feat: Verification for when sha1 is specified in BYOB TRW

errors/errors.go

@@ -9,6 +9,7 @@ var (
 	ErrorMismatchPackageName       = errors.New("package name does not match provenance")
 	ErrorMismatchBuilderID         = errors.New("builderID does not match provenance")
 	ErrorInvalidBuilderID          = errors.New("builderID is invalid")
+	ErrorInvalidBuildType          = errors.New("buildType is invalid")
 	ErrorMismatchSource            = errors.New("source used to generate the binary does not match provenance")
 	ErrorMismatchWorkflowInputs    = errors.New("workflow input does not match")
 	ErrorMalformedURI              = errors.New("URI is malformed")

verifiers/internal/gha/builder.go

@@ -7,8 +7,10 @@
 	"strings"
 
 	fulcio "github.com/sigstore/fulcio/pkg/certificate"
+
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 	"github.com/slsa-framework/slsa-verifier/v2/options"
+	ghacommon "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 )
 
@@ -24,23 +26,23 @@
 )
 
 var defaultArtifactTrustedReusableWorkflows = map[string]bool{
-	trustedBuilderRepository + "/.github/workflows/generator_generic_slsa3.yml":       true,
-	trustedBuilderRepository + "/.github/workflows/builder_go_slsa3.yml":              true,
-	trustedBuilderRepository + "/.github/workflows/builder_container-based_slsa3.yml": true,
+	ghacommon.GenericGeneratorBuilderID: true,
+	ghacommon.GoBuilderID:               true,
+	ghacommon.ContainerBasedBuilderID:   true,
 }
 
 var defaultContainerTrustedReusableWorkflows = map[string]bool{
-	trustedBuilderRepository + "/.github/workflows/generator_container_slsa3.yml": true,
+	ghacommon.ContainerGeneratorBuilderID: true,
 }
 
 var (
 	delegatorGenericReusableWorkflow         = trustedBuilderRepository + "/.github/workflows/delegator_generic_slsa3.yml"
 	delegatorLowPermsGenericReusableWorkflow = trustedBuilderRepository + "/.github/workflows/delegator_lowperms-generic_slsa3.yml"
 )
 
 var defaultBYOBReusableWorkflows = map[string]bool{
-	delegatorGenericReusableWorkflow:         true,
-	delegatorLowPermsGenericReusableWorkflow: true,
+	ghacommon.GenericDelegatorBuilderID:         true,
+	ghacommon.GenericLowPermsDelegatorBuilderID: true,
 }
 
 // VerifyCertficateSourceRepository verifies the source repository.

verifiers/internal/gha/npm.go

@@ -15,6 +15,7 @@ import (
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
+	"github.com/slsa-framework/slsa-verifier/v2/options"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
@@ -25,13 +26,8 @@ type hosted string
 const (
 	hostedSelf   hosted = "self-hosted"
 	hostedGitHub hosted = "github-hosted"
-)
 
-const (
-	publishAttestationV01       = "https://github.com/npm/attestation/tree/main/specs/publish/"
-	builderLegacyGitHubRunnerID = "https://github.com/actions/runner"
-	builderGitHubHostedRunnerID = builderLegacyGitHubRunnerID + "/" + string(hostedGitHub)
-	builderSelfHostedRunnerID   = builderLegacyGitHubRunnerID + "/" + string(hostedSelf)
+	publishAttestationV01 = "https://github.com/npm/attestation/tree/main/specs/publish/"
 )
 
 var errrorInvalidAttestations = errors.New("invalid npm attestations")
@@ -73,6 +69,7 @@ func (b *BundleBytes) UnmarshalJSON(data []byte) error {
 type Npm struct {
 	ctx                   context.Context
 	root                  *TrustedRoot
+	verifiedBuilderID     *utils.TrustedBuilderID
 	verifiedProvenanceAtt *SignedAttestation
 	verifiedPublishAtt    *SignedAttestation
 	provenanceAttestation *attestation
@@ -98,8 +95,9 @@ func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*N
 		return nil, err
 	}
 	return &Npm{
-		ctx:                   ctx,
-		root:                  root,
+		ctx:  ctx,
+		root: root,
+
 		provenanceAttestation: prov,
 		publishAttestation:    pub,
 	}, nil
@@ -256,7 +254,7 @@ func (n *Npm) verifyPackageName(name *string) error {
 	}
 
 	// Verify subject name in provenance.
-	if err := verifyProvenanceSubjectName(n.verifiedProvenanceAtt, *name); err != nil {
+	if err := verifyProvenanceSubjectName(n.verifiedBuilderID, n.verifiedProvenanceAtt, *name); err != nil {
 		return err
 	}
 
@@ -279,7 +277,7 @@ func (n *Npm) verifyPackageVersion(version *string) error {
 	}
 
 	// Verify subject version in provenance.
-	if err := verifyProvenanceSubjectVersion(n.verifiedProvenanceAtt, *version); err != nil {
+	if err := verifyProvenanceSubjectVersion(n.verifiedBuilderID, n.verifiedProvenanceAtt, *version); err != nil {
 		return err
 	}
 
@@ -296,6 +294,25 @@ func (n *Npm) verifyPackageVersion(version *string) error {
 	return nil
 }
 
+func (n *Npm) verifyBuilderID(
+	provenanceOpts *options.ProvenanceOpts,
+	builderOpts *options.BuilderOpts,
+	defaultBuilders map[string]bool,
+) (*utils.TrustedBuilderID, error) {
+	// Verify certificate information.
+	builder, err := verifyNpmEnvAndCert(
+		n.ProvenanceEnvelope(),
+		n.ProvenanceLeafCertificate(),
+		provenanceOpts, builderOpts,
+		defaultBuilders,
+	)
+	if err != nil {
+		return nil, err
+	}
+	n.verifiedBuilderID = builder
+	return builder, err
+}
+
 func verifyPublishPredicateVersion(att *SignedAttestation, expectedVersion string) error {
 	_, version, err := getPublishPredicateData(att)
 	if err != nil {
@@ -341,8 +358,8 @@ func getPublishPredicateData(att *SignedAttestation) (string, string, error) {
 	return statement.Predicate.Name, statement.Predicate.Version, nil
 }
 
-func verifyProvenanceSubjectVersion(att *SignedAttestation, expectedVersion string) error {
-	subject, err := getSubject(att)
+func verifyProvenanceSubjectVersion(b *utils.TrustedBuilderID, att *SignedAttestation, expectedVersion string) error {
+	subject, err := getSubject(b, att)
 	if err != nil {
 		return err
 	}
@@ -383,15 +400,15 @@ func verifyPublishSubjectName(att *SignedAttestation, expectedName string) error
 	return verifyName(name, expectedName)
 }
 
-func verifyProvenanceSubjectName(att *SignedAttestation, expectedName string) error {
-	prov, err := slsaprovenance.ProvenanceFromEnvelope(att.Envelope)
+func verifyProvenanceSubjectName(b *utils.TrustedBuilderID, att *SignedAttestation, expectedName string) error {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(b.Name(), att.Envelope)
 	if err != nil {
-		return nil
+		return fmt.Errorf("reading provenance: %w", err)
 	}
 
 	subjects, err := prov.Subjects()
 	if err != nil {
-		return fmt.Errorf("%w", serrors.ErrorInvalidDssePayload)
+		return fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err)
 	}
 	if len(subjects) != 1 {
 		return fmt.Errorf("%w: expected 1 subject, got %v", serrors.ErrorInvalidDssePayload, len(subjects))
@@ -448,8 +465,8 @@ func getPackageNameAndVersion(name string) (string, string, error) {
 	return pkgname, pkgtag, nil
 }
 
-func getSubject(att *SignedAttestation) (string, error) {
-	prov, err := slsaprovenance.ProvenanceFromEnvelope(att.Envelope)
+func getSubject(b *utils.TrustedBuilderID, att *SignedAttestation) (string, error) {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(b.Name(), att.Envelope)