-
Notifications
You must be signed in to change notification settings - Fork 537
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Split apart
fulcioverifier
for transparency log verification. (#660)
Split off a new constructor for the fulcio signer that performs transparency log verification. This simplifies the tests a bit because they no longer need to mock out `VerifySCT`. However, the main purpose of this change is to enable folks to vendor `fulcio.NewSigner` without pulling in ~600k LoC of dependencies, since the CT stuff pulls in trillian, prometheus, envoy's go controlplane stuff, ... Signed-off-by: Matt Moore <mattomata@gmail.com>
- Loading branch information
Showing
6 changed files
with
112 additions
and
45 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
// | ||
// Copyright 2021 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package fulcio_test | ||
|
||
import ( | ||
"testing" | ||
|
||
"knative.dev/pkg/depcheck" | ||
) | ||
|
||
func TestNoDeps(t *testing.T) { | ||
depcheck.AssertNoDependency(t, map[string][]string{ | ||
"github.com/sigstore/cosign/cmd/cosign/cli/fulcio": { | ||
// Avoid pulling in a variety of things that are massive dependencies. | ||
"github.com/google/certificate-transparency-go", | ||
"github.com/google/trillian", | ||
"github.com/envoyproxy/go-control-plane", | ||
"github.com/gogo/protobuf/protoc-gen-gogo", | ||
"github.com/grpc-ecosystem/go-grpc-middleware", | ||
"github.com/jhump/protoreflect", | ||
}, | ||
}) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
// | ||
// Copyright 2021 The Sigstore Authors. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package fulcioverifier | ||
|
||
import ( | ||
"context" | ||
_ "embed" // To enable the `go:embed` directive. | ||
"encoding/json" | ||
"fmt" | ||
"os" | ||
|
||
ct "github.com/google/certificate-transparency-go" | ||
"github.com/google/certificate-transparency-go/ctutil" | ||
ctx509 "github.com/google/certificate-transparency-go/x509" | ||
"github.com/google/certificate-transparency-go/x509util" | ||
"github.com/pkg/errors" | ||
"github.com/sigstore/cosign/cmd/cosign/cli/fulcio" | ||
"github.com/sigstore/cosign/pkg/cosign" | ||
fulcioClient "github.com/sigstore/fulcio/pkg/generated/client" | ||
) | ||
|
||
// This is the CT log public key | ||
//go:embed ctfe.pub | ||
var ctPublicKey string | ||
|
||
// verifySCT verifies the SCT against the Fulcio CT log public key | ||
// The SCT is a `Signed Certificate Timestamp`, which promises that | ||
// the certificate issued by Fulcio was also added to the public CT log within | ||
// some defined time period | ||
func verifySCT(certPEM, rawSCT []byte) error { | ||
pubKey, err := cosign.PemToECDSAKey([]byte(ctPublicKey)) | ||
if err != nil { | ||
return err | ||
} | ||
cert, err := x509util.CertificateFromPEM(certPEM) | ||
if err != nil { | ||
return err | ||
} | ||
var sct ct.SignedCertificateTimestamp | ||
if err := json.Unmarshal(rawSCT, &sct); err != nil { | ||
return errors.Wrap(err, "unmarshal") | ||
} | ||
return ctutil.VerifySCT(pubKey, []*ctx509.Certificate{cert}, &sct, false) | ||
} | ||
|
||
func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID string, fClient *fulcioClient.Fulcio) (*fulcio.Signer, error) { | ||
fs, err := fulcio.NewSigner(ctx, idToken, oidcIssuer, oidcClientID, fClient) | ||
if err != nil { | ||
return nil, err | ||
} | ||
|
||
// verify the sct | ||
if err := verifySCT(fs.Cert, fs.SCT); err != nil { | ||
return nil, errors.Wrap(err, "verifying SCT") | ||
} | ||
fmt.Fprintln(os.Stderr, "Successfully verified SCT...") | ||
|
||
return fs, nil | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters