Normalisation and Signing of Component Descriptor

bindings-go/apis/v2/cdutils/normalize.go

@@ -0,0 +1,232 @@
+package cdutils
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"sort"
+
+	v2 "github.com/gardener/component-spec/bindings-go/apis/v2"
+	"github.com/gardener/component-spec/bindings-go/apis/v2/signatures"
+)
+
+type Entry map[string]interface{}
+
+func AddDigestsToComponentDescriptor(cd *v2.ComponentDescriptor, compRefResolver func(v2.ComponentDescriptor, v2.ComponentReference) v2.DigestSpec,
+	resResolver func(v2.ComponentDescriptor, v2.Resource) v2.DigestSpec) {
+
+	for i, reference := range cd.ComponentReferences {
+		if reference.Digest.Algorithm == "" || reference.Digest.Value == "" {
+			cd.ComponentReferences[i].Digest = compRefResolver(*cd, reference)
+		}
+	}
+
+	for i, res := range cd.Resources {
+		if res.Digest.Algorithm == "" || res.Digest.Value == "" {
+			cd.Resources[i].Digest = resResolver(*cd, res)
+		}
+	}
+}
+
+// HashForComponentDescriptor return the hash for the component-descriptor, if it is normaliseable
+// (= componentReferences and resources contain digest field)
+func HashForComponentDescriptor(cd v2.ComponentDescriptor) (string, error) {
+	normalisedComponentDescriptor, err := normalizeComponentDescriptor(cd)
+	if err != nil {
+		return "", fmt.Errorf("failed normalising component descriptor %w", err)
+	}
+	hash := sha256.Sum256(normalisedComponentDescriptor)
+
+	return hex.EncodeToString(hash[:]), nil
+}
+
+func SignComponentDescriptor(cd *v2.ComponentDescriptor, signer signatures.Signer) error {
+	hashCd, err := HashForComponentDescriptor(*cd)
+	if err != nil {
+		return fmt.Errorf("failed getting hash for cd: %w", err)
+	}
+	decodedHash, err := hex.DecodeString(hashCd)
+	if err != nil {
+		return fmt.Errorf("failed decoding hash to bytes")
+	}
+
+	signature, err := signer.Sign(decodedHash)
+	if err != nil {
+		return fmt.Errorf("failed signing hash of normalised component descriptor, %w", err)
+	}
+	cd.Signatures = append(cd.Signatures, v2.Signature{NormalisationType: v2.NormalisationTypeV1, Digest: v2.DigestSpec{
+		Algorithm: "sha256",
+		Value:     hashCd,
+	},
+		Signature: *signature,
+	})
+	return nil
+}
+
+// VerifySignedComponentDescriptor verifies the signature and hash of the component-descriptor.
+// Returns error if verification fails.
+func VerifySignedComponentDescriptor(cd *v2.ComponentDescriptor, verifier signatures.Verifier) error {
+	//Verify hash with signature
+	err := verifier.Verify(cd.Signatures[0])
+	if err != nil {
+		return fmt.Errorf("failed verifying: %w", err)
+	}
+
+	//Verify normalised cd to given (and verified) hash
+	hashCd, err := HashForComponentDescriptor(*cd)
+	if err != nil {
+		return fmt.Errorf("failed getting hash for cd: %w", err)
+	}
+	if hashCd != cd.Signatures[0].Digest.Value {
+		return fmt.Errorf("normalised component-descriptor does not match signed hash")
+	}
+
+	return nil
+}
+
+func normalizeComponentDescriptor(cd v2.ComponentDescriptor) ([]byte, error) {
+	if err := isNormaliseable(cd); err != nil {
+		return nil, fmt.Errorf("can not normalise component-descriptor %s:%s: %w", cd.Name, cd.Version, err)
+	}
+
+	var normalizedComponentDescriptor []Entry
+
+	meta := []Entry{
+		{"schemaVersion": cd.Metadata.Version},
+	}
+	normalizedComponentDescriptor = append(normalizedComponentDescriptor, Entry{"meta": meta})
+
+	componentReferences := [][]Entry{}
+	for _, ref := range cd.ComponentSpec.ComponentReferences {
+		extraIdentity := buildExtraIdentity(ref.ExtraIdentity)
+
+		digest := []Entry{
+			{"algorithm": ref.Digest.Algorithm},
+			{"value": ref.Digest.Value},
+		}
+
+		componentReference := []Entry{
+			{"name": ref.Name},
+			{"version": ref.Version},
+			{"extraIdentity": extraIdentity},
+			{"digest": digest},
+		}
+		componentReferences = append(componentReferences, componentReference)
+	}
+
+	resources := [][]Entry{}
+	for _, res := range cd.ComponentSpec.Resources {
+		extraIdentity := buildExtraIdentity(res.ExtraIdentity)
+
+		digest := []Entry{
+			{"algorithm": res.Digest.Algorithm},
+			{"value": res.Digest.Value},
+		}
+
+		resource := []Entry{
+			{"name": res.Name},
+			{"version": res.Version},
+			{"extraIdentity": extraIdentity},
+			{"digest": digest},
+		}
+		resources = append(resources, resource)
+	}
+
+	sources := [][]Entry{}
+	for _, src := range cd.ComponentSpec.Sources {
+		extraIdentity := buildExtraIdentity(src.ExtraIdentity)
+
+		source := []Entry{
+			{"name": src.Name},
+			{"version": src.Version},
+			{"extraIdentity": extraIdentity},
+		}
+		sources = append(sources, source)
+	}
+
+	var componentSpec []Entry
+	componentSpec = append(componentSpec, Entry{"name": cd.ComponentSpec.Name})
+	componentSpec = append(componentSpec, Entry{"version": cd.ComponentSpec.Version})
+	componentSpec = append(componentSpec, Entry{"componentReferences": componentReferences})
+	componentSpec = append(componentSpec, Entry{"resources": resources})
+	componentSpec = append(componentSpec, Entry{"sources": sources})
+
+	normalizedComponentDescriptor = append(normalizedComponentDescriptor, Entry{"component": componentSpec})
+	deepSort(normalizedComponentDescriptor)
+	normalizedString, err := json.Marshal(normalizedComponentDescriptor)
+	if err != nil {
+		return nil, err
+	}
+
+	return normalizedString, nil
+}
+
+func buildExtraIdentity(identity v2.Identity) []Entry {
+	var extraIdentities []Entry
+	for k, v := range identity {
+		extraIdentities = append(extraIdentities, Entry{k: v})
+	}
+	return extraIdentities
+}
+
+// deepSort sorts Entry, []Enry and [][]Entry interfaces recursively, lexicographicly by key(Entry).
+func deepSort(in interface{}) {
+	switch castIn := in.(type) {
+	case []Entry:
+		for _, entry := range castIn {
+			var val interface{}
+			for _, v := range entry {
+				val = v
+			}
+			deepSort(val)
+
+		}
+		sort.SliceStable(castIn, func(i, j int) bool {
+			var keyI string
+			for k := range castIn[i] {
+				keyI = k
+			}
+
+			var keyJ string
+			for k := range castIn[j] {
+				keyJ = k
+			}
+
+			return keyI < keyJ
+		})
+	case Entry:
+		var val interface{}
+		for _, v := range castIn {
+			val = v
+		}
+		deepSort(val)
+	case [][]Entry:
+		for _, v := range castIn {
+			deepSort(v)
+		}
+	case string:
+		break
+	default:
+		fmt.Println("unknow type")
+	}
+}
+
+// isNormaliseable checks if componentReferences and resources contain digest.
+// Does NOT verify the digest is correct
+func isNormaliseable(cd v2.ComponentDescriptor) error {
+	// check for digests on component references
+	for _, reference := range cd.ComponentReferences {
+		if reference.Digest.Algorithm == "" || reference.Digest.Value == "" {
+			return fmt.Errorf("missing digest in componentReference for %s:%s", reference.Name, reference.Version)
+		}
+	}
+
+	// check for digests on resources
+	for _, res := range cd.Resources {
+		if res.Digest.Algorithm == "" || res.Digest.Value == "" {
+			return fmt.Errorf("missing digest in resource for %s:%s", res.Name, res.Version)
+		}
+	}
+	return nil
+}

bindings-go/apis/v2/componentdescriptor.go

@@ -71,6 +71,9 @@ type ComponentDescriptor struct {
 	Metadata Metadata `json:"meta"`
 	// Spec contains the specification of the component.
 	ComponentSpec `json:"component"`
+
+	// Signatures contains a list of signatures for the ComponentDescriptor
+	Signatures []Signature `json:"signatures"`
 }
 
 // ComponentSpec defines a virtual component with
@@ -351,6 +354,10 @@ type SourceRef struct {
 type Resource struct {
 	IdentityObjectMeta `json:",inline"`
 
+	// Digest is the optional digest of the referenced component.
+	// +optional
+	Digest DigestSpec `json:"digest,omitempty"`
+
 	// Relation describes the relation of the resource to the component.
 	// Can be a local or external resource
 	Relation ResourceRelation `json:"relation,omitempty"`
@@ -377,6 +384,9 @@ type ComponentReference struct {
 	// ExtraIdentity is the identity of an object.
 	// An additional label with key "name" ist not allowed
 	ExtraIdentity Identity `json:"extraIdentity,omitempty"`
+	// Digest is the optional digest of the referenced component.
+	// +optional
+	Digest DigestSpec `json:"digest,omitempty"`
 	// Labels defines an optional set of additional labels
 	// describing the object.
 	// +optional
@@ -427,3 +437,31 @@ func (o *ComponentReference) GetIdentity() Identity {
 func (o *ComponentReference) GetIdentityDigest() []byte {
 	return o.GetIdentity().Digest()
 }
+
+// DigestSpec defines the digest and algorithm.
+// +k8s:deepcopy-gen=true
+// +k8s:openapi-gen=true
+type DigestSpec struct {
+	Algorithm string `json:"algorithm"`
+	Value     string `json:"value"`
+}
+
+// SignatureSpec defines the signature and algorithm.
+// +k8s:deepcopy-gen=true
+// +k8s:openapi-gen=true
+type SignatureSpec struct {
+	Algorithm string `json:"algorithm"`
+	Data      string `json:"data"`
+}
+
+type NormalisationType string
+
+const (
+	NormalisationTypeV1 NormalisationType = "v1"
+)
+
+type Signature struct {
+	NormalisationType NormalisationType `json:"normalisationType"`
+	Digest            DigestSpec        `json:"digest"`
+	Signature         SignatureSpec     `json:"signature"`
+}

bindings-go/apis/v2/signatures/rsa.go

@@ -0,0 +1,86 @@
+package signatures
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+
+	v2 "github.com/gardener/component-spec/bindings-go/apis/v2"
+)
+
+type RsaSigner struct {
+	privateKey rsa.PrivateKey
+}
+
+func CreateRsaSignerFromKeyFile(pathToPrivateKey string) (*RsaSigner, error) {
+	privKeyFile, err := ioutil.ReadFile(pathToPrivateKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed opening private key file %w", err)
+	}
+
+	block, _ := pem.Decode([]byte(privKeyFile))
+	if block == nil {
+		return nil, fmt.Errorf("failed decoding PEM formatted block in key %w", err)
+	}
+	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed parsing key %w", err)
+	}
+	return &RsaSigner{
+		privateKey: *key,
+	}, nil
+}
+
+func (s RsaSigner) Sign(data []byte) (*v2.SignatureSpec, error) {
+	signature, err := rsa.SignPKCS1v15(nil, &s.privateKey, crypto.SHA256, data)
+	if err != nil {
+		return nil, fmt.Errorf("failed signing hash, %w", err)
+	}
+	return &v2.SignatureSpec{
+		Algorithm: "RSASSA-PKCS1-V1_5-SIGN", //TODO: check
+		Data:      hex.EncodeToString(signature),
+	}, nil
+}
+
+type RsaVerifier struct {
+	publicKey rsa.PublicKey
+}
+
+func CreateRsaVerifierFromKeyFile(pathToPublicKey string) (*RsaVerifier, error) {
+	publicKey, err := ioutil.ReadFile(pathToPublicKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed opening public key file %w", err)
+	}
+	block, _ := pem.Decode([]byte(publicKey))
+	if block == nil {
+		return nil, fmt.Errorf("failed decoding PEM formatted block in key %w", err)
+	}
+	untypedKey, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed parsing key %w", err)
+	}
+	key := untypedKey.(*rsa.PublicKey)
+	return &RsaVerifier{
+		publicKey: *key,
+	}, nil
+}
+
+func (v RsaVerifier) Verify(signature v2.Signature) error {
+	decodedHash, err := hex.DecodeString(signature.Digest.Value)
+	if err != nil {
+		return fmt.Errorf("failed decoding hash %s: %w", signature.Digest.Value, err)
+	}
+	decodedSignature, err := hex.DecodeString(signature.Signature.Data)
+	if err != nil {
+		return fmt.Errorf("failed decoding hash %s: %w", signature.Digest.Value, err)
+	}
+	err = rsa.VerifyPKCS1v15(&v.publicKey, crypto.SHA256, decodedHash, decodedSignature)
+	if err != nil {
+		return fmt.Errorf("signature verification failed, %w", err)
+	}
+	return nil
+}

bindings-go/apis/v2/signatures/types.go

@@ -0,0 +1,11 @@
+package signatures
+
+import v2 "github.com/gardener/component-spec/bindings-go/apis/v2"
+
+type Signer interface {
+	Sign(data []byte) (*v2.SignatureSpec, error)
+}
+
+type Verifier interface {
+	Verify(signature v2.Signature) error
+}