Normalisation and Signing of Component Descriptor #47

enrico-kaack-comp · 2021-10-20T09:27:23Z

What this PR does / why we need it:
Introduces normalisation and signing.
Only implements Private Key based signing right now.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

To generate private and public key:

openssl genrsa -out private 4096
openssl rsa -in private -outform PEM -pubout -out public

Release note:

bindings-go/apis/v2/cdutils/normalize.go

bindings-go/apis/v2/componentdescriptor.go

bindings-go/apis/v2/signatures/rsa.go

bindings-go/apis/v2/signatures/types.go

bindings-go/main/main.go

enrico-kaack-comp · 2021-11-04T09:58:02Z

Open Questions:

support more Hash Algorithms other than sha256 (SHA512, SHA3_256, SHA3_512)?
Signing standard RSASSA-PKCS1-V1_5-SIGN suitable or should RSASSA-PSS be used?

bindings-go/apis/v2/componentdescriptor.go

bindings-go/apis/v2/signatures/normalize.go

bindings-go/apis/v2/signatures/rsa.go

bindings-go/apis/v2/signatures/types.go

schrodit · 2021-11-05T11:45:46Z

Open Questions:

support more Hash Algorithms other than sha256 (SHA512, SHA3_256, SHA3_512)?

Signing standard RSASSA-PKCS1-V1_5-SIGN suitable or should RSASSA-PSS be used?

I think we should at least support sha512. But on the otherhand everyone is free to use other algorithms as they can create their own Hasher struct.

Signing standard RSASSA-PKCS1-V1_5-SIGN suitable or should RSASSA-PSS be used?

I'm no security expert so i will forward that question to @ThormaehlenFred

gardener-robot · 2021-11-07T03:06:39Z

@jschicktanz You have pull request review open invite, please check

bindings-go/apis/v2/signatures/normalize.go

bindings-go/apis/v2/componentdescriptor.go

allows ommiting a digest by setting it nil

better types, disable html escaping

bindings-go/apis/v2/componentdescriptor.go

enrico-kaack-comp · 2022-02-15T10:41:12Z

Sugestion: change Digest.Algorithm and Digest.Value to Digest.Digest = sha256:asd @mandelsoft
for consistency.
DONE: As discussed, leave it as two separat values.

enrico-kaack-comp · 2022-02-17T14:17:39Z

DONE: write digest algorithm e.g. sha256 always lowercase

enrico-kaack-comp · 2022-02-25T11:32:08Z

Consider changing rsa test key generation.
Otherwise, merge on monday.

First implementation

a06bf79

enrico-kaack-comp requested a review from schrodit October 20, 2021 09:27

gardener-robot added needs/review Needs review size/l Size of pull request is large (see gardener-robot robot/bots/size.py) needs/second-opinion Needs second review by someone else labels Oct 20, 2021

schrodit suggested changes Oct 21, 2021

View reviewed changes

gardener-robot added the needs/changes Needs (more) changes label Oct 21, 2021

enrico-kaack-comp added 3 commits October 22, 2021 13:36

Feedbacj improvements

ac96863

improvements syntax

f9fc5f5

hash function now exchangeable

946c8c3

gardener-robot added size/xl Size of pull request is huge (see gardener-robot robot/bots/size.py) and removed size/l Size of pull request is large (see gardener-robot robot/bots/size.py) labels Oct 26, 2021

enrico-kaack-comp added 5 commits October 26, 2021 16:53

add context to digestToComponentDescriptor resolvers

6c0da39

add error to componentReference and resourceResolver callbacks

bc2cc68

normalisation type to normalisation version

bdc91cf

adopt example to modified spec

3b38896

check public key to be a rsa public key

5c6836e

enrico-kaack-comp added 4 commits November 4, 2021 10:59

removed unused hash algorithms and todos

8aa01b9

omit signatures in json if empty

67a43fc

add tests

8a942c2

improve example

36b076e

enrico-kaack-comp requested review from schrodit and jschicktanz November 4, 2021 13:50

schrodit suggested changes Nov 5, 2021

View reviewed changes

ccwienk reviewed Nov 9, 2021

View reviewed changes

bindings-go/apis/v2/signatures/normalize.go Outdated Show resolved Hide resolved

ccwienk reviewed Nov 9, 2021

View reviewed changes

bindings-go/apis/v2/signatures/normalize.go Outdated Show resolved Hide resolved

schrodit reviewed Nov 9, 2021

View reviewed changes

bindings-go/apis/v2/componentdescriptor.go Show resolved Hide resolved

enrico-kaack-comp added 11 commits November 10, 2021 09:44

Feedback PR Review

a3c3fc2

make format

0e3c2bd

deepSort fails on unknown type, so does normalising

d0799b8

change digest to pointer

b2d695a

allows ommiting a digest by setting it nil

make SelectSignatureByName public

507e1a6

update to latest spec changes

9435823

improved normalisation

1b370ec

better types, disable html escaping

Add Resource Digster interface and localOciBlobV1 type

1c6ec8c

ignore digest for res.access.type == None

5fa1b73

add s3 types

aa4954d

allow missing res digests in normailsation

f31d5ff

enrico-kaack-comp commented Feb 15, 2022

View reviewed changes

bindings-go/apis/v2/componentdescriptor.go Outdated Show resolved Hide resolved

enrico-kaack-comp added 6 commits February 22, 2022 15:50

hash algorithm to lowercase

7b74c2a

update tests to current logic

5cce38c

changed naming of normalisation algorithms

8f95d2a

addapt python and json schema to new signature properties

ee17899

fix updated python and json schema adoption

ef3ab49

python improvement

8137ce2

enrico-kaack-comp marked this pull request as ready for review February 25, 2022 09:09

enrico-kaack-comp added 6 commits February 25, 2022 10:39

adapt tests to changed normalisation type

4f8daa0

removed unused code

20aeac9

docstring

6ebc5b9

error handlingimprovement

5206bc9

typos

e0968b5

introduced const for hash algorithm

d3ec35e

jschicktanz approved these changes Feb 28, 2022

View reviewed changes

enrico-kaack-comp merged commit 7eb2343 into gardener-attic:master Feb 28, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Normalisation and Signing of Component Descriptor #47

Normalisation and Signing of Component Descriptor #47

enrico-kaack-comp commented Oct 20, 2021 •

edited

Loading

enrico-kaack-comp commented Nov 4, 2021

schrodit commented Nov 5, 2021 •

edited

Loading

gardener-robot commented Nov 7, 2021

enrico-kaack-comp commented Feb 15, 2022 •

edited

Loading

enrico-kaack-comp commented Feb 17, 2022 •

edited

Loading

enrico-kaack-comp commented Feb 25, 2022

Normalisation and Signing of Component Descriptor #47

Normalisation and Signing of Component Descriptor #47

Conversation

enrico-kaack-comp commented Oct 20, 2021 • edited Loading

enrico-kaack-comp commented Nov 4, 2021

schrodit commented Nov 5, 2021 • edited Loading

gardener-robot commented Nov 7, 2021

enrico-kaack-comp commented Feb 15, 2022 • edited Loading

enrico-kaack-comp commented Feb 17, 2022 • edited Loading

enrico-kaack-comp commented Feb 25, 2022

enrico-kaack-comp commented Oct 20, 2021 •

edited

Loading

schrodit commented Nov 5, 2021 •

edited

Loading

enrico-kaack-comp commented Feb 15, 2022 •

edited

Loading

enrico-kaack-comp commented Feb 17, 2022 •

edited

Loading