config: sign Azure versions on upload & verify on fetch (#1836)

* add SignContent() + integrate into configAPI * use static client for upload versions tool; fix staticupload calleeReference bug * use version to get proper cosign pub key. * mock fetcher in CLI tests * only provide config.New constructor with fetcher Co-authored-by: Otto Bittner <cobittner@posteo.net> Co-authored-by: Daniel Weiße <66256922+daniel-weisse@users.noreply.github.com>
2025-05-02 06:16:08 -04:00 · 2023-06-01 13:55:46 +02:00 · 2023-06-01 13:55:46 +02:00 · b51cc52945
commit b51cc52945
parent e0285c122e
55 changed files with 752 additions and 308 deletions
--- a/internal/sigstore/BUILD.bazel
+++ b/internal/sigstore/BUILD.bazel
@ -5,6 +5,7 @@ go_library(
    name = "sigstore",
    srcs = [
        "rekor.go",
+        "sign.go",
        "sigstore.go",
        "verify.go",
    ],
@ -22,6 +23,7 @@ go_library(
        "@com_github_sigstore_rekor//pkg/verify",
        "@com_github_sigstore_sigstore//pkg/cryptoutils",
        "@com_github_sigstore_sigstore//pkg/signature",
+        "@com_github_theupdateframework_go_tuf//encrypted",
    ],
 )

@ -29,6 +31,7 @@ go_test(
    name = "sigstore_test",
    srcs = [
        "rekor_test.go",
+        "sign_test.go",
        "verify_test.go",
    ],
    embed = [":sigstore"],
--- a/internal/sigstore/sign.go
+++ b/internal/sigstore/sign.go
@ -0,0 +1,71 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package sigstore
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"errors"
+	"fmt"
+
+	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/theupdateframework/go-tuf/encrypted"
+)
+
+const (
+	cosignPrivateKeyPemType   = "ENCRYPTED COSIGN PRIVATE KEY"
+	sigstorePrivateKeyPemType = "ENCRYPTED SIGSTORE PRIVATE KEY"
+)
+
+// SignContent signs the content with the cosign encrypted private key and corresponding cosign password.
+func SignContent(password, encryptedPrivateKey, content []byte) ([]byte, error) {
+	sv, err := loadPrivateKey(encryptedPrivateKey, password)
+	if err != nil {
+		return nil, fmt.Errorf("loading private key: %w", err)
+	}
+	sig, err := sv.SignMessage(bytes.NewReader(content))
+	if err != nil {
+		return nil, fmt.Errorf("signing message: %w", err)
+	}
+	return []byte(base64.StdEncoding.EncodeToString(sig)), nil
+}
+
+func loadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error) {
+	// Decrypt first
+	p, _ := pem.Decode(key)
+	if p == nil {
+		return nil, errors.New("invalid pem block")
+	}
+	if p.Type != cosignPrivateKeyPemType && p.Type != sigstorePrivateKeyPemType {
+		return nil, fmt.Errorf("unsupported pem type: %s", p.Type)
+	}
+
+	x509Encoded, err := encrypted.Decrypt(p.Bytes, pass)
+	if err != nil {
+		return nil, fmt.Errorf("decrypt: %w", err)
+	}
+
+	pk, err := x509.ParsePKCS8PrivateKey(x509Encoded)
+	if err != nil {
+		return nil, fmt.Errorf("parsing private key: %w", err)
+	}
+	switch pk := pk.(type) {
+	case *rsa.PrivateKey:
+		return signature.LoadRSAPKCS1v15SignerVerifier(pk, crypto.SHA256)
+	case *ecdsa.PrivateKey:
+		return signature.LoadECDSASignerVerifier(pk, crypto.SHA256)
+	case ed25519.PrivateKey:
+		return signature.LoadED25519SignerVerifier(pk)
+	default:
+		return nil, errors.New("unsupported key type")
+	}
+}
--- a/internal/sigstore/sign_test.go
+++ b/internal/sigstore/sign_test.go
@ -0,0 +1,59 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+package sigstore
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSignSignature(t *testing.T) {
+	assert := assert.New(t)
+	// Generated with: cosign generate-key-pair
+	privateKey := []byte("-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----\neyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjozMjc2OCwiciI6\nOCwicCI6MX0sInNhbHQiOiJlRHVYMWRQMGtIWVRnK0xkbjcxM0tjbFVJaU92eFVX\nVXgvNi9BbitFVk5BPSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94\nIiwibm9uY2UiOiJwaWhLL2txNmFXa2hqSVVHR3RVUzhTVkdHTDNIWWp4TCJ9LCJj\naXBoZXJ0ZXh0Ijoidm81SHVWRVFWcUZ2WFlQTTVPaTVaWHM5a255bndZU2dvcyth\nVklIeHcrOGFPamNZNEtvVjVmL3lHRHR0K3BHV2toanJPR1FLOWdBbmtsazFpQ0c5\na2czUXpPQTZsU2JRaHgvZlowRVRZQ0hLeElncEdPRVRyTDlDenZDemhPZXVSOXJ6\nTDcvRjBBVy9vUDVqZXR3dmJMNmQxOEhjck9kWE8yVmYxY2w0YzNLZjVRcnFSZzlN\ndlRxQWFsNXJCNHNpY1JaMVhpUUJjb0YwNHc9PSJ9\n-----END ENCRYPTED COSIGN PRIVATE KEY-----")
+	password := []byte("")
+	content := []byte(`["2021-01-01-01-01.json"]\n`)
+	publicKey := []byte("-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEu78QgxOOcao6U91CSzEXxrKhvFTt\nJHNy+eX6EMePtDm8CnDF9HSwnTlD0itGJ/XHPQA5YX10fJAqI1y+ehlFMw==\n-----END PUBLIC KEY-----")
+
+	testCases := map[string]struct {
+		content    []byte
+		password   []byte
+		privateKey []byte
+		wantErr    bool
+	}{
+		"sign content with matching password and private key": {
+			content:    content,
+			password:   password,
+			privateKey: privateKey,
+		},
+		"fail with wrong password": {
+			content:    content,
+			password:   []byte("wrong"),
+			privateKey: privateKey,
+			wantErr:    true,
+		},
+		"fail with wrong private key": {
+			content:    content,
+			password:   password,
+			privateKey: []byte("wrong"),
+			wantErr:    true,
+		},
+	}
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			signature, err := SignContent(tc.password, tc.privateKey, tc.content)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+				verifier := CosignVerifier{}
+				assert.NoError(verifier.VerifySignature(tc.content, signature, publicKey))
+
+			}
+		})
+	}
+}