Merge pull request #18 from alopez-suse/main

becitsthere · web-flow · commit e7ef42844717 · 2024-02-07T09:09:01.000-08:00
NVSHAS-8377: implement RootlessKeypairsOnly flag
diff --git a/main.go b/main.go
@@ -30,11 +30,12 @@ type Configuration struct {
 }
 
 type RootOfTrust struct {
-	Name           string     `json:"Name"`
-	RekorPublicKey string     `json:"RekorPublicKey"`
-	RootCert       string     `json:"RootCert"`
-	SCTPublicKey   string     `json:"SCTPublicKey"`
-	Verifiers      []Verifier `json:"Verifiers"`
+	Name                 string     `json:"Name"`
+	RootlessKeypairsOnly bool       `json:"RootlessKeypairsOnly"`
+	RekorPublicKey       string     `json:"RekorPublicKey"`
+	RootCert             string     `json:"RootCert"`
+	SCTPublicKey         string     `json:"SCTPublicKey"`
+	Verifiers            []Verifier `json:"Verifiers"`
 }
 
 func (r *RootOfTrust) IsPublic() bool {
@@ -191,10 +192,14 @@ func verify(imgDigest v1.Hash, rootOfTrust RootOfTrust, sigs []oci.Signature, pr
 }
 
 func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust RootOfTrust, proxy Proxy, ctx context.Context) (err error) {
+	if rootOfTrust.RootlessKeypairsOnly {
+		return nil
+	}
+
 	// rekor public keys
 	rekorKeyCollection := cosign.NewTrustedTransparencyLogPubKeys()
-	if rootOfTrust.RekorPublicKey == "" {
-		rekorKeyTargets, err := GetTargets(sigtuf.Rekor, proxy)
+	if rootOfTrust.IsPublic() {
+		rekorKeyTargets, err := GetSigstorePublicTufTargets(sigtuf.Rekor, proxy)
 		if err != nil {
 			return fmt.Errorf("could not retrieve rekor tuf targets: %s", err.Error())
 		}
@@ -203,7 +208,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 				return fmt.Errorf("could not add public root of trust rekor public key to collection: %w", err)
 			}
 		}
-	} else {
+	} else if rootOfTrust.RekorPublicKey != "" {
 		if err := rekorKeyCollection.AddTransparencyLogPubKey([]byte(rootOfTrust.RekorPublicKey), sigtuf.Active); err != nil {
 			return fmt.Errorf("could not add custom root of trust rekor public key to collection: %w", err)
 		}
@@ -233,8 +238,8 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 		}
 		cosignOptions.RootCerts = rootPool
 		cosignOptions.IntermediateCerts = intermediatePool
-	} else {
-		targetCertificates, err := GetTargets(sigtuf.Fulcio, proxy)
+	} else if rootOfTrust.IsPublic() {
+		targetCertificates, err := GetSigstorePublicTufTargets(sigtuf.Fulcio, proxy)
 		// certificates, err := GetPublicRootOfTrustFulcioCertificates(proxy)
 		if err != nil {
 			return fmt.Errorf("could not retrieve public root of trust fulcio certificates: %s", err.Error())
@@ -263,8 +268,8 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 
 	// sct public keys
 	sctKeyCollection := cosign.NewTrustedTransparencyLogPubKeys()
-	if rootOfTrust.SCTPublicKey == "" {
-		sctKeyTargets, err := GetTargets(sigtuf.CTFE, proxy)
+	if rootOfTrust.IsPublic() {
+		sctKeyTargets, err := GetSigstorePublicTufTargets(sigtuf.CTFE, proxy)
 		if err != nil {
 			return fmt.Errorf("could not retrieve ctfe tuf targets: %s", err.Error())
 		}
@@ -273,7 +278,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro
 				return fmt.Errorf("could not add public root of trust sct public key to collection: %w", err)
 			}
 		}
-	} else {
+	} else if rootOfTrust.SCTPublicKey != "" {
 		if err := sctKeyCollection.AddTransparencyLogPubKey([]byte(rootOfTrust.SCTPublicKey), sigtuf.Active); err != nil {
 			return fmt.Errorf("could not add custom root of trust sct public key to collection: %w", err)
 		}
@@ -291,6 +296,12 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier
 			return fmt.Errorf("could not load PEM encoded public key of verifier %s under %s: %s", verifier.Name, rootOfTrust.Name, err.Error())
 		}
 	case "keyless":
+		if rootOfTrust.RootlessKeypairsOnly {
+			return fmt.Errorf("cannot use keyless verifier for root of trust with field RootlessKeypairsOnly set to true")
+		}
+		if rootOfTrust.RootCert == "" && !rootOfTrust.IsPublic() {
+			return fmt.Errorf("cannot use keyless verifier %s with private root of trust without root cert", verifier.Name)
+		}
 		cosignOptions.Identities = []cosign.Identity{
 			{
 				Issuer:  verifier.KeylessOptions.CertIssuer,
@@ -309,5 +320,9 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier
 			cosignOptions.IgnoreSCT = true
 		}
 	}
+	if rootOfTrust.RootlessKeypairsOnly {
+		cosignOptions.IgnoreSCT = true
+		cosignOptions.IgnoreTlog = true
+	}
 	return nil
 }
diff --git a/public_root_of_trust.go b/public_root_of_trust.go
@@ -25,7 +25,7 @@ func (d inMemoryDest) Delete() error {
 	panic("inMemoryDest delete function should not run")
 }
 
-func GetTargets(usage sigtuf.UsageKind, proxy Proxy) ([]sigtuf.TargetFile, error) {
+func GetSigstorePublicTufTargets(usage sigtuf.UsageKind, proxy Proxy) ([]sigtuf.TargetFile, error) {
 	// client initialization
 	httpClient := &http.Client{
 		Timeout: 20 * time.Second,

Original file line number	Diff line number	Diff line change
`@@ -30,11 +30,12 @@ type Configuration struct {`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`type RootOfTrust struct {`
`33`		- Name string `json:"Name"`
`34`		- RekorPublicKey string `json:"RekorPublicKey"`
`35`		- RootCert string `json:"RootCert"`
`36`		- SCTPublicKey string `json:"SCTPublicKey"`
`37`		- Verifiers []Verifier `json:"Verifiers"`
	`33`	+ Name string `json:"Name"`
	`34`	+ RootlessKeypairsOnly bool `json:"RootlessKeypairsOnly"`
	`35`	+ RekorPublicKey string `json:"RekorPublicKey"`
	`36`	+ RootCert string `json:"RootCert"`
	`37`	+ SCTPublicKey string `json:"SCTPublicKey"`
	`38`	+ Verifiers []Verifier `json:"Verifiers"`
`38`	`39`	`}`
`39`	`40`
`40`	`41`	`func (r *RootOfTrust) IsPublic() bool {`
`@@ -191,10 +192,14 @@ func verify(imgDigest v1.Hash, rootOfTrust RootOfTrust, sigs []oci.Signature, pr`
`191`	`192`	`}`
`192`	`193`
`193`	`194`	`func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust RootOfTrust, proxy Proxy, ctx context.Context) (err error) {`
	`195`	`+ if rootOfTrust.RootlessKeypairsOnly {`
	`196`	`+ return nil`
	`197`	`+ }`
	`198`	`+`
`194`	`199`	`// rekor public keys`
`195`	`200`	`rekorKeyCollection := cosign.NewTrustedTransparencyLogPubKeys()`
`196`		`- if rootOfTrust.RekorPublicKey == "" {`
`197`		`- rekorKeyTargets, err := GetTargets(sigtuf.Rekor, proxy)`
	`201`	`+ if rootOfTrust.IsPublic() {`
	`202`	`+ rekorKeyTargets, err := GetSigstorePublicTufTargets(sigtuf.Rekor, proxy)`
`198`	`203`	`if err != nil {`
`199`	`204`	`return fmt.Errorf("could not retrieve rekor tuf targets: %s", err.Error())`
`200`	`205`	`}`
`@@ -203,7 +208,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro`
`203`	`208`	`return fmt.Errorf("could not add public root of trust rekor public key to collection: %w", err)`
`204`	`209`	`}`
`205`	`210`	`}`
`206`		`- } else {`
	`211`	`+ } else if rootOfTrust.RekorPublicKey != "" {`
`207`	`212`	`if err := rekorKeyCollection.AddTransparencyLogPubKey([]byte(rootOfTrust.RekorPublicKey), sigtuf.Active); err != nil {`
`208`	`213`	`return fmt.Errorf("could not add custom root of trust rekor public key to collection: %w", err)`
`209`	`214`	`}`
`@@ -233,8 +238,8 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro`
`233`	`238`	`}`
`234`	`239`	`cosignOptions.RootCerts = rootPool`
`235`	`240`	`cosignOptions.IntermediateCerts = intermediatePool`
`236`		`- } else {`
`237`		`- targetCertificates, err := GetTargets(sigtuf.Fulcio, proxy)`
	`241`	`+ } else if rootOfTrust.IsPublic() {`
	`242`	`+ targetCertificates, err := GetSigstorePublicTufTargets(sigtuf.Fulcio, proxy)`
`238`	`243`	`// certificates, err := GetPublicRootOfTrustFulcioCertificates(proxy)`
`239`	`244`	`if err != nil {`
`240`	`245`	`return fmt.Errorf("could not retrieve public root of trust fulcio certificates: %s", err.Error())`
`@@ -263,8 +268,8 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro`
`263`	`268`
`264`	`269`	`// sct public keys`
`265`	`270`	`sctKeyCollection := cosign.NewTrustedTransparencyLogPubKeys()`
`266`		`- if rootOfTrust.SCTPublicKey == "" {`
`267`		`- sctKeyTargets, err := GetTargets(sigtuf.CTFE, proxy)`
	`271`	`+ if rootOfTrust.IsPublic() {`
	`272`	`+ sctKeyTargets, err := GetSigstorePublicTufTargets(sigtuf.CTFE, proxy)`
`268`	`273`	`if err != nil {`
`269`	`274`	`return fmt.Errorf("could not retrieve ctfe tuf targets: %s", err.Error())`
`270`	`275`	`}`
`@@ -273,7 +278,7 @@ func setRootOfTrustCosignOptions(cosignOptions *cosign.CheckOpts, rootOfTrust Ro`
`273`	`278`	`return fmt.Errorf("could not add public root of trust sct public key to collection: %w", err)`
`274`	`279`	`}`
`275`	`280`	`}`
`276`		`- } else {`
	`281`	`+ } else if rootOfTrust.SCTPublicKey != "" {`
`277`	`282`	`if err := sctKeyCollection.AddTransparencyLogPubKey([]byte(rootOfTrust.SCTPublicKey), sigtuf.Active); err != nil {`
`278`	`283`	`return fmt.Errorf("could not add custom root of trust sct public key to collection: %w", err)`
`279`	`284`	`}`
`@@ -291,6 +296,12 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier`
`291`	`296`	`return fmt.Errorf("could not load PEM encoded public key of verifier %s under %s: %s", verifier.Name, rootOfTrust.Name, err.Error())`
`292`	`297`	`}`
`293`	`298`	`case "keyless":`
	`299`	`+ if rootOfTrust.RootlessKeypairsOnly {`
	`300`	`+ return fmt.Errorf("cannot use keyless verifier for root of trust with field RootlessKeypairsOnly set to true")`
	`301`	`+ }`
	`302`	`+ if rootOfTrust.RootCert == "" && !rootOfTrust.IsPublic() {`
	`303`	`+ return fmt.Errorf("cannot use keyless verifier %s with private root of trust without root cert", verifier.Name)`
	`304`	`+ }`
`294`	`305`	`cosignOptions.Identities = []cosign.Identity{`
`295`	`306`	`{`
`296`	`307`	`Issuer: verifier.KeylessOptions.CertIssuer,`
`@@ -309,5 +320,9 @@ func setVerifierCosignOptions(cosignOptions *cosign.CheckOpts, verifier Verifier`
`309`	`320`	`cosignOptions.IgnoreSCT = true`
`310`	`321`	`}`
`311`	`322`	`}`
	`323`	`+ if rootOfTrust.RootlessKeypairsOnly {`
	`324`	`+ cosignOptions.IgnoreSCT = true`
	`325`	`+ cosignOptions.IgnoreTlog = true`
	`326`	`+ }`
`312`	`327`	`return nil`
`313`	`328`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ func (d inMemoryDest) Delete() error {`
`25`	`25`	`panic("inMemoryDest delete function should not run")`
`26`	`26`	`}`
`27`	`27`
`28`		`-func GetTargets(usage sigtuf.UsageKind, proxy Proxy) ([]sigtuf.TargetFile, error) {`
	`28`	`+func GetSigstorePublicTufTargets(usage sigtuf.UsageKind, proxy Proxy) ([]sigtuf.TargetFile, error) {`
`29`	`29`	`// client initialization`
`30`	`30`	`httpClient := &http.Client{`
`31`	`31`	`Timeout: 20 * time.Second,`