From b0600215a63757f580e1cc0656f94458ae7c24f8 Mon Sep 17 00:00:00 2001
From: Dmitry Savintsev
Date: Fri, 21 Feb 2025 20:10:55 +0100
Subject: [PATCH] Add TSA certificate flag/fields for cosign attest-blob

Signed-off-by: Dmitry Savintsev
---
 cmd/cosign/cli/attest/attest_blob.go  | 17 +++++++++++++----
 cmd/cosign/cli/attest_blob.go         |  4 ++++
 cmd/cosign/cli/options/attest_blob.go | 16 ++++++++++++++++
 doc/cosign_attest-blob.md             |  4 ++++
 doc/cosign_attest.md                  |  4 ++++
 5 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/cmd/cosign/cli/attest/attest_blob.go b/cmd/cosign/cli/attest/attest_blob.go
index be4369f87d3..528da7916be 100644
--- a/cmd/cosign/cli/attest/attest_blob.go
+++ b/cmd/cosign/cli/attest/attest_blob.go
@@ -40,7 +40,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
-	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
+	tsaclient "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/cosign/attestation"
 	cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
@@ -165,7 +165,16 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 	var timestampBytes []byte
 	var rekorEntry *models.LogEntryAnon
 
-	if c.TSAServerURL != "" {
+	if c.KeyOpts.TSAServerURL != "" {
+		tc := tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL)
+		if c.TSAClientCert != "" {
+			tc = tsaclient.NewTSAClientMTLS(c.KeyOpts.TSAServerURL,
+				c.KeyOpts.TSAClientCACert,
+				c.KeyOpts.TSAClientCert,
+				c.KeyOpts.TSAClientKey,
+				c.KeyOpts.TSAServerName,
+			)
+		}
 		// We need to decide what signature to send to the timestamp authority.
 		//
 		// Historically, cosign sent `sig`, which is the entire JSON DSSE
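Review bot: The mTLS client is only built when `c.TSAClientCert` is non-empty, so `--timestamp-client-cacert` and `--timestamp-server-name` passed on their own — the usual setup for a private TSA behind an internal CA with no client authentication — are silently ignored and the plain `NewTSAClient` is used. If `NewTSAClientMTLS` copes with an empty cert/key pair (its body is not in this patch), widening the guard to `if c.KeyOpts.TSAClientCert != "" || c.KeyOpts.TSAClientCACert != "" || c.KeyOpts.TSAServerName != "" {` makes those flags effective; otherwise the combination should be rejected with an error rather than dropped. A client cert given without `TSAClientKey` also reaches the constructor unchecked, and a quick `if c.KeyOpts.TSAClientCert != "" && c.KeyOpts.TSAClientKey == "" { return fmt.Errorf("timestamp-client-cert requires timestamp-client-key") }` before building `tc` would fail fast with a clear message instead of a key-loading or handshake error. Stylistically the guard reads the promoted field (`c.TSAClientCert`) while the constructor arguments spell out `c.KeyOpts.…`; pick one form, presumably both resolve to the same embedded field. `Exec` starts before and continues after this hunk.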
@@ -186,12 +195,12 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 				return err
 			}
 
-			timestampBytes, err = tsa.GetTimestampedSignature(envelopeSigBytes, client.NewTSAClient(c.TSAServerURL))
+			timestampBytes, err = tsa.GetTimestampedSignature(envelopeSigBytes, tc)
 			if err != nil {
 				return err
 			}
 		} else {
-			timestampBytes, err = tsa.GetTimestampedSignature(sig, client.NewTSAClient(c.TSAServerURL))
+			timestampBytes, err = tsa.GetTimestampedSignature(sig, tc)
 			if err != nil {
 				return err
 			}
diff --git a/cmd/cosign/cli/attest_blob.go b/cmd/cosign/cli/attest_blob.go
index d9a7108b458..2340b792e08 100644
--- a/cmd/cosign/cli/attest_blob.go
+++ b/cmd/cosign/cli/attest_blob.go
@@ -70,6 +70,10 @@ func AttestBlob() *cobra.Command {
 				OIDCRedirectURL:      o.OIDC.RedirectURL,
 				OIDCProvider:         o.OIDC.Provider,
 				SkipConfirmation:     o.SkipConfirmation,
+				TSAClientCACert:      o.TSAClientCACert,
+				TSAClientKey:         o.TSAClientKey,
+				TSAClientCert:        o.TSAClientCert,
+				TSAServerName:        o.TSAServerName,
 				TSAServerURL:         o.TSAServerURL,
 				RFC3161TimestampPath: o.RFC3161TimestampPath,
 				BundlePath:           o.BundlePath,
diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go
index b641c5b328e..22e876b264e 100644
--- a/cmd/cosign/cli/options/attest_blob.go
+++ b/cmd/cosign/cli/options/attest_blob.go
@@ -26,6 +26,10 @@ type AttestBlobOptions struct {
 	SkipConfirmation     bool
 	TlogUpload           bool
 
+	TSAClientCACert      string
+	TSAClientCert        string
+	TSAClientKey         string
+	TSAServerName        string
 	TSAServerURL         string
 	RFC3161TimestampPath string
 
@@ -103,6 +107,18 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.RekorEntryType, "rekor-entry-type", "dsse",
 		"specifies the type to be used for a rekor entry upload. Options are intoto or dsse (default). ")
 
+	cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "",
+		"path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAClientCert, "timestamp-client-cert", "",
+		"path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAClientKey, "timestamp-client-key", "",
+		"path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAServerName, "timestamp-server-name", "",
+		"SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server")
+
 	cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
 		"url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr")
 
diff --git a/doc/cosign_attest-blob.md b/doc/cosign_attest-blob.md
index 4849bb93287..37b94b1fa85 100644
--- a/doc/cosign_attest-blob.md
+++ b/doc/cosign_attest-blob.md
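Review bot: Nothing enforces that `--timestamp-client-cert` and `--timestamp-client-key` are supplied together even though the key's help text says they belong together; if the cobra version in use provides it, `cmd.MarkFlagsRequiredTogether("timestamp-client-cert", "timestamp-client-key")` after these four `StringVar` calls turns a later key-loading failure into a clear usage error. The `--timestamp-client-key` help calls the file an "X.509 private key", but a private key is not an X.509 object; `"path to the PEM-encoded private key file matching 'timestamp-client-cert', used for the connection to the TSA Server"` is accurate. The `--timestamp-server-name` text says it verifies "the mTLS connection", whereas `tls.Config.ServerName` is sent as SNI and is the name the server's certificate is checked against, so `"server name (SNI) expected in the TSA server's certificate; used instead of the host in 'timestamp-server-url' when verifying the TLS connection"` describes what the field does. Because the `Exec` change in this patch only builds the mTLS client when a client cert is given, the CA-cert and server-name help should also state that they currently take effect only together with 'timestamp-client-cert'. `AddFlags` continues outside this hunk.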
@@ -59,6 +59,10 @@ cosign attest-blob [flags]
       --rfc3161-timestamp-bundle string   path to an RFC 3161 timestamp bundle FILE
       --sk                                whether to use a hardware security key
       --slot string                       security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
+      --timestamp-client-cacert string    path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server
+      --timestamp-client-cert string      path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server
+      --timestamp-client-key string       path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server
+      --timestamp-server-name string      SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
       --timestamp-server-url string       url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
       --tlog-upload                       whether or not to upload to the tlog (default true)
       --type string                       specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom")
diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index d31fb8fd8a5..2a1171c32a8 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -79,6 +79,10 @@ cosign attest [flags]
       --replace
       --sk                                whether to use a hardware security key
       --slot string                       security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
+      --timestamp-client-cacert string    path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server
+      --timestamp-client-cert string      path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server
+      --timestamp-client-key string       path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server
+      --timestamp-server-name string      SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
       --timestamp-server-url string       url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
       --tlog-upload                       whether or not to upload to the tlog (default true)
       --type string                       specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom")