kyverno/pkg/imageverifiers/cosign/certs.go

package cosign

import (
	"bytes"
	"crypto"
	"crypto/x509"
	"encoding/base64"
	"fmt"

	"github.com/sigstore/cosign/v2/pkg/oci"
	"github.com/sigstore/sigstore/pkg/cryptoutils"
	"github.com/sigstore/sigstore/pkg/signature"
)

var signatureAlgorithmMap = map[string]crypto.Hash{
	"":       crypto.SHA256,
	"sha224": crypto.SHA224,
	"sha256": crypto.SHA256,
	"sha384": crypto.SHA384,
	"sha512": crypto.SHA512,
}

func certPoolFromBytes(roots []byte) (*x509.CertPool, error) {
	cp := x509.NewCertPool()
	if !cp.AppendCertsFromPEM(roots) {
		return nil, fmt.Errorf("error creating root cert pool")
	}

	return cp, nil
}

func certFromBytes(pem []byte) (*x509.Certificate, error) {
	var out []byte
	out, err := base64.StdEncoding.DecodeString(string(pem))
	if err != nil {
		// not a base64
		out = pem
	}

	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(out)
	if err != nil {
		return nil, fmt.Errorf("failed to unmarshal certificate from PEM format: %w", err)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certs found in pem file")
	}
	return certs[0], nil
}

func certChainFromBytes(pem []byte) ([]*x509.Certificate, error) {
	return cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pem))
}

func splitCertChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {
	certs, err := cryptoutils.UnmarshalCertificatesFromPEM(pem)
	if err != nil {
		return nil, nil, nil, err
	}

	for _, cert := range certs {
		if !cert.IsCA {
			leaves = append(leaves, cert)
		} else {
			// root certificates are self-signed
			if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
				roots = append(roots, cert)
			} else {
				intermediates = append(intermediates, cert)
			}
		}
	}

	return leaves, intermediates, roots, nil
}

func decodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error) {
	// PEM encoded file.
	pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(raw)
	if err != nil {
		return nil, fmt.Errorf("pem to public key: %w", err)
	}

	return signature.LoadVerifier(pubKey, signatureAlgorithm)
}

func checkSignatureAnnotations(sig oci.Signature, annotations map[string]string) error {
	sigAnnotations, err := sig.Annotations()
	if err != nil {
		return fmt.Errorf("failed to fetch annotation from signature")
	}
	for key, val := range annotations {
		if val != sigAnnotations[key] {
			return fmt.Errorf("annotations mismatch: %s does not match expected value %s for key %s",
				sigAnnotations[key], val, key)
		}
	}
	return nil
}
feat: cosign verifier for new image verifier crd (#12196) * feat: cosign verifier for new image verifier crd Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#12170) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.12 to 1.8.14. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.12...v1.8.14) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> * feat: add MutatingPolicies CRD (#12150) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> * README: fix markdown syntax (#12176) Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> Co-authored-by: shuting <shuting@nirmata.com> * chore(deps): bump sigs.k8s.io/controller-runtime from 0.20.1 to 0.20.2 (#12180) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.20.1 to 0.20.2. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.20.1...v0.20.2) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: cel policies nits (#12184) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * use serviceAccountName instead of deprecated serviceAccount (#12158) Signed-off-by: Francesco Ilario <filario@redhat.com> Co-authored-by: shuting <shuting@nirmata.com> * chore(deps): bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#12179) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) from 1.8.12 to 1.8.14. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.12...v1.8.14) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore(deps): bump github.com/awslabs/amazon-ecr-credential-helper/ecr-login (#12178) Bumps [github.com/awslabs/amazon-ecr-credential-helper/ecr-login](https://github.com/awslabs/amazon-ecr-credential-helper) from 0.0.0-20241227172826-c97b94eac159 to 0.9.1. - [Release notes](https://github.com/awslabs/amazon-ecr-credential-helper/releases) - [Changelog](https://github.com/awslabs/amazon-ecr-credential-helper/blob/main/CHANGELOG.md) - [Commits](https://github.com/awslabs/amazon-ecr-credential-helper/commits/v0.9.1) --- updated-dependencies: - dependency-name: github.com/awslabs/amazon-ecr-credential-helper/ecr-login dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: add notary verifier with tsa support (#12160) * feat: add notary repository Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: add notary verifier Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: more tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: more tests Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * fix: ci Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> * feat: update types Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * fix: codegen (#12195) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat(gctx): add jmespath caching through projections (#11833) feat(gctx): move ready check to runtime Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> * fix: publish codecov reports (#12197) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * chore: format conformance.yaml workflow file (#12194) Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix: add result count for VPs in the CLI (#12193) Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * feat: implement functions Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> --------- Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Signed-off-by: Koichi Shiraishi <zchee.io@gmail.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Francesco Ilario <filario@redhat.com> Signed-off-by: Khaled Emara <khaled.emara@nirmata.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: Mariam Fahmy <mariam.fahmy@nirmata.com> Co-authored-by: Koichi Shiraishi <zchee.io@gmail.com> Co-authored-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: Francesco Ilario <filario@redhat.com> Co-authored-by: Khaled Emara <khaled.emara@nirmata.com> 2025-02-21 06:33:53 +05:30			`package cosign`

			`import (`
			`"bytes"`
			`"crypto"`
			`"crypto/x509"`
			`"encoding/base64"`
			`"fmt"`

			`"github.com/sigstore/cosign/v2/pkg/oci"`
			`"github.com/sigstore/sigstore/pkg/cryptoutils"`
			`"github.com/sigstore/sigstore/pkg/signature"`
			`)`

			`var signatureAlgorithmMap = map[string]crypto.Hash{`
			`"": crypto.SHA256,`
			`"sha224": crypto.SHA224,`
			`"sha256": crypto.SHA256,`
			`"sha384": crypto.SHA384,`
			`"sha512": crypto.SHA512,`
			`}`

			`func certPoolFromBytes(roots []byte) (*x509.CertPool, error) {`
			`cp := x509.NewCertPool()`
			`if !cp.AppendCertsFromPEM(roots) {`
			`return nil, fmt.Errorf("error creating root cert pool")`
			`}`

			`return cp, nil`
			`}`

			`func certFromBytes(pem []byte) (*x509.Certificate, error) {`
			`var out []byte`
			`out, err := base64.StdEncoding.DecodeString(string(pem))`
			`if err != nil {`
			`// not a base64`
			`out = pem`
			`}`

			`certs, err := cryptoutils.UnmarshalCertificatesFromPEM(out)`
			`if err != nil {`
			`return nil, fmt.Errorf("failed to unmarshal certificate from PEM format: %w", err)`
			`}`
			`if len(certs) == 0 {`
			`return nil, fmt.Errorf("no certs found in pem file")`
			`}`
			`return certs[0], nil`
			`}`

			`func certChainFromBytes(pem []byte) ([]*x509.Certificate, error) {`
			`return cryptoutils.LoadCertificatesFromPEM(bytes.NewReader(pem))`
			`}`

			`func splitCertChain(pem []byte) (leaves, intermediates, roots []*x509.Certificate, err error) {`
			`certs, err := cryptoutils.UnmarshalCertificatesFromPEM(pem)`
			`if err != nil {`
			`return nil, nil, nil, err`
			`}`

			`for _, cert := range certs {`
			`if !cert.IsCA {`
			`leaves = append(leaves, cert)`
			`} else {`
			`// root certificates are self-signed`
			`if bytes.Equal(cert.RawSubject, cert.RawIssuer) {`
			`roots = append(roots, cert)`
			`} else {`
			`intermediates = append(intermediates, cert)`
			`}`
			`}`
			`}`

			`return leaves, intermediates, roots, nil`
			`}`

			`func decodePEM(raw []byte, signatureAlgorithm crypto.Hash) (signature.Verifier, error) {`
			`// PEM encoded file.`
			`pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(raw)`
			`if err != nil {`
			`return nil, fmt.Errorf("pem to public key: %w", err)`
			`}`

			`return signature.LoadVerifier(pubKey, signatureAlgorithm)`
			`}`

			`func checkSignatureAnnotations(sig oci.Signature, annotations map[string]string) error {`
			`sigAnnotations, err := sig.Annotations()`
			`if err != nil {`
			`return fmt.Errorf("failed to fetch annotation from signature")`
			`}`
			`for key, val := range annotations {`
			`if val != sigAnnotations[key] {`
			`return fmt.Errorf("annotations mismatch: %s does not match expected value %s for key %s",`
			`sigAnnotations[key], val, key)`
			`}`
			`}`
			`return nil`
			`}`