1 package cmd
2
import (
	"context"
	"encoding/pem"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"

	intoto "github.com/in-toto/in-toto-golang/in_toto"
	"github.com/in-toto/in-toto-golang/internal/spiffe"
	"github.com/spf13/cobra"
)
14
// Package-level state shared by the in-toto subcommands. The string, slice
// and bool values look like command-line flag destinations; the flag
// bindings are not visible in this file, so confirm against the subcommand
// definitions before relying on that.
var (
	// spiffeUDS is the SPIRE agent socket handed to spiffe.NewClient. When it
	// is non-empty, getKeyCert loads the signing key from SPIRE instead of
	// from disk.
	spiffeUDS string
	// layoutPath is not referenced in this file.
	layoutPath string
	// keyPath and certPath are the on-disk key and certificate files read by
	// loadKeyFromDisk; at least one of them must be set.
	keyPath  string
	certPath string
	// key is the signing key populated by loadKeyFromDisk or
	// loadKeyFromSpireSocket; cert is the separately loaded certificate whose
	// KeyVal.Certificate is copied onto key.
	key  intoto.Key
	cert intoto.Key
	// lStripPaths, exclude, lineNormalization, followSymlinkDirs and useDSSE
	// are not referenced in this file.
	lStripPaths []string
	exclude     []string
	// outDir is the directory into which loadKeyFromSpireSocket writes the
	// SVID intermediate certificates.
	outDir            string
	lineNormalization bool
	followSymlinkDirs bool
	useDSSE           bool
)
29
// rootCmd is the top-level "in-toto" cobra command. Usage and error
// printing are silenced here so that Execute is the single place that
// reports a failure to stderr and sets the exit status.
var rootCmd = &cobra.Command{
	Use:               "in-toto",
	Short:             "Framework to secure integrity of software supply chains",
	Long:              `A framework to secure the integrity of software supply chains https://in-toto.io/`,
	SilenceUsage:      true,
	SilenceErrors:     true,
	DisableAutoGenTag: true,
}
38
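// loadKeyFromSpireSocket fetches an X.509 SVID from the SPIRE agent at
// spiffeUDS, stores its signing key in the package-level key, and writes
// each intermediate certificate of the SVID chain to outDir as a PEM file
// named "<stepName>-intermediate-<i>.cert.pem" (stepName is declared
// elsewhere in the package).
//
// It returns a wrapped error if the agent cannot be reached, the SVID cannot
// be fetched or converted, or any intermediate cannot be written and closed.
func loadKeyFromSpireSocket() error {
	ctx := context.Background()

	spireClient, err := spiffe.NewClient(ctx, spiffeUDS)
	if err != nil {
		return fmt.Errorf("failed to create spire client: %w", err)
	}

	svidDetails, err := spiffe.GetSVID(ctx, spireClient)
	if err != nil {
		return fmt.Errorf("failed to get spiffe x.509 SVID: %w", err)
	}

	// Plain assignment (not :=) so the package-level key is populated for
	// the command that runs after this hook.
	key, err = svidDetails.InTotoKey()
	if err != nil {
		return fmt.Errorf("failed to convert svid to in-toto key: %w", err)
	}

	for i, c := range svidDetails.Intermediates {
		certFileName := fmt.Sprintf("%v-intermediate-%v.cert.pem", stepName, i)
		certFile := filepath.Join(outDir, certFileName)
		if err := writeIntermediateCert(certFile, c.Raw); err != nil {
			return err
		}
	}

	return nil
}

// writeIntermediateCert writes raw (the certificate bytes as given by the
// SVID chain) to path as a PEM "CERTIFICATE" block.
//
// It lives in its own function so each file is closed as soon as it has been
// written — a defer inside the caller's loop would keep every handle open
// until the caller returns — and so a failing Close is reported instead of
// silently dropped.
func writeIntermediateCert(path string, raw []byte) (err error) {
	f, err := os.Create(path)
	if err != nil {
		return fmt.Errorf("failed to write spiffe intermediate cert to %s: %w", path, err)
	}
	defer func() {
		// Only surface the Close error when nothing earlier already failed.
		if cerr := f.Close(); cerr != nil && err == nil {
			err = fmt.Errorf("failed to close spiffe intermediate cert %s: %w", path, cerr)
		}
	}()

	if encErr := pem.Encode(f, &pem.Block{Type: "CERTIFICATE", Bytes: raw}); encErr != nil {
		return fmt.Errorf("failed to encode spiffe intermediate cert: %w", encErr)
	}
	return nil
}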
75
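// loadKeyFromDisk resets the package-level key and cert and loads them from
// keyPath and certPath. At least one of the two paths must be set. When a
// certificate path is given, its certificate is attached to
// key.KeyVal.Certificate so the resulting key carries both the private
// material (if a key path was given) and the certificate.
//
// Errors are wrapped with the path that failed. A path that exists but
// cannot be stat'ed (for example a permission error) is now reported as
// such instead of being described as "not found".
func loadKeyFromDisk() error {
	key = intoto.Key{}
	cert = intoto.Key{}

	if keyPath == "" && certPath == "" {
		return fmt.Errorf("key or cert must be provided")
	}

	if keyPath != "" {
		if err := loadKeyFile("key", keyPath, &key); err != nil {
			return err
		}
	}

	if certPath != "" {
		if err := loadKeyFile("cert", certPath, &cert); err != nil {
			return err
		}
		key.KeyVal.Certificate = cert.KeyVal.Certificate
	}
	return nil
}

// loadKeyFile loads the key material at path into dst via LoadKeyDefaults.
// kind ("key" or "cert") is used only to label error messages.
//
// The file is stat'ed first so that a missing file is reported as
// "not found"; any other stat failure is reported distinctly rather than
// being misdescribed as a missing file.
func loadKeyFile(kind, path string, dst *intoto.Key) error {
	if _, err := os.Stat(path); err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			return fmt.Errorf("%s not found at %s: %w", kind, path, err)
		}
		return fmt.Errorf("cannot access %s at %s: %w", kind, path, err)
	}
	if err := dst.LoadKeyDefaults(path); err != nil {
		return fmt.Errorf("invalid %s at %s: %w", kind, path, err)
	}
	return nil
}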
106
// getKeyCert populates the package-level key (and cert) before a command
// runs: from the SPIRE agent socket when spiffeUDS is set, otherwise from
// keyPath/certPath on disk. Its signature matches a cobra run hook
// (presumably a PreRunE; the binding is not visible here); cmd and args
// are unused.
func getKeyCert(cmd *cobra.Command, args []string) error {
	if spiffeUDS == "" {
		return loadKeyFromDisk()
	}
	return loadKeyFromSpireSocket()
}
113
114
// Execute runs the root command. On failure it prints the error to stderr
// and terminates the process with exit status 1; on success it returns
// normally.
func Execute() {
	err := rootCmd.Execute()
	if err == nil {
		return
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
121