From 94dd4ce2f7b7fdb28c2f790d5f16c38d64ccc358 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Sun, 26 May 2024 21:49:24 +0530 Subject: [PATCH 1/5] feat: add validation of required fields in the bundle Signed-off-by: Vishal Choudhary --- go.mod | 1 + go.sum | 4 +++ pkg/bundle/bundle.go | 10 +++++-- pkg/bundle/bundle_test.go | 60 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 72 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4ec87895..17ddab53 100644 --- a/go.mod +++ b/go.mod @@ -19,6 +19,7 @@ require ( github.com/sigstore/timestamp-authority v1.2.2 github.com/stretchr/testify v1.9.0 github.com/theupdateframework/go-tuf/v2 v2.0.0 + go.einride.tech/aip v0.67.1 golang.org/x/crypto v0.25.0 golang.org/x/mod v0.19.0 google.golang.org/protobuf v1.34.2 diff --git a/go.sum b/go.sum index 9d4e093d..c3991588 100644 --- a/go.sum +++ b/go.sum @@ -307,6 +307,8 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms= github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk= +go.einride.tech/aip v0.67.1 h1:d/4TW92OxXBngkSOwWS2CH5rez869KpKMaN44mdxkFI= +go.einride.tech/aip v0.67.1/go.mod h1:ZGX4/zKw8dcgzdLsrvpOOGxfxI2QSk12SlP7d6c0/XI= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= @@ -371,6 +373,8 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= +gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go index ef4afaab..53a46d4a 100644 --- a/pkg/bundle/bundle.go +++ b/pkg/bundle/bundle.go @@ -26,11 +26,11 @@ import ( protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" - "golang.org/x/mod/semver" - "google.golang.org/protobuf/encoding/protojson" - "github.com/sigstore/sigstore-go/pkg/tlog" "github.com/sigstore/sigstore-go/pkg/verify" + "go.einride.tech/aip/fieldbehavior" + "golang.org/x/mod/semver" + "google.golang.org/protobuf/encoding/protojson" ) var ErrValidation = errors.New("validation error") @@ -112,6 +112,10 @@ func (b *ProtobufBundle) validate() error { return fmt.Errorf("%w: bundle version %s is not yet supported", ErrUnsupportedMediaType, bundleVersion) } + if err := fieldbehavior.ValidateRequiredFields(b.Bundle); err != nil { + return fmt.Errorf("bundle validation failed: %w", err) + } + return nil } diff --git a/pkg/bundle/bundle_test.go b/pkg/bundle/bundle_test.go index 162c3ff6..d9cb3914 100644 --- a/pkg/bundle/bundle_test.go +++ b/pkg/bundle/bundle_test.go @@ -25,6 +25,7 @@ import ( protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" rekorv1 "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1" _ "github.com/sigstore/rekor/pkg/types/hashedrekord" "github.com/stretchr/testify/require" @@ -749,3 +750,62 @@ func TestTimestamps(t *testing.T) { }) } } + +func Test_BundleValidation(t *testing.T) { + tests := []struct { + name string + bundle *ProtobufBundle + errMsg string + wantErr bool + }{ + { + name: "Empty verification material", + bundle: &ProtobufBundle{ + Bundle: &protobundle.Bundle{ + MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", + VerificationMaterial: &protobundle.VerificationMaterial{}, + Content: nil, + }, + }, + errMsg: "bundle validation failed: missing required field: verification_material.public_key", + wantErr: true, + }, + { + name: "No verification material", + bundle: &ProtobufBundle{ + Bundle: &protobundle.Bundle{ + MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", + Content: nil, + }, + }, + errMsg: "bundle validation failed: missing required field: verification_material", + wantErr: true, + }, + { + name: "Valid protobuf bundle", + bundle: &ProtobufBundle{ + Bundle: &protobundle.Bundle{ + MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", + Content: nil, + VerificationMaterial: &protobundle.VerificationMaterial{ + Content: &protobundle.VerificationMaterial_PublicKey{ + PublicKey: &v1.PublicKeyIdentifier{}, + }, + TimestampVerificationData: &protobundle.TimestampVerificationData{}, + }, + }, + }, + errMsg: "", + wantErr: false, + }, + } + for _, tt := range tests { + t.Run(fmt.Sprintf("name:%s", tt.name), func(t *testing.T) { + err := tt.bundle.validate() + if (err != nil) != tt.wantErr || (err != nil && tt.errMsg != err.Error()) { + t.Errorf("Protobuf.Bundle() error = %v, wantErr %v", err, tt.errMsg) + return + } + }) + } +} From b726ea7e49f95448ec62a9a95a671124224b0279 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Sat, 1 Jun 2024 22:48:42 +0530 Subject: [PATCH 2/5] feat: add function for validating bundle Signed-off-by: Vishal Choudhary --- go.mod | 16 ++++++++++++++- go.sum | 27 ++++++++++++++++++++------ pkg/bundle/bundle.go | 41 ++++++++++++++++++++++++++++++++++----- pkg/bundle/bundle_test.go | 28 +++++++++++++++++++------- 4 files changed, 93 insertions(+), 19 deletions(-) diff --git a/go.mod b/go.mod index 17ddab53..37dd7c13 100644 --- a/go.mod +++ b/go.mod @@ -23,6 +23,10 @@ require ( golang.org/x/crypto v0.25.0 golang.org/x/mod v0.19.0 google.golang.org/protobuf v1.34.2 + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 + golang.org/x/crypto v0.23.0 + golang.org/x/mod v0.17.0 + google.golang.org/protobuf v1.34.1 ) require ( @@ -31,6 +35,7 @@ require ( github.com/blang/semver v3.5.1+incompatible // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect + github.com/fatih/color v1.16.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-jose/go-jose/v4 v4.0.2 // indirect @@ -57,11 +62,12 @@ require ( github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect - github.com/pelletier/go-toml/v2 v2.1.0 // indirect + github.com/pelletier/go-toml/v2 v2.1.1 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect @@ -93,6 +99,14 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect google.golang.org/grpc v1.64.1 // indirect + golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect + golang.org/x/net v0.23.0 // indirect + golang.org/x/sync v0.6.0 // indirect + golang.org/x/sys v0.20.0 // indirect + golang.org/x/term v0.20.0 // indirect + golang.org/x/text v0.15.0 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect + gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect diff --git a/go.sum b/go.sum index c3991588..c7cdac35 100644 --- a/go.sum +++ b/go.sum @@ -222,8 +222,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= -github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= -github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= +github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI= +github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -307,8 +307,6 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms= github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk= -go.einride.tech/aip v0.67.1 h1:d/4TW92OxXBngkSOwWS2CH5rez869KpKMaN44mdxkFI= -go.einride.tech/aip v0.67.1/go.mod h1:ZGX4/zKw8dcgzdLsrvpOOGxfxI2QSk12SlP7d6c0/XI= go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80= go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= @@ -351,6 +349,25 @@ golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= +golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= +golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc= +golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= +golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= +golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= +golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= +golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= +golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= +golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= +golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk= @@ -373,8 +390,6 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= -gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go index 53a46d4a..746e5c30 100644 --- a/pkg/bundle/bundle.go +++ b/pkg/bundle/bundle.go @@ -28,7 +28,6 @@ import ( protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" "github.com/sigstore/sigstore-go/pkg/tlog" "github.com/sigstore/sigstore-go/pkg/verify" - "go.einride.tech/aip/fieldbehavior" "golang.org/x/mod/semver" "google.golang.org/protobuf/encoding/protojson" ) @@ -70,6 +69,10 @@ func NewProtobufBundle(pbundle *protobundle.Bundle) (*ProtobufBundle, error) { } func (b *ProtobufBundle) validate() error { + err := validateBundle(b.Bundle) + if err != nil { + return fmt.Errorf("invalid bundle: %w", err) + } bundleVersion, err := getBundleVersion(b.Bundle.MediaType) if err != nil { return fmt.Errorf("error getting bundle version: %w", err) @@ -112,10 +115,6 @@ func (b *ProtobufBundle) validate() error { return fmt.Errorf("%w: bundle version %s is not yet supported", ErrUnsupportedMediaType, bundleVersion) } - if err := fieldbehavior.ValidateRequiredFields(b.Bundle); err != nil { - return fmt.Errorf("bundle validation failed: %w", err) - } - return nil } @@ -162,6 +161,38 @@ func getBundleVersion(mediaType string) (string, error) { return "", fmt.Errorf("%w: %s", ErrUnsupportedMediaType, mediaType) } +func validateBundle(b *protobundle.Bundle) error { + if b == nil { + return fmt.Errorf("empty protobuf bundle") + } + + if b.Content == nil { + return fmt.Errorf("missing bundle content") + } + + switch b.Content.(type) { + case *protobundle.Bundle_DsseEnvelope, *protobundle.Bundle_MessageSignature: + default: + return fmt.Errorf("invalid bundle content: bundle content must be either a message signature or dsse envelope") + } + + if b.VerificationMaterial == nil { + return fmt.Errorf("missing verification material") + } + + if b.VerificationMaterial.Content == nil { + return fmt.Errorf("missing verification material content") + } + + switch b.VerificationMaterial.Content.(type) { + case *protobundle.VerificationMaterial_PublicKey, *protobundle.VerificationMaterial_Certificate, *protobundle.VerificationMaterial_X509CertificateChain: + default: + return fmt.Errorf("invalid verififcation material content: verification material must be one of public key, x509 certificate and x509 certificate chain") + } + + return nil +} + func LoadJSONFromPath(path string) (*ProtobufBundle, error) { var bundle ProtobufBundle bundle.Bundle = new(protobundle.Bundle) diff --git a/pkg/bundle/bundle_test.go b/pkg/bundle/bundle_test.go index d9cb3914..f5037c9a 100644 --- a/pkg/bundle/bundle_test.go +++ b/pkg/bundle/bundle_test.go @@ -762,23 +762,37 @@ func Test_BundleValidation(t *testing.T) { name: "Empty verification material", bundle: &ProtobufBundle{ Bundle: &protobundle.Bundle{ - MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", - VerificationMaterial: &protobundle.VerificationMaterial{}, - Content: nil, + MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", + VerificationMaterial: &protobundle.VerificationMaterial{ + Content: nil, + }, + Content: &protobundle.Bundle_MessageSignature{}, }, }, - errMsg: "bundle validation failed: missing required field: verification_material.public_key", + errMsg: "invalid bundle: missing verification material content", wantErr: true, }, { - name: "No verification material", + name: "No bundle content", bundle: &ProtobufBundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", Content: nil, }, }, - errMsg: "bundle validation failed: missing required field: verification_material", + errMsg: "invalid bundle: missing bundle content", + wantErr: true, + }, + { + name: "Nil verification material", + bundle: &ProtobufBundle{ + Bundle: &protobundle.Bundle{ + MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", + Content: &protobundle.Bundle_MessageSignature{}, + VerificationMaterial: nil, + }, + }, + errMsg: "invalid bundle: missing verification material", wantErr: true, }, { @@ -786,7 +800,7 @@ func Test_BundleValidation(t *testing.T) { bundle: &ProtobufBundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", - Content: nil, + Content: &protobundle.Bundle_DsseEnvelope{}, VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_PublicKey{ PublicKey: &v1.PublicKeyIdentifier{}, From 8b3f34a23a61eeaa2fb6d29ae3d166b9c042f63e Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Sat, 1 Jun 2024 22:53:54 +0530 Subject: [PATCH 3/5] fix: go mod Signed-off-by: Vishal Choudhary --- go.mod | 19 ++----------------- go.sum | 27 ++++----------------------- pkg/bundle/bundle.go | 5 +++-- 3 files changed, 9 insertions(+), 42 deletions(-) diff --git a/go.mod b/go.mod index 37dd7c13..4c809f9d 100644 --- a/go.mod +++ b/go.mod @@ -19,14 +19,9 @@ require ( github.com/sigstore/timestamp-authority v1.2.2 github.com/stretchr/testify v1.9.0 github.com/theupdateframework/go-tuf/v2 v2.0.0 - go.einride.tech/aip v0.67.1 golang.org/x/crypto v0.25.0 golang.org/x/mod v0.19.0 google.golang.org/protobuf v1.34.2 - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 - golang.org/x/crypto v0.23.0 - golang.org/x/mod v0.17.0 - google.golang.org/protobuf v1.34.1 ) require ( @@ -35,7 +30,6 @@ require ( github.com/blang/semver v3.5.1+incompatible // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect - github.com/fatih/color v1.16.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/go-chi/chi v4.1.2+incompatible // indirect github.com/go-jose/go-jose/v4 v4.0.2 // indirect @@ -62,12 +56,11 @@ require ( github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/mattn/go-isatty v0.0.20 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect - github.com/pelletier/go-toml/v2 v2.1.1 // indirect + github.com/pelletier/go-toml/v2 v2.1.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect @@ -90,7 +83,7 @@ require ( go.opentelemetry.io/otel/trace v1.27.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect + golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.22.0 // indirect @@ -99,14 +92,6 @@ require ( google.golang.org/genproto/googleapis/api v0.0.0-20240520151616-dc85e6b867a5 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240520151616-dc85e6b867a5 // indirect google.golang.org/grpc v1.64.1 // indirect - golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect - golang.org/x/net v0.23.0 // indirect - golang.org/x/sync v0.6.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20240311173647-c811ad7063a7 // indirect - gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/klog/v2 v2.120.1 // indirect diff --git a/go.sum b/go.sum index c7cdac35..bf446c76 100644 --- a/go.sum +++ b/go.sum @@ -222,8 +222,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs= github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc= -github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI= -github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= +github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= +github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= @@ -333,8 +333,8 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ= +golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc= golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= @@ -349,25 +349,6 @@ golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk= golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4= golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4= golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= -golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= -golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= -golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ= -golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc= -golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= -golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= -golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= -golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= -golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= -golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= -golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= -golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= -golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= -golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= -golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk= golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk= diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go index 746e5c30..efaaa985 100644 --- a/pkg/bundle/bundle.go +++ b/pkg/bundle/bundle.go @@ -26,10 +26,11 @@ import ( protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" protodsse "github.com/sigstore/protobuf-specs/gen/pb-go/dsse" - "github.com/sigstore/sigstore-go/pkg/tlog" - "github.com/sigstore/sigstore-go/pkg/verify" "golang.org/x/mod/semver" "google.golang.org/protobuf/encoding/protojson" + + "github.com/sigstore/sigstore-go/pkg/tlog" + "github.com/sigstore/sigstore-go/pkg/verify" ) var ErrValidation = errors.New("validation error") From f8671324c4041a3c8c102b4c363e47775d932d29 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Mon, 29 Jul 2024 09:54:57 +0530 Subject: [PATCH 4/5] fix: go mod tidy Signed-off-by: Vishal Choudhary --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4c809f9d..4ec87895 100644 --- a/go.mod +++ b/go.mod @@ -83,7 +83,7 @@ require ( go.opentelemetry.io/otel/trace v1.27.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect + golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect golang.org/x/net v0.26.0 // indirect golang.org/x/sync v0.7.0 // indirect golang.org/x/sys v0.22.0 // indirect diff --git a/go.sum b/go.sum index bf446c76..9d4e093d 100644 --- a/go.sum +++ b/go.sum @@ -333,8 +333,8 @@ go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30= golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M= -golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ= -golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc= +golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= +golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8= golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ= From f352540d2dfe596f43db3af233f8c9964b433f40 Mon Sep 17 00:00:00 2001 From: Vishal Choudhary Date: Mon, 29 Jul 2024 12:01:18 +0530 Subject: [PATCH 5/5] fix: bundle validation tests Signed-off-by: Vishal Choudhary --- pkg/bundle/bundle.go | 8 ++++---- pkg/bundle/bundle_test.go | 15 +++++++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go index efaaa985..5fcf949f 100644 --- a/pkg/bundle/bundle.go +++ b/pkg/bundle/bundle.go @@ -70,10 +70,6 @@ func NewProtobufBundle(pbundle *protobundle.Bundle) (*ProtobufBundle, error) { } func (b *ProtobufBundle) validate() error { - err := validateBundle(b.Bundle) - if err != nil { - return fmt.Errorf("invalid bundle: %w", err) - } bundleVersion, err := getBundleVersion(b.Bundle.MediaType) if err != nil { return fmt.Errorf("error getting bundle version: %w", err) @@ -116,6 +112,10 @@ func (b *ProtobufBundle) validate() error { return fmt.Errorf("%w: bundle version %s is not yet supported", ErrUnsupportedMediaType, bundleVersion) } + err = validateBundle(b.Bundle) + if err != nil { + return fmt.Errorf("invalid bundle: %w", err) + } return nil } diff --git a/pkg/bundle/bundle_test.go b/pkg/bundle/bundle_test.go index f5037c9a..9fddc318 100644 --- a/pkg/bundle/bundle_test.go +++ b/pkg/bundle/bundle_test.go @@ -229,6 +229,7 @@ func Test_validate(t *testing.T) { MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1", }, }, + wantErr: true, }, { name: "v0.1 with no inclusion promise", @@ -278,7 +279,11 @@ func Test_validate(t *testing.T) { }, }, }, + Content: &protobundle.VerificationMaterial_PublicKey{ + PublicKey: &v1.PublicKeyIdentifier{}, + }, }, + Content: &protobundle.Bundle_MessageSignature{}, }, }, }, @@ -302,7 +307,11 @@ func Test_validate(t *testing.T) { CanonicalizedBody: canonicalTlogBody, }, }, + Content: &protobundle.VerificationMaterial_PublicKey{ + PublicKey: &v1.PublicKeyIdentifier{}, + }, }, + Content: &protobundle.Bundle_MessageSignature{}, }, }, wantErr: true, @@ -332,7 +341,11 @@ func Test_validate(t *testing.T) { }, }, }, + Content: &protobundle.VerificationMaterial_PublicKey{ + PublicKey: &v1.PublicKeyIdentifier{}, + }, }, + Content: &protobundle.Bundle_MessageSignature{}, }, }, }, @@ -365,6 +378,7 @@ func Test_validate(t *testing.T) { X509CertificateChain: &protocommon.X509CertificateChain{}, }, }, + Content: &protobundle.Bundle_MessageSignature{}, }, }, wantErr: true, @@ -398,6 +412,7 @@ func Test_validate(t *testing.T) { Certificate: &protocommon.X509Certificate{}, }, }, + Content: &protobundle.Bundle_MessageSignature{}, }, }, },