...
1#
2# This makefile lets us exercise the library via the sign1util tool and shows various examples of
3# creating and checking COSE Sign1 documents as well as getting DID:x509 documents out of them
4# Note that today the PEM files that match are not checked in as the github/ADO credential checker will trigger.
5# I may fix that with some head/tail magic. Meanwhile, you need to build fresh certs with make -f Makefile.certs
# and these checks below (for infra.rego.cose, not the ESRP one) will fail. You will need to update the certificate
7# fingerprints to match the fresh ones.
8#
9# eg change the following
10#
11#did-check: chain.pem infra.rego.cose sign1util
12# ./sign1util check -in infra.rego.cose -did did:x509:0:sha256:RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29
13#
14# to
15#
16#did-check: chain.pem infra.rego.cose sign1util
17# ./sign1util check -in infra.rego.cose -did did:x509:0:sha256:my-new-cert-fingerprint::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29
18#
19# where
20#
21# ./sign1util did:x509 -chain chain.pem -i 1 -policy "subject:CN:Test Leaf (DO NOT TRUST)"
22#
23# will print the new fingerprint of the intermediate cert as part of the did:x509 generated
24#
25
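# Default goal: build (and self-check) the signed fragment.
.DEFAULT_GOAL := cose
cose: infra.rego.cose

# Command-style targets that never produce a file of that name; declaring them
# stops a stray file called e.g. `clean` from silently disabling the target.
.PHONY: cose print show didx509 did-check did-from-cose did-fail-fingerprint did-fail-subject did-fail clean

# Drop a half-written target when its recipe fails, so a COSE document that
# failed its own `check` step is never left behind looking up to date.
.DELETE_ON_ERROR: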
27
# These media types have to match containerd. They also need to change, and the security policy one ought to be x-ms-ccepolicy-frag
# fragment artifact type = application/x-ms-ccepolicy-frag
30# fragment media type = application/cose_x509+rego
31
# Use a local Linux build of the tool for the purposes of this Makefile - i.e. assume it is being run from WSL.
33# Usually sign1util.exe is a windows exe in /mnt/c/ContainerPlat aka c:\ContainerPlat but that is not certain.
34
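# Local Linux build of the tool (see the note above about the Windows exe).
# The *.go prerequisites are presumably the library sources in this directory,
# so a change to either them or the tool's main.go rebuilds the binary.
# -o $@ pins the output name to the target instead of relying on go's default.
sign1util: ../../internal/tools/sign1util/main.go *.go
	go build -o $@ ../../internal/tools/sign1util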
37
# Sign the base64-encoded fragment with the test leaf key, embedding chain.pem
# as the x5chain, then run the tool's own verification over the result.
# -salt zero presumably fixes the salt so re-signing is reproducible — TODO confirm in sign1util.
infra.rego.cose: infra.rego.base64 chain.pem leaf.private.pem sign1util
	./sign1util create -algo ES384 \
	    -chain chain.pem -key leaf.private.pem \
	    -claims $< -out $@ \
	    -issuer TestIssuer -feed TestFeed -salt zero
	./sign1util check -in $@
41
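# Extract the chain embedded in the signed fragment and print the did:x509 it
# yields. Writes the fixed scratch file tmp.chain.pem in the working directory,
# so do not run `print` and `show` in parallel (both write the same file).
# Uses the single-dash -policy form like every other sign1util call here.
print: infra.rego.cose sign1util
	./sign1util chain -in $< > tmp.chain.pem
	./sign1util did:x509 -chain tmp.chain.pem -policy cn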
45
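# Same as `print`, but for the externally signed esrp.test.cose. That file is
# now a declared prerequisite: no rule here produces it, so make reports it
# missing up front instead of sign1util failing mid-recipe.
# Shares tmp.chain.pem with `print`; do not run the two in parallel.
show: esrp.test.cose sign1util
	./sign1util chain -in $< > tmp.chain.pem
	./sign1util did:x509 -chain tmp.chain.pem -policy cn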
49
50
# Print the did:x509 for chain.pem pinned at certificate index 1 (the
# intermediate, per the header comment) with a subject-CN policy; -verbose
# shows the fingerprint that did-check below has to match.
didx509: chain.pem sign1util
	./sign1util did:x509 -chain $< -i 1 \
	    -policy "subject:CN:Test Leaf (DO NOT TRUST)" -verbose
53
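# Positive check: the signed fragment must verify against the expected issuer DID.
# The fingerprint (RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U here) has to be the
# one output from `make print`; after regenerating certs override it without
# editing this file:  make did-check DID=did:x509:0:sha256:<new-fingerprint>::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29
# Note no -chain is passed, so the check presumably validates against the chain
# embedded in the document itself — confirm against sign1util if that matters.
did-check: DID ?= did:x509:0:sha256:RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29
did-check: chain.pem infra.rego.cose sign1util
	./sign1util check -in infra.rego.cose -did $(DID)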
57
# The normal workflow starts from chain.pem; here we instead take the chain from inside the COSE Sign1 doc, e.g. to manually confirm it is
# as otherwise expected (i.e. that the issuer DID matches the chain) or to shortcut getting a DID from a COSE document.
60
# Derive the did:x509 directly from the chain carried inside the signed
# fragment (no chain.pem involved), using the subject-CN policy.
did-from-cose: sign1util infra.rego.cose
	./sign1util did:x509 -in $(filter %.cose,$^) -policy cn
63
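# Negative check: same subject as did-check but a wrong fingerprint, so the
# verifier must reject. The recipe is negated with `!` so the target PASSES only
# when sign1util check exits non-zero — a verifier that wrongly accepts now
# fails the build instead of going unnoticed. The subject uses the same %20
# encoding as the passing did-check, so only the fingerprint differs and the
# rejection cannot be caused by a subject mismatch. infra.rego.cose is read by
# the recipe and is therefore a prerequisite.
did-fail-fingerprint: chain.pem infra.rego.cose sign1util
	! ./sign1util check -chain chain.pem -in infra.rego.cose -did did:x509:0:sha256:XXXi_nuWegx4NiLaeGabiz36bDUhDDiHEFl8HXMA_4o::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29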
66
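# Negative check: correct fingerprint but a subject CN that does not match the
# leaf, so the verifier must reject. Negated with `!` so the target passes only
# when sign1util check exits non-zero. Encoded with %20 like did-check so the
# only intended difference is the CN text. infra.rego.cose is read by the
# recipe and is therefore a prerequisite.
did-fail-subject: chain.pem infra.rego.cose sign1util
	! ./sign1util check -chain chain.pem -in infra.rego.cose -did did:x509:0:sha256:RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U::subject:CN:Test%20XXXX%20%28DO%20NOT%20TRUST%29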
69
# Run both negative checks (wrong subject, wrong fingerprint) together.
did-fail: did-fail-subject did-fail-fingerprint
71
72
73# beyond the scope of this repo
74#infra.rego.base64: infra-fragment.toml
75# /mnt/c/ContainerPlat/securitypolicy.exe -c infra-fragment.toml -n infra -v 1.0.0 -t fragment > infra.rego.base64
76
77# this would push the COSE Sign1 fragment given the appropriate env variables
78#oras: infra.rego.cose
79# oras push ${REGISTRY}/${INFRA_REPO}:latest \
80# --artifact-type application/x-ms-ccepolicy-frag \
81# --manifest-config /dev/null:application/vnd.unknown.config.v1+json \
82# --subject ${INFRA_IMAGE} \
83# ./infra.rego.cose:application/cose_x509+rego
84
# Any missing .pem (chain.pem, leaf.private.pem) is produced by Makefile.certs.
# NOTE(review): the recipe always asks for chain.pem rather than $@, so this
# relies on Makefile.certs writing the whole cert set in one go — TODO confirm.
%.pem:
	$(MAKE) -f Makefile.certs chain.pem
87
88
# Base64-encode the policy fragment; this is the claims payload for create.
infra.rego.base64: infra.rego
	base64 $< > $@
91
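# Remove everything this Makefile (and Makefile.certs) produced, including the
# scratch chain written by `print`/`show`, which was previously left behind.
clean:
	$(MAKE) -f Makefile.certs $@
	$(RM) infra.rego.base64 infra.rego.cose sign1util tmp.chain.pem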