlobDescriptorGenerator) (ocispec.Descriptor, error) {
digestAlg, ok := algorithms[ks.SignatureAlgorithm().Hash()]
if !ok {
return ocispec.Descriptor{}, fmt.Errorf("unknown hashing algo %v", ks.SignatureAlgorithm().Hash())
}
return genDesc(digestAlg)
}

39
signer/signer_test.go
View File

@ -55,7 +55,8 @@ type keyCertPair struct {
var keyCertPairCollections []*keyCertPair
// setUpKeyCertPairCollections setups all combinations of private key and certificates.
// setUpKeyCertPairCollections setups all combinations of private key and
// certificates.
func setUpKeyCertPairCollections() []*keyCertPair {
// rsa
var keyCertPairs []*keyCertPair
@ -162,6 +163,17 @@ func testSignerFromFile(t *testing.T, keyCert *keyCertPair, envelopeType, dir st
basicVerification(t, sig, envelopeType, keyCert.certs[len(keyCert.certs)-1], nil)
}
func TestGenericSignerImpl(t *testing.T) {
g := &GenericSigner{}
if _, ok := interface{}(g).(notation.Signer); !ok {
t.Fatal("GenericSigner does not implement notation.Signer")
}
if _, ok := interface{}(g).(notation.BlobSigner); !ok {
t.Fatal("GenericSigner does not implement notation.BlobSigner")
}
}
func TestNewFromFiles(t *testing.T) {
// sign with key
dir := t.TempDir()
@ -282,6 +294,31 @@ func TestSignWithTimestamping(t *testing.T) {
}
}
func TestSignBlobWithCertChain(t *testing.T) {
// sign with key
for _, envelopeType := range signature.RegisteredEnvelopeTypes() {
for _, keyCert := range keyCertPairCollections {
t.Run(fmt.Sprintf("envelopeType=%v_keySpec=%v", envelopeType, keyCert.keySpecName), func(t *testing.T) {
s, err := NewGenericSigner(keyCert.key, keyCert.certs)
if err != nil {
t.Fatalf("NewSigner() error = %v", err)
}
sOpts := notation.SignerSignOptions{
SignatureMediaType: envelopeType,
}
sig, _, err := s.SignBlob(context.Background(), getDescriptorFunc(false), sOpts)
if err != nil {
t.Fatalf("Sign() error = %v", err)
}
// basic verification
basicVerification(t, sig, envelopeType, keyCert.certs[len(keyCert.certs)-1], nil)
})
}
}
}
func TestSignWithoutExpiry(t *testing.T) {
// sign with key
for _, envelopeType := range signature.RegisteredEnvelopeTypes() {

6
verifier/helpers.go
View File

@ -60,10 +60,10 @@ func loadX509TrustStores(ctx context.Context, scheme signature.SigningScheme, po
return loadX509TrustStoresWithType(ctx, typeToLoad, policyName, trustStores, x509TrustStore)
}
// isCriticalFailure checks whether a VerificationResult fails the entire
// signature verification workflow.
// isCriticalFailure checks whether a [notation.ValidationResult] fails the
// entire signature verification workflow.
// signature verification workflow is considered failed if there is a
// VerificationResult with "Enforced" as the action but the result was
// ValidationResult with "Enforced" as the action but the result was
// unsuccessful.
func isCriticalFailure(result *notation.ValidationResult) bool {
return result.Action == trustpolicy.ActionEnforce && result.Error != nil

20
verifier/helpers_test.go
View File

@ -60,7 +60,7 @@ func TestLoadX509TrustStore(t *testing.T) {
// load "ca" and "signingAuthority" trust store
caStore := "ca:valid-trust-store"
signingAuthorityStore := "signingAuthority:valid-trust-store"
dummyPolicy := dummyPolicyDocument().TrustPolicies[0]
dummyPolicy := dummyOCIPolicyDocument().TrustPolicies[0]
dummyPolicy.TrustStores = []string{caStore, signingAuthorityStore}
dir.UserConfigDir = "testdata"
x509truststore := truststore.NewX509TrustStore(dir.ConfigFS())
@ -138,10 +138,10 @@ func getArtifactDigestFromReference(artifactReference string) (string, error) {
return artifactReference[i+1:], nil
}
func dummyPolicyDocument() (policyDoc trustpolicy.Document) {
return trustpolicy.Document{
func dummyOCIPolicyDocument() (policyDoc trustpolicy.OCIDocument) {
return trustpolicy.OCIDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.TrustPolicy{
TrustPolicies: []trustpolicy.OCITrustPolicy{
{
Name: "test-statement-name",
RegistryScopes: []string{"registry.acme-rockets.io/software/net-monitor"},
@ -153,11 +153,15 @@ func dummyPolicyDocument() (policyDoc trustpolicy.Document) {
}
}
func dummyInvalidPolicyDocument() (policyDoc trustpolicy.Document) {
return trustpolicy.Document{
TrustPolicies: []trustpolicy.TrustPolicy{
func dummyBlobPolicyDocument() (policyDoc trustpolicy.BlobDocument) {
return trustpolicy.BlobDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.BlobTrustPolicy{
{
Name: "invalid",
Name: "blob-test-statement-name",
SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: "strict"},
TrustStores: []string{"ca:valid-trust-store", "signingAuthority:valid-trust-store"},
TrustedIdentities: []string{"x509.subject:CN=Notation Test Root,O=Notary,L=Seattle,ST=WA,C=US"},
},
},
}

23
verifier/timestamp_test.go
View File

@ -287,29 +287,6 @@ func TestAuthenticTimestamp(t *testing.T) {
}
})
t.Run("verify Authentic Timestamp failed due to signing time after timestamp value", func(t *testing.T) {
signedToken, err := os.ReadFile("testdata/timestamp/countersignature/TimeStampToken.p7s")
if err != nil {
t.Fatalf("failed to get signedToken: %v", err)
}
envContent, err := parseEnvContent("testdata/timestamp/sigEnv/withoutTimestamp.sig", jws.MediaTypeEnvelope)
if err != nil {
t.Fatalf("failed to get signature envelope content: %v", err)
}
envContent.SignerInfo.UnsignedAttributes.TimestampSignature = signedToken
envContent.SignerInfo.Signature = []byte("notation")
envContent.SignerInfo.SignedAttributes.SigningTime = time.Date(3000, time.November, 10, 23, 0, 0, 0, time.UTC)
outcome := &notation.VerificationOutcome{
EnvelopeContent: envContent,
VerificationLevel: trustpolicy.LevelStrict,
}
authenticTimestampResult := verifyAuthenticTimestamp(context.Background(), dummyTrustPolicy.Name, dummyTrustPolicy.TrustStores, dummyTrustPolicy.SignatureVerification, trustStore, revocationTimestampingValidator, outcome)
expectedErrMsg := "timestamp [2021-09-17T14:09:09Z, 2021-09-17T14:09:11Z] is not bounded after the signing time \"3000-11-10 23:00:00 +0000 UTC\""
if err := authenticTimestampResult.Error; err == nil || err.Error() != expectedErrMsg {
t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
}
})
t.Run("verify Authentic Timestamp failed due to trust store does not exist", func(t *testing.T) {
dummyTrustPolicy := &trustpolicy.TrustPolicy{
Name: "test-timestamp",

148
verifier/trustpolicy/blob.go Normal file
View File

@ -0,0 +1,148 @@
// Copyright The Notary Project Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package trustpolicy
import (
"errors"
"fmt"
"reflect"
"strings"
"github.com/notaryproject/notation-go/dir"
set "github.com/notaryproject/notation-go/internal/container"
"github.com/notaryproject/notation-go/internal/slices"
)
// BlobDocument represents a trustpolicy.blob.json document for arbitrary blobs
type BlobDocument struct {
// Version of the policy document
Version string `json:"version"`
// TrustPolicies include each policy statement
TrustPolicies []BlobTrustPolicy `json:"trustPolicies"`
}
// BlobTrustPolicy represents a policy statement in the blob trust policy
// document
type BlobTrustPolicy struct {
// Name of the policy statement
Name string `json:"name"`
// SignatureVerification setting for this policy statement
SignatureVerification SignatureVerification `json:"signatureVerification"`
// TrustStores this policy statement uses
TrustStores []string `json:"trustStores"`
// TrustedIdentities this policy statement pins
TrustedIdentities []string `json:"trustedIdentities"`
// GlobalPolicy defines if policy statement is global or not
GlobalPolicy bool `json:"globalPolicy,omitempty"`
}
var supportedBlobPolicyVersions = []string{"1.0"}
// LoadBlobDocument loads a blob trust policy document from a local file system
func LoadBlobDocument() (*BlobDocument, error) {
var doc BlobDocument
err := getDocument(dir.PathBlobTrustPolicy, &doc)
return &doc, err
}
// Validate validates a blob trust policy document according to its version's
// rule set.
// If any rule is violated, returns an error.
func (policyDoc *BlobDocument) Validate() error {
// sanity check
if policyDoc == nil {
return errors.New("blob trust policy document cannot be nil")
}
// Validate Version
if policyDoc.Version == "" {
return errors.New("blob trust policy document has empty version, version must be specified")
}
if !slices.Contains(supportedBlobPolicyVersions, policyDoc.Version) {
return fmt.Errorf("blob trust policy document uses unsupported version %q", policyDoc.Version)
}
// Validate the policy according to 1.0 rules
if len(policyDoc.TrustPolicies) == 0 {
return errors.New("blob trust policy document can not have zero trust policy statements")
}
policyNames := set.New[string]()
var foundGlobalPolicy bool
for _, statement := range policyDoc.TrustPolicies {
// Verify unique policy statement names across the policy document
if policyNames.Contains(statement.Name) {
return fmt.Errorf("multiple blob trust policy statements use the same name %q, statement names must be unique", statement.Name)
}
if err := validatePolicyCore(statement.Name, statement.SignatureVerification, statement.TrustStores, statement.TrustedIdentities); err != nil {
return fmt.Errorf("blob trust policy: %w", err)
}
if statement.GlobalPolicy {
if foundGlobalPolicy {
return errors.New("multiple blob trust policy statements have globalPolicy set to true. Only one trust policy statement can be marked as global policy")
}
// verificationLevel is skip
if reflect.DeepEqual(statement.SignatureVerification.VerificationLevel, LevelSkip) {
return errors.New("global blob trust policy statement cannot have verification level set to skip")
}
foundGlobalPolicy = true
}
policyNames.Add(statement.Name)
}
return nil
}
// GetApplicableTrustPolicy returns a pointer to the deep copied [BlobTrustPolicy]
// for given policy name.
// see https://github.com/notaryproject/specifications/tree/9c81dc773508dedc5a81c02c8d805de04f65050b/specs/trust-store-trust-policy.md#blob-trust-policy
func (policyDoc *BlobDocument) GetApplicableTrustPolicy(policyName string) (*BlobTrustPolicy, error) {
if strings.TrimSpace(policyName) == "" {
return nil, errors.New("policy name cannot be empty")
}
for _, policyStatement := range policyDoc.TrustPolicies {
// exact match
if policyStatement.Name == policyName {
return (&policyStatement).clone(), nil
}
}
return nil, fmt.Errorf("no applicable blob trust policy with name %q", policyName)
}
// GetGlobalTrustPolicy returns a pointer to the deep copied [BlobTrustPolicy]
// that is marked as global policy.
// see https://github.com/notaryproject/specifications/tree/9c81dc773508dedc5a81c02c8d805de04f65050b/specs/trust-store-trust-policy.md#blob-trust-policy
func (policyDoc *BlobDocument) GetGlobalTrustPolicy() (*BlobTrustPolicy, error) {
for _, policyStatement := range policyDoc.TrustPolicies {
if policyStatement.GlobalPolicy {
return (&policyStatement).clone(), nil
}
}
return nil, fmt.Errorf("no global blob trust policy")
}
// clone returns a pointer to the deep copied [BlobTrustPolicy]
func (t *BlobTrustPolicy) clone() *BlobTrustPolicy {
return &BlobTrustPolicy{
Name: t.Name,
SignatureVerification: t.SignatureVerification,
TrustedIdentities: append([]string(nil), t.TrustedIdentities...),
TrustStores: append([]string(nil), t.TrustStores...),
GlobalPolicy: t.GlobalPolicy,
}
}

168
verifier/trustpolicy/blob_test.go Normal file
View File

@ -0,0 +1,168 @@
// Copyright The Notary Project Authors.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package trustpolicy
import (
"encoding/json"
"os"
"path/filepath"
"reflect"
"testing"
"github.com/notaryproject/notation-go/dir"
)
func TestLoadBlobDocument(t *testing.T) {
tempRoot := t.TempDir()
dir.UserConfigDir = tempRoot
path := filepath.Join(tempRoot, "trustpolicy.blob.json")
policyJson, _ := json.Marshal(dummyBlobPolicyDocument())
if err := os.WriteFile(path, policyJson, 0600); err != nil {
t.Fatalf("TestLoadBlobDocument write policy file failed. Error: %v", err)
}
t.Cleanup(func() { os.RemoveAll(tempRoot) })
if _, err := LoadBlobDocument(); err != nil {
t.Fatalf("LoadBlobDocument() should not throw error for an existing policy file. Error: %v", err)
}
}
func TestValidate_BlobDocument(t *testing.T) {
policyDoc := dummyBlobPolicyDocument()
if err := policyDoc.Validate(); err != nil {
t.Fatalf("Validate() returned error: %v", err)
}
}
func TestValidate_BlobDocument_Error(t *testing.T) {
// Sanity check
var nilPolicyDoc *BlobDocument
err := nilPolicyDoc.Validate()
if err == nil || err.Error() != "blob trust policy document cannot be nil" {
t.Fatalf("nil policyDoc should return error")
}
// empty Version
policyDoc := dummyBlobPolicyDocument()
policyDoc.Version = ""
err = policyDoc.Validate()
if err == nil || err.Error() != "blob trust policy document has empty version, version must be specified" {
t.Fatalf("empty version should return error")
}
// Invalid Version
policyDoc = dummyBlobPolicyDocument()
policyDoc.Version = "invalid"
err = policyDoc.Validate()
if err == nil || err.Error() != "blob trust policy document uses unsupported version \"invalid\"" {
t.Fatalf("invalid version should return error")
}
// No Policy Statements
policyDoc = dummyBlobPolicyDocument()
policyDoc.TrustPolicies = nil
err = policyDoc.Validate()
if err == nil || err.Error() != "blob trust policy document can not have zero trust policy statements" {
t.Fatalf("zero policy statements should return error")
}
// No Policy Statement Name
policyDoc = dummyBlobPolicyDocument()
policyDoc.TrustPolicies[0].Name = ""
err = policyDoc.Validate()
if err == nil || err.Error() != "blob trust policy: a trust policy statement is missing a name, every statement requires a name" {
t.Fatalf("policy statement with no name should return an error")
}
// multiple global rust policy
policyDoc = dummyBlobPolicyDocument()
policyStatement1 := policyDoc.TrustPolicies[0].clone()
policyStatement1.GlobalPolicy = true
policyStatement2 := policyDoc.TrustPolicies[0].clone()
policyStatement2.Name = "test-statement-name-2"
policyStatement2.GlobalPolicy = true
policyDoc.TrustPolicies = []BlobTrustPolicy{*policyStatement1, *policyStatement2}
err = policyDoc.Validate()
if err == nil || err.Error() != "multiple blob trust policy statements have globalPolicy set to true. Only one trust policy statement can be marked as global policy" {
t.Error(err)
t.Fatalf("multiple global blob policy should return error")
}
// Policy Document with duplicate policy statement names
policyDoc = dummyBlobPolicyDocument()
policyStatement1 = policyDoc.TrustPolicies[0].clone()
policyStatement2 = policyDoc.TrustPolicies[0].clone()
policyDoc.TrustPolicies = []BlobTrustPolicy{*policyStatement1, *policyStatement2}
err = policyDoc.Validate()
if err == nil || err.Error() != "multiple blob trust policy statements use the same name \"test-statement-name\", statement names must be unique" {
t.Fatalf("policy statements with same name should return error")
}
}
func TestGetApplicableTrustPolicy(t *testing.T) {
policyDoc := dummyBlobPolicyDocument()
policyStatement := policyDoc.TrustPolicies[0].clone()
policyStatement1 := policyStatement.clone()
policyStatement1.Name = "test-statement-name-1"
policyStatement1.GlobalPolicy = true
policyStatement2 := policyStatement.clone()
policyStatement2.Name = "test-statement-name-2"
policyDoc.TrustPolicies = []BlobTrustPolicy{*policyStatement, *policyStatement1, *policyStatement2}
validateGetApplicableTrustPolicy(t, policyDoc, "test-statement-name-2", policyStatement2)
validateGetApplicableTrustPolicy(t, policyDoc, "test-statement-name", policyStatement)
}
func TestGetApplicableTrustPolicy_Error(t *testing.T) {
policyDoc := dummyBlobPolicyDocument()
t.Run("empty policy name", func(t *testing.T) {
_, err := policyDoc.GetApplicableTrustPolicy("")
if err == nil || err.Error() != "policy name cannot be empty" {
t.Fatalf("GetApplicableTrustPolicy() returned error: %v", err)
}
})
t.Run("non existent policy name", func(t *testing.T) {
_, err := policyDoc.GetApplicableTrustPolicy("blaah")
if err == nil || err.Error() != "no applicable blob trust policy with name \"blaah\"" {
t.Fatalf("GetApplicableTrustPolicy() returned error: %v", err)
}
})
}
func TestGetGlobalTrustPolicy(t *testing.T) {
policyDoc := dummyBlobPolicyDocument()
policyDoc.TrustPolicies[0].GlobalPolicy = true
policy, err := policyDoc.GetGlobalTrustPolicy()
if err != nil {
t.Fatalf("GetGlobalTrustPolicy() returned error: %v", err)
}
if !reflect.DeepEqual(*policy, policyDoc.TrustPolicies[0]) {
t.Fatalf("GetGlobalTrustPolicy() returned unexpected policy")
}
}
func validateGetApplicableTrustPolicy(t *testing.T, policyDoc BlobDocument, policyName string, expectedPolicy *BlobTrustPolicy) {
policy, err := policyDoc.GetApplicableTrustPolicy(policyName)
if err != nil {
t.Fatalf("GetApplicableTrustPolicy() returned error: %v", err)
}
if reflect.DeepEqual(policy, *expectedPolicy) {
t.Fatalf("GetApplicableTrustPolicy() returned unexpected policy for %s", policyName)
}
}

111
verifier/trustpolicy/oci.go
View File

@ -25,23 +25,20 @@ import (
"github.com/notaryproject/notation-go/internal/trustpolicy"
)
// Document represents a trustpolicy.json document
type Document struct {
// OCIDocument represents a trustpolicy.oci.json document for OCI artifacts
type OCIDocument struct {
// Version of the policy document
Version string `json:"version"`
// TrustPolicies include each policy statement
TrustPolicies []TrustPolicy `json:"trustPolicies"`
TrustPolicies []OCITrustPolicy `json:"trustPolicies"`
}
// TrustPolicy represents a policy statement in the policy document
type TrustPolicy struct {
// OCITrustPolicy represents a policy statement in the OCI trust policy document
type OCITrustPolicy struct {
// Name of the policy statement
Name string `json:"name"`
// RegistryScopes that this policy statement affects
RegistryScopes []string `json:"registryScopes"`
// SignatureVerification setting for this policy statement
SignatureVerification SignatureVerification `json:"signatureVerification"`
@ -50,14 +47,50 @@ type TrustPolicy struct {
// TrustedIdentities this policy statement pins
TrustedIdentities []string `json:"trustedIdentities"`
// RegistryScopes that this policy statement affects
RegistryScopes []string `json:"registryScopes"`
}
var supportedPolicyVersions = []string{"1.0"}
// Document represents a trustPolicy.json document
//
// Deprecated: Document exists for historical compatibility and
// should not be used. To create OCI Document, use [OCIDocument].
type Document = OCIDocument
// LoadDocument retrieves a trust policy document from the local file system.
func LoadDocument() (*Document, error) {
var doc Document
if err := getDocument(dir.PathTrustPolicy, &doc); err != nil {
// TrustPolicy represents a policy statement in the policy document
//
// Deprecated: TrustPolicy exists for historical compatibility and
// should not be used. To create OCI TrustPolicy, use [OCITrustPolicy].
type TrustPolicy = OCITrustPolicy
// LoadDocument loads a trust policy document from a local file system
//
// Deprecated: LoadDocument function exists for historical compatibility and
// should not be used. To load OCI Document, use [LoadOCIDocument] function.
var LoadDocument = LoadOCIDocument
var supportedOCIPolicyVersions = []string{"1.0"}
// LoadOCIDocument retrieves a trust policy document from the local file system.
// It attempts to read from [dir.PathOCITrustPolicy] first; if not found,
// it tries [dir.PathTrustPolicy].
// If both dir.PathOCITrustPolicy and dir.PathTrustPolicy exist,
// dir.PathOCITrustPolicy will be read.
func LoadOCIDocument() (*OCIDocument, error) {
var doc OCIDocument
// attempt to load the document from dir.PathOCITrustPolicy
if err := getDocument(dir.PathOCITrustPolicy, &doc); err != nil {
// if the document is not found at the first path, try the second path
if errors.As(err, &errPolicyNotExist{}) {
if err := getDocument(dir.PathTrustPolicy, &doc); err != nil {
return nil, err
}
return &doc, nil
}
// if an error occurred other than the document not found, return it
return nil, err
}
return &doc, nil
@ -65,36 +98,33 @@ func LoadDocument() (*Document, error) {
// Validate validates a policy document according to its version's rule set.
// if any rule is violated, returns an error
func (policyDoc *Document) Validate() error {
func (policyDoc *OCIDocument) Validate() error {
// sanity check
if policyDoc == nil {
return errors.New("trust policy document cannot be nil")
return errors.New("oci trust policy document cannot be nil")
}
// Validate Version
if policyDoc.Version == "" {
return errors.New("trust policy document has empty version, version must be specified")
return errors.New("oci trust policy document has empty version, version must be specified")
}
if !slices.Contains(supportedPolicyVersions, policyDoc.Version) {
return fmt.Errorf("trust policy document uses unsupported version %q", policyDoc.Version)
if !slices.Contains(supportedOCIPolicyVersions, policyDoc.Version) {
return fmt.Errorf("oci trust policy document uses unsupported version %q", policyDoc.Version)
}
// Validate the policy according to 1.0 rules
if len(policyDoc.TrustPolicies) == 0 {
return errors.New("trust policy document can not have zero trust policy statements")
return errors.New("oci trust policy document can not have zero trust policy statements")
}
policyNames := set.New[string]()
for _, statement := range policyDoc.TrustPolicies {
// Verify unique policy statement names across the policy document
if policyNames.Contains(statement.Name) {
return fmt.Errorf("multiple trust policy statements use the same name %q, statement names must be unique", statement.Name)
return fmt.Errorf("multiple oci trust policy statements use the same name %q, statement names must be unique", statement.Name)
}
if err := validatePolicyCore(statement.Name, statement.SignatureVerification, statement.TrustStores, statement.TrustedIdentities); err != nil {
return fmt.Errorf("trust policy: %w", err)
return fmt.Errorf("oci trust policy: %w", err)
}
policyNames.Add(statement.Name)
}
@ -102,22 +132,21 @@ func (policyDoc *Document) Validate() error {
if err := validateRegistryScopes(policyDoc); err != nil {
return err
}
return nil
}
// GetApplicableTrustPolicy returns a pointer to the deep copied TrustPolicy
// GetApplicableTrustPolicy returns a pointer to the deep copied [OCITrustPolicy]
// statement that applies to the given registry scope. If no applicable trust
// policy is found, returns an error
// see https://github.com/notaryproject/notaryproject/blob/v1.0.0/specs/trust-store-trust-policy.md#selecting-a-trust-policy-based-on-artifact-uri
func (policyDoc *Document) GetApplicableTrustPolicy(artifactReference string) (*TrustPolicy, error) {
// policy is found, returns an error.
// see https://github.com/notaryproject/specifications/tree/9c81dc773508dedc5a81c02c8d805de04f65050b/specs/trust-store-trust-policy.md#selecting-a-trust-policy-based-on-artifact-uri
func (policyDoc *OCIDocument) GetApplicableTrustPolicy(artifactReference string) (*OCITrustPolicy, error) {
artifactPath, err := getArtifactPathFromReference(artifactReference)
if err != nil {
return nil, err
}
var wildcardPolicy *TrustPolicy
var applicablePolicy *TrustPolicy
var wildcardPolicy *OCITrustPolicy
var applicablePolicy *OCITrustPolicy
for _, policyStatement := range policyDoc.TrustPolicies {
if slices.Contains(policyStatement.RegistryScopes, trustpolicy.Wildcard) {
// we need to deep copy because we can't use the loop variable
@ -127,7 +156,6 @@ func (policyDoc *Document) GetApplicableTrustPolicy(artifactReference string) (*
applicablePolicy = (&policyStatement).clone()
}
}
if applicablePolicy != nil {
// a policy with exact match for registry scope takes precedence over
// a wildcard (*) policy.
@ -135,13 +163,13 @@ func (policyDoc *Document) GetApplicableTrustPolicy(artifactReference string) (*
} else if wildcardPolicy != nil {
return wildcardPolicy, nil
} else {
return nil, fmt.Errorf("artifact %q has no applicable trust policy statement. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: %s", artifactReference, trustPolicyLink)
return nil, fmt.Errorf("artifact %q has no applicable oci trust policy statement. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: %s", artifactReference, trustPolicyLink)
}
}
// clone returns a pointer to the deeply copied TrustPolicy
func (t *TrustPolicy) clone() *TrustPolicy {
return &TrustPolicy{
// clone returns a pointer to the deep copied [OCITrustPolicy]
func (t *OCITrustPolicy) clone() *OCITrustPolicy {
return &OCITrustPolicy{
Name: t.Name,
SignatureVerification: t.SignatureVerification,
TrustedIdentities: append([]string(nil), t.TrustedIdentities...),
@ -152,15 +180,15 @@ func (t *TrustPolicy) clone() *TrustPolicy {
// validateRegistryScopes validates if the policy document is following the
// Notary Project spec rules for registry scopes
func validateRegistryScopes(policyDoc *Document) error {
func validateRegistryScopes(policyDoc *OCIDocument) error {
registryScopeCount := make(map[string]int)
for _, statement := range policyDoc.TrustPolicies {
// Verify registry scopes are valid
if len(statement.RegistryScopes) == 0 {
return fmt.Errorf("trust policy statement %q has zero registry scopes, it must specify registry scopes with at least one value", statement.Name)
return fmt.Errorf("oci trust policy statement %q has zero registry scopes, it must specify registry scopes with at least one value", statement.Name)
}
if len(statement.RegistryScopes) > 1 && slices.Contains(statement.RegistryScopes, trustpolicy.Wildcard) {
return fmt.Errorf("trust policy statement %q uses wildcard registry scope '*', a wildcard scope cannot be used in conjunction with other scope values", statement.Name)
return fmt.Errorf("oci trust policy statement %q uses wildcard registry scope '*', a wildcard scope cannot be used in conjunction with other scope values", statement.Name)
}
for _, scope := range statement.RegistryScopes {
if scope != trustpolicy.Wildcard {
@ -175,7 +203,7 @@ func validateRegistryScopes(policyDoc *Document) error {
// Verify one policy statement per registry scope
for key := range registryScopeCount {
if registryScopeCount[key] > 1 {
return fmt.Errorf("registry scope %q is present in multiple trust policy statements, one registry scope value can only be associated with one statement", key)
return fmt.Errorf("registry scope %q is present in multiple oci trust policy statements, one registry scope value can only be associated with one statement", key)
}
}
@ -190,7 +218,6 @@ func getArtifactPathFromReference(artifactReference string) (string, error) {
if i < 0 {
return "", fmt.Errorf("artifact URI %q could not be parsed, make sure it is the fully qualified oci artifact URI without the scheme/protocol. e.g domain.com:80/my/repository@sha256:digest", artifactReference)
}
artifactPath := artifactReference[:i]
if err := validateRegistryScopeFormat(artifactPath); err != nil {
return "", err
@ -214,12 +241,10 @@ func validateRegistryScopeFormat(scope string) error {
if len(scope) > 1 && strings.Contains(scope, "*") {
return fmt.Errorf(errorWildCardMessage, scope)
}
domain, repository, found := strings.Cut(scope, "/")
if !found {
return fmt.Errorf(errorMessage, scope)
}
if domain == "" || repository == "" || !domainRegexp.MatchString(domain) || !repositoryRegexp.MatchString(repository) {
return fmt.Errorf(errorMessage, scope)
}

135
verifier/trustpolicy/oci_test.go
View File

@ -23,32 +23,47 @@ import (
"github.com/notaryproject/notation-go/dir"
)
func TestLoadDocumentFromFileLocation(t *testing.T) {
func TestLoadOCIDocumentFromOldFileLocation(t *testing.T) {
tempRoot := t.TempDir()
dir.UserConfigDir = tempRoot
path := filepath.Join(tempRoot, "trustpolicy.json")
policyJson, _ := json.Marshal(dummyPolicyDocument())
policyJson, _ := json.Marshal(dummyOCIPolicyDocument())
if err := os.WriteFile(path, policyJson, 0600); err != nil {
t.Fatalf("TestLoadDocument write policy file failed. Error: %v", err)
t.Fatalf("TestLoadOCIDocument write policy file failed. Error: %v", err)
}
t.Cleanup(func() { os.RemoveAll(tempRoot) })
if _, err := LoadDocument(); err != nil {
t.Fatalf("LoadDocument() should not throw error for an existing policy file. Error: %v", err)
if _, err := LoadOCIDocument(); err != nil {
t.Fatalf("LoadOCIDocument() should not throw error for an existing policy file. Error: %v", err)
}
}
func TestLoadDocumentError(t *testing.T) {
func TestLoadOCIDocumentFromNewFileLocation(t *testing.T) {
tempRoot := t.TempDir()
dir.UserConfigDir = tempRoot
if _, err := LoadDocument(); err == nil {
t.Fatalf("LoadDocument() should throw error if trust policy is not found")
path := filepath.Join(tempRoot, "trustpolicy.oci.json")
policyJson, _ := json.Marshal(dummyOCIPolicyDocument())
if err := os.WriteFile(path, policyJson, 0600); err != nil {
t.Fatalf("TestLoadOCIDocument write policy file failed. Error: %v", err)
}
t.Cleanup(func() { os.RemoveAll(tempRoot) })
if _, err := LoadOCIDocument(); err != nil {
t.Fatalf("LoadOCIDocument() should not throw error for an existing policy file. Error: %v", err)
}
}
func TestLoadOCIDocumentError(t *testing.T) {
tempRoot := t.TempDir()
dir.UserConfigDir = tempRoot
if _, err := LoadOCIDocument(); err == nil {
t.Fatalf("LoadOCIDocument() should throw error if OCI trust policy is not found")
}
}
// TestApplicableTrustPolicy tests filtering policies against registry scopes
func TestApplicableTrustPolicy(t *testing.T) {
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
policyStatement := policyDoc.TrustPolicies[0]
policyStatement.Name = "test-statement-name-1"
@ -57,7 +72,7 @@ func TestApplicableTrustPolicy(t *testing.T) {
policyStatement.RegistryScopes = []string{registryScope}
policyStatement.SignatureVerification = SignatureVerification{VerificationLevel: "strict"}
policyDoc.TrustPolicies = []TrustPolicy{
policyDoc.TrustPolicies = []OCITrustPolicy{
policyStatement,
}
// existing Registry Scope
@ -68,12 +83,12 @@ func TestApplicableTrustPolicy(t *testing.T) {
// non-existing Registry Scope
policy, err = (&policyDoc).GetApplicableTrustPolicy("non.existing.scope/repo@sha256:hash")
if policy != nil || err == nil || err.Error() != "artifact \"non.existing.scope/repo@sha256:hash\" has no applicable trust policy statement. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy" {
if policy != nil || err == nil || err.Error() != "artifact \"non.existing.scope/repo@sha256:hash\" has no applicable oci trust policy statement. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy" {
t.Fatalf("GetApplicableTrustPolicy() should return nil for non existing registry scope")
}
// wildcard registry scope
wildcardStatement := TrustPolicy{
wildcardStatement := OCITrustPolicy{
Name: "test-statement-name-2",
SignatureVerification: SignatureVerification{VerificationLevel: "skip"},
TrustStores: []string{},
@ -81,7 +96,7 @@ func TestApplicableTrustPolicy(t *testing.T) {
RegistryScopes: []string{"*"},
}
policyDoc.TrustPolicies = []TrustPolicy{
policyDoc.TrustPolicies = []OCITrustPolicy{
policyStatement,
wildcardStatement,
}
@ -95,130 +110,130 @@ func TestApplicableTrustPolicy(t *testing.T) {
// and tests various validations on policy elements
func TestValidateInvalidPolicyDocument(t *testing.T) {
// Sanity check
var nilPolicyDoc *Document
var nilPolicyDoc *OCIDocument
err := nilPolicyDoc.Validate()
if err == nil || err.Error() != "trust policy document cannot be nil" {
if err == nil || err.Error() != "oci trust policy document cannot be nil" {
t.Fatalf("nil policyDoc should return error")
}
// Invalid Version
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
policyDoc.Version = "invalid"
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy document uses unsupported version \"invalid\"" {
if err == nil || err.Error() != "oci trust policy document uses unsupported version \"invalid\"" {
t.Fatalf("invalid version should return error")
}
// No Policy Statements
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies = nil
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy document can not have zero trust policy statements" {
if err == nil || err.Error() != "oci trust policy document can not have zero trust policy statements" {
t.Fatalf("zero policy statements should return error")
}
// No Policy Statement Name
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].Name = ""
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: a trust policy statement is missing a name, every statement requires a name" {
if err == nil || err.Error() != "oci trust policy: a trust policy statement is missing a name, every statement requires a name" {
t.Fatalf("policy statement with no name should return an error")
}
// No Registry Scopes
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].RegistryScopes = nil
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy statement \"test-statement-name\" has zero registry scopes, it must specify registry scopes with at least one value" {
if err == nil || err.Error() != "oci trust policy statement \"test-statement-name\" has zero registry scopes, it must specify registry scopes with at least one value" {
t.Fatalf("policy statement with registry scopes should return error")
}
// Multiple policy statements with same registry scope
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyStatement1 := policyDoc.TrustPolicies[0].clone()
policyStatement2 := policyDoc.TrustPolicies[0].clone()
policyStatement2.Name = "test-statement-name-2"
policyDoc.TrustPolicies = []TrustPolicy{*policyStatement1, *policyStatement2}
policyDoc.TrustPolicies = []OCITrustPolicy{*policyStatement1, *policyStatement2}
err = policyDoc.Validate()
if err == nil || err.Error() != "registry scope \"registry.acme-rockets.io/software/net-monitor\" is present in multiple trust policy statements, one registry scope value can only be associated with one statement" {
if err == nil || err.Error() != "registry scope \"registry.acme-rockets.io/software/net-monitor\" is present in multiple oci trust policy statements, one registry scope value can only be associated with one statement" {
t.Fatalf("Policy statements with same registry scope should return error %q", err)
}
// Registry scopes with a wildcard
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].RegistryScopes = []string{"*", "registry.acme-rockets.io/software/net-monitor"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy statement \"test-statement-name\" uses wildcard registry scope '*', a wildcard scope cannot be used in conjunction with other scope values" {
if err == nil || err.Error() != "oci trust policy statement \"test-statement-name\" uses wildcard registry scope '*', a wildcard scope cannot be used in conjunction with other scope values" {
t.Fatalf("policy statement with more than a wildcard registry scope should return error")
}
// Invalid SignatureVerification
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].SignatureVerification = SignatureVerification{VerificationLevel: "invalid"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" has invalid signatureVerification: invalid signature verification level \"invalid\"" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" has invalid signatureVerification: invalid signature verification level \"invalid\"" {
t.Fatalf("policy statement with invalid SignatureVerification should return error")
}
// Invalid SignatureVerification VerifyTimestamp
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].SignatureVerification.VerifyTimestamp = "invalid"
expectedErrMsg := "trust policy: trust policy statement \"test-statement-name\" has invalid signatureVerification: verifyTimestamp must be \"always\" or \"afterCertExpiry\", but got \"invalid\""
expectedErrMsg := "oci trust policy: trust policy statement \"test-statement-name\" has invalid signatureVerification: verifyTimestamp must be \"always\" or \"afterCertExpiry\", but got \"invalid\""
err = policyDoc.Validate()
if err == nil || err.Error() != expectedErrMsg {
t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
}
// strict SignatureVerification should have a trust store
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustStores = []string{}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" is either missing trust stores or trusted identities, both must be specified" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" is either missing trust stores or trusted identities, both must be specified" {
t.Fatalf("strict SignatureVerification should have a trust store")
}
// strict SignatureVerification should have trusted identities
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustedIdentities = []string{}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" is either missing trust stores or trusted identities, both must be specified" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" is either missing trust stores or trusted identities, both must be specified" {
t.Fatalf("strict SignatureVerification should have trusted identities")
}
// skip SignatureVerification should not have trust store or trusted identities
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].SignatureVerification = SignatureVerification{VerificationLevel: "skip"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" is set to skip signature verification but configured with trust stores and/or trusted identities, remove them if signature verification needs to be skipped" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" is set to skip signature verification but configured with trust stores and/or trusted identities, remove them if signature verification needs to be skipped" {
t.Fatalf("strict SignatureVerification should have trusted identities")
}
// Empty Trusted Identity should throw error
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustedIdentities = []string{""}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" has an empty trusted identity" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" has an empty trusted identity" {
t.Fatalf("policy statement with empty trusted identity should return error")
}
// Trusted Identity without separator should throw error
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustedIdentities = []string{"x509.subject"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" has trusted identity \"x509.subject\" missing separator" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" has trusted identity \"x509.subject\" missing separator" {
t.Fatalf("policy statement with trusted identity missing separator should return error")
}
// Empty Trusted Identity value should throw error
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustedIdentities = []string{"x509.subject:"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" has trusted identity \"x509.subject:\" without an identity value" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" has trusted identity \"x509.subject:\" without an identity value" {
t.Fatalf("policy statement with trusted identity missing identity value should return error")
}
// trust store/trusted identities are optional for skip SignatureVerification
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].SignatureVerification = SignatureVerification{VerificationLevel: "skip"}
policyDoc.TrustPolicies[0].TrustStores = []string{}
policyDoc.TrustPolicies[0].TrustedIdentities = []string{}
@ -228,52 +243,52 @@ func TestValidateInvalidPolicyDocument(t *testing.T) {
}
// Trust Store missing separator
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustStores = []string{"ca"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" has malformed trust store value \"ca\". The required format is <TrustStoreType>:<TrustStoreName>" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" has malformed trust store value \"ca\". The required format is <TrustStoreType>:<TrustStoreName>" {
t.Fatalf("policy statement with trust store missing separator should return error")
}
// Invalid Trust Store type
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustStores = []string{"invalid:test-trust-store"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" uses an unsupported trust store type \"invalid\" in trust store value \"invalid:test-trust-store\"" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" uses an unsupported trust store type \"invalid\" in trust store value \"invalid:test-trust-store\"" {
t.Fatalf("policy statement with invalid trust store type should return error")
}
// Empty Named Store
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustStores = []string{"ca:"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" uses an unsupported trust store name \"\" in trust store value \"ca:\". Named store name needs to follow [a-zA-Z0-9_.-]+ format" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" uses an unsupported trust store name \"\" in trust store value \"ca:\". Named store name needs to follow [a-zA-Z0-9_.-]+ format" {
t.Fatalf("policy statement with trust store missing named store should return error")
}
// trusted identities with a wildcard
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].TrustedIdentities = []string{"*", "test-identity"}
err = policyDoc.Validate()
if err == nil || err.Error() != "trust policy: trust policy statement \"test-statement-name\" uses a wildcard trusted identity '*', a wildcard identity cannot be used in conjunction with other values" {
if err == nil || err.Error() != "oci trust policy: trust policy statement \"test-statement-name\" uses a wildcard trusted identity '*', a wildcard identity cannot be used in conjunction with other values" {
t.Fatalf("policy statement with more than a wildcard trusted identity should return error")
}
// Policy Document with duplicate policy statement names
policyDoc = dummyPolicyDocument()
policyDoc = dummyOCIPolicyDocument()
policyStatement1 = policyDoc.TrustPolicies[0].clone()
policyStatement2 = policyDoc.TrustPolicies[0].clone()
policyStatement2.RegistryScopes = []string{"registry.acme-rockets.io/software/legacy/metrics"}
policyDoc.TrustPolicies = []TrustPolicy{*policyStatement1, *policyStatement2}
policyDoc.TrustPolicies = []OCITrustPolicy{*policyStatement1, *policyStatement2}
err = policyDoc.Validate()
if err == nil || err.Error() != "multiple trust policy statements use the same name \"test-statement-name\", statement names must be unique" {
if err == nil || err.Error() != "multiple oci trust policy statements use the same name \"test-statement-name\", statement names must be unique" {
t.Fatalf("policy statements with same name should return error")
}
}
// TestValidRegistryScopes tests valid scopes are accepted
func TestValidRegistryScopes(t *testing.T) {
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
validScopes := []string{
"*", "example.com/rep", "example.com:8080/rep/rep2", "example.com/rep/subrep/subsub",
"10.10.10.10:8080/rep/rep2", "domain/rep", "domain:1234/rep",
@ -290,7 +305,7 @@ func TestValidRegistryScopes(t *testing.T) {
// TestInvalidRegistryScopes tests invalid scopes are rejected
func TestInvalidRegistryScopes(t *testing.T) {
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
invalidScopes := []string{
"", "1:1", "a,b", "abcd", "1111", "1,2", "example.com/rep:tag",
"example.com/rep/subrep/sub:latest", "example.com", "rep/rep2:latest",
@ -318,7 +333,7 @@ func TestInvalidRegistryScopes(t *testing.T) {
// TestValidateValidPolicyDocument tests a happy policy document
func TestValidateValidPolicyDocument(t *testing.T) {
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
policyStatement1 := policyDoc.TrustPolicies[0].clone()
@ -361,7 +376,7 @@ func TestValidateValidPolicyDocument(t *testing.T) {
policyStatement8.RegistryScopes = []string{"registry.acme-rockets.io/software/net-monitor8"}
policyStatement8.SignatureVerification.VerifyTimestamp = OptionAfterCertExpiry
policyDoc.TrustPolicies = []TrustPolicy{
policyDoc.TrustPolicies = []OCITrustPolicy{
*policyStatement1,
*policyStatement2,
*policyStatement3,

17
verifier/trustpolicy/trustpolicy.go
View File

@ -158,8 +158,9 @@ func (e errPolicyNotExist) Error() string {
return fmt.Sprintf("trust policy is not present. To create a trust policy, see: %s", trustPolicyLink)
}
// GetVerificationLevel returns VerificationLevel struct for the given
// SignatureVerification struct throws error if SignatureVerification is invalid
// GetVerificationLevel returns [VerificationLevel] for the given
// [SignatureVerification] struct.
// It throws error if SignatureVerification is invalid.
func (signatureVerification *SignatureVerification) GetVerificationLevel() (*VerificationLevel, error) {
if signatureVerification.VerificationLevel == "" {
return nil, errors.New("signature verification level is empty or missing in the trust policy statement")
@ -174,16 +175,13 @@ func (signatureVerification *SignatureVerification) GetVerificationLevel() (*Ver
if baseLevel == nil {
return nil, fmt.Errorf("invalid signature verification level %q", signatureVerification.VerificationLevel)
}
if len(signatureVerification.Override) == 0 {
// nothing to override, return the base verification level
return baseLevel, nil
}
if baseLevel == LevelSkip {
return nil, fmt.Errorf("signature verification level %q can't be used to customize signature verification", baseLevel.Name)
}
customVerificationLevel := &VerificationLevel{
Name: "custom",
Enforcement: make(map[ValidationType]ValidationAction),
@ -218,13 +216,11 @@ func (signatureVerification *SignatureVerification) GetVerificationLevel() (*Ver
if validationAction == "" {
return nil, fmt.Errorf("verification action %q in custom signature verification is not supported, supported values are %q", value, ValidationActions)
}
if validationType == TypeIntegrity {
return nil, fmt.Errorf("%q verification can not be overridden in custom signature verification", key)
} else if validationType != TypeRevocation && validationAction == ActionSkip {
return nil, fmt.Errorf("%q verification can not be skipped in custom signature verification", key)
}
customVerificationLevel.Enforcement[validationType] = validationAction
}
return customVerificationLevel, nil
@ -244,12 +240,10 @@ func getDocument(path string, v any) error {
}
return err
}
mode := fileInfo.Mode()
if mode.IsDir() || mode&fs.ModeSymlink != 0 {
return fmt.Errorf("trust policy is not a regular file (symlinks are not supported). To create a trust policy, see: %s", trustPolicyLink)
}
jsonFile, err := os.Open(path)
if err != nil {
if errors.Is(err, os.ErrPermission) {
@ -322,7 +316,6 @@ func validateTrustStore(policyName string, trustStores []string) error {
return fmt.Errorf("trust policy statement %q uses an unsupported trust store name %q in trust store value %q. Named store name needs to follow [a-zA-Z0-9_.-]+ format", policyName, namedStore, trustStore)
}
}
return nil
}
@ -341,7 +334,6 @@ func validateTrustedIdentities(policyName string, tis []string) error {
if identity == "" {
return fmt.Errorf("trust policy statement %q has an empty trusted identity", policyName)
}
if identity != trustpolicy.Wildcard {
identityPrefix, identityValue, found := strings.Cut(identity, ":")
if !found {
@ -380,12 +372,11 @@ func validateOverlappingDNs(policyName string, parsedDNs []parsedDN) error {
}
}
}
return nil
}
// isValidTrustStoreType returns true if the given string is a valid
// truststore.Type, otherwise false.
// [truststore.Type], otherwise false.
func isValidTrustStoreType(s string) bool {
for _, p := range truststore.Types {
if s == string(p) {

42
verifier/trustpolicy/trustpolicy_test.go
View File

@ -26,10 +26,10 @@ import (
"github.com/notaryproject/notation-go/dir"
)
func dummyPolicyDocument() Document {
return Document{
func dummyOCIPolicyDocument() OCIDocument {
return OCIDocument{
Version: "1.0",
TrustPolicies: []TrustPolicy{
TrustPolicies: []OCITrustPolicy{
{
Name: "test-statement-name",
RegistryScopes: []string{"registry.acme-rockets.io/software/net-monitor"},
@ -41,6 +41,20 @@ func dummyPolicyDocument() Document {
}
}
func dummyBlobPolicyDocument() BlobDocument {
return BlobDocument{
Version: "1.0",
TrustPolicies: []BlobTrustPolicy{
{
Name: "test-statement-name",
SignatureVerification: SignatureVerification{VerificationLevel: "strict"},
TrustStores: []string{"ca:valid-trust-store", "signingAuthority:valid-trust-store"},
TrustedIdentities: []string{"x509.subject:CN=Notation Test Root,O=Notary,L=Seattle,ST=WA,C=US"},
},
},
}
}
// create testcase for validatePolicyCore method
func TestValidatePolicyCore(t *testing.T) {
policyName := "test-statement-name"
@ -292,16 +306,22 @@ func TestGetDocument(t *testing.T) {
t.Skip("skipping test on Windows")
}
dir.UserConfigDir = "/"
var doc Document
var ociDoc OCIDocument
var blobDoc BlobDocument
tests := []struct {
name string
expectedDocument any
actualDocument any
}{
{
name: "valid policy file",
expectedDocument: dummyPolicyDocument(),
actualDocument: &doc,
name: "valid OCI policy file",
expectedDocument: dummyOCIPolicyDocument(),
actualDocument: &ociDoc,
},
{
name: "valid Blob policy file",
expectedDocument: dummyBlobPolicyDocument(),
actualDocument: &blobDoc,
},
}
@ -325,7 +345,7 @@ func TestGetDocument(t *testing.T) {
func TestGetDocumentErrors(t *testing.T) {
dir.UserConfigDir = "/"
t.Run("non-existing policy file", func(t *testing.T) {
var doc Document
var doc OCIDocument
if err := getDocument("blaah", &doc); err == nil || err.Error() != fmt.Sprintf("trust policy is not present. To create a trust policy, see: %s", trustPolicyLink) {
t.Fatalf("getDocument() should throw error for non existent policy")
}
@ -342,7 +362,7 @@ func TestGetDocumentErrors(t *testing.T) {
}
t.Cleanup(func() { os.RemoveAll(tempRoot) })
var doc Document
var doc OCIDocument
if err := getDocument(path, &doc); err == nil || err.Error() != fmt.Sprintf("malformed trust policy. To create a trust policy, see: %s", trustPolicyLink) {
t.Fatalf("getDocument() should throw error for invalid policy file. Error: %v", err)
}
@ -359,7 +379,7 @@ func TestGetDocumentErrors(t *testing.T) {
t.Fatalf("creation of invalid permission policy file failed. Error: %v", err)
}
expectedErrMsg := fmt.Sprintf("unable to read trust policy due to file permissions, please verify the permissions of %s", path)
var doc Document
var doc OCIDocument
if err := getDocument(path, &doc); err == nil || err.Error() != expectedErrMsg {
t.Errorf("getDocument() should throw error for a policy file with bad permissions. "+
"Expected error: '%v'qq but found '%v'", expectedErrMsg, err.Error())
@ -380,7 +400,7 @@ func TestGetDocumentErrors(t *testing.T) {
if err := os.Symlink(path, symlinkPath); err != nil {
t.Fatalf("creation of symlink for policy file failed. Error: %v", err)
}
var doc Document
var doc OCIDocument
if err := getDocument(symlinkPath, &doc); err == nil || !strings.HasPrefix(err.Error(), "trust policy is not a regular file (symlinks are not supported)") {
t.Fatalf("getDocument() should throw error for a symlink policy file. Error: %v", err)
}

9
verifier/truststore/truststore.go
View File

@ -30,8 +30,7 @@ import (
"github.com/notaryproject/notation-go/internal/slices"
)
// Type is an enum for trust store types supported such as
// "ca" and "signingAuthority"
// Type is an enum for trust store types supported
type Type string
const (
@ -48,18 +47,18 @@ var (
}
)
// X509TrustStore provide list and get behaviors for the trust store
// X509TrustStore provides list and get behaviors for the trust store
type X509TrustStore interface {
// GetCertificates returns certificates under storeType/namedStore
GetCertificates(ctx context.Context, storeType Type, namedStore string) ([]*x509.Certificate, error)
}
// NewX509TrustStore generates a new X509TrustStore
// NewX509TrustStore generates a new [X509TrustStore]
func NewX509TrustStore(trustStorefs dir.SysFS) X509TrustStore {
return &x509TrustStore{trustStorefs}
}
// x509TrustStore implements X509TrustStore
// x509TrustStore implements [X509TrustStore]
type x509TrustStore struct {
trustStorefs dir.SysFS
}

213
verifier/verifier.go
View File

@ -11,11 +11,13 @@
// See the License for the specific language governing permissions and
// limitations under the License.
// Package verifier provides an implementation of notation.Verifier interface
// Package verifier provides implementations of [notation.Verifier] and
// [notation.BlobVerifier] interfaces.
package verifier
import (
"context"
"crypto"
"crypto/x509"
"encoding/json"
"errors"
@ -46,12 +48,21 @@ import (
"github.com/notaryproject/notation-go/verifier/truststore"
pluginframework "github.com/notaryproject/notation-plugin-framework-go/plugin"
"github.com/notaryproject/tspclient-go"
"github.com/opencontainers/go-digest"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
// verifier implements notation.Verifier and notation.verifySkipper
var algorithms = map[crypto.Hash]digest.Algorithm{
crypto.SHA256: digest.SHA256,
crypto.SHA384: digest.SHA384,
crypto.SHA512: digest.SHA512,
}
// verifier implements [notation.Verifier], [notation.BlobVerifier] and
// notation.verifySkipper interfaces.
type verifier struct {
trustPolicyDoc *trustpolicy.Document
ociTrustPolicyDoc *trustpolicy.OCIDocument
blobTrustPolicyDoc *trustpolicy.BlobDocument
trustStore truststore.X509TrustStore
pluginManager plugin.Manager
revocationClient revocation.Revocation
@ -60,7 +71,7 @@ type verifier struct {
}
// VerifierOptions specifies additional parameters that can be set when using
// the NewWithOptions constructor
// the [NewVerifierWithOptions] constructor
type VerifierOptions struct {
// RevocationClient is an implementation of revocation.Revocation to use for
// verifying revocation of code signing certificate chain
@ -77,44 +88,86 @@ type VerifierOptions struct {
// RevocationTimestampingValidator is used for verifying revocation of
// timestamping certificate chain with context.
RevocationTimestampingValidator revocation.Validator
// OCITrustpolicy is the trust policy document for OCI artifacts.
OCITrustPolicy *trustpolicy.OCIDocument
// BlobTrustPolicy is the trust policy document for Blob artifacts.
BlobTrustPolicy *trustpolicy.BlobDocument
// PluginManager manages plugins installed on the system.
PluginManager plugin.Manager
}
// NewFromConfig returns a verifier based on local file system.
func NewFromConfig() (notation.Verifier, error) {
// NewOCIVerifierFromConfig returns an OCI verifier based on local file system
func NewOCIVerifierFromConfig() (*verifier, error) {
// load trust policy
policyDocument, err := trustpolicy.LoadDocument()
policyDocument, err := trustpolicy.LoadOCIDocument()
if err != nil {
return nil, err
}
// load trust store
x509TrustStore := truststore.NewX509TrustStore(dir.ConfigFS())
return New(policyDocument, x509TrustStore, plugin.NewCLIManager(dir.PluginFS()))
return NewVerifierWithOptions(x509TrustStore, VerifierOptions{
OCITrustPolicy: policyDocument,
PluginManager: plugin.NewCLIManager(dir.PluginFS()),
})
}
// New creates a new verifier given trustPolicy, trustStore and pluginManager
func New(trustPolicy *trustpolicy.Document, trustStore truststore.X509TrustStore, pluginManager plugin.Manager) (notation.Verifier, error) {
return NewWithOptions(trustPolicy, trustStore, pluginManager, VerifierOptions{})
// NewBlobVerifierFromConfig returns a Blob verifier based on local file system
func NewBlobVerifierFromConfig() (*verifier, error) {
// load blob trust policy
policyDocument, err := trustpolicy.LoadBlobDocument()
if err != nil {
return nil, err
}
// load trust store
x509TrustStore := truststore.NewX509TrustStore(dir.ConfigFS())
return NewVerifierWithOptions(x509TrustStore, VerifierOptions{
BlobTrustPolicy: policyDocument,
PluginManager: plugin.NewCLIManager(dir.PluginFS()),
})
}
// NewWithOptions creates a new verifier given trustPolicy, trustStore,
// pluginManager, and verifierOptions
func NewWithOptions(trustPolicy *trustpolicy.Document, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, verifierOptions VerifierOptions) (notation.Verifier, error) {
// NewWithOptions creates a new verifier given ociTrustPolicy, trustStore,
// pluginManager, and VerifierOptions.
//
// Deprecated: NewWithOptions function exists for historical compatibility and
// should not be used. To create verifier, use [NewVerifierWithOptions] function.
func NewWithOptions(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager, opts VerifierOptions) (notation.Verifier, error) {
opts.OCITrustPolicy = ociTrustPolicy
opts.PluginManager = pluginManager
return NewVerifierWithOptions(trustStore, opts)
}
// NewVerifierWithOptions creates a new verifier given trustStore and
// verifierOptions.
func NewVerifierWithOptions(trustStore truststore.X509TrustStore, verifierOptions VerifierOptions) (*verifier, error) {
ociTrustPolicy := verifierOptions.OCITrustPolicy
blobTrustPolicy := verifierOptions.BlobTrustPolicy
if trustStore == nil {
return nil, errors.New("trustStore cannot be nil")
}
if trustPolicy == nil {
return nil, errors.New("trustPolicy cannot be nil")
if ociTrustPolicy == nil && blobTrustPolicy == nil {
return nil, errors.New("ociTrustPolicy and blobTrustPolicy both cannot be nil")
}
if err := trustPolicy.Validate(); err != nil {
return nil, err
if ociTrustPolicy != nil {
if err := ociTrustPolicy.Validate(); err != nil {
return nil, err
}
}
if blobTrustPolicy != nil {
if err := blobTrustPolicy.Validate(); err != nil {
return nil, err
}
}
v := &verifier{
trustPolicyDoc: trustPolicy,
trustStore: trustStore,
pluginManager: pluginManager,
ociTrustPolicyDoc: ociTrustPolicy,
blobTrustPolicyDoc: blobTrustPolicy,
trustStore: trustStore,
pluginManager: verifierOptions.PluginManager,
}
if err := v.setRevocation(verifierOptions); err != nil {
@ -123,6 +176,26 @@ func NewWithOptions(trustPolicy *trustpolicy.Document, trustStore truststore.X50
return v, nil
}
// NewFromConfig returns an OCI verifier based on local file system.
//
// Deprecated: NewFromConfig function exists for historical compatibility and
// should not be used. To create an OCI verifier, use [NewOCIVerifierFromConfig]
// function.
func NewFromConfig() (notation.Verifier, error) {
return NewOCIVerifierFromConfig()
}
// New creates a new verifier given ociTrustPolicy, trustStore and pluginManager.
//
// Deprecated: New function exists for historical compatibility and
// should not be used. To create verifier, use [NewVerifier] function.
func New(ociTrustPolicy *trustpolicy.OCIDocument, trustStore truststore.X509TrustStore, pluginManager plugin.Manager) (notation.Verifier, error) {
return NewVerifierWithOptions(trustStore, VerifierOptions{
OCITrustPolicy: ociTrustPolicy,
PluginManager: pluginManager,
})
}
// setRevocation sets revocation validators of v
func (v *verifier) setRevocation(verifierOptions VerifierOptions) error {
// timestamping validator
@ -168,7 +241,7 @@ func (v *verifier) SkipVerify(ctx context.Context, opts notation.VerifierVerifyO
logger := log.GetLogger(ctx)
logger.Debugf("Check verification level against artifact %v", opts.ArtifactReference)
trustPolicy, err := v.trustPolicyDoc.GetApplicableTrustPolicy(opts.ArtifactReference)
trustPolicy, err := v.ociTrustPolicyDoc.GetApplicableTrustPolicy(opts.ArtifactReference)
if err != nil {
return false, nil, notation.ErrorNoApplicableTrustPolicy{Msg: err.Error()}
}
@ -185,7 +258,88 @@ func (v *verifier) SkipVerify(ctx context.Context, opts notation.VerifierVerifyO
return false, verificationLevel, nil
}
// Verify verifies the signature associated the target OCI
// VerifyBlob verifies the signature of given blob, and returns the outcome upon
// successful verification.
func (v *verifier) VerifyBlob(ctx context.Context, descGenFunc notation.BlobDescriptorGenerator, signature []byte, opts notation.BlobVerifierVerifyOptions) (*notation.VerificationOutcome, error) {
logger := log.GetLogger(ctx)
logger.Debugf("Verify signature of media type %v", opts.SignatureMediaType)
if v.blobTrustPolicyDoc == nil {
return nil, errors.New("blobTrustPolicyDoc is nil")
}
var trustPolicy *trustpolicy.BlobTrustPolicy
var err error
if opts.TrustPolicyName == "" {
trustPolicy, err = v.blobTrustPolicyDoc.GetGlobalTrustPolicy()
} else {
trustPolicy, err = v.blobTrustPolicyDoc.GetApplicableTrustPolicy(opts.TrustPolicyName)
}
if err != nil {
return nil, notation.ErrorNoApplicableTrustPolicy{Msg: err.Error()}
}
logger.Infof("Trust policy configuration: %+v", trustPolicy)
// ignore the error since we already validated the policy document
verificationLevel, _ := trustPolicy.SignatureVerification.GetVerificationLevel()
outcome := &notation.VerificationOutcome{
RawSignature: signature,
VerificationLevel: verificationLevel,
}
// verificationLevel is skip
if reflect.DeepEqual(verificationLevel, trustpolicy.LevelSkip) {
logger.Debug("Skipping signature verification")
return outcome, nil
}
err = v.processSignature(ctx, signature, opts.SignatureMediaType, trustPolicy.Name, trustPolicy.TrustedIdentities, trustPolicy.TrustStores, trustPolicy.SignatureVerification, opts.PluginConfig, outcome)
if err != nil {
outcome.Error = err
return outcome, err
}
payload := &envelope.Payload{}
err = json.Unmarshal(outcome.EnvelopeContent.Payload.Content, payload)
if err != nil {
logger.Error("Failed to unmarshal the payload content in the signature blob to envelope.Payload")
outcome.Error = err
return outcome, err
}
cryptoHash := outcome.EnvelopeContent.SignerInfo.SignatureAlgorithm.Hash()
digestAlgo, ok := algorithms[cryptoHash]
if !ok {
logger.Error("Unsupported hashing algorithm: %v", cryptoHash)
err := fmt.Errorf("unsupported hashing algorithm: %v", cryptoHash)
outcome.Error = err
return outcome, err
}
desc, err := descGenFunc(digestAlgo)
if err != nil {
errMsg := fmt.Sprintf("failed to generate descriptor for given artifact. Error: %s", err)
logger.Error(errMsg)
descErr := errors.New(errMsg)
outcome.Error = descErr
return outcome, descErr
}
if desc.Digest != payload.TargetArtifact.Digest || desc.Size != payload.TargetArtifact.Size ||
(desc.MediaType != "" && desc.MediaType != payload.TargetArtifact.MediaType) {
logger.Infof("payload present in the signature: %+v", payload.TargetArtifact)
logger.Infof("payload derived from the blob: %+v", desc)
outcome.Error = errors.New("integrity check failed. signature does not match the given blob")
}
if len(opts.UserMetadata) > 0 {
err := verifyUserMetadata(logger, payload, opts.UserMetadata)
if err != nil {
outcome.Error = err
}
}
return outcome, outcome.Error
}
// Verify verifies the signature associated to the target OCI
// artifact with manifest descriptor `desc`, and returns the outcome upon
// successful verification.
// If nil signature is present and the verification level is not 'skip',
@ -197,11 +351,11 @@ func (v *verifier) Verify(ctx context.Context, desc ocispec.Descriptor, signatur
logger := log.GetLogger(ctx)
logger.Debugf("Verify signature against artifact %v referenced as %s in signature media type %v", desc.Digest, artifactRef, envelopeMediaType)
if v.trustPolicyDoc == nil {
return nil, errors.New("trustPolicyDoc is nil")
if v.ociTrustPolicyDoc == nil {
return nil, errors.New("ociTrustPolicyDoc is nil")
}
trustPolicy, err := v.trustPolicyDoc.GetApplicableTrustPolicy(artifactRef)
trustPolicy, err := v.ociTrustPolicyDoc.GetApplicableTrustPolicy(artifactRef)
if err != nil {
return nil, notation.ErrorNoApplicableTrustPolicy{Msg: err.Error()}
}
@ -928,9 +1082,6 @@ func verifyTimestamp(ctx context.Context, policyName string, trustStores []strin
if err != nil {
return fmt.Errorf("failed to verify the timestamp countersignature with error: %w", err)
}
if !timestamp.BoundedAfter(signerInfo.SignedAttributes.SigningTime) {
return fmt.Errorf("timestamp %s is not bounded after the signing time %q", timestamp.Format(time.RFC3339), signerInfo.SignedAttributes.SigningTime)
}
// 3. Validate timestamping certificate chain
logger.Debug("Validating timestamping certificate chain...")

611
verifier/verifier_test.go
View File

@ -18,11 +18,13 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"net/http"
"os"
"path/filepath"
"reflect"
"strconv"
"testing"
"time"
@ -32,8 +34,10 @@ import (
"github.com/notaryproject/notation-core-go/revocation"
"github.com/notaryproject/notation-core-go/revocation/purpose"
"github.com/notaryproject/notation-core-go/revocation/result"
revocationresult "github.com/notaryproject/notation-core-go/revocation/result"
"github.com/notaryproject/notation-core-go/signature"
_ "github.com/notaryproject/notation-core-go/signature/cose"
"github.com/notaryproject/notation-core-go/signature/jws"
"github.com/notaryproject/notation-core-go/testhelper"
corex509 "github.com/notaryproject/notation-core-go/x509"
"github.com/notaryproject/notation-go"
@ -45,16 +49,45 @@ import (
"github.com/notaryproject/notation-go/signer"
"github.com/notaryproject/notation-go/verifier/trustpolicy"
"github.com/notaryproject/notation-go/verifier/truststore"
"github.com/opencontainers/go-digest"
ocispec "github.com/opencontainers/image-spec/specs-go/v1"
)
var policy = dummyPolicyDocument()
var invalidPolicy = dummyInvalidPolicyDocument()
var testSig = `{"payload":"eyJ0YXJnZXRBcnRpZmFjdCI6eyJhbm5vdGF0aW9ucyI6eyJidWlsZElkIjoiMTAxIn0sImRpZ2VzdCI6InNoYTM4NDpiOGFiMjRkYWZiYTVjZjdlNGM4OWM1NjJmODExY2YxMDQ5M2Q0MjAzZGE5ODJkM2IxMzQ1ZjM2NmNhODYzZDljMmVkMzIzZGJkMGZiN2ZmODNhODAzMDJjZWZmYTVhNjEiLCJtZWRpYVR5cGUiOiJ2aWRlby9tcDQiLCJzaXplIjoxMn19","protected":"eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSI6Im5vdGFyeS54NTA5IiwiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1RpbWUiOiIyMDI0LTA0LTA0VDE1OjAzOjA2LTA3OjAwIn0","header":{"x5c":["MIIEbTCCAtWgAwIBAgICAK0wDQYJKoZIhvcNAQELBQAwZDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxJTAjBgNVBAMTHE5vdGF0aW9uIEV4YW1wbGUgc2VsZi1zaWduZWQwIBcNMjQwNDA0MjIwMzA1WhgPMjEyNDA0MDQyMjAzMDVaMGQxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEPMA0GA1UEChMGTm90YXJ5MSUwIwYDVQQDExxOb3RhdGlvbiBFeGFtcGxlIHNlbGYtc2lnbmVkMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0dXD9UqzZcGlBlvPHO2uf+Sel/xwf/eOMS6Q30GV6JPeu9czLmyR0YMfC6P0N4zDzVYYZtQLkS5lalTMGX9A3yj9aXtXvtoYtLx2mF1CfdQJMcrT63wVVTWiPPe2JT8KHkkiACzVY6LTwc4s+DIAw9Gv21Uu6bFy4WWlGMp8UwTucR0JqaFoXzB6vxVRTkK8RRLM9Pj0hM5NwobpuZ+pc+ZS/7PhdvQHVzHeLLV9S7fHxw3n1c0ti8VUjSPSqCIEqOL3Eu/0pWMXB2A1xzn3RBfnzZMD3Tw3ksFgLMVzblhv41c6gr4cgjaS4wWwUvq9Xndd7Io8QNvxyiRDX5cHwQSEOmDfmegTIaLR0dKfvjY4ZJq8Y1DnaXU4RD6XeihtZykMlx7nTUyZZXpQ1akjh3VMzPykJ4mIknHh02zGRT9ZE8E1kYzRWhU/0MAzVrTTFHpric6jO459ouTnQXFjKwAcoD5+bNY6TuhC18iar7+l4BPPI1mFuqETnMfkkJQZAgMBAAGjJzAlMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAYEAe5wyQPo+h1Yk2PkaA5aJKuU8azF2pTLfhQwAn/1XqPcmhNQuomOP0waoBsh+6sexfIDZaNuJ+zZUxqYHke/23+768SMiJCpuJfion3ak3Ka/IVNz48G0V+V+Vog+elkZzpdUQd30njLVcoQsihp0I/Gs3pnG2SeHmsdvYVuzycdYWTt5BFu4N8VWg4x4pfRMgDG7HGxRAacz2vTdqAx6rpWjO4xc0ZO8iUKjAeKHc7RuSx2dhUaRP9P8G8NBNtG6xNnbXIEjH6kP05srFRZ2jxm1an7sjsOpbBdIDztc0J+cb5yjBx7zo1OzWcmDUqMEXDR/WoygPzwhhHvWWvTqwVSEUvYnSaI6wxyHGxPFuX3+vCEZxU8NEGIuJtfYXWeo9cev5+PqjDgVu0uCWF53ZFsXNWbpff1qpG/CgrpFh3vN6uquMK9H5zaJBKr0GZFUsNRB1S8cUBgcjIZlWv3wrJQaOIFzF4RFO9dsYcG/b7ubdqSNGe4qfbsyuWf+1xsx"],"io.cncf.notary.signingAgent":"example signing agent"},"signature":"WMtF0u9GnQxJCpgrcxKZtNKNf3fvu2vnvOjd_2vQvjB4I9YKRYDQdr1q0AC0rU9b5aAGqP6Uh3jTbPkHHmOzGhXhRtidunfzOAeC6dPinR_RlnVMnVUY4cimZZG6Tg2tlgqGazgdzphnuZQpxUnK5mSInnWztXz_1-l_UJdPII49loJVE23hvWKDp8xOvMLftFXFlCYF9wE1ecTsYEAdrgB_XurFqbhhfeNcYie02aSMXfN0-ip9MHlIPhGrrOKLVm0w_S3nNBnuHHZ5lARgTm7tHtiNC0XxGCCk8qqteRZ4Vm2VM_UFMVOpdfh5KE_iTzmPCiHfNOJfgmvg5nysL1XUwGJ_KzCkPfY1Hq_4k73lia6RS6NSl1bSQ_s3uMBm3nx74WCmjK89RAihMIQ6s0PmUKQoWsIZ_5lWZ6uFW6LreoYyBFwvVVsSGSUx54-Gh76bwrt75va2VHpolSEXdhjcTK0KgscKLjU-LYDA_JD6AUaCi3WzMnpMSnO-9u_G"}`
var trustedCert = `-----BEGIN CERTIFICATE-----
MIIEbTCCAtWgAwIBAgICAK0wDQYJKoZIhvcNAQELBQAwZDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3Rhcnkx
JTAjBgNVBAMTHE5vdGF0aW9uIEV4YW1wbGUgc2VsZi1zaWduZWQwIBcNMjQwNDA0
MjIwMzA1WhgPMjEyNDA0MDQyMjAzMDVaMGQxCzAJBgNVBAYTAlVTMQswCQYDVQQI
EwJXQTEQMA4GA1UEBxMHU2VhdHRsZTEPMA0GA1UEChMGTm90YXJ5MSUwIwYDVQQD
ExxOb3RhdGlvbiBFeGFtcGxlIHNlbGYtc2lnbmVkMIIBojANBgkqhkiG9w0BAQEF
AAOCAY8AMIIBigKCAYEA0dXD9UqzZcGlBlvPHO2uf+Sel/xwf/eOMS6Q30GV6JPe
u9czLmyR0YMfC6P0N4zDzVYYZtQLkS5lalTMGX9A3yj9aXtXvtoYtLx2mF1CfdQJ
McrT63wVVTWiPPe2JT8KHkkiACzVY6LTwc4s+DIAw9Gv21Uu6bFy4WWlGMp8UwTu
cR0JqaFoXzB6vxVRTkK8RRLM9Pj0hM5NwobpuZ+pc+ZS/7PhdvQHVzHeLLV9S7fH
xw3n1c0ti8VUjSPSqCIEqOL3Eu/0pWMXB2A1xzn3RBfnzZMD3Tw3ksFgLMVzblhv
41c6gr4cgjaS4wWwUvq9Xndd7Io8QNvxyiRDX5cHwQSEOmDfmegTIaLR0dKfvjY4
ZJq8Y1DnaXU4RD6XeihtZykMlx7nTUyZZXpQ1akjh3VMzPykJ4mIknHh02zGRT9Z
E8E1kYzRWhU/0MAzVrTTFHpric6jO459ouTnQXFjKwAcoD5+bNY6TuhC18iar7+l
4BPPI1mFuqETnMfkkJQZAgMBAAGjJzAlMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUE
DDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAYEAe5wyQPo+h1Yk2PkaA5aJ
KuU8azF2pTLfhQwAn/1XqPcmhNQuomOP0waoBsh+6sexfIDZaNuJ+zZUxqYHke/2
3+768SMiJCpuJfion3ak3Ka/IVNz48G0V+V+Vog+elkZzpdUQd30njLVcoQsihp0
I/Gs3pnG2SeHmsdvYVuzycdYWTt5BFu4N8VWg4x4pfRMgDG7HGxRAacz2vTdqAx6
rpWjO4xc0ZO8iUKjAeKHc7RuSx2dhUaRP9P8G8NBNtG6xNnbXIEjH6kP05srFRZ2
jxm1an7sjsOpbBdIDztc0J+cb5yjBx7zo1OzWcmDUqMEXDR/WoygPzwhhHvWWvTq
wVSEUvYnSaI6wxyHGxPFuX3+vCEZxU8NEGIuJtfYXWeo9cev5+PqjDgVu0uCWF53
ZFsXNWbpff1qpG/CgrpFh3vN6uquMK9H5zaJBKr0GZFUsNRB1S8cUBgcjIZlWv3w
rJQaOIFzF4RFO9dsYcG/b7ubdqSNGe4qfbsyuWf+1xsx
-----END CERTIFICATE-----`
var ociPolicy = dummyOCIPolicyDocument()
var blobPolicy = dummyBlobPolicyDocument()
var store = truststore.NewX509TrustStore(dir.ConfigFS())
var pm = mock.PluginManager{}
func TestNewVerifier_Error(t *testing.T) {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
_, err := New(&policyDocument, nil, nil)
expectedErr := errors.New("trustStore cannot be nil")
if err == nil || err.Error() != expectedErr.Error() {
@ -62,31 +95,10 @@ func TestNewVerifier_Error(t *testing.T) {
}
}
func TestNewFromConfig(t *testing.T) {
tempRoot := t.TempDir()
dir.UserConfigDir = tempRoot
expectedErrMsg := "trust policy is not present. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy"
_, err := NewFromConfig()
if err == nil || err.Error() != expectedErrMsg {
t.Fatalf("expected %s, but got %s", expectedErrMsg, err)
}
path := filepath.Join(tempRoot, "trustpolicy.json")
policyJson, _ := json.Marshal(dummyPolicyDocument())
if err := os.WriteFile(path, policyJson, 0600); err != nil {
t.Fatal(err)
}
t.Cleanup(func() { os.RemoveAll(tempRoot) })
_, err = NewFromConfig()
if err != nil {
t.Fatal(err)
}
}
func TestInvalidArtifactUriValidations(t *testing.T) {
verifier := verifier{
trustPolicyDoc: &policy,
pluginManager: mock.PluginManager{},
ociTrustPolicyDoc: &ociPolicy,
pluginManager: mock.PluginManager{},
}
tests := []struct {
@ -116,12 +128,12 @@ func TestInvalidArtifactUriValidations(t *testing.T) {
func TestErrorNoApplicableTrustPolicy_Error(t *testing.T) {
verifier := verifier{
trustPolicyDoc: &policy,
pluginManager: mock.PluginManager{},
ociTrustPolicyDoc: &ociPolicy,
pluginManager: mock.PluginManager{},
}
opts := notation.VerifierVerifyOptions{ArtifactReference: "non-existent-domain.com/repo@sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333"}
_, err := verifier.Verify(context.Background(), ocispec.Descriptor{}, []byte{}, opts)
if !errors.Is(err, notation.ErrorNoApplicableTrustPolicy{Msg: "artifact \"non-existent-domain.com/repo@sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333\" has no applicable trust policy statement. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy"}) {
if !errors.Is(err, notation.ErrorNoApplicableTrustPolicy{Msg: "artifact \"non-existent-domain.com/repo@sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333\" has no applicable oci trust policy statement. Trust policy applicability for a given artifact is determined by registryScopes. To create a trust policy, see: https://notaryproject.dev/docs/quickstart/#create-a-trust-policy"}) {
t.Fatalf("no applicable trust policy must throw error")
}
}
@ -160,7 +172,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Unsupported Signature Envelope
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
expectedErr := fmt.Errorf("unable to parse the digital signature, error : signature envelope format with media type \"application/unsupported+json\" is not supported")
testCases = append(testCases, testCase{
verificationType: trustpolicy.TypeIntegrity,
@ -173,7 +185,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Integrity Success
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
testCases = append(testCases, testCase{
signatureBlob: validSigEnv,
verificationType: trustpolicy.TypeIntegrity,
@ -185,7 +197,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Integrity Failure
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
expectedErr := fmt.Errorf("signature is invalid. Error: illegal base64 data at input byte 242")
testCases = append(testCases, testCase{
signatureBlob: invalidSigEnv,
@ -199,7 +211,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Authenticity Success
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument() // trust store is configured with the root certificate of the signature by default
policyDocument := dummyOCIPolicyDocument() // trust store is configured with the root certificate of the signature by default
testCases = append(testCases, testCase{
signatureBlob: validSigEnv,
verificationType: trustpolicy.TypeAuthenticity,
@ -211,9 +223,9 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Authenticity Failure
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
policyDocument.TrustPolicies[0].TrustStores = []string{"ca:valid-trust-store-2", "signingAuthority:valid-trust-store-2"} // trust store is not configured with the root certificate of the signature
expectedErr := fmt.Errorf("signature is not produced by a trusted signer")
expectedErr := fmt.Errorf("the signature's certificate chain does not contain any trusted certificate")
testCases = append(testCases, testCase{
signatureBlob: validSigEnv,
verificationType: trustpolicy.TypeAuthenticity,
@ -226,7 +238,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Authenticity Failure with trust store missing separator
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
policyDocument.TrustPolicies[0].TrustStores = []string{"ca:valid-trust-store-2", "signingAuthority"}
expectedErr := fmt.Errorf("error while loading the trust store, trust policy statement \"test-statement-name\" is missing separator in trust store value \"signingAuthority\". The required format is <TrustStoreType>:<TrustStoreName>")
testCases = append(testCases, testCase{
@ -241,7 +253,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// TrustedIdentity Failure
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
policyDocument.TrustPolicies[0].TrustedIdentities = []string{"x509.subject:CN=LOL,O=DummyOrg,L=Hyderabad,ST=TG,C=IN"} // configure policy to not trust "CN=Notation Test Leaf Cert,O=Notary,L=Seattle,ST=WA,C=US" which is the subject of the signature's signing certificate
expectedErr := fmt.Errorf("signing certificate from the digital signature does not match the X.509 trusted identities [map[\"C\":\"IN\" \"CN\":\"LOL\" \"L\":\"Hyderabad\" \"O\":\"DummyOrg\" \"ST\":\"TG\"]] defined in the trust policy \"test-statement-name\"")
testCases = append(testCases, testCase{
@ -256,7 +268,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// TrustedIdentity Failure without separator
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
policyDocument.TrustPolicies[0].TrustedIdentities = []string{"x509.subject"}
expectedErr := fmt.Errorf("trust policy statement \"test-statement-name\" has trusted identity \"x509.subject\" missing separator")
testCases = append(testCases, testCase{
@ -271,7 +283,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// TrustedIdentity Failure with empty value
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
policyDocument.TrustPolicies[0].TrustedIdentities = []string{"x509.subject:"}
expectedErr := fmt.Errorf("trust policy statement \"test-statement-name\" has trusted identity \"x509.subject:\" without an identity value")
testCases = append(testCases, testCase{
@ -286,7 +298,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Expiry Success
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
testCases = append(testCases, testCase{
signatureBlob: validSigEnv,
verificationType: trustpolicy.TypeExpiry,
@ -298,7 +310,7 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
// Expiry Failure
for _, level := range verificationLevels {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
expectedErr := fmt.Errorf("digital signature has expired on \"Fri, 29 Jul 2022 23:59:00 +0000\"")
testCases = append(testCases, testCase{
signatureBlob: expiredSigEnv,
@ -330,10 +342,10 @@ func assertNotationVerification(t *testing.T, scheme signature.SigningScheme) {
t.Fatalf("unexpected error while creating revocation object: %v", err)
}
verifier := verifier{
trustPolicyDoc: &tt.policyDocument,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &tt.policyDocument,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
}
outcome, _ := verifier.Verify(context.Background(), ocispec.Descriptor{}, tt.signatureBlob, tt.opts)
verifyResult(outcome, expectedResult, tt.expectedErr, t)
@ -381,7 +393,7 @@ func TestVerifyRevocationEnvelope(t *testing.T) {
t.Run("enforced revoked cert", func(t *testing.T) {
testedLevel := trustpolicy.LevelStrict
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].SignatureVerification.VerificationLevel = testedLevel.Name
policyDoc.TrustPolicies[0].SignatureVerification.Override = map[trustpolicy.ValidationType]trustpolicy.ValidationAction{
trustpolicy.TypeAuthenticity: trustpolicy.ActionLog,
@ -397,10 +409,10 @@ func TestVerifyRevocationEnvelope(t *testing.T) {
dir.UserConfigDir = "testdata"
verifier := verifier{
trustPolicyDoc: &policyDoc,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDoc,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
}
outcome, err := verifier.Verify(context.Background(), desc, envelopeBlob, opts)
if err == nil || err.Error() != expectedErr.Error() {
@ -410,7 +422,7 @@ func TestVerifyRevocationEnvelope(t *testing.T) {
})
t.Run("log revoked cert", func(t *testing.T) {
testedLevel := trustpolicy.LevelStrict
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].SignatureVerification.VerificationLevel = testedLevel.Name
policyDoc.TrustPolicies[0].SignatureVerification.Override = map[trustpolicy.ValidationType]trustpolicy.ValidationAction{
trustpolicy.TypeAuthenticity: trustpolicy.ActionLog,
@ -426,10 +438,10 @@ func TestVerifyRevocationEnvelope(t *testing.T) {
dir.UserConfigDir = "testdata"
verifier := verifier{
trustPolicyDoc: &policyDoc,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDoc,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
}
ctx := context.Background()
outcome, err := verifier.Verify(ctx, desc, envelopeBlob, opts)
@ -440,7 +452,7 @@ func TestVerifyRevocationEnvelope(t *testing.T) {
})
t.Run("skip revoked cert", func(t *testing.T) {
testedLevel := trustpolicy.LevelStrict
policyDoc := dummyPolicyDocument()
policyDoc := dummyOCIPolicyDocument()
policyDoc.TrustPolicies[0].SignatureVerification.VerificationLevel = testedLevel.Name
policyDoc.TrustPolicies[0].SignatureVerification.Override = map[trustpolicy.ValidationType]trustpolicy.ValidationAction{
trustpolicy.TypeAuthenticity: trustpolicy.ActionLog,
@ -450,10 +462,10 @@ func TestVerifyRevocationEnvelope(t *testing.T) {
dir.UserConfigDir = "testdata"
verifier := verifier{
trustPolicyDoc: &policyDoc,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDoc,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
}
outcome, err := verifier.Verify(context.Background(), desc, envelopeBlob, opts)
if err != nil {
@ -702,56 +714,92 @@ func TestVerifyRevocation(t *testing.T) {
}
func TestNew(t *testing.T) {
if _, err := New(&policy, store, pm); err != nil {
if _, err := New(&ociPolicy, store, pm); err != nil {
t.Fatalf("expected New constructor to succeed, but got %v", err)
}
}
func TestNewWithOptions(t *testing.T) {
if _, err := NewWithOptions(&policy, store, pm, VerifierOptions{}); err != nil {
t.Fatalf("expected NewWithOptions constructor to succeed, but got %v", err)
}
r, err := revocation.New(&http.Client{})
if err != nil {
t.Fatalf("unexpected error while creating revocation object: %v", err)
}
opts := VerifierOptions{RevocationClient: r}
_, err = NewWithOptions(&policy, store, pm, opts)
if err != nil {
t.Fatalf("expected NewWithOptions constructor to succeed, but got %v", err)
}
revocationCodeSigningValidator, err := revocation.NewWithOptions(revocation.Options{
OCSPHTTPClient: &http.Client{},
CertChainPurpose: purpose.CodeSigning,
})
if err != nil {
t.Fatal(err)
}
revocationTimestampingValidator, err := revocation.NewWithOptions(revocation.Options{
OCSPHTTPClient: &http.Client{},
CertChainPurpose: purpose.Timestamping,
})
if err != nil {
t.Fatal(err)
}
opts.RevocationCodeSigningValidator = revocationCodeSigningValidator
opts.RevocationTimestampingValidator = revocationTimestampingValidator
_, err = NewWithOptions(&policy, store, pm, opts)
if err != nil {
t.Fatalf("expected NewWithOptions constructor to succeed, but got %v", err)
}
opts.RevocationClient = nil
_, err = NewWithOptions(&policy, store, pm, opts)
if err != nil {
if _, err := NewWithOptions(&ociPolicy, store, pm, VerifierOptions{}); err != nil {
t.Fatalf("expected NewWithOptions constructor to succeed, but got %v", err)
}
}
func TestNewWithOptionsError(t *testing.T) {
func TestNewVerifierWithOptions(t *testing.T) {
r, err := revocation.New(&http.Client{})
if err != nil {
t.Fatalf("unexpected error while creating revocation object: %v", err)
}
v, err := NewVerifierWithOptions(store, VerifierOptions{
RevocationClient: r,
OCITrustPolicy: &ociPolicy,
BlobTrustPolicy: &blobPolicy,
PluginManager: pm,
})
if err != nil {
t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err)
}
if !(v.ociTrustPolicyDoc == &ociPolicy) {
t.Fatalf("expected ociTrustPolicyDoc %v, but got %v", v, v.ociTrustPolicyDoc)
}
if !(v.trustStore == store) {
t.Fatalf("expected trustStore %v, but got %v", store, v.trustStore)
}
if !reflect.DeepEqual(v.pluginManager, pm) {
t.Fatalf("expected pluginManager %v, but got %v", pm, v.pluginManager)
}
if v.revocationClient == nil {
t.Fatal("expected nonnil revocationClient")
}
if v.revocationCodeSigningValidator != nil {
t.Fatal("expected nil revocationCodeSigningValidator")
}
_, err = NewVerifierWithOptions(store, VerifierOptions{
RevocationClient: r,
BlobTrustPolicy: &blobPolicy,
PluginManager: pm,
})
if err != nil {
t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err)
}
_, err = NewVerifierWithOptions(store, VerifierOptions{
RevocationClient: r,
OCITrustPolicy: &ociPolicy,
PluginManager: pm,
})
if err != nil {
t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err)
}
_, err = NewVerifierWithOptions(store, VerifierOptions{
OCITrustPolicy: &ociPolicy,
PluginManager: pm,
})
if err != nil {
t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err)
}
csValidator, err := revocation.NewWithOptions(revocation.Options{})
if err != nil {
t.Fatal(err)
}
v, err = NewVerifierWithOptions(store, VerifierOptions{
RevocationCodeSigningValidator: csValidator,
OCITrustPolicy: &ociPolicy,
PluginManager: pm,
})
if err != nil {
t.Fatalf("expected NewVerifierWithOptions constructor to succeed, but got %v", err)
}
if v.revocationCodeSigningValidator == nil {
t.Fatal("expected v.revocationCodeSigningValidator to be non-nil")
}
}
func TestNewVerifierWithOptionsError(t *testing.T) {
r, err := revocation.New(&http.Client{})
if err != nil {
t.Fatalf("unexpected error while creating revocation object: %v", err)
@ -763,28 +811,174 @@ func TestNewWithOptionsError(t *testing.T) {
if err != nil {
t.Fatalf("unexpected error while creating revocation timestamp object: %v", err)
}
opts := VerifierOptions{
_, err = NewVerifierWithOptions(store, VerifierOptions{
RevocationClient: r,
RevocationTimestampingValidator: rt,
PluginManager: pm,
})
if err == nil || err.Error() != "ociTrustPolicy and blobTrustPolicy both cannot be nil" {
t.Errorf("expected err but not found.")
}
_, err = NewWithOptions(nil, store, pm, opts)
expectedErrMsg := "trustPolicy cannot be nil"
if err == nil || err.Error() != expectedErrMsg {
t.Errorf("expected %s, but got %s", expectedErrMsg, err)
_, err = NewVerifierWithOptions(nil, VerifierOptions{
RevocationClient: r,
RevocationTimestampingValidator: rt,
OCITrustPolicy: &ociPolicy,
BlobTrustPolicy: &blobPolicy,
PluginManager: pm,
})
if err == nil || err.Error() != "trustStore cannot be nil" {
t.Errorf("expected err but not found.")
}
}
func TestNewOCIVerifierFromConfig(t *testing.T) {
defer func(oldUserConfigDir string) {
dir.UserConfigDir = oldUserConfigDir
}(dir.UserConfigDir)
tempRoot := t.TempDir()
dir.UserConfigDir = tempRoot
path := filepath.Join(tempRoot, "trustpolicy.oci.json")
policyJson, _ := json.Marshal(dummyOCIPolicyDocument())
if err := os.WriteFile(path, policyJson, 0600); err != nil {
t.Fatalf("TestLoadOCIDocument write policy file failed. Error: %v", err)
}
t.Cleanup(func() { os.RemoveAll(tempRoot) })
_, err := NewOCIVerifierFromConfig()
if err != nil {
t.Fatalf("expected NewOCIVerifierFromConfig constructor to succeed, but got %v", err)
}
}
func TestNewBlobVerifierFromConfig(t *testing.T) {
defer func(oldUserConfigDir string) {
dir.UserConfigDir = oldUserConfigDir
}(dir.UserConfigDir)
tempRoot := t.TempDir()
dir.UserConfigDir = tempRoot
path := filepath.Join(tempRoot, "trustpolicy.blob.json")
policyJson, _ := json.Marshal(dummyBlobPolicyDocument())
if err := os.WriteFile(path, policyJson, 0600); err != nil {
t.Fatalf("TestLoadBlobDocument write policy file failed. Error: %v", err)
}
t.Cleanup(func() { os.RemoveAll(tempRoot) })
_, err := NewBlobVerifierFromConfig()
if err != nil {
t.Fatalf("expected NewBlobVerifierFromConfig constructor to succeed, but got %v", err)
}
}
func TestVerifyBlob(t *testing.T) {
policy := &trustpolicy.BlobDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.BlobTrustPolicy{
{
Name: "blob-test-policy",
SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: "strict"},
TrustStores: []string{"ca:dummy-ts"},
TrustedIdentities: []string{"*"},
},
},
}
v, err := NewVerifierWithOptions(&testTrustStore{}, VerifierOptions{
BlobTrustPolicy: policy,
PluginManager: pm,
})
if err != nil {
t.Fatalf("unexpected error while creating verifier: %v", err)
}
_, err = NewWithOptions(&policy, nil, pm, opts)
expectedErrMsg = "trustStore cannot be nil"
if err == nil || err.Error() != expectedErrMsg {
t.Errorf("expected %s, but got %s", expectedErrMsg, err)
opts := notation.BlobVerifierVerifyOptions{
SignatureMediaType: jws.MediaTypeEnvelope,
TrustPolicyName: "blob-test-policy",
}
descGenFunc := getTestDescGenFunc(false, "")
t.Run("without user defined metadata", func(t *testing.T) {
// verify with
if _, err = v.VerifyBlob(context.Background(), descGenFunc, []byte(testSig), opts); err != nil {
t.Fatalf("VerifyBlob() returned unexpected error: %v", err)
}
})
t.Run("with user defined metadata", func(t *testing.T) {
opts.UserMetadata = map[string]string{"buildId": "101"}
if _, err = v.VerifyBlob(context.Background(), descGenFunc, []byte(testSig), opts); err != nil {
t.Fatalf("VerifyBlob() with user metadata returned unexpected error: %v", err)
}
})
t.Run("trust policy set to skip", func(t *testing.T) {
policy.TrustPolicies[0].SignatureVerification = trustpolicy.SignatureVerification{VerificationLevel: "skip"}
opts.UserMetadata = map[string]string{"buildId": "101"}
if _, err = v.VerifyBlob(context.Background(), descGenFunc, []byte(testSig), opts); err != nil {
t.Fatalf("VerifyBlob() with user metadata returned unexpected error: %v", err)
}
})
}
func TestVerifyBlob_Error(t *testing.T) {
policy := &trustpolicy.BlobDocument{
Version: "1.0",
TrustPolicies: []trustpolicy.BlobTrustPolicy{
{
Name: "blob-test-policy",
SignatureVerification: trustpolicy.SignatureVerification{VerificationLevel: "strict"},
TrustStores: []string{"ca:dummy-ts"},
TrustedIdentities: []string{"*"},
},
},
}
v, err := NewVerifierWithOptions(&testTrustStore{}, VerifierOptions{
BlobTrustPolicy: policy,
PluginManager: pm,
})
if err != nil {
t.Fatalf("unexpected error while creating verifier: %v", err)
}
_, err = NewWithOptions(&invalidPolicy, store, pm, opts)
expectedErrMsg = "trust policy document has empty version, version must be specified"
if err == nil || err.Error() != expectedErrMsg {
t.Errorf("expected %s, but got %s", expectedErrMsg, err)
opts := notation.BlobVerifierVerifyOptions{
SignatureMediaType: jws.MediaTypeEnvelope,
TrustPolicyName: "blob-test-policy",
}
t.Run("BlobDescriptorGenerator returns error", func(t *testing.T) {
descGenFunc := getTestDescGenFunc(true, "")
_, err = v.VerifyBlob(context.Background(), descGenFunc, []byte(testSig), opts)
if err == nil || err.Error() != "failed to generate descriptor for given artifact. Error: intentional test desc generation error" {
t.Errorf("VerifyBlob() didn't return error or didnt returned expected error: %v", err)
}
})
t.Run("descriptor mismatch returns error", func(t *testing.T) {
descGenFunc := getTestDescGenFunc(false, "sha384:b8ab24dafba5cf7e4c89c562f811cf10493d4203da982d3b1345f366ca863d9c2ed323dbd0fb7ff83a80302ceffa5a62")
_, err = v.VerifyBlob(context.Background(), descGenFunc, []byte(testSig), opts)
if err == nil || err.Error() != "integrity check failed. signature does not match the given blob" {
t.Errorf("VerifyBlob() didn't return error or didnt returned expected error: %v", err)
}
})
t.Run("signature malformed returns error", func(t *testing.T) {
descGenFunc := getTestDescGenFunc(false, "")
_, err = v.VerifyBlob(context.Background(), descGenFunc, []byte(""), opts)
if err == nil || err.Error() != "unable to parse the digital signature, error : unexpected end of JSON input" {
t.Errorf("VerifyBlob() didn't return error or didnt returned expected error: %v", err)
}
})
t.Run("user defined metadata mismatch returns error", func(t *testing.T) {
descGenFunc := getTestDescGenFunc(false, "")
opts.UserMetadata = map[string]string{"buildId": "zzz"}
_, err = v.VerifyBlob(context.Background(), descGenFunc, []byte(testSig), opts)
if err == nil || err.Error() != "unable to find specified metadata in the signature" {
t.Fatalf("VerifyBlob() with user metadata returned unexpected error: %v", err)
}
})
}
func TestVerificationPluginInteractions(t *testing.T) {
@ -800,7 +994,7 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
pluginSigEnv = mock.MockSaPluginSigEnv
}
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
dir.UserConfigDir = "testdata"
x509TrustStore := truststore.NewX509TrustStore(dir.ConfigFS())
@ -813,10 +1007,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
t.Fatalf("unexpected error while creating revocation object: %v", err)
}
v := verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts := notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err := v.Verify(context.Background(), ocispec.Descriptor{}, pluginSigEnv, opts)
@ -829,10 +1023,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
pluginManager.PluginCapabilities = []proto.Capability{proto.CapabilitySignatureGenerator}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), ocispec.Descriptor{}, pluginSigEnv, opts)
@ -853,10 +1047,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), mock.ImageDescriptor, pluginSigEnv, opts)
@ -878,10 +1072,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), ocispec.Descriptor{}, pluginSigEnv, opts)
@ -902,10 +1096,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), mock.ImageDescriptor, pluginSigEnv, opts)
@ -927,10 +1121,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), ocispec.Descriptor{}, pluginSigEnv, opts)
@ -954,10 +1148,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), mock.ImageDescriptor, pluginSigEnv, opts)
@ -972,10 +1166,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
pluginManager.PluginRunnerExecuteError = errors.New("revocation plugin should not be invoked when the trust policy skips revocation check")
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
trustPolicy, err := (&policyDocument).GetApplicableTrustPolicy(opts.ArtifactReference)
@ -999,10 +1193,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
pluginManager.PluginRunnerExecuteError = errors.New("invalid plugin response")
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
trustPolicy, err = (&policyDocument).GetApplicableTrustPolicy(opts.ArtifactReference)
@ -1032,10 +1226,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), mock.ImageDescriptor, pluginSigEnv, opts)
@ -1052,10 +1246,10 @@ func assertPluginVerification(scheme signature.SigningScheme, t *testing.T) {
}
v = verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts = notation.VerifierVerifyOptions{ArtifactReference: mock.SampleArtifactUri, SignatureMediaType: "application/jose+json"}
outcome, err = v.Verify(context.Background(), mock.ImageDescriptor, pluginSigEnv, opts)
@ -1103,7 +1297,7 @@ func TestVerifyX509TrustedIdentities(t *testing.T) {
}
func TestVerifyUserMetadata(t *testing.T) {
policyDocument := dummyPolicyDocument()
policyDocument := dummyOCIPolicyDocument()
policyDocument.TrustPolicies[0].SignatureVerification.VerificationLevel = trustpolicy.LevelAudit.Name
pluginManager := mock.PluginManager{}
@ -1114,10 +1308,10 @@ func TestVerifyUserMetadata(t *testing.T) {
t.Fatalf("unexpected error while creating revocation object: %v", err)
}
verifier := verifier{
trustPolicyDoc: &policyDocument,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: truststore.NewX509TrustStore(dir.ConfigFS()),
pluginManager: pluginManager,
revocationClient: revocationClient,
}
tests := []struct {
@ -1183,10 +1377,10 @@ func TestPluginVersionCompatibility(t *testing.T) {
t.Fatalf("unexpected error while creating revocation object: %v", err)
}
v := verifier{
trustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
ociTrustPolicyDoc: &policyDocument,
trustStore: x509TrustStore,
pluginManager: pluginManager,
revocationClient: revocationClient,
}
opts := notation.VerifierVerifyOptions{ArtifactReference: "localhost:5000/net-monitor@sha256:fe7e9333395060c2f5e63cf36a38fba10176f183b4163a5794e081a480abba5f", SignatureMediaType: "application/jose+json"}
@ -1239,15 +1433,15 @@ func TestIsRequiredVerificationPluginVer(t *testing.T) {
}
func TestRevocationFinalResult(t *testing.T) {
certResult := []*result.CertRevocationResult{
certResult := []*revocationresult.CertRevocationResult{
{
// update leaf cert result in each sub-test
},
{
Result: result.ResultNonRevokable,
ServerResults: []*result.ServerResult{
Result: revocationresult.ResultNonRevokable,
ServerResults: []*revocationresult.ServerResult{
{
Result: result.ResultNonRevokable,
Result: revocationresult.ResultNonRevokable,
},
},
},
@ -1265,12 +1459,12 @@ func TestRevocationFinalResult(t *testing.T) {
},
}
t.Run("OCSP error without fallback", func(t *testing.T) {
certResult[0] = &result.CertRevocationResult{
Result: result.ResultUnknown,
ServerResults: []*result.ServerResult{
certResult[0] = &revocationresult.CertRevocationResult{
Result: revocationresult.ResultUnknown,
ServerResults: []*revocationresult.ServerResult{
{
Server: "http://ocsp.example.com",
Result: result.ResultUnknown,
Result: revocationresult.ResultUnknown,
Error: errors.New("ocsp error"),
RevocationMethod: result.RevocationMethodOCSP,
},
@ -1278,23 +1472,23 @@ func TestRevocationFinalResult(t *testing.T) {
}
finalResult, problematicCertSubject := revocationFinalResult(certResult, certChain, log.Discard)
if finalResult != result.ResultUnknown || problematicCertSubject != "CN=leafCert" {
if finalResult != revocationresult.ResultUnknown || problematicCertSubject != "CN=leafCert" {
t.Fatalf("unexpected final result: %v, problematic cert subject: %s", finalResult, problematicCertSubject)
}
})
t.Run("OCSP error with fallback", func(t *testing.T) {
certResult[0] = &result.CertRevocationResult{
Result: result.ResultOK,
ServerResults: []*result.ServerResult{
certResult[0] = &revocationresult.CertRevocationResult{
Result: revocationresult.ResultOK,
ServerResults: []*revocationresult.ServerResult{
{
Server: "http://ocsp.example.com",
Result: result.ResultUnknown,
Result: revocationresult.ResultUnknown,
Error: errors.New("ocsp error"),
RevocationMethod: result.RevocationMethodOCSP,
},
{
Result: result.ResultOK,
Result: revocationresult.ResultOK,
Server: "http://crl.example.com",
RevocationMethod: result.RevocationMethodCRL,
},
@ -1303,23 +1497,23 @@ func TestRevocationFinalResult(t *testing.T) {
}
finalResult, problematicCertSubject := revocationFinalResult(certResult, certChain, log.Discard)
if finalResult != result.ResultOK || problematicCertSubject != "" {
if finalResult != revocationresult.ResultOK || problematicCertSubject != "" {
t.Fatalf("unexpected final result: %v, problematic cert subject: %s", finalResult, problematicCertSubject)
}
})
t.Run("OCSP error with fallback and CRL error", func(t *testing.T) {
certResult[0] = &result.CertRevocationResult{
Result: result.ResultUnknown,
ServerResults: []*result.ServerResult{
certResult[0] = &revocationresult.CertRevocationResult{
Result: revocationresult.ResultUnknown,
ServerResults: []*revocationresult.ServerResult{
{
Server: "http://ocsp.example.com",
Result: result.ResultUnknown,
Result: revocationresult.ResultUnknown,
Error: errors.New("ocsp error"),
RevocationMethod: result.RevocationMethodOCSP,
},
{
Result: result.ResultUnknown,
Result: revocationresult.ResultUnknown,
Error: errors.New("crl error"),
RevocationMethod: result.RevocationMethodCRL,
},
@ -1328,17 +1522,17 @@ func TestRevocationFinalResult(t *testing.T) {
}
finalResult, problematicCertSubject := revocationFinalResult(certResult, certChain, log.Discard)
if finalResult != result.ResultUnknown || problematicCertSubject != "CN=leafCert" {
if finalResult != revocationresult.ResultUnknown || problematicCertSubject != "CN=leafCert" {
t.Fatalf("unexpected final result: %v, problematic cert subject: %s", finalResult, problematicCertSubject)
}
})
t.Run("revocation method unknown error(should never reach here)", func(t *testing.T) {
certResult[0] = &result.CertRevocationResult{
Result: result.ResultUnknown,
ServerResults: []*result.ServerResult{
certResult[0] = &revocationresult.CertRevocationResult{
Result: revocationresult.ResultUnknown,
ServerResults: []*revocationresult.ServerResult{
{
Result: result.ResultUnknown,
Result: revocationresult.ResultUnknown,
Error: errors.New("unknown error"),
RevocationMethod: result.RevocationMethodUnknown,
},
@ -1346,7 +1540,7 @@ func TestRevocationFinalResult(t *testing.T) {
}
finalResult, problematicCertSubject := revocationFinalResult(certResult, certChain, log.Discard)
if finalResult != result.ResultUnknown || problematicCertSubject != "CN=leafCert" {
if finalResult != revocationresult.ResultUnknown || problematicCertSubject != "CN=leafCert" {
t.Fatalf("unexpected final result: %v, problematic cert subject: %s", finalResult, problematicCertSubject)
}
})
@ -1374,3 +1568,32 @@ func verifyResult(outcome *notation.VerificationOutcome, expectedResult notation
t.Fatalf("assertion failed. expected : %v got : %v", expectedErr, outcome.Error)
}
}
// testTrustStore implements [truststore.X509TrustStore] and returns the trusted certificates for a given trust-store.
type testTrustStore struct{}
func (ts *testTrustStore) GetCertificates(_ context.Context, _ truststore.Type, _ string) ([]*x509.Certificate, error) {
block, _ := pem.Decode([]byte(trustedCert))
cert, _ := x509.ParseCertificate(block.Bytes)
return []*x509.Certificate{cert}, nil
}
func getTestDescGenFunc(returnErr bool, customDigest digest.Digest) notation.BlobDescriptorGenerator {
return func(digest.Algorithm) (ocispec.Descriptor, error) {
var err error = nil
if returnErr {
err = errors.New("intentional test desc generation error")
}
var expDigest digest.Digest = "sha384:b8ab24dafba5cf7e4c89c562f811cf10493d4203da982d3b1345f366ca863d9c2ed323dbd0fb7ff83a80302ceffa5a61"
if customDigest != "" {
expDigest = customDigest
}
return ocispec.Descriptor{
MediaType: "video/mp4",
Digest: expDigest,
Size: 12,
}, err
}
}