Add COSE support to Rekor #867
Conversation
|
Looks like there's a merge conflict, and github isn't running for some reason. Maybe fixing the merge conflict will poke actions? |
|
Yes, will do. Some merge conflicts I have to resolve first 👍 |
kommendorkapten
force-pushed
the
add_cose
branch
2 times, most recently
from
30fcf43
to
c3180ed
Compare
pkg/types/cose/v0.0.1/entry.go
Outdated
| switch t := cryptoPub.(type) { | ||
| case *rsa.PublicKey: | ||
| alg = gocose.AlgorithmPS256 | ||
| case *ecdsa.PublicKey: |
There was a problem hiding this comment.
Do we need to be a bit more careful here to avoid curve mismatches? Is there a possibility someone actually used PS384 or PS512?
There was a problem hiding this comment.
Yeah, good catch. I can play around a bit more early next week to see if we can tighten up this.
| } | ||
|
|
||
| // If payload is an in-toto statement, let's grab the subjects. | ||
| if rawContentType, ok := v.sign1Msg.Headers.Protected[gocose.HeaderLabelContentType]; ok { |
There was a problem hiding this comment.
This part is interesting, I'm not sure I've seen in-toto statements embedded into COSE envelopes before. I think it makes sense overall though.
Codecov Report
@@ Coverage Diff @@
## main #867 +/- ##
==========================================
+ Coverage 46.24% 46.93% +0.69%
==========================================
Files 60 62 +2
Lines 5138 5414 +276
==========================================
+ Hits 2376 2541 +165
- Misses 2487 2590 +103
- Partials 275 283 +8
Continue to review full report at Codecov.
|
|
Overall LGTM. I'll wait for @bobcallaway to take a look before merging. |
1 similar comment
|
Overall LGTM. I'll wait for @bobcallaway to take a look before merging. |
pkg/types/cose/v0.0.1/entry.go
Outdated
|
|
||
| alg, pk, err := getPublicKey(v.keyObj) | ||
| if err != nil { | ||
| return nil |
There was a problem hiding this comment.
did you mean to return err here?
There was a problem hiding this comment.
Of course, will go over some test coverage here to make sure we got it covered.
pkg/types/cose/v0.0.1/entry.go
Outdated
| v.sign1Msg = gocose.NewSign1Message() | ||
| if err := v.sign1Msg.UnmarshalCBOR(v.CoseObj.Message); err != nil { | ||
| return err | ||
| } | ||
|
|
There was a problem hiding this comment.
should we ensure unmarshaling is successful before assigning the output to v.sign1Msg?
There was a problem hiding this comment.
You mean like this:
coseMsg := gocose.NewSign1Message()
if err := coseMsg.UnmarshalCBOR(v.CoseObj.Message); err != nil {
return err
}
v.sign1Msg = coseMsgI think that makes sense, we can even wait until the signature is verified until we assign it to v.sign1Msg.
There was a problem hiding this comment.
yes, ideally I wouldn't want to partially change the pointer receiver unless all validation is successful.
|
The sharding e2e test failed ( |
|
Oh, found a script, will try that. |
|
I have run the sharding-e2e test now locally three times and am not able to reproduce, the execution succeeds all the time for me. Anyone having an idea? |
|
Hm, this seems to be the issue: The shard id gets a white space ( Running the printf/awk on my machine (macOS) I get a different output Running same command on Ubuntu: I'll prepare a patch for the awk script. |
|
I'll push up a separate PR to fix that, and also add log collection to
sharding-e2e-test.sh since if there is a failure right now we don't capture
the docker-compose logs.
…On Tue, Jun 14, 2022 at 8:49 AM Fredrik Skogman ***@***.***> wrote:
Hm, this seems to be the issue:
++ printf %x 7051007558037933689
++ Awk '{printf "%016s", $0}'
+ HEX_INITIAL_TREE_ID=61da360425720e79
++ printf %x 151938258151519870
++ awk '{printf "%016s", $0}'
+ HEX_INITIAL_SHARD_ID=' 21bcb0a70e9b67e'
+ ENTRY_ID_1=61da360425720e79d2f305428d7c222d7b77f56453dd4b6e6851752ecacc78e5992779c8f9b61dd9
+ ENTRY_ID_2=' 21bcb0a70e9b67e59a575f157274702c38de3ab1e1784226f391fb79500ebf9f02b4439fb77574c'
++ curl -f http://localhost:3000/api/v1/log/entries/retrieve -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{ "entryUUIDs": ["61da360425720e79d2f305428d7c222d7b77f56453dd4b6e6851752ecacc78e5992779c8f9b61dd9", " 21bcb0a70e9b67e59a575f157274702c38de3ab1e1784226f391fb79500ebf9f02b4439fb77574c"]}'
++ jq '. | length'
The shard id gets a white space ( ) as the first character, which is then
input to the UUIDs: "
21bcb0a70e9b67e59a575f157274702c38de3ab1e1784226f391fb79500ebf9f02b4439fb77574c"
.
Running the printf/awk on my (mac I get a different error)
printf %x 151938258151519870 | awk '{printf "%016s", $0}'
021bcb0a70e9b67e
Running same command on Ubuntu:
# printf %x 151938258151519870 | awk '{printf "%016s", $0}'
21bcb0a70e9b67e
I'll prepare a patch for the awk script.
—
Reply to this email directly, view it on GitHub
<#867 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAVWTJKRWNAPOKIW33RKHVDVPB5V5ANCNFSM5YJHEAIA>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
From the GNU awk manual (https://www.gnu.org/software/gawk/manual/html_node/Format-Modifiers.html): (emphasis mine)
|
|
Shamelessly copied this from stackoverflow (some minor modification to work with Tested on both Ubuntu and macOS |
@priyawadhwa @lkatalin is the intent for the value to be left-padded with zeros? |
@bobcallaway |
This commit adds COSE Sign1 support to rekor via a new data type. COSE is defined in RFC8152, and provides a signing message envelope. This is supported in rekor using the veraison/go-cose library. The new API type requires the signed content, the signature envelope, and the public key. The public key is in the standard rekor PKI format, at the moment only ECDSA P256 with SHA256 is supported. The signed message only supports in-line bodies (no URL fetching), and there is no support for pre-hashed entries. Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
This adds some more functionality related to COSE enveleopes. Features added are: - Support for specifying Additional Authentincated Data (AAD) - The entire CBOR envelope is stored as an attestation - If the payload type is an in-toto statement, subject is indexed What's not optimal is that the COSE envelope is using the regular `Attestion()` functionality, which means that rekor cli tries to print it during `rekor-cli get` and the response record from Rekor looks a bit awkward. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
The biggest change is adapting the new interface where attestation func is split to two, one to get the key and a nother to get key/val. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…stdlib errors package. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Also increas the general test coverage. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…ing. This gives the caller the possibility to decide how to decode the data. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
…dation is done. Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
kommendorkapten
force-pushed
the
add_cose
branch
from
142be5b
to
9e8f869
Compare
Summary
Basic support for COSE envelopes.
Added is functionality to upload COSE records, optionally signed with AAD. The AAD is not stored in Rekor.
The COSE envelope is stored as an attestation if attestation storage is enabled, and can so be retrieved via Rekor. The returned envelope is returned in the
attestationfield, not within thebodyfield.What's stored is the hash of the payload and the entire envelope. If the content type of the COSE envelope is an in-toto statement, the payload is parsed and the subject hashes are extracted and indexed for searching.
Ticket Link
This pull requests completes #731.
Release Note