Revert "Refactor fulcio signer to take in KeyOpts. (#1788)" #1798

merged 1 commit into from Apr 25, 2022
3 changes: 2 additions & 1 deletion cmd/cosign/cli/attest.go
Expand Up @@ -22,6 +22,7 @@ import (
"github.com/sigstore/cosign/cmd/cosign/cli/attest"
"github.com/sigstore/cosign/cmd/cosign/cli/generate"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
)

func Attest() *cobra.Command {
Expand Down Expand Up @@ -62,7 +63,7 @@ func Attest() *cobra.Command {
if err != nil {
return err
}
ko := options.KeyOpts{
ko := sign.KeyOpts{
KeyRef: o.Key,
PassFunc: generate.GetPass,
Sk: o.SecurityKey.Use,
Expand Down
2 changes: 1 addition & 1 deletion cmd/cosign/cli/attest/attest.go
Expand Up @@ -74,7 +74,7 @@ func uploadToTlog(ctx context.Context, sv *sign.SignerVerifier, rekorURL string,
}

//nolint
func AttestCmd(ctx context.Context, ko options.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string,
func AttestCmd(ctx context.Context, ko sign.KeyOpts, regOpts options.RegistryOptions, imageRef string, certPath string, certChainPath string,
noUpload bool, predicatePath string, force bool, predicateType string, replace bool, timeout time.Duration) error {
// A key file or token is required unless we're in experimental mode!
if options.EnableExperimental() {
Expand Down
23 changes: 4 additions & 19 deletions cmd/cosign/cli/fulcio/fulcio.go
Expand Up @@ -30,9 +30,8 @@ import (
"golang.org/x/term"

"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
clioptions "github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/cosign/pkg/providers"
"github.com/sigstore/fulcio/pkg/api"
"github.com/sigstore/sigstore/pkg/oauthflow"
"github.com/sigstore/sigstore/pkg/signature"
Expand Down Expand Up @@ -111,21 +110,7 @@ type Signer struct {
*signature.ECDSASignerVerifier
}

func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
fClient, err := NewClient(ko.FulcioURL)
if err != nil {
return nil, errors.Wrap(err, "creating Fulcio client")
}

idToken := ko.IDToken
// If token is not set in the options, get one from the provders
if idToken == "" && providers.Enabled(ctx) {
idToken, err = providers.Provide(ctx, "sigstore")
if err != nil {
return nil, errors.Wrap(err, "fetching ambient OIDC credentials")
}
}

func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*Signer, error) {
priv, err := cosign.GeneratePrivateKey()
if err != nil {
return nil, errors.Wrap(err, "generating cert")
Expand All @@ -146,7 +131,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
default:
flow = FlowNormal
}
Resp, err := GetCert(ctx, priv, idToken, flow, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient) // TODO, use the chain.
Resp, err := GetCert(ctx, priv, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL, fClient) // TODO, use the chain.
if err != nil {
return nil, errors.Wrap(err, "retrieving cert")
}
Expand Down Expand Up @@ -181,6 +166,6 @@ func NewClient(fulcioURL string) (api.Client, error) {
if err != nil {
return nil, err
}
fClient := api.NewClient(fulcioServer, api.WithUserAgent(options.UserAgent()))
fClient := api.NewClient(fulcioServer, api.WithUserAgent(clioptions.UserAgent()))
return fClient, nil
}
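Review bot: The restored `NewSigner` signature (`func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client)`) takes five adjacent string parameters, so a caller that transposes `oidcClientID` and `oidcClientSecret` still compiles; both call sites in this PR (`fulcioverifier.NewSigner` in `cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go` and `keylessSigner` in `cmd/cosign/cli/sign/sign.go`) pass them positionally, and the wrapper in fulcioverifier has the same shape. The exported function also carries no doc comment; from the visible body I would add `// NewSigner generates an ephemeral private key and requests a Fulcio certificate for it from fClient, authenticating with idToken when set and otherwise through the selected OIDC flow.` — the flow selection (`default: flow = FlowNormal`) is only partly visible, so confirm that wording against the full switch. The `// TODO, use the chain.` on the `GetCert` line survives the revert and is worth tracking as an issue rather than an inline TODO. `NewSigner`'s body continues past this hunk.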
6 changes: 3 additions & 3 deletions cmd/cosign/cli/fulcio/fulcioverifier/fulcioverifier.go
Expand Up @@ -24,11 +24,11 @@ import (

"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
"github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/fulcio/pkg/api"
)

func NewSigner(ctx context.Context, ko options.KeyOpts) (*fulcio.Signer, error) {
fs, err := fulcio.NewSigner(ctx, ko)
func NewSigner(ctx context.Context, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.Client) (*fulcio.Signer, error) {
fs, err := fulcio.NewSigner(ctx, idToken, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL, fClient)
if err != nil {
return nil, err
}
Expand Down
37 changes: 0 additions & 37 deletions cmd/cosign/cli/options/key.go

This file was deleted.

2 changes: 1 addition & 1 deletion cmd/cosign/cli/policy_init.go
Expand Up @@ -179,7 +179,7 @@ func signPolicy() *cobra.Command {
if err != nil {
return err
}
sv, err := sign.SignerFromKeyOpts(ctx, "", "", options.KeyOpts{
sv, err := sign.SignerFromKeyOpts(ctx, "", "", sign.KeyOpts{
FulcioURL: o.Fulcio.URL,
IDToken: o.Fulcio.IdentityToken,
InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
Expand Down
2 changes: 1 addition & 1 deletion cmd/cosign/cli/sign.go
Expand Up @@ -82,7 +82,7 @@ func Sign() *cobra.Command {
if err != nil {
return err
}
ko := options.KeyOpts{
ko := sign.KeyOpts{
KeyRef: o.Key,
PassFunc: generate.GetPass,
Sk: o.SecurityKey.Use,
Expand Down
32 changes: 22 additions & 10 deletions cmd/cosign/cli/sign/sign.go
Expand Up @@ -47,6 +47,7 @@ import (
"github.com/sigstore/cosign/pkg/oci/mutate"
ociremote "github.com/sigstore/cosign/pkg/oci/remote"
"github.com/sigstore/cosign/pkg/oci/walk"
providers "github.com/sigstore/cosign/pkg/providers/all"
sigs "github.com/sigstore/cosign/pkg/signature"
"github.com/sigstore/sigstore/pkg/cryptoutils"
"github.com/sigstore/sigstore/pkg/signature"
Expand Down Expand Up @@ -92,7 +93,7 @@ func GetAttachedImageRef(ref name.Reference, attachment string, opts ...ociremot
}

// nolint
func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, annotations map[string]interface{},
func SignCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOptions, annotations map[string]interface{},
imgs []string, certPath string, certChainPath string, upload bool, outputSignature, outputCertificate string,
payloadPath string, force bool, recursive bool, attachment string) error {
if options.EnableExperimental() {
Expand Down Expand Up @@ -182,7 +183,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.Regist
return nil
}

func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko options.KeyOpts,
func signDigest(ctx context.Context, digest name.Digest, payload []byte, ko KeyOpts,
regOpts options.RegistryOptions, annotations map[string]interface{}, upload bool, outputSignature, outputCertificate string, force bool, recursive bool,
dd mutate.DupeDetector, sv *SignerVerifier, se oci.SignedEntity) error {
var err error
Expand Down Expand Up @@ -435,18 +436,29 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
return certSigner, nil
}

func keylessSigner(ctx context.Context, ko options.KeyOpts) (*SignerVerifier, error) {
var (
k *fulcio.Signer
err error
)
func keylessSigner(ctx context.Context, ko KeyOpts) (*SignerVerifier, error) {
fClient, err := fulcio.NewClient(ko.FulcioURL)
if err != nil {
return nil, errors.Wrap(err, "creating Fulcio client")
}

tok := ko.IDToken
// If token is not set in the options, get one from the provders
if tok == "" && providers.Enabled(ctx) {
tok, err = providers.Provide(ctx, "sigstore")
if err != nil {
return nil, errors.Wrap(err, "fetching ambient OIDC credentials")
}
}

var k *fulcio.Signer

if ko.InsecureSkipFulcioVerify {
if k, err = fulcio.NewSigner(ctx, ko); err != nil {
if k, err = fulcio.NewSigner(ctx, tok, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient); err != nil {
return nil, errors.Wrap(err, "getting key from Fulcio")
}
} else {
if k, err = fulcioverifier.NewSigner(ctx, ko); err != nil {
if k, err = fulcioverifier.NewSigner(ctx, tok, ko.OIDCIssuer, ko.OIDCClientID, ko.OIDCClientSecret, ko.OIDCRedirectURL, fClient); err != nil {
return nil, errors.Wrap(err, "getting key from Fulcio")
}
}
Expand All @@ -458,7 +470,7 @@ func keylessSigner(ctx context.Context, ko options.KeyOpts) (*SignerVerifier, er
}, nil
}

func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, error) {
func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko KeyOpts) (*SignerVerifier, error) {
if ko.Sk {
return signerFromSecurityKey(ko.Slot)
}
Expand Down
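Review bot: Both branches of `if ko.InsecureSkipFulcioVerify` in `keylessSigner` wrap their error with the identical message `"getting key from Fulcio"`, so a failure cannot be attributed to the verified (`fulcioverifier.NewSigner`) or the skip-verification (`fulcio.NewSigner`) path from the error text alone; I would change the insecure branch to `return nil, errors.Wrap(err, "getting key from Fulcio (SCT verification skipped)")`. The branch also deserves a why-comment, since `InsecureSkipFulcioVerify` is documented in `sign_blob.go` as disabling SCT verification: `// InsecureSkipFulcioVerify bypasses the SCT check that the fulcioverifier wrapper presumably performs; confirm against fulcioverifier.NewSigner.` The restored comment `// If token is not set in the options, get one from the provders` has a typo and should read `providers`. `keylessSigner`'s body continues past this hunk (the return value is assembled after the `Expand All` gap).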
21 changes: 20 additions & 1 deletion cmd/cosign/cli/sign/sign_blob.go
Expand Up @@ -34,8 +34,27 @@ import (
signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
)

type KeyOpts struct {
Sk bool
Slot string
KeyRef string
FulcioURL string
RekorURL string
IDToken string
PassFunc cosign.PassFunc
OIDCIssuer string
OIDCClientID string
OIDCClientSecret string
OIDCRedirectURL string
BundlePath string

// Modeled after InsecureSkipVerify in tls.Config, this disables
// verifying the SCT.
InsecureSkipFulcioVerify bool
}

// nolint
func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string) ([]byte, error) {
func SignBlobCmd(ro *options.RootOptions, ko KeyOpts, regOpts options.RegistryOptions, payloadPath string, b64 bool, outputSignature string, outputCertificate string) ([]byte, error) {
var payload []byte
var err error
var rekorBytes []byte
Expand Down
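Review bot: The restored exported type `KeyOpts` has no doc comment and only `InsecureSkipFulcioVerify` is documented, although it is the parameter type of `SignCmd`, `SignerFromKeyOpts`, `SignBlobCmd` and the `verify` package's `VerifyBlobCmd`. I would add `// KeyOpts selects the signing key (a key reference, a security key via Sk/Slot, or keyless via Fulcio) and carries the Rekor, OIDC and bundle settings shared by the sign and verify commands.` Since `IDToken`, `OIDCClientSecret` and `PassFunc` carry credentials, a field comment such as `// IDToken and OIDCClientSecret are secrets; do not log this struct with %+v.` would help future maintainers. `Sk` is a terse name; callers set it from `o.SecurityKey.Use`, so `// Sk selects a hardware security key; Slot names the key slot on it.` seems accurate but should be confirmed against the callers' option definitions.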
2 changes: 1 addition & 1 deletion cmd/cosign/cli/sign/sign_test.go
Expand Up @@ -110,7 +110,7 @@ func generateCertificateFiles(t *testing.T, tmpDir string, pf cosign.PassFunc) (
func TestSignCmdLocalKeyAndSk(t *testing.T) {
ro := &options.RootOptions{Timeout: options.DefaultTimeout}

for _, ko := range []options.KeyOpts{
for _, ko := range []KeyOpts{
// local and sk keys
{
KeyRef: "testLocalPath",
Expand Down
2 changes: 1 addition & 1 deletion cmd/cosign/cli/signblob.go
Expand Up @@ -68,7 +68,7 @@ func SignBlob() *cobra.Command {
if err != nil {
return err
}
ko := options.KeyOpts{
ko := sign.KeyOpts{
KeyRef: o.Key,
PassFunc: generate.GetPass,
Sk: o.SecurityKey.Use,
Expand Down
3 changes: 2 additions & 1 deletion cmd/cosign/cli/verify.go
Expand Up @@ -20,6 +20,7 @@ import (
"github.com/spf13/cobra"

"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
"github.com/sigstore/cosign/cmd/cosign/cli/verify"
)

Expand Down Expand Up @@ -248,7 +249,7 @@ The blob may be specified as a path to a file or - for stdin.`,

Args: cobra.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error {
ko := options.KeyOpts{
ko := sign.KeyOpts{
KeyRef: o.Key,
Sk: o.SecurityKey.Use,
Slot: o.SecurityKey.Slot,
Expand Down
7 changes: 4 additions & 3 deletions cmd/cosign/cli/verify/verify_blob.go
Expand Up @@ -35,6 +35,7 @@ import (
"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
"github.com/sigstore/cosign/cmd/cosign/cli/options"
"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
"github.com/sigstore/cosign/cmd/cosign/cli/sign"
"github.com/sigstore/cosign/pkg/blob"
"github.com/sigstore/cosign/pkg/cosign"
"github.com/sigstore/cosign/pkg/cosign/pivkey"
Expand All @@ -60,7 +61,7 @@ func isb64(data []byte) bool {
}

// nolint
func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail,
certOidcIssuer, certChain, sigRef, blobRef string, enforceSCT bool) error {
var verifier signature.Verifier
var cert *x509.Certificate
Expand Down Expand Up @@ -185,7 +186,7 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
return nil
}

func verifySigByUUID(ctx context.Context, ko options.KeyOpts, rClient *client.Rekor, certEmail, certOidcIssuer, sig, b64sig string,
func verifySigByUUID(ctx context.Context, ko sign.KeyOpts, rClient *client.Rekor, certEmail, certOidcIssuer, sig, b64sig string,
uuids []string, blobBytes []byte, enforceSCT bool) error {
var validSigExists bool
for _, u := range uuids {
Expand Down Expand Up @@ -288,7 +289,7 @@ func payloadBytes(blobRef string) ([]byte, error) {
return blobBytes, nil
}

func verifyRekorEntry(ctx context.Context, ko options.KeyOpts, e *models.LogEntryAnon, pubKey signature.Verifier, cert *x509.Certificate, b64sig string, blobBytes []byte) error {
func verifyRekorEntry(ctx context.Context, ko sign.KeyOpts, e *models.LogEntryAnon, pubKey signature.Verifier, cert *x509.Certificate, b64sig string, blobBytes []byte) error {
// If we have a bundle with a rekor entry, let's first try to verify offline
if ko.BundlePath != "" {
if err := verifyRekorBundle(ctx, ko.BundlePath, cert); err == nil {
Expand Down