cosign

package
v1.13.4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 21, 2024 License: Apache-2.0 Imports: 62 Imported by: 56

Documentation

Index

Constants

View Source
const (
	Signature   = "signature"
	SBOM        = "sbom"
	Attestation = "attestation"
)
View Source
const (
	CosignPrivateKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"
	// PEM-encoded PKCS #1 RSA private key
	RSAPrivateKeyPemType = "RSA PRIVATE KEY"
	// PEM-encoded ECDSA private key
	ECPrivateKeyPemType = "EC PRIVATE KEY"
	// PEM-encoded PKCS #8 RSA, ECDSA or ED25519 private key
	PrivateKeyPemType = "PRIVATE KEY"
	BundleKey         = static.BundleAnnotationKey
)

Variables

View Source
var (
	// Fulcio cert-extensions, documented here: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
	CertExtensionOIDCIssuer               = "1.3.6.1.4.1.57264.1.1"
	CertExtensionGithubWorkflowTrigger    = "1.3.6.1.4.1.57264.1.2"
	CertExtensionGithubWorkflowSha        = "1.3.6.1.4.1.57264.1.3"
	CertExtensionGithubWorkflowName       = "1.3.6.1.4.1.57264.1.4"
	CertExtensionGithubWorkflowRepository = "1.3.6.1.4.1.57264.1.5"
	CertExtensionGithubWorkflowRef        = "1.3.6.1.4.1.57264.1.6"

	OIDOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}

	CertExtensionMap = map[string]string{
		CertExtensionOIDCIssuer:               "oidcIssuer",
		CertExtensionGithubWorkflowTrigger:    "githubWorkflowTrigger",
		CertExtensionGithubWorkflowSha:        "githubWorkflowSha",
		CertExtensionGithubWorkflowName:       "githubWorkflowName",
		CertExtensionGithubWorkflowRepository: "githubWorkflowRepository",
		CertExtensionGithubWorkflowRef:        "githubWorkflowRef",
	}

	// OID for Subject Alternative Name
	SANOID = asn1.ObjectIdentifier{2, 5, 29, 17}
)
View Source
var (
	// ErrNoMatchingSignatures is the error returned when there are no matching
	// signatures during verification.
	ErrNoMatchingSignatures = &VerificationError{"no matching signatures"}

	// ErrNoMatchingAttestations is the error returned when there are no
	// matching attestations during verification.
	ErrNoMatchingAttestations = &VerificationError{"no matching attestations"}
)

Functions

func CheckCertificatePolicy added in v1.9.0

func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error

CheckCertificatePolicy checks that the certificate subject and issuer match the expected values.

func CheckExpiry added in v1.5.0

func CheckExpiry(cert *x509.Certificate, it time.Time) error

CheckExpiry confirms the time provided is within the valid period of the cert

func ComputeLeafHash added in v1.7.0

func ComputeLeafHash(e *models.LogEntryAnon) ([]byte, error)

func ConfirmPrompt added in v1.7.0

func ConfirmPrompt(msg string, skipConfirmation bool) (bool, error)

ConfirmPrompt prompts the user for confirmation for an action. Supports skipping the confirmation prompt when skipConfirmation is set. TODO(jason): Move this to an internal package.

func FindTLogEntriesByPayload added in v1.3.1

func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, payload []byte) (uuids []string, err error)

func FindTlogEntry

func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor,
	b64Sig string, payload, pubKey []byte) ([]models.LogEntryAnon, error)

func GeneratePrivateKey

func GeneratePrivateKey() (*ecdsa.PrivateKey, error)

TODO(jason): Move this to an internal package.

func Get added in v1.10.0

func Get(ctx context.Context) *client.Rekor

Get extracts the Rekor client from the context. TODO(jason): Rename this to something better than pkg/cosign.Get.

func GetPassFromTerm added in v1.5.0

func GetPassFromTerm(confirm bool) ([]byte, error)

TODO(jason): Move this to an internal package.

func GetRekorPubs added in v1.6.0

func GetRekorPubs(ctx context.Context, _ *client.Rekor) (map[string]RekorPubKey, error)

GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated targets. There are two Env variable that can be used to override this behaviour: SIGSTORE_REKOR_PUBLIC_KEY - If specified, location of the file that contains the Rekor Public Key on local filesystem

func GetTlogEntry added in v1.3.1

func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, entryUUID string) (*models.LogEntryAnon, error)

func IntotoSubjectClaimVerifier added in v1.0.0

func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error

IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.

func IsTerminal added in v1.5.0

func IsTerminal() bool

TODO(jason): Move this to an internal package.

func LoadPrivateKey

func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)

TODO(jason): Move this to pkg/signature, the only place it's used, and unimport it.

func MarshalOtherNameSAN added in v1.13.0

func MarshalOtherNameSAN(name string, critical bool) (*pkix.Extension, error)

MarshalOtherNameSAN creates a Subject Alternative Name extension with an OtherName sequence. RFC 5280, 4.2.1.6:

SubjectAltName ::= GeneralNames GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName GeneralName ::= CHOICE {

otherName                       [0]     OtherName,
... }

func NewVerificationError added in v1.10.1

func NewVerificationError(msg string, args ...interface{}) error

NewVerificationError constructs a new VerificationError in a manner similar to fmt.Errorf

func PemToECDSAKey added in v0.4.0

func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)

TODO(jason): Move this to an internal package.

func Set added in v1.10.0

func Set(ctx context.Context, rekorClient *client.Rekor) context.Context

TODO(jason): Rename this to something better than pkg/cosign.Set.

func SimpleClaimVerifier added in v1.0.0

func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.

func TLogUpload added in v1.0.1

func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUpload will upload the signature, public key and payload to the transparency log.

func TLogUploadInTotoAttestation added in v1.0.1

func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)

TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.

func TrustedCert

func TrustedCert(cert *x509.Certificate, roots *x509.CertPool, intermediates *x509.CertPool) ([][]*x509.Certificate, error)

func UnmarshalOtherNameSAN added in v1.13.0

func UnmarshalOtherNameSAN(exts []pkix.Extension) (string, error)

UnmarshalOtherNameSAN extracts a UTF-8 string from the OtherName field in the Subject Alternative Name extension.

func ValidateAndUnpackCert added in v1.5.0

func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Verifier, error)

ValidateAndUnpackCert creates a Verifier from a certificate. Veries that the certificate chains up to a trusted root. Optionally verifies the subject and issuer of the certificate.

func ValidateAndUnpackCertWithChain added in v1.7.0

func ValidateAndUnpackCertWithChain(cert *x509.Certificate, chain []*x509.Certificate, co *CheckOpts) (signature.Verifier, error)

ValidateAndUnpackCertWithChain creates a Verifier from a certificate. Verifies that the certificate chains up to the provided root. Chain should start with the parent of the certificate and end with the root. Optionally verifies the subject and issuer of the certificate.

func VerifyBundle added in v1.3.0

func VerifyBundle(ctx context.Context, sig oci.Signature, rekorClient *client.Rekor) (bool, error)

func VerifyImageAttestations added in v1.3.1

func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyImageAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.

func VerifyImageSignature added in v1.5.0

func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)

VerifyImageSignature verifies a signature

func VerifyImageSignatures added in v1.3.1

func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifyLocalImageAttestations added in v1.4.1

func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageAttestations verifies attestations from a saved, local image, without any network calls, returning the verified attestations. If there were no valid signatures, we return an error.

func VerifyLocalImageSignatures added in v1.4.1

func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)

VerifyLocalImageSignatures verifies signatures from a saved, local image, without any network calls, returning the verified signatures. If there were no valid signatures, we return an error.

func VerifySET added in v0.6.0

func VerifySET(bundlePayload cbundle.RekorPayload, signature []byte, pub *ecdsa.PublicKey) error

func VerifyTLogEntry added in v0.4.0

func VerifyTLogEntry(ctx context.Context, _ *client.Rekor, e *models.LogEntryAnon) error

VerityTLogEntry verifies a TLog entry. The argument *client.Rekor is unused and may be nil.

Types

type AttestationPayload added in v1.5.0

type AttestationPayload struct {
	PayloadType string       `json:"payloadType"`
	PayLoad     string       `json:"payload"`
	Signatures  []Signatures `json:"signatures"`
}

func FetchAttestationsForReference added in v1.5.0

func FetchAttestationsForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]AttestationPayload, error)

type CertExtensions added in v1.10.0

type CertExtensions struct {
	Cert *x509.Certificate
}

func (*CertExtensions) GetCertExtensionGithubWorkflowName added in v1.10.0

func (ce *CertExtensions) GetCertExtensionGithubWorkflowName() string

GetCertExtensionGithubWorkflowName returns the GitHub Workflow Name for a Certificate

func (*CertExtensions) GetCertExtensionGithubWorkflowRef added in v1.10.0

func (ce *CertExtensions) GetCertExtensionGithubWorkflowRef() string

GetCertExtensionGithubWorkflowRef returns the GitHub Workflow Ref for a Certificate

func (*CertExtensions) GetCertExtensionGithubWorkflowRepository added in v1.10.0

func (ce *CertExtensions) GetCertExtensionGithubWorkflowRepository() string

GetCertExtensionGithubWorkflowRepository returns the GitHub Workflow Repository for a Certificate

func (*CertExtensions) GetCertExtensionGithubWorkflowTrigger added in v1.10.0

func (ce *CertExtensions) GetCertExtensionGithubWorkflowTrigger() string

GetCertExtensionGithubWorkflowTrigger returns the GitHub Workflow Trigger for a Certificate

func (*CertExtensions) GetExtensionGithubWorkflowSha added in v1.10.0

func (ce *CertExtensions) GetExtensionGithubWorkflowSha() string

GetExtensionGithubWorkflowSha returns the GitHub Workflow SHA for a Certificate

func (*CertExtensions) GetIssuer added in v1.10.0

func (ce *CertExtensions) GetIssuer() string

GetIssuer returns the issuer for a Certificate

type CheckOpts

type CheckOpts struct {
	// RegistryClientOpts are the options for interacting with the container registry.
	RegistryClientOpts []ociremote.Option

	// Annotations optionally specifies image signature annotations to verify.
	Annotations map[string]interface{}

	// ClaimVerifier, if provided, verifies claims present in the oci.Signature.
	ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error

	// RekorClient, if set, is used to use to verify signatures and public keys.
	RekorClient *client.Rekor

	// SigVerifier is used to verify signatures.
	SigVerifier signature.Verifier
	// PKOpts are the options provided to `SigVerifier.PublicKey()`.
	PKOpts []signature.PublicKeyOption

	// RootCerts are the root CA certs used to verify a signature's chained certificate.
	RootCerts *x509.CertPool
	// IntermediateCerts are the optional intermediate CA certs used to verify a certificate chain.
	IntermediateCerts *x509.CertPool
	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertEmail string
	// CertIdentity is the identity expected for a certificate to be valid.
	CertIdentity string
	// CertOidcIssuer is the OIDC issuer expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertOidcIssuer string

	// CertGithubWorkflowTrigger is the GitHub Workflow Trigger name expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowTrigger string
	// CertGithubWorkflowSha is the GitHub Workflow SHA expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowSha string
	// CertGithubWorkflowName is the GitHub Workflow Name expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowName string
	// CertGithubWorkflowRepository is the GitHub Workflow Repository  expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowRepository string
	// CertGithubWorkflowRef is the GitHub Workflow Ref expected for a certificate to be valid. The empty string means any certificate can be valid.
	CertGithubWorkflowRef string

	// EnforceSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a
	// certificate transparency log.
	EnforceSCT bool

	// SignatureRef is the reference to the signature file
	SignatureRef string

	// Identities is an array of Identity (Subject, Issuer) matchers that have
	// to be met for the signature to ve valid.
	// Supercedes CertEmail / CertOidcIssuer
	Identities []Identity
}

CheckOpts are the options for checking signatures.

type Identity

type Identity struct {
	Issuer        string
	Subject       string
	IssuerRegExp  string
	SubjectRegExp string
}

Identity specifies an issuer/subject to verify a signature against. Both IssuerRegExp/SubjectRegExp support regexp while Issuer/Subject are for strict matching.

type Keys

type Keys struct {
	// contains filtered or unexported fields
}

type KeysBytes added in v1.5.0

type KeysBytes struct {
	PrivateBytes []byte
	PublicBytes  []byte
	// contains filtered or unexported fields
}

TODO(jason): Move this to an internal package.

func GenerateKeyPair

func GenerateKeyPair(pf PassFunc) (*KeysBytes, error)

TODO(jason): Move this to an internal package.

func ImportKeyPair added in v1.5.0

func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error)

TODO(jason): Move this to the only place it's used in cmd/cosign/cli/importkeypair, and unexport it.

func (*KeysBytes) Password added in v1.5.0

func (k *KeysBytes) Password() []byte

type LocalSignedPayload added in v1.5.0

type LocalSignedPayload struct {
	Base64Signature string              `json:"base64Signature"`
	Cert            string              `json:"cert,omitempty"`
	Bundle          *bundle.RekorBundle `json:"rekorBundle,omitempty"`
}

func FetchLocalSignedPayloadFromPath added in v1.5.0

func FetchLocalSignedPayloadFromPath(path string) (*LocalSignedPayload, error)

FetchLocalSignedPayloadFromPath fetches a local signed payload from a path to a file

type OtherName added in v1.13.0

type OtherName struct {
	ID    asn1.ObjectIdentifier
	Value string `asn1:"utf8,explicit,tag:0"`
}

TODO: Move (un)marshalling to sigstore/sigstore OtherName describes a name related to a certificate which is not in one of the standard name formats. RFC 5280, 4.2.1.6:

OtherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

OtherName for Fulcio-issued certificates only supports UTF-8 strings as values.

type PassFunc

type PassFunc func(bool) ([]byte, error)

PassFunc is the function to be called to retrieve the signer password. If nil, then it assumes that no password is provided.

type RekorPubKey added in v1.6.0

type RekorPubKey struct {
	PubKey *ecdsa.PublicKey
	Status tuf.StatusKind
}

RekorPubKey contains the ECDSA verification key and the current status of the key according to TUF metadata, whether it's active or expired.

type Signatures added in v1.5.0

type Signatures struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

type SignedPayload

type SignedPayload struct {
	Base64Signature string
	Payload         []byte
	Cert            *x509.Certificate
	Chain           []*x509.Certificate
	Bundle          *bundle.RekorBundle
}

func FetchSignaturesForReference added in v1.2.1

func FetchSignaturesForReference(ctx context.Context, ref name.Reference, opts ...ociremote.Option) ([]SignedPayload, error)

type VerificationError added in v1.10.1

type VerificationError struct {
	// contains filtered or unexported fields
}

VerificationError is the type of Go error that is used by cosign to surface errors actually related to verification (vs. transient, misconfiguration, transport, or authentication related issues).

func (*VerificationError) Error added in v1.10.1

func (ve *VerificationError) Error() string

Error implements error

Directories

Path Synopsis
git

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL