-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add COSE support to Rekor #867
Conversation
Looks like there's a merge conflict, and github isn't running for some reason. Maybe fixing the merge conflict will poke actions? |
Yes, will do. Some merge conflicts I have to resolve first 👍 |
30fcf43
to
c3180ed
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One main question on algorithm checking.
pkg/types/cose/v0.0.1/entry.go
Outdated
switch t := cryptoPub.(type) { | ||
case *rsa.PublicKey: | ||
alg = gocose.AlgorithmPS256 | ||
case *ecdsa.PublicKey: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to be a bit more careful here to avoid curve mismatches? Is there a possibility someone actually used PS384 or PS512?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, good catch. I can play around a bit more early next week to see if we can tighten up this.
} | ||
|
||
// If payload is an in-toto statement, let's grab the subjects. | ||
if rawContentType, ok := v.sign1Msg.Headers.Protected[gocose.HeaderLabelContentType]; ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This part is interesting, I'm not sure I've seen in-toto statements embedded into COSE envelopes before. I think it makes sense overall though.
Codecov Report
@@ Coverage Diff @@
## main #867 +/- ##
==========================================
+ Coverage 46.24% 46.93% +0.69%
==========================================
Files 60 62 +2
Lines 5138 5414 +276
==========================================
+ Hits 2376 2541 +165
- Misses 2487 2590 +103
- Partials 275 283 +8
Continue to review full report at Codecov.
|
Overall LGTM. I'll wait for @bobcallaway to take a look before merging. |
1 similar comment
Overall LGTM. I'll wait for @bobcallaway to take a look before merging. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looking good overall, just a few questions/nits
pkg/types/cose/v0.0.1/entry.go
Outdated
|
||
alg, pk, err := getPublicKey(v.keyObj) | ||
if err != nil { | ||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
did you mean to return err
here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Of course, will go over some test coverage here to make sure we got it covered.
pkg/types/cose/v0.0.1/entry.go
Outdated
v.sign1Msg = gocose.NewSign1Message() | ||
if err := v.sign1Msg.UnmarshalCBOR(v.CoseObj.Message); err != nil { | ||
return err | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we ensure unmarshaling is successful before assigning the output to v.sign1Msg
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You mean like this:
coseMsg := gocose.NewSign1Message()
if err := coseMsg.UnmarshalCBOR(v.CoseObj.Message); err != nil {
return err
}
v.sign1Msg = coseMsg
I think that makes sense, we can even wait until the signature is verified until we assign it to v.sign1Msg
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, ideally I wouldn't want to partially change the pointer receiver unless all validation is successful.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, would like one more test case to ensure we have coverage for non-base64 encoded input on the aad
cmd line argument
The sharding e2e test failed ( |
Oh, found a script, will try that. |
I have run the sharding-e2e test now locally three times and am not able to reproduce, the execution succeeds all the time for me. Anyone having an idea? |
Hm, this seems to be the issue:
The shard id gets a white space ( Running the printf/awk on my machine (macOS) I get a different output
Running same command on Ubuntu:
I'll prepare a patch for the awk script. |
I'll push up a separate PR to fix that, and also add log collection to
sharding-e2e-test.sh since if there is a failure right now we don't capture
the docker-compose logs.
…On Tue, Jun 14, 2022 at 8:49 AM Fredrik Skogman ***@***.***> wrote:
Hm, this seems to be the issue:
++ printf %x 7051007558037933689
++ Awk '{printf "%016s", $0}'
+ HEX_INITIAL_TREE_ID=61da360425720e79
++ printf %x 151938258151519870
++ awk '{printf "%016s", $0}'
+ HEX_INITIAL_SHARD_ID=' 21bcb0a70e9b67e'
+ ENTRY_ID_1=61da360425720e79d2f305428d7c222d7b77f56453dd4b6e6851752ecacc78e5992779c8f9b61dd9
+ ENTRY_ID_2=' 21bcb0a70e9b67e59a575f157274702c38de3ab1e1784226f391fb79500ebf9f02b4439fb77574c'
++ curl -f http://localhost:3000/api/v1/log/entries/retrieve -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{ "entryUUIDs": ["61da360425720e79d2f305428d7c222d7b77f56453dd4b6e6851752ecacc78e5992779c8f9b61dd9", " 21bcb0a70e9b67e59a575f157274702c38de3ab1e1784226f391fb79500ebf9f02b4439fb77574c"]}'
++ jq '. | length'
The shard id gets a white space ( ) as the first character, which is then
input to the UUIDs: "
21bcb0a70e9b67e59a575f157274702c38de3ab1e1784226f391fb79500ebf9f02b4439fb77574c"
.
Running the printf/awk on my (mac I get a different error)
printf %x 151938258151519870 | awk '{printf "%016s", $0}'
021bcb0a70e9b67e
Running same command on Ubuntu:
# printf %x 151938258151519870 | awk '{printf "%016s", $0}'
21bcb0a70e9b67e
I'll prepare a patch for the awk script.
—
Reply to this email directly, view it on GitHub
<#867 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAVWTJKRWNAPOKIW33RKHVDVPB5V5ANCNFSM5YJHEAIA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
From the GNU awk manual (https://www.gnu.org/software/gawk/manual/html_node/Format-Modifiers.html): (emphasis mine)
|
Shamelessly copied this from stackoverflow (some minor modification to work with
Tested on both Ubuntu and macOS |
@priyawadhwa @lkatalin is the intent for the value to be left-padded with zeros? |
@bobcallaway |
This commit adds COSE Sign1 support to rekor via a new data type. COSE is defined in RFC8152, and provides a signing message envelope. This is supported in rekor using the veraison/go-cose library. The new API type requires the signed content, the signature envelope, and the public key. The public key is in the standard rekor PKI format, at the moment only ECDSA P256 with SHA256 is supported. The signed message only supports in-line bodies (no URL fetching), and there is no support for pre-hashed entries. Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
This adds some more functionality related to COSE enveleopes. Features added are: - Support for specifying Additional Authentincated Data (AAD) - The entire CBOR envelope is stored as an attestation - If the payload type is an in-toto statement, subject is indexed What's not optimal is that the COSE envelope is using the regular `Attestion()` functionality, which means that rekor cli tries to print it during `rekor-cli get` and the response record from Rekor looks a bit awkward. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
The biggest change is adapting the new interface where attestation func is split to two, one to get the key and a nother to get key/val. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…stdlib errors package. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Also increas the general test coverage. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…ing. This gives the caller the possibility to decide how to decode the data. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…dation is done. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
142be5b
to
9e8f869
Compare
Summary
Basic support for COSE envelopes.
Added is functionality to upload COSE records, optionally signed with AAD. The AAD is not stored in Rekor.
The COSE envelope is stored as an attestation if attestation storage is enabled, and can so be retrieved via Rekor. The returned envelope is returned in the
attestation
field, not within thebody
field.What's stored is the hash of the payload and the entire envelope. If the content type of the COSE envelope is an in-toto statement, the payload is parsed and the subject hashes are extracted and indexed for searching.
Ticket Link
This pull requests completes #731.
Release Note