convert signature library to implement crypto.Signer interface (#69)

* Refactor Signature library This patch also allows for: - reuse of signers in APIs where a crypto.Signer is needed (e.g. x509.CreateCertificate()) - more flexibility for using different hash functions with different algorithms (not presuming SHA256 everywhere) - passing transaction Context via options.WithContext() for use when leveraging remote KMS - caching of public keys fetched from remote KMS (anticipating that verification will happen more frequently than key rotation occurs) Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
sigstore · Jul 1, 2021 · 1181ca3 · 1181ca3
1 parent a2db3ec
commit 1181ca3
Show file tree

Hide file tree

Showing 43 changed files with 3,190 additions and 986 deletions.
diff --git a/cmd/sign.go b/cmd/sign.go
@@ -16,17 +16,18 @@
 package cmd
 
 import (
-	"context"
-	"crypto/x509"
-	"encoding/pem"
+	"bytes"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/generated/client/operations"
 	"github.com/sigstore/sigstore/pkg/httpclients"
 	"github.com/sigstore/sigstore/pkg/oauthflow"
@@ -46,8 +47,6 @@ var signCmd = &cobra.Command{
 		}
 	},
 	RunE: func(cmd *cobra.Command, args []string) error {
-		ctx := context.Background()
-
 		payload, err := ioutil.ReadFile(viper.GetString("artifact"))
 		if err != nil {
 			return err
@@ -76,23 +75,21 @@ var signCmd = &cobra.Command{
 		}
 		fmt.Println("\nReceived OpenID Scope retrieved for account:", idToken.Subject)
 
-		signer, err := signature.NewDefaultECDSASignerVerifier()
+		signer, _, err := signature.NewDefaultECDSASignerVerifier()
 		if err != nil {
 			return err
 		}
 
-		pub, err := signer.PublicKey(ctx)
+		pub, err := signer.PublicKey()
 		if err != nil {
 			return err
 		}
-
-		pubBytes, err := x509.MarshalPKIXPublicKey(pub)
-
+		pubBytes, err := cryptoutils.MarshalPublicKeyToDER(pub)
 		if err != nil {
 			return err
 		}
 
-		proof, _, err := signer.Sign(ctx, []byte(idToken.Subject))
+		proof, err := signer.SignMessage(strings.NewReader(idToken.Subject))
 		if err != nil {
 			return err
 		}
@@ -110,44 +107,39 @@ var signCmd = &cobra.Command{
 			os.Exit(1)
 		}
 
-		clientPEM, rootPEM := pem.Decode([]byte(certResp.Payload))
-		certPEM := pem.EncodeToMemory(clientPEM)
-
-		rootBlock, _ := pem.Decode([]byte(rootPEM))
-		if rootBlock == nil {
-			return err
-		}
-
-		certBlock, _ := pem.Decode([]byte(certPEM))
-		if certBlock == nil {
+		certs, err := cryptoutils.UnmarshalCertificatesFromPEM([]byte(certResp.Payload))
+		if err != nil {
 			return err
+		} else if len(certs) == 0 {
+			return errors.New("no certificates were found in response")
 		}
-
-		cert, err := x509.ParseCertificate(certBlock.Bytes)
+		signingCert := certs[0]
+		signingCertPEM, err := cryptoutils.MarshalCertificateToPEM(signingCert)
 		if err != nil {
 			return err
 		}
 
-		fmt.Println("Received signing cerificate with serial number: ", cert.SerialNumber)
+		fmt.Println("Received signing cerificate with serial number: ", signingCert.SerialNumber)
+
+		fmt.Printf("Received signing Cerificate: %+v\n", signingCert.Subject)
 
-		signature, signedVal, err := signer.Sign(ctx, payload)
+		signature, err := signer.SignMessage(bytes.NewReader(payload))
 		if err != nil {
 			panic(fmt.Sprintf("Error occurred while during artifact signing: %s", err))
 		}
 
 		// Send to rekor
 		fmt.Println("Sending entry to transparency log")
 		tlogEntry, err := tlog.UploadToRekor(
-			certPEM,
-			signedVal,
+			signingCertPEM,
 			signature,
 			viper.GetString("rekor-server"),
 			payload,
 		)
 		if err != nil {
 			return err
 		}
-		fmt.Println("Rekor entry successful. Index number: :", tlogEntry)
+		fmt.Println("Rekor entry successful. URL: ", tlogEntry)
 		return nil
 	},
 }

diff --git a/go.mod b/go.mod
@@ -4,17 +4,16 @@ go 1.16
 
 require (
 	cloud.google.com/go v0.81.0
+	github.com/ReneKroon/ttlcache/v2 v2.5.0
 	github.com/coreos/go-oidc/v3 v3.0.0
 	github.com/gabriel-vasile/mimetype v1.2.0
 	github.com/go-openapi/errors v0.20.0
-	github.com/go-openapi/runtime v0.19.28
+	github.com/go-openapi/runtime v0.19.29
 	github.com/go-openapi/strfmt v0.20.1
 	github.com/go-openapi/swag v0.19.15
 	github.com/go-openapi/validate v0.20.2
 	github.com/go-test/deep v1.0.7
-	github.com/golang/snappy v0.0.3 // indirect
 	github.com/google/go-containerregistry v0.4.1
-	github.com/google/trillian v1.3.14-0.20210413093047-5e12fb368c8f
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -25,16 +24,16 @@ require (
 	github.com/pierrec/lz4 v2.6.0+incompatible // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/segmentio/ksuid v1.0.3
-	github.com/sigstore/rekor v0.1.2-0.20210514231425-7e3d950f34c6
+	github.com/sigstore/rekor v0.2.0
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/spf13/cobra v1.1.3
-	github.com/spf13/viper v1.7.1
+	github.com/spf13/viper v1.8.0
 	github.com/stretchr/testify v1.7.0
-	golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b // indirect
-	golang.org/x/net v0.0.0-20210421230115-4e50805a0758 // indirect
-	golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602
-	golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba // indirect
-	google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1
+	github.com/theupdateframework/go-tuf v0.0.0-20201230183259-aee6270feb55
+	golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf
+	golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c
+	golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf
+	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c
 	google.golang.org/protobuf v1.26.0
 	gopkg.in/square/go-jose.v2 v2.5.1
 )