Implement generate signature plugin workflow

jws.go

@@ -0,0 +1,91 @@
+package notation
+
+const (
+	// MediaTypeJWSEnvelope describes the media type of the JWS envelope.
+	MediaTypeJWSEnvelope = "application/vnd.cncf.notary.v2.jws.v1"
+)
+
+// JWSPayload contains the set of claims used by Notary V2.
+type JWSPayload struct {
+	// Private claim.
+	Subject Descriptor `json:"subject"`
+
+	// Identifies the number of seconds since Epoch at which the signature was issued.
+	IssuedAt int64 `json:"iat"`
+
+	// Identifies the number of seconds since Epoch at which the signature must not be considered valid.
+	ExpiresAt int64 `json:"exp,omitempty"`
+}
+
+// JWSProtectedHeader contains the set of protected headers.
+type JWSProtectedHeader struct {
+	// Defines which algorithm was used to generate the signature.
+	Algorithm string `json:"alg"`
+
+	// Media type of the secured content (the payload).
+	ContentType string `json:"cty"`
+}
+
+// JWSUnprotectedHeader contains the set of unprotected headers.
+type JWSUnprotectedHeader struct {
+	// RFC3161 time stamp token Base64-encoded.
+	TimeStampToken []byte `json:"timestamp,omitempty"`
+
+	// List of X.509 Base64-DER-encoded certificates
+	// as defined at https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6.
+	CertChain [][]byte `json:"x5c"`
+}
+
+// JWSEnvelope is the final signature envelope.
+type JWSEnvelope struct {
+	// JWSPayload Base64URL-encoded.
+	Payload string `json:"payload"`
+
+	// JWSProtectedHeader Base64URL-encoded.
+	Protected string `json:"protected"`
+
+	// Signature metadata that is not integrity protected
+	Header JWSUnprotectedHeader `json:"header"`
+
+	// Base64URL-encoded signature.
+	Signature string `json:"signature"`
+}
+
+// JWS returns the JWS algorithm name.
+func (s SignatureAlgorithm) JWS() string {
+	switch s {
+	case RSASSA_PSS_SHA_256:
+		return "PS256"
+	case RSASSA_PSS_SHA_384:
+		return "PS384"
+	case RSASSA_PSS_SHA_512:
+		return "PS512"
+	case ECDSA_SHA_256:
+		return "ES256"
+	case ECDSA_SHA_384:
+		return "ES384"
+	case ECDSA_SHA_512:
+		return "ES512"
+	}
+	return ""
+}
+
+// NewSignatureAlgorithmJWS returns the algorithm associated to alg.
+// It returns an empty string if alg is not supported.
+func NewSignatureAlgorithmJWS(alg string) SignatureAlgorithm {
+	switch alg {
+	case "PS256":
+		return RSASSA_PSS_SHA_256
+	case "PS384":
+		return RSASSA_PSS_SHA_384
+	case "PS512":
+		return RSASSA_PSS_SHA_512
+	case "ES256":
+		return ECDSA_SHA_256
+	case "ES384":
+		return ECDSA_SHA_384
+	case "ES512":
+		return ECDSA_SHA_512
+	}
+	return ""
+}

notation.go

@@ -2,6 +2,7 @@ package notation
 
 import (
 	"context"
+	"crypto"
 	"crypto/x509"
 	"time"
 
@@ -11,16 +12,16 @@ import (
 
 // Descriptor describes the content signed or to be signed.
 type Descriptor struct {
-	// MediaType is the media type of the targeted content.
+	// The media type of the targeted content.
 	MediaType string `json:"mediaType"`
 
-	// Digest is the digest of the targeted content.
+	// The digest of the targeted content.
 	Digest digest.Digest `json:"digest"`
 
-	// Size specifies the size in bytes of the blob.
+	// Specifies the size in bytes of the blob.
 	Size int64 `json:"size"`
 
-	// Annotations contains optional user defined attributes.
+	// Contains optional user defined attributes.
 	Annotations map[string]string `json:"annotations,omitempty"`
 }
 
@@ -42,11 +43,9 @@ type SignOptions struct {
 	// the certificates in the fetched timestamp signature.
 	// An empty list of `KeyUsages` in the verify options implies ExtKeyUsageTimeStamping.
 	TSAVerifyOptions x509.VerifyOptions
-}
 
-// Validate does basic validation on SignOptions.
-func (opts SignOptions) Validate() error {
-	return nil
+	// Sets or overrides the plugin configuration.
+	PluginConfig map[string]string
 }
 
 // Signer is a generic interface for signing an artifact.
@@ -78,3 +77,83 @@ type Service interface {
 	Signer
 	Verifier
 }
+
+// KeySpec defines a key type and size.
+type KeySpec string
+
+// One of following supported specs
+// https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection
+const (
+	RSA_2048 KeySpec = "RSA_2048"
+	RSA_3072 KeySpec = "RSA_3072"
+	RSA_4096 KeySpec = "RSA_4096"
+	EC_256   KeySpec = "EC_256"
+	EC_384   KeySpec = "EC_384"
+	EC_512   KeySpec = "EC_512"
+)
+
+// SignatureAlgorithm returns the signing algorithm associated with KeyType k.
+func (k KeySpec) SignatureAlgorithm() SignatureAlgorithm {
+	switch k {
+	case RSA_2048:
+		return RSASSA_PSS_SHA_256
+	case RSA_3072:
+		return RSASSA_PSS_SHA_384
+	case RSA_4096:
+		return RSASSA_PSS_SHA_512
+	case EC_256:
+		return ECDSA_SHA_256
+	case EC_384:
+		return ECDSA_SHA_384
+	case EC_512:
+		return ECDSA_SHA_512
+	}
+	return ""
+}
+
+// HashAlgorithm algorithm associated with the key spec.
+type HashAlgorithm string
+
+const (
+	SHA256 HashAlgorithm = "SHA_256"
+	SHA384 HashAlgorithm = "SHA_384"
+	SHA512 HashAlgorithm = "SHA_512"
+)
+
+// HashFunc returns the Hash associated k.
+func (h HashAlgorithm) HashFunc() crypto.Hash {
+	switch h {
+	case SHA256:
+		return crypto.SHA256
+	case SHA384:
+		return crypto.SHA384
+	case SHA512:
+		return crypto.SHA512
+	}
+	return 0
+}
+
+// SignatureAlgorithm defines the supported signature algorithms.
+type SignatureAlgorithm string
+
+const (
+	RSASSA_PSS_SHA_256 SignatureAlgorithm = "RSASSA_PSS_SHA_256"
+	RSASSA_PSS_SHA_384 SignatureAlgorithm = "RSASSA_PSS_SHA_384"
+	RSASSA_PSS_SHA_512 SignatureAlgorithm = "RSASSA_PSS_SHA_512"
+	ECDSA_SHA_256      SignatureAlgorithm = "ECDSA_SHA_256"
+	ECDSA_SHA_384      SignatureAlgorithm = "ECDSA_SHA_384"
+	ECDSA_SHA_512      SignatureAlgorithm = "ECDSA_SHA_512"
+)
+
+// Hash returns the Hash associated s.
+func (s SignatureAlgorithm) Hash() HashAlgorithm {
+	switch s {
+	case RSASSA_PSS_SHA_256, ECDSA_SHA_256:
+		return SHA256
+	case RSASSA_PSS_SHA_384, ECDSA_SHA_384:
+		return SHA384
+	case RSASSA_PSS_SHA_512, ECDSA_SHA_512:
+		return SHA512
+	}
+	return ""
+}

plugin/errors.go

@@ -52,6 +52,19 @@ func (e RequestError) Unwrap() error {
 	return e.Err
 }
 
+func (e RequestError) Is(target error) bool {
+	if et, ok := target.(RequestError); ok {
+		if e.Code != et.Code {
+			return false
+		}
+		if e.Err == et.Err {
+			return true
+		}
+		return e.Err != nil && et.Err != nil && e.Err.Error() == et.Err.Error()
+	}
+	return false
+}
+
 func (e RequestError) MarshalJSON() ([]byte, error) {
 	var msg string
 	if e.Err != nil {
@@ -69,6 +82,9 @@ func (e *RequestError) UnmarshalJSON(data []byte) error {
 	if tmp.Code == "" && tmp.Message == "" && tmp.Metadata == nil {
 		return errors.New("incomplete json")
 	}
-	*e = RequestError{tmp.Code, errors.New(tmp.Message), tmp.Metadata}
+	*e = RequestError{Code: tmp.Code, Metadata: tmp.Metadata}
+	if tmp.Message != "" {
+		e.Err = errors.New(tmp.Message)
+	}
 	return nil
 }

plugin/errors_test.go

@@ -88,3 +88,29 @@ func TestRequestError_UnmarshalJSON(t *testing.T) {
 		})
 	}
 }
+
+func TestRequestError_Is(t *testing.T) {
+	type args struct {
+		target error
+	}
+	tests := []struct {
+		name string
+		e    RequestError
+		args args
+		want bool
+	}{
+		{"nil", RequestError{}, args{nil}, false},
+		{"not same type", RequestError{Err: errors.New("foo")}, args{errors.New("foo")}, false},
+		{"only same code", RequestError{Code: ErrorCodeGeneric, Err: errors.New("foo")}, args{RequestError{Code: ErrorCodeGeneric, Err: errors.New("bar")}}, false},
+		{"only same message", RequestError{Code: ErrorCodeTimeout, Err: errors.New("foo")}, args{RequestError{Code: ErrorCodeGeneric, Err: errors.New("foo")}}, false},
+		{"same with nil message", RequestError{Code: ErrorCodeGeneric}, args{RequestError{Code: ErrorCodeGeneric}}, true},
+		{"same", RequestError{Code: ErrorCodeGeneric, Err: errors.New("foo")}, args{RequestError{Code: ErrorCodeGeneric, Err: errors.New("foo")}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := tt.e.Is(tt.args.target); got != tt.want {
+				t.Errorf("RequestError.Is() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

plugin/manager/integration_test.go

@@ -1,4 +1,4 @@
-package manager
+package manager_test
 
 import (
 	"context"
@@ -7,9 +7,11 @@ import (
 	"os/exec"
 	"path/filepath"
 	"reflect"
+	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-go/plugin"
+	"github.com/notaryproject/notation-go/plugin/manager"
 )
 
 func preparePlugin(t *testing.T) string {
@@ -53,7 +55,7 @@ func TestIntegration(t *testing.T) {
 		t.Skip()
 	}
 	root := preparePlugin(t)
-	mgr := &Manager{rootedFS{os.DirFS(root), root}, execCommander{}}
+	mgr := manager.New(root)
 	p, err := mgr.Get(context.Background(), "foo")
 	if err != nil {
 		t.Fatal(err)
@@ -71,8 +73,19 @@ func TestIntegration(t *testing.T) {
 	if !reflect.DeepEqual(list[0].Metadata, p.Metadata) {
 		t.Errorf("Manager.List() got %v, want %v", list[0], p)
 	}
-	_, err = mgr.Run(context.Background(), "foo", plugin.CommandGetMetadata, nil)
+	r, err := mgr.Runner("foo")
 	if err != nil {
 		t.Fatal(err)
 	}
+	_, err = r.Run(context.Background(), plugin.GetMetadataRequest{})
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func addExeSuffix(s string) string {
+	if runtime.GOOS == "windows" {
+		s += ".exe"
+	}
+	return s
 }