cosign

package
v2.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 6, 2023 License: Apache-2.0 Imports: 68 Imported by: 64

Documentation

Index

Constants

View Source 
const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)
View Source 
const (
	CosignPrivateKeyPemType   = "ENCRYPTED COSIGN PRIVATE KEY"
	SigstorePrivateKeyPemType = "ENCRYPTED SIGSTORE PRIVATE KEY"
	// PEM-encoded PKCS #1 RSA private key
	RSAPrivateKeyPemType = "RSA PRIVATE KEY"
	// PEM-encoded ECDSA private key
	ECPrivateKeyPemType = "EC PRIVATE KEY"
	// PEM-encoded PKCS #8 RSA, ECDSA or ED25519 private key
	PrivateKeyPemType   = "PRIVATE KEY"
	BundleKey           = static.BundleAnnotationKey
	RFC3161TimestampKey = static.RFC3161TimestampAnnotationKey
)

Variables

View Source 
var (
	// Fulcio cert-extensions, documented here: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
	CertExtensionOIDCIssuer               = "1.3.6.1.4.1.57264.1.1"
	CertExtensionGithubWorkflowTrigger    = "1.3.6.1.4.1.57264.1.2"
	CertExtensionGithubWorkflowSha        = "1.3.6.1.4.1.57264.1.3"
	CertExtensionGithubWorkflowName       = "1.3.6.1.4.1.57264.1.4"
	CertExtensionGithubWorkflowRepository = "1.3.6.1.4.1.57264.1.5"
	CertExtensionGithubWorkflowRef        = "1.3.6.1.4.1.57264.1.6"

	CertExtensionMap = map[string]string{
		CertExtensionOIDCIssuer:               "oidcIssuer",
		CertExtensionGithubWorkflowTrigger:    "githubWorkflowTrigger",
		CertExtensionGithubWorkflowSha:        "githubWorkflowSha",
		CertExtensionGithubWorkflowName:       "githubWorkflowName",
		CertExtensionGithubWorkflowRepository: "githubWorkflowRepository",
		CertExtensionGithubWorkflowRef:        "githubWorkflowRef",
	}
)
View Source 
var (
	// NoMatchingAttestations
	ErrNoMatchingAttestationsMessage = "no matching attestations"
	ErrNoMatchingAttestationsType    = "NoMatchingAttestations"

	// NoMatchingSignatures
	ErrNoMatchingSignaturesType    = "NoMatchingSignatures"
	ErrNoMatchingSignaturesMessage = "no matching signatures"

	// NonExistingTagType
	ErrImageTagNotFoundType    = "ImageTagNotFound"
	ErrImageTagNotFoundMessage = "image tag not found"

	// NoSignaturesFound
	ErrNoSignaturesFoundType    = "NoSignaturesFound"
	ErrNoSignaturesFoundMessage = "no signatures found for image"
)

Functions

func CheckCertificatePolicy 

func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error

CheckCertificatePolicy checks that the certificate subject and issuer match the expected values.

func CheckExpiry 

func CheckExpiry(cert *x509.Certificate, it time.Time) error

CheckExpiry confirms the time provided is within the valid period of the cert

func ComputeLeafHash 

func ComputeLeafHash(e *models.LogEntryAnon) ([]byte, error)

func ContainsSCT 

func ContainsSCT(cert []byte) (bool, error)

ContainsSCT checks if the certificate contains embedded SCTs. cert can either be DER or PEM encoded.

func FindTlogEntry 

func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor,
	b64Sig string, payload, pubKey []byte) ([]models.LogEntryAnon, error)

func GeneratePrivateKey 

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

TODO(jason): Move this to an internal package.

func Get 

func Get(ctx context.Context) *client.Rekor

Get extracts the Rekor client from the context. TODO(jason): Rename this to something better than pkg/cosign.Get.

func GetPassFromTerm 

func GetPassFromTerm(confirm bool) ([]byte, error)

TODO(jason): Move this to an internal package.

func GetTlogEntry 

func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, entryUUID string) (*models.LogEntryAnon, error)

func GetTransparencyLogID 

func GetTransparencyLogID(pub crypto.PublicKey) (string, error)

GetTransparencyLogID generates a SHA256 hash of a DER-encoded public key. (see RFC 6962 S3.2) In CT V1 the log id is a hash of the public key.

func IntotoSubjectClaimVerifier 

func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.

func IsTerminal 

func IsTerminal() bool

TODO(jason): Move this to an internal package.

func LoadPrivateKey 

func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)

TODO(jason): Move this to pkg/signature, the only place it's used, and unimport it.

func NewVerificationError 

func NewVerificationError(msg string, args ...interface{}) error

NewVerificationError constructs a new VerificationError in a manner similar to fmt.Errorf

func PemToECDSAKey 

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

TODO(jason): Move this to an internal package.

func Set 

func Set(ctx context.Context, rekorClient *client.Rekor) context.Context

TODO(jason): Rename this to something better than pkg/cosign.Set.

func SimpleClaimVerifier 

func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload 

func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature []byte, sha256CheckSum hash.Hash, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation 

func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.

func TrustedCert 

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool, intermediates *x509.CertPool) ([][]*x509.Certificate, error)

func ValidateAndUnpackCert 

func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Verifier, error)

ValidateAndUnpackCert creates a Verifier from a certificate. Veries that the certificate chains up to a trusted root. Optionally verifies the subject and issuer of the certificate.

func ValidateAndUnpackCertWithChain 

func ValidateAndUnpackCertWithChain(cert *x509.Certificate, chain []*x509.Certificate, co *CheckOpts) (signature.Verifier, error)

ValidateAndUnpackCertWithChain creates a Verifier from a certificate. Verifies that the certificate chains up to the provided root. Chain should start with the parent of the certificate and end with the root. Optionally verifies the subject and issuer of the certificate.

func VerifyBlobAttestation 

func VerifyBlobAttestation(ctx context.Context, att oci.Signature, h v1.Hash, co *CheckOpts) (
	bool, error)

func VerifyBlobSignature 

func VerifyBlobSignature(ctx context.Context, sig oci.Signature, co *CheckOpts) (bundleVerified bool, err error)

VerifyBlobSignature verifies a blob signature.

func VerifyBundle 

func VerifyBundle(sig oci.Signature, co *CheckOpts) (bool, error)

This verifies an offline bundle contained in the sig against the trusted Rekor publicKeys.

func VerifyEmbeddedSCT 

func VerifyEmbeddedSCT(ctx context.Context, chain []*x509.Certificate, pubKeys *TrustedTransparencyLogPubKeys) error

VerifyEmbeddedSCT verifies an embedded SCT in a certificate.

func VerifyImageAttestations 

func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyImageAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.

func VerifyImageSignature 

func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)

VerifyImageSignature verifies a signature

func VerifyImageSignatures 

func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifyLocalImageAttestations 

func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageAttestations verifies attestations from a saved, local image, without any network calls, returning the verified attestations. If there were no valid signatures, we return an error.

func VerifyLocalImageSignatures 

func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageSignatures verifies signatures from a saved, local image, without any network calls, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifyRFC3161Timestamp 

func VerifyRFC3161Timestamp(sig oci.Signature, co *CheckOpts) (*timestamp.Timestamp, error)

VerifyRFC3161Timestamp verifies that the timestamp in sig is correctly signed, and if so, returns the timestamp value. It returns (nil, nil) if there is no timestamp, or (nil, err) if there is an invalid timestamp.

func VerifySCT 

func VerifySCT(_ context.Context, certPEM, chainPEM, rawSCT []byte, pubKeys *TrustedTransparencyLogPubKeys) error

VerifySCT verifies SCTs against the Fulcio CT log public key.

The SCT is a `Signed Certificate Timestamp`, which promises that the certificate issued by Fulcio was also added to the public CT log within some defined time period.

VerifySCT can verify an SCT list embedded in the certificate, or a detached SCT provided by Fulcio.

Note that we can't pass in the CheckOpts here which has both RawSCT and CTLogPubKeys due to import cycle, so they are pulled out from the struct to arguments here.

By default the public keys comes from TUF, but you can override this for test purposes by using an env variable `SIGSTORE_CT_LOG_PUBLIC_KEY_FILE`. If using an alternate, the file can be PEM, or DER format.

func VerifySET 

func VerifySET(bundlePayload cbundle.RekorPayload, signature []byte, pub *ecdsa.PublicKey) error

func VerifyTLogEntryOffline 

func VerifyTLogEntryOffline(ctx context.Context, e *models.LogEntryAnon, rekorPubKeys *TrustedTransparencyLogPubKeys) error

VerifyTLogEntryOffline verifies a TLog entry against a map of trusted rekorPubKeys indexed by log id.

Types

type AttestationPayload 

type AttestationPayload struct {
	PayloadType string       `json:"payloadType"`
	PayLoad     string       `json:"payload"`
	Signatures  []Signatures `json:"signatures"`
}

func FetchAttestationsForReference 

func FetchAttestationsForReference(_ context.Context, ref name.Reference, predicateType string, opts ...ociremote.Option) ([]AttestationPayload, error)

type CertExtensions 

type CertExtensions struct {
	Cert *x509.Certificate
}

func (*CertExtensions) GetCertExtensionGithubWorkflowName 

func (ce *CertExtensions) GetCertExtensionGithubWorkflowName() string

GetCertExtensionGithubWorkflowName returns the GitHub Workflow Name for a Certificate

func (*CertExtensions) GetCertExtensionGithubWorkflowRef 

func (ce *CertExtensions) GetCertExtensionGithubWorkflowRef() string

GetCertExtensionGithubWorkflowRef returns the GitHub Workflow Ref for a Certificate

func (*CertExtensions) GetCertExtensionGithubWorkflowRepository 

func (ce *CertExtensions) GetCertExtensionGithubWorkflowRepository() string

GetCertExtensionGithubWorkflowRepository returns the GitHub Workflow Repository for a Certificate

func (*CertExtensions) GetCertExtensionGithubWorkflowTrigger 

func (ce *CertExtensions) GetCertExtensionGithubWorkflowTrigger() string

GetCertExtensionGithubWorkflowTrigger returns the GitHub Workflow Trigger for a Certificate

func (*CertExtensions) GetExtensionGithubWorkflowSha 

func (ce *CertExtensions) GetExtensionGithubWorkflowSha() string

GetExtensionGithubWorkflowSha returns the GitHub Workflow SHA for a Certificate

func (*CertExtensions) GetIssuer 

func (ce *CertExtensions) GetIssuer() string

GetIssuer returns the issuer for a Certificate

type CheckOpts 

type CheckOpts struct {
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []ociremote.Option

	// Annotations optionally specifies image signature annotations to verify.
	Annotations map[string]interface{}

	// ClaimVerifier, if provided, verifies claims present in the oci.Signature.
	ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

	// RekorClient, if set, is used to make online tlog calls use to verify signatures and public keys.
	RekorClient *client.Rekor
	// RekorPubKeys, if set, is used to validate signatures on log entries from
	// Rekor. It is a map from LogID to crypto.PublicKey. LogID is
	// derived from the PublicKey (see RFC 6962 S3.2).
	// Note that even though the type is of crypto.PublicKey, Rekor only allows
	// for ecdsa.PublicKey: https://github.com/sigstore/cosign/issues/2540
	RekorPubKeys *TrustedTransparencyLogPubKeys

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// IntermediateCerts are the optional intermediate CA certs used to verify a certificate chain.
	IntermediateCerts *x509.CertPool

	// CertGithubWorkflowTrigger is the GitHub Workflow Trigger name expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowTrigger string
	// CertGithubWorkflowSha is the GitHub Workflow SHA expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowSha string
	// CertGithubWorkflowName is the GitHub Workflow Name expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowName string
	// CertGithubWorkflowRepository is the GitHub Workflow Repository  expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowRepository string
	// CertGithubWorkflowRef is the GitHub Workflow Ref expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowRef string

	// IgnoreSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a
	// certificate transparency log.
	IgnoreSCT bool
	// Detached SCT. Optional, as the SCT is usually embedded in the certificate.
	SCT []byte
	// CTLogPubKeys, if set, is used to validate SCTs against those keys.
	// It is a map from log id to LogIDMetadata. It is a map from LogID to crypto.PublicKey. LogID is derived from the PublicKey (see RFC 6962 S3.2).
	CTLogPubKeys *TrustedTransparencyLogPubKeys

	// SignatureRef is the reference to the signature file
	SignatureRef string

	// Identities is an array of Identity (Subject, Issuer) matchers that have
	// to be met for the signature to ve valid.
	Identities []Identity

	// Force offline verification of the signature
	Offline bool

	// Set of flags to verify an RFC3161 timestamp used for trusted timestamping
	// TSACertificate is the certificate used to sign the timestamp. Optional, if provided in the timestamp
	TSACertificate *x509.Certificate
	// TSARootCertificates are the set of roots to verify the TSA certificate
	TSARootCertificates []*x509.Certificate
	// TSAIntermediateCertificates are the set of intermediates for chain building
	TSAIntermediateCertificates []*x509.Certificate

	// IgnoreTlog skip tlog verification
	IgnoreTlog bool
}

CheckOpts are the options for checking signatures.

type Identity 

type Identity struct {
	Issuer        string
	Subject       string
	IssuerRegExp  string
	SubjectRegExp string
}

Identity specifies an issuer/subject to verify a signature against. Both IssuerRegExp/SubjectRegExp support regexp while Issuer/Subject are for strict matching.

type Keys 

type Keys struct {
	// contains filtered or unexported fields
}

type KeysBytes 

type KeysBytes struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

TODO(jason): Move this to an internal package.

func GenerateKeyPair 

func GenerateKeyPair(pf PassFunc) (*KeysBytes, error)

TODO(jason): Move this to an internal package.

func ImportKeyPair 

func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error)

TODO(jason): Move this to the only place it's used in cmd/cosign/cli/importkeypair, and unexport it.

func (*KeysBytes) Password 

func (k *KeysBytes) Password() []byte

type LocalSignedPayload 

type LocalSignedPayload struct {
	Base64Signature string              `json:"base64Signature"`
	Cert            string              `json:"cert,omitempty"`
	Bundle          *bundle.RekorBundle `json:"rekorBundle,omitempty"`
}

func FetchLocalSignedPayloadFromPath 

func FetchLocalSignedPayloadFromPath(path string) (*LocalSignedPayload, error)

FetchLocalSignedPayloadFromPath fetches a local signed payload from a path to a file

type PassFunc 

type PassFunc func(bool) ([]byte, error)

PassFunc is the function to be called to retrieve the signer password. If nil, then it assumes that no password is provided.

type Signatures 

type Signatures struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type SignedPayload 

type SignedPayload struct {
	Base64Signature  string
	Payload          []byte
	Cert             *x509.Certificate
	Chain            []*x509.Certificate
	Bundle           *bundle.RekorBundle
	RFC3161Timestamp *bundle.RFC3161Timestamp
}

func FetchSignaturesForReference 

func FetchSignaturesForReference(_ context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

type TransparencyLogPubKey 

type TransparencyLogPubKey struct {
	PubKey crypto.PublicKey
	Status tuf.StatusKind
}

TransparencyLogPubKey contains the ECDSA verification key and the current status of the key according to TUF metadata, whether it's active or expired.

type TrustedTransparencyLogPubKeys 

type TrustedTransparencyLogPubKeys struct {
	// A map of keys indexed by log ID
	Keys map[string]TransparencyLogPubKey
}

This is a map of TransparencyLog public keys indexed by log ID that's used in verification.

func GetCTLogPubs 

func GetCTLogPubs(ctx context.Context) (*TrustedTransparencyLogPubKeys, error)

GetCTLogPubs retrieves trusted CTLog public keys from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated targets. By default the public keys comes from TUF, but you can override this for test purposes by using an env variable `SIGSTORE_CT_LOG_PUBLIC_KEY_FILE`. If using an alternate, the file can be PEM, or DER format.

func GetRekorPubs 

func GetRekorPubs(ctx context.Context) (*TrustedTransparencyLogPubKeys, error)

GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated targets. There are two Env variable that can be used to override this behaviour: SIGSTORE_REKOR_PUBLIC_KEY - If specified, location of the file that contains the Rekor Public Key on local filesystem

func NewTrustedTransparencyLogPubKeys 

func NewTrustedTransparencyLogPubKeys() TrustedTransparencyLogPubKeys

func (*TrustedTransparencyLogPubKeys) AddTransparencyLogPubKey 

func (t *TrustedTransparencyLogPubKeys) AddTransparencyLogPubKey(pemBytes []byte, status tuf.StatusKind) error

constructRekorPubkey returns a log ID and RekorPubKey from a given byte-array representing the PEM-encoded Rekor key and a status.

type VerificationError 

type VerificationError struct {
	// contains filtered or unexported fields
}

VerificationError is the type of Go error that is used by cosign to surface errors actually related to verification (vs. transient, misconfiguration, transport, or authentication related issues).

func (*VerificationError) Error 

func (ve *VerificationError) Error() string

Error implements error

func (*VerificationError) ErrorType 

func (ve *VerificationError) ErrorType() string

Error implements error

func (*VerificationError) SetErrorType 

func (ve *VerificationError) SetErrorType(errorType string)

Source Files

View all Source files

Directories

Path Synopsis
fulcioverifier
ctutil
Package ctutil contains utilities for Certificate Transparency.
 Package ctutil contains utilities for Certificate Transparency.
git
github
gitlab

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.