Bump sigstore/sigstore-conformance from 0.0.10 to 0.0.11 (#126)

* Bump sigstore/sigstore-conformance from 0.0.10 to 0.0.11 Bumps [sigstore/sigstore-conformance](https://github.com/sigstore/sigstore-conformance) from 0.0.10 to 0.0.11. - [Release notes](https://github.com/sigstore/sigstore-conformance/releases) - [Commits](sigstore/sigstore-conformance@7375951...ee4de0e) --- updated-dependencies: - dependency-name: sigstore/sigstore-conformance dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Add `--staging` support to conformance CLI This is a little silly, as all the staging conformance tests today require the ability to sign, but in the future their could be a verify-only test that uses `--staging`. Adds the staging conformance tests (even though they are all skipped today, see above). Also adds ctlog support for PKCS1_RSA_PKCS1V5, because staging has one! Signed-off-by: Zach Steindler <[email protected]> * Update conformance test driver to better handle bare sigs and certs - Actually perform ctlog verification (like we do for bundles) - Do online verification if trusted root has Rekor entries (again, like we do for bundles) - This isn't strictly necessary for the existing conformance tests to pass, but seems like a good idea Signed-off-by: Zach Steindler <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Zach Steindler <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Zach Steindler <[email protected]>
sigstore · Mar 27, 2024 · 28ec3ea · 28ec3ea
1 parent bb1c453
commit 28ec3ea
Show file tree

Hide file tree

Showing 4 changed files with 172 additions and 18 deletions.
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
@@ -39,7 +39,13 @@ jobs:
 
       - run: go build -o conformance cmd/conformance/main.go
 
-      - uses: sigstore/sigstore-conformance@7375951316d6b28d07f7406c01e1dc7de2a75ce7 # v0.0.10
+      - uses: sigstore/sigstore-conformance@ee4de0e602873beed74cf9e49d5332529fe69bf6 # v0.0.11
         with:
           entrypoint: ${{ github.workspace }}/conformance
           skip-signing: true
+
+      - uses: sigstore/sigstore-conformance@ee4de0e602873beed74cf9e49d5332529fe69bf6 # v0.0.11
+        with:
+          entrypoint: ${{ github.workspace }}/conformance
+          skip-signing: true
+          environment: staging
diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go
@@ -42,11 +42,11 @@ var trustedRootPath *string
 
 func usage() {
 	fmt.Println("Usage:")
-	fmt.Printf("\t%s verify --signature FILE --certificate FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE\n", os.Args[0])
-	fmt.Printf("\t%s verify-bundle --bundle FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] FILE\n", os.Args[0])
+	fmt.Printf("\t%s verify --signature FILE --certificate FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] [--staging] FILE\n", os.Args[0])
+	fmt.Printf("\t%s verify-bundle --bundle FILE --certificate-identity IDENTITY --certificate-oidc-issuer URL [--trusted-root FILE] [--staging] FILE\n", os.Args[0])
 }
 
-func getTrustedRoot() root.TrustedMaterial {
+func getTrustedRoot(staging bool) root.TrustedMaterial {
 	var trustedRootJSON []byte
 	var err error
 
@@ -59,6 +59,18 @@ func getTrustedRoot() root.TrustedMaterial {
 		}
 		opts := tuf.DefaultOptions()
 		opts.CachePath = path.Join(path.Dir(filename), "tufdata")
+
+		if staging {
+			rootPath := path.Join(opts.CachePath, "tuf-repo-cdn.sigstage.dev", "root.json")
+			rootJSON, err := os.ReadFile(rootPath)
+			if err != nil {
+				log.Fatal(err)
+			}
+
+			opts.Root = rootJSON
+			opts.RepositoryBaseURL = "https://tuf-repo-cdn.sigstage.dev"
+		}
+
 		client, err := tuf.New(opts)
 		if err != nil {
 			log.Fatal(err)
@@ -87,6 +99,8 @@ func main() {
 		os.Exit(1)
 	}
 
+	staging := false
+
 	switch os.Args[1] {
 	case "verify":
 		for i := 2; i < len(os.Args); i += 2 {
@@ -101,6 +115,8 @@ func main() {
 				signaturePath = &os.Args[i+1]
 			case "--trusted-root":
 				trustedRootPath = &os.Args[i+1]
+			case "--staging":
+				staging = true
 			}
 		}
 
@@ -169,10 +185,16 @@ func main() {
 		}
 
 		// Load trust root
-		tr := getTrustedRoot()
+		tr := getTrustedRoot(staging)
+
+		verifierConfig := []verify.VerifierOption{}
+		verifierConfig = append(verifierConfig, verify.WithoutAnyObserverTimestampsInsecure(), verify.WithSignedCertificateTimestamps(1))
+		if len(tr.RekorLogs()) > 0 {
+			verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
+		}
 
 		// Verify bundle
-		sev, err := verify.NewSignedEntityVerifier(tr, verify.WithoutAnyObserverTimestampsInsecure())
+		sev, err := verify.NewSignedEntityVerifier(tr, verifierConfig...)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -197,6 +219,8 @@ func main() {
 				certSAN = &os.Args[i+1]
 			case "--trusted-root":
 				trustedRootPath = &os.Args[i+1]
+			case "--staging":
+				staging = true
 			}
 		}
 
@@ -225,7 +249,7 @@ func main() {
 		}
 
 		// Load trust root
-		tr := getTrustedRoot()
+		tr := getTrustedRoot(staging)
 
 		verifierConfig := []verify.VerifierOption{}
 		verifierConfig = append(verifierConfig, verify.WithSignedCertificateTimestamps(1))

diff --git a/cmd/conformance/tufdata/tuf-repo-cdn.sigstage.dev/root.json b/cmd/conformance/tufdata/tuf-repo-cdn.sigstage.dev/root.json
@@ -0,0 +1,111 @@
+{
+ "signatures": [
+  {
+   "keyid": "c8e09a68b5821b75462ae0df52151c81deb7f1838246dc1da8c34cc91ec12bda",
+   "sig": ""
+  },
+  {
+   "keyid": "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93",
+   "sig": "3046022100c406bf33445e40cca35bbefacf68d6fa9ba21261b7654b911143e9ff84868b4302210097c21c9f6365f9a5d2e2ee8a2ef497399b9543fbc68e5edd4df1a1a656f20215"
+  },
+  {
+   "keyid": "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829",
+   "sig": "3046022100d9a533a8f8f795d2e9c13c2fc72236ba96c507cd7e849e98765a56ff7d70f8c40221008df378c7a8bd405f8f9f049a72ba9ec068d248fe7a2c7bf99df1c84caee8b237"
+  },
+  {
+   "keyid": "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5",
+   "sig": "30450220368096120d71d4960100b8aff7bd510b76cdfebd09efb6393cb536c7c9b5a9c0022100c833f941a4d5e670315d7d232c524be72d7d5247d617925417e9fdb887029188"
+  },
+  {
+   "keyid": "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35",
+   "sig": "3045022100ea35c34bae4878eeeb0954d80d8b4db4a23ae15cf210ed39322a74a6e92d607c02207519dd67f5b76dbcafb0f6cb8322c48fd3fa7284c8a741ebec73f35089042046"
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2034-02-25T17:28:20Z",
+  "keys": {
+   "5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAExxmEtmhF5U+i+v/6he4BcSLzCgMx\n/0qSrvDg6bUWwUrkSKS2vDpcJrhGy5fmmhRrGawjPp1ALpC3y1kqFTpXDg==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-online-uri": "gcpkms:projects/projectsigstore-staging/locations/global/keyRings/tuf-keyring/cryptoKeys/tuf-key/cryptoKeyVersions/2"
+   },
+   "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEohqIdE+yTl4OxpX8ZxNUPrg3SL9H\nBDnhZuceKkxy2oMhUOxhWweZeG3bfM1T4ZLnJimC6CAYVU5+F5jZCoftRw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@jku"
+   },
+   "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoxkvDOmtGEknB3M+ZkPts8joDM0X\nIH5JZwPlgC2CXs/eqOuNF8AcEWwGYRiDhV/IMlQw5bg8PLICQcgsbrDiKg==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@mnm678"
+   },
+   "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFHDb85JH+JYR1LQmxiz4UMokVMnP\nxKoWpaEnFCKXH8W4Fc/DfIxMnkpjCuvWUBdJXkO0aDIxwsij8TOFh2R7dw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@joshuagl"
+   },
+   "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE++Wv+DcLRk+mfkmlpCwl1GUi9EMh\npBUTz8K0fH7bE4mQuViGSyWA/eyMc0HvzZi6Xr0diHw0/lUPBvok214YQw==\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp256",
+    "x-tuf-on-ci-keyowner": "@kommendorkapten"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93",
+     "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829",
+     "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5",
+     "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35"
+    ],
+    "threshold": 2
+   },
+   "snapshot": {
+    "keyids": [
+     "5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 3650,
+    "x-tuf-on-ci-signing-period": 365
+   },
+   "targets": {
+    "keyids": [
+     "762cb22caca65de5e9b7b6baecb84ca989d337280ce6914b6440aea95769ad93",
+     "d7d2d47a3f644fc3a685bac7b39c81ed9f9cee48ff861b44fbd86b91e34e7829",
+     "b78c9e4ff9048a1d9876a20f97fa1b3cb03223a0c520c7de730cfa9f5c7b77e5",
+     "afd6a6ebad62a0dd091db368c1806eeb172c893c80bece1098fed116e985ba35"
+    ],
+    "threshold": 1
+   },
+   "timestamp": {
+    "keyids": [
+     "5416a7a35ef827abc651e200ac11f3d23e9db74ef890b1fedb69fb2a152ebac5"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 7,
+    "x-tuf-on-ci-signing-period": 4
+   }
+  },
+  "spec_version": "1.0",
+  "version": 6,
+  "x-tuf-on-ci-expiry-period": 3650,
+  "x-tuf-on-ci-signing-period": 365
+ }
+}
diff --git a/pkg/root/trusted_root.go b/pkg/root/trusted_root.go
@@ -154,21 +154,34 @@ func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (tra
 				PublicKey:         ecKey,
 				SignatureHashFunc: crypto.SHA256,
 			}
-			if validFor := tlog.GetPublicKey().GetValidFor(); validFor != nil {
-				if validFor.GetStart() != nil {
-					transparencyLogs[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime()
-				} else {
-					return nil, fmt.Errorf("tlog missing public key validity period start time")
-				}
-				if validFor.GetEnd() != nil {
-					transparencyLogs[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime()
-				}
-			} else {
-				return nil, fmt.Errorf("tlog missing public key validity period")
+		case protocommon.PublicKeyDetails_PKCS1_RSA_PKCS1V5:
+			key, err := x509.ParsePKCS1PublicKey(tlog.GetPublicKey().GetRawBytes())
+			if err != nil {
+				return nil, err
+			}
+			transparencyLogs[encodedKeyID] = &TransparencyLog{
+				BaseURL:           tlog.GetBaseUrl(),
+				ID:                tlog.GetLogId().GetKeyId(),
+				HashFunc:          hashFunc,
+				PublicKey:         key,
+				SignatureHashFunc: crypto.SHA256,
 			}
 		default:
 			return nil, fmt.Errorf("unsupported tlog public key type: %s", tlog.GetPublicKey().GetKeyDetails())
 		}
+
+		if validFor := tlog.GetPublicKey().GetValidFor(); validFor != nil {
+			if validFor.GetStart() != nil {
+				transparencyLogs[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime()
+			} else {
+				return nil, fmt.Errorf("tlog missing public key validity period start time")
+			}
+			if validFor.GetEnd() != nil {
+				transparencyLogs[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime()
+			}
+		} else {
+			return nil, fmt.Errorf("tlog missing public key validity period")
+		}
 	}
 	return transparencyLogs, nil
 }