Add COSE support to Rekor (sigstore#867)

* WIP: Add COSE support to Rekor

This commit adds COSE Sign1 support to rekor via a new data type.
COSE is defined in RFC8152, and provides a signing message envelope.

This is supported in rekor using the veraison/go-cose library. The new
API type requires the signed content, the signature envelope, and the public key.

The public key is in the standard rekor PKI format, at the moment only ECDSA P256
with SHA256 is supported. The signed message only supports in-line bodies (no URL fetching),
and there is no support for pre-hashed entries.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* Completed basic support for COSE records.

This adds some more functionality related to COSE enveleopes.
Features added are:

 - Support for specifying Additional Authentincated Data (AAD)

 - The entire CBOR envelope is stored as an attestation

 - If the payload type is an in-toto statement, subject is indexed

What's not optimal is that the COSE envelope is using the regular
`Attestion()` functionality, which means that rekor cli tries to
print it during `rekor-cli get` and the response record from Rekor
looks a bit awkward.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Updated the documentation for COSE envelopes.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Resolved merge conflicts with main.

The biggest change is adapting the new interface where attestation func
is split to two, one to get the key and a nother to get key/val.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Ran go mod tidy after resolving merge committs.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Added check to see that provided EC key uses the P256 curve.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Spelled out aad when printing the help message.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Updated copyright notice to have current (2022) year.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Removed direct dependency on github.com/pkg/errors and replaced with stdlib
errors package.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Fixed a bug where nil was wrongfully returned instead of err.
Also increas the general test coverage.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Changed aad in artifact properties struct to be []byte instead of string.
This gives the caller the possibility to decide how to decode the data.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Fixed a warning from the linter.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* Added test case for malformed base64 aad parameter.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

* During signature validation, do not store any state until entire validation
is done.

Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>

Co-authored-by: Dan Lorenc <lorenc.d@gmail.com>

Author: kommendorkapten

Makefile

@@ -47,6 +47,7 @@ KO_PREFIX ?= gcr.io/projectsigstore
 export KO_DOCKER_REPO=$(KO_PREFIX)
 REKOR_YAML ?= rekor-$(GIT_TAG).yaml
 GHCR_PREFIX ?= ghcr.io/sigstore/rekor
+GOBIN ?= $(shell go env GOPATH)/bin
 
 # Binaries
 SWAGGER := $(TOOLS_BIN_DIR)/swagger

cmd/rekor-cli/app/pflag_groups.go

@@ -16,6 +16,7 @@
 package app
 
 import (
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/url"
@@ -87,6 +88,11 @@ func addArtifactPFlags(cmd *cobra.Command) error {
 			"path or URL to pre-formatted entry file",
 			false,
 		},
+		"aad": {
+			base64Flag,
+			"base64 encoded additional authenticated data",
+			false,
+		},
 	}
 
 	for flag, flagVal := range flags {
@@ -152,6 +158,10 @@ func CreatePropsFromPflags() *types.ArtifactProperties {
 	}
 
 	props.PKIFormat = viper.GetString("pki-format")
+	b64aad := viper.GetString("aad")
+	if b64aad != "" {
+		props.AdditionalAuthenticatedData, _ = base64.StdEncoding.DecodeString(b64aad)
+	}
 
 	return props
 }

cmd/rekor-cli/app/pflags.go

@@ -16,6 +16,7 @@
 package app
 
 import (
+	"encoding/base64"
 	"fmt"
 	"log"
 	"strconv"
@@ -46,6 +47,7 @@ const (
 	oidFlag       FlagType = "oid"
 	formatFlag    FlagType = "format"
 	timeoutFlag   FlagType = "timeout"
+	base64Flag    FlagType = "base64"
 )
 
 type newPFlagValueFunc func() pflag.Value
@@ -105,6 +107,10 @@ func initializePFlagMap() {
 			// this validates the timeout is >= 0
 			return valueFactory(formatFlag, validateTimeout, "")
 		},
+		base64Flag: func() pflag.Value {
+			// This validates the string is in base64 format
+			return valueFactory(base64Flag, validateBase64, "")
+		},
 	}
 }
 
@@ -239,6 +245,13 @@ func validateTimeout(v string) error {
 	return useValidator(timeoutFlag, d)
 }
 
+// validateBase64 ensures that the supplied string is valid base64 encoded data
+func validateBase64(v string) error {
+	_, err := base64.StdEncoding.DecodeString(v)
+
+	return err
+}
+
 // validateTypeFlag ensures that the string is in the format type(\.version)? and
 // that one of the types requested is implemented
 func validateTypeFlag(v string) error {

cmd/rekor-cli/app/pflags_test.go

@@ -38,6 +38,7 @@ func TestArtifactPFlags(t *testing.T) {
 		signature             string
 		publicKey             string
 		uuid                  string
+		aad                   string
 		uuidRequired          bool
 		logIndex              string
 		logIndexRequired      bool
@@ -346,6 +347,32 @@ func TestArtifactPFlags(t *testing.T) {
 			expectParseSuccess:    true,
 			expectValidateSuccess: false,
 		},
+		{
+			caseDesc:              "valid cose, with aad",
+			typeStr:               "cose",
+			artifact:              "../../../tests/test_cose.cbor",
+			publicKey:             "../../../tests/test_cose.pub",
+			expectParseSuccess:    true,
+			expectValidateSuccess: true,
+			aad:                   "dGVzdCBhYWQ=",
+		},
+		{
+			caseDesc:              "valid cose, malformed base64 aad",
+			typeStr:               "cose",
+			artifact:              "../../../tests/test_cose.cbor",
+			publicKey:             "../../../tests/test_cose.pub",
+			expectParseSuccess:    false,
+			expectValidateSuccess: true,
+			aad:                   "dGVzdCBhYWQ]",
+		},
+		{
+			caseDesc:              "valid cose, missing aad",
+			typeStr:               "cose",
+			artifact:              "../../../tests/test_cose.cbor",
+			publicKey:             "../../../tests/test_cose.pub",
+			expectParseSuccess:    true,
+			expectValidateSuccess: false,
+		},
 	}
 
 	for _, tc := range tests {
@@ -384,6 +411,9 @@ func TestArtifactPFlags(t *testing.T) {
 		if tc.logIndex != "" {
 			args = append(args, "--log-index", tc.logIndex)
 		}
+		if tc.aad != "" {
+			args = append(args, "--aad", tc.aad)
+		}
 
 		if err := blankCmd.ParseFlags(args); (err == nil) != tc.expectParseSuccess {
 			t.Errorf("unexpected result parsing '%v': %v", tc.caseDesc, err)

cmd/rekor-cli/app/root.go

@@ -28,6 +28,7 @@ import (
 
 	// these imports are to call the packages' init methods
 	_ "github.com/sigstore/rekor/pkg/types/alpine/v0.0.1"
+	_ "github.com/sigstore/rekor/pkg/types/cose/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/helm/v0.0.1"
 	_ "github.com/sigstore/rekor/pkg/types/intoto/v0.0.1"

cmd/rekor-server/app/serve.go

@@ -31,6 +31,8 @@ import (
 	"github.com/sigstore/rekor/pkg/log"
 	"github.com/sigstore/rekor/pkg/types/alpine"
 	alpine_v001 "github.com/sigstore/rekor/pkg/types/alpine/v0.0.1"
+	"github.com/sigstore/rekor/pkg/types/cose"
+	cose_v001 "github.com/sigstore/rekor/pkg/types/cose/v0.0.1"
 	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord"
 	hashedrekord_v001 "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	"github.com/sigstore/rekor/pkg/types/helm"
@@ -87,6 +89,7 @@ var serveCmd = &cobra.Command{
 			rpm.KIND:          rpm_v001.APIVERSION,
 			jar.KIND:          jar_v001.APIVERSION,
 			intoto.KIND:       intoto_v001.APIVERSION,
+			cose.KIND:         cose_v001.APIVERSION,
 			rfc3161.KIND:      rfc3161_v001.APIVERSION,
 			alpine.KIND:       alpine_v001.APIVERSION,
 			helm.KIND:         helm_v001.APIVERSION,

go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/mediocregopher/radix/v4 v4.1.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/mapstructure v1.5.0
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.12.2
 	github.com/rs/cors v1.8.2
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74
@@ -37,6 +38,8 @@ require (
 	github.com/theupdateframework/go-tuf v0.3.0
 	github.com/transparency-dev/merkle v0.0.1
 	github.com/urfave/negroni v1.0.0
+	github.com/veraison/go-cose v1.0.0-alpha.1
+	github.com/zalando/go-keyring v0.1.1 // indirect
 	go.uber.org/goleak v1.1.12
 	go.uber.org/zap v1.21.0
 	gocloud.dev v0.24.1-0.20211119014450-028788aaaa4c
@@ -66,6 +69,7 @@ require (
 	github.com/danieljoos/wincred v1.1.1 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/go-openapi/analysis v0.21.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.5 // indirect
 	github.com/go-openapi/jsonreference v0.20.0 // indirect
@@ -95,7 +99,6 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.34.0 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
@@ -108,7 +111,7 @@ require (
 	github.com/tilinna/clock v1.1.0 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect
-	github.com/zalando/go-keyring v0.1.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	go.mongodb.org/mongo-driver v1.8.3 // indirect
 	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect

go.sum

@@ -475,6 +475,8 @@ github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3n
 github.com/fullstorydev/grpcurl v1.8.0/go.mod h1:Mn2jWbdMrQGJQ8UD62uNyMumT2acsZUCkZIqFxsQf1o=
 github.com/fullstorydev/grpcurl v1.8.1/go.mod h1:3BWhvHZwNO7iLXaQlojdg5NA6SxUDePli4ecpK1N7gw=
 github.com/fullstorydev/grpcurl v1.8.6/go.mod h1:WhP7fRQdhxz2TkL97u+TCb505sxfH78W1usyoB3tepw=
+github.com/fxamacker/cbor/v2 v2.4.0 h1:ri0ArlOR+5XunOP8CRUowT0pSJOwhW098ZCUyskZD88=
+github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
 github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E=
 github.com/getsentry/raven-go v0.2.0/go.mod h1:KungGk8q33+aIAZUIVWZDr2OfAEBsO49PX4NzFV5kcQ=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
@@ -1582,13 +1584,17 @@ github.com/valyala/fasttemplate v1.2.1/go.mod h1:KHLXt3tVN2HBp8eijSv/kGJopbvo7S+
 github.com/valyala/quicktemplate v1.7.0/go.mod h1:sqKJnoaOF88V07vkO+9FL8fb9uZg/VPSJnLYn+LmLk8=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/vbatts/tar-split v0.11.2/go.mod h1:vV3ZuO2yWSVsz+pfFzDG/upWH1JhjOiEaWq6kXyQ3VI=
+github.com/veraison/go-cose v1.0.0-alpha.1 h1:W5AhenQOS3ZDsJH2rdDMffLuuFOIoZw6VfIAkPatsRs=
+github.com/veraison/go-cose v1.0.0-alpha.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/viki-org/dnscache v0.0.0-20130720023526-c70c1f23c5d8/go.mod h1:dniwbG03GafCjFohMDmz6Zc6oCuiqgH6tGNyXTkHzXE=
 github.com/vmihailenco/msgpack/v4 v4.3.12 h1:07s4sz9IReOgdikxLTKNbBdqDMLsjPKXwvCazn8G65U=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1 h1:quXMXlA39OCbd2wAdTsGDlK9RkOk6Wuw+x37wVyIuWY=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/weppos/publicsuffix-go v0.15.1-0.20210807195340-dc689ff0bb59/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
 github.com/weppos/publicsuffix-go v0.15.1-0.20220329081811-9a40b608a236/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/go-gitlab v0.31.0/go.mod h1:sPLojNBn68fMUWSxIJtdVVIP8uSBYqesTfDUseX11Ug=
 github.com/xanzy/ssh-agent v0.2.1/go.mod h1:mLlQY/MoOhWBj+gOGMQkOeiEvkx+8pJSI+0Bx9h2kr4=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=

openapi.yaml

@@ -378,6 +378,23 @@ definitions:
         - spec
       additionalProperties: false
 
+  cose:
+    type: object
+    description: COSE object
+    allOf:
+    - $ref: '#/definitions/ProposedEntry'
+    - properties:
+        apiVersion:
+          type: string
+          pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
+        spec:
+          type: object
+          $ref: 'pkg/types/cose/cose_schema.json'
+      required:
+        - apiVersion
+        - spec
+      additionalProperties: false
+
   jar:
     type: object
     description: Java Archive (JAR)