sigstore · dlorenc · Jun 23, 2022 · Mar 13, 2022 · Jun 9, 2022 · Jun 9, 2022
@@ -47,6 +47,7 @@ KO_PREFIX ?= gcr.io/projectsigstore
 export KO_DOCKER_REPO=$(KO_PREFIX)
 REKOR_YAML ?= rekor-$(GIT_TAG).yaml
 GHCR_PREFIX ?= ghcr.io/sigstore/rekor
+GOBIN ?= $(shell go env GOPATH)/bin
 
 # Binaries
 SWAGGER := $(TOOLS_BIN_DIR)/swagger

@@ -16,6 +16,7 @@
 package app
 
 import (
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/url"
@@ -87,6 +88,11 @@ func addArtifactPFlags(cmd *cobra.Command) error {
 			"path or URL to pre-formatted entry file",
 			false,
 		},
+		"aad": {
+			base64Flag,
+			"base64 encoded additional authenticated data",
+			false,
+		},
 	}
 
 	for flag, flagVal := range flags {
@@ -152,6 +158,10 @@ func CreatePropsFromPflags() *types.ArtifactProperties {
 	}
 
 	props.PKIFormat = viper.GetString("pki-format")
+	b64aad := viper.GetString("aad")
+	if b64aad != "" {
+		props.AdditionalAuthenticatedData, _ = base64.StdEncoding.DecodeString(b64aad)
+	}
 
 	return props
 }

@@ -16,6 +16,7 @@
 package app
 
 import (
+	"encoding/base64"
 	"fmt"
 	"log"
 	"strconv"
@@ -46,6 +47,7 @@ const (
 	oidFlag       FlagType = "oid"
 	formatFlag    FlagType = "format"
 	timeoutFlag   FlagType = "timeout"
+	base64Flag    FlagType = "base64"
 )
 
 type newPFlagValueFunc func() pflag.Value
@@ -105,6 +107,10 @@ func initializePFlagMap() {
 			// this validates the timeout is >= 0
 			return valueFactory(formatFlag, validateTimeout, "")
 		},
+		base64Flag: func() pflag.Value {
+			// This validates the string is in base64 format
+			return valueFactory(base64Flag, validateBase64, "")
+		},
 	}
 }
 
@@ -239,6 +245,13 @@ func validateTimeout(v string) error {
 	return useValidator(timeoutFlag, d)
 }
 
+// validateBase64 ensures that the supplied string is valid base64 encoded data
+func validateBase64(v string) error {
+	_, err := base64.StdEncoding.DecodeString(v)
+
+	return err
+}
+
 // validateTypeFlag ensures that the string is in the format type(\.version)? and
 // that one of the types requested is implemented
 func validateTypeFlag(v string) error {

@@ -38,6 +38,7 @@ func TestArtifactPFlags(t *testing.T) {
 		signature             string
 		publicKey             string
 		uuid                  string
+		aad                   string
 		uuidRequired          bool
 		logIndex              string
 		logIndexRequired      bool
@@ -346,6 +347,32 @@ func TestArtifactPFlags(t *testing.T) {
 			expectParseSuccess:    true,
 			expectValidateSuccess: false,
 		},
+		{
+			caseDesc:              "valid cose, with aad",
+			typeStr:               "cose",
+			artifact:              "../../../tests/test_cose.cbor",
+			publicKey:             "../../../tests/test_cose.pub",
+			expectParseSuccess:    true,
+			expectValidateSuccess: true,
+			aad:                   "dGVzdCBhYWQ=",
+		},
+		{
+			caseDesc:              "valid cose, malformed base64 aad",
+			typeStr:               "cose",
+			artifact:              "../../../tests/test_cose.cbor",
+			publicKey:             "../../../tests/test_cose.pub",
+			expectParseSuccess:    false,
+			expectValidateSuccess: true,
+			aad:                   "dGVzdCBhYWQ]",
+		},
+		{
+			caseDesc:              "valid cose, missing aad",
+			typeStr:               "cose",
+			artifact:              "../../../tests/test_cose.cbor",
+			publicKey:             "../../../tests/test_cose.pub",
+			expectParseSuccess:    true,
+			expectValidateSuccess: false,
+		},
 	}
 
 	for _, tc := range tests {
@@ -384,6 +411,9 @@ func TestArtifactPFlags(t *testing.T) {
 		if tc.logIndex != "" {
 			args = append(args, "--log-index", tc.logIndex)
 		}
+		if tc.aad != "" {
+			args = append(args, "--aad", tc.aad)
+		}
 
 		if err := blankCmd.ParseFlags(args); (err == nil) != tc.expectParseSuccess {
 			t.Errorf("unexpected result parsing '%v': %v", tc.caseDesc, err)

@@ -28,6 +28,7 @@ import (
 
 	// these imports are to call the packages' init methods
 	_ "github.com/sigstore/rekor/pkg/types/alpine/v0.0.1"
+	_ "github.com/sigstore/rekor/pkg/types/cose/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/helm/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"

@@ -31,6 +31,8 @@ import (
 	"github.com/sigstore/rekor/pkg/log"
 	"github.com/sigstore/rekor/pkg/types/alpine"
 	alpine_v001 "github.com/sigstore/rekor/pkg/types/alpine/v0.0.1"
+	"github.com/sigstore/rekor/pkg/types/cose"
+	cose_v001 "github.com/sigstore/rekor/pkg/types/cose/v0.0.1"
 	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord"
 	hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	"github.com/sigstore/rekor/pkg/types/helm"
@@ -87,6 +89,7 @@ var serveCmd = &cobra.Command{
 			rpm.KIND:          rpm_v001.APIVERSION,
 			jar.KIND:          jar_v001.APIVERSION,
 			intoto.KIND:       intoto_v001.APIVERSION,
+			cose.KIND:         cose_v001.APIVERSION,
 			rfc3161.KIND:      rfc3161_v001.APIVERSION,
 			alpine.KIND:       alpine_v001.APIVERSION,
 			helm.KIND:         helm_v001.APIVERSION,

@@ -25,6 +25,7 @@ require (
 	github.com/mediocregopher/radix/v4 v4.1.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.5.0
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.12.2
 	github.com/rs/cors v1.8.2
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74
@@ -37,6 +38,8 @@ require (
 	github.com/theupdateframework/go-tuf v0.3.0
 	github.com/transparency-dev/merkle v0.0.1
 	github.com/urfave/negroni v1.0.0
+	github.com/veraison/go-cose v1.0.0-alpha.1
+	github.com/zalando/go-keyring v0.1.1 // indirect
 	go.uber.org/goleak v1.1.12
 	go.uber.org/zap v1.21.0
 	gocloud.dev v0.24.1-0.20211119014450-028788aaaa4c
@@ -66,6 +69,7 @@ require (
 	github.com/danieljoos/wincred v1.1.1 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-openapi/analysis v0.21.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
@@ -95,7 +99,6 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.34.0 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
@@ -108,7 +111,7 @@ require (
 	github.com/tilinna/clock v1.1.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect
-	github.com/zalando/go-keyring v0.1.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.8.3 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect

@@ -475,6 +475,8 @@ github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3n
 github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o=
 github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw=
 github.com/fullstorydev/grpcurl v1.8.6/go.mod h1:WhP7fRQdhxz2TkL97u+TCb505sxfH78W1usyoB3tepw=
+github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
+github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
@@ -1581,13 +1583,17 @@ github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+
 github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/VPSJnLYn+LmLk8=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI=
+github.com/veraison/go-cose v1.0.0-alpha.1 h1:W5AhenQOS3ZDsJH2rdDMffLuuFOIoZw6VfIAkPatsRs=
+github.com/veraison/go-cose v1.0.0-alpha.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE=
 github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/weppos/publicsuffix-go v0.15.1-0.20210807195340-dc689ff0bb59/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
 github.com/weppos/publicsuffix-go v0.15.1-0.20220329081811-9a40b608a236/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=

@@ -378,6 +378,23 @@ definitions:
         - spec
       additionalProperties: false
 
+  cose:
+    type: object
+    description: COSE object
+    allOf:
+    - $ref: '#/definitions/ProposedEntry'
+    - properties:
+        apiVersion:
+          type: string
+          pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
+        spec:
+          type: object
+          $ref: 'pkg/types/cose/cose_schema.json'
+      required:
+        - apiVersion
+        - spec
+      additionalProperties: false
+
   jar:
     type: object
     description: Java Archive (JAR)