...

Source file src/github.com/sigstore/cosign/v2/pkg/oci/signature/layer.go

Documentation: github.com/sigstore/cosign/v2/pkg/oci/signature 

     1  //
     2  // Copyright 2021 The Sigstore Authors.
     3  //
     4  // Licensed under the Apache License, Version 2.0 (the "License");
     5  // you may not use this file except in compliance with the License.
     6  // You may obtain a copy of the License at
     7  //
     8  //     http://www.apache.org/licenses/LICENSE-2.0
     9  //
    10  // Unless required by applicable law or agreed to in writing, software
    11  // distributed under the License is distributed on an "AS IS" BASIS,
    12  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  // See the License for the specific language governing permissions and
    14  // limitations under the License.
    15  
    16  package signature
    17  
    18  import (
    19  	"crypto/x509"
    20  	"encoding/base64"
    21  	"encoding/json"
    22  	"fmt"
    23  	"io"
    24  	"strings"
    25  
    26  	v1 "github.com/google/go-containerregistry/pkg/v1"
    27  	payloadsize "github.com/sigstore/cosign/v2/internal/pkg/cosign/payload/size"
    28  	"github.com/sigstore/cosign/v2/pkg/cosign/bundle"
    29  	"github.com/sigstore/cosign/v2/pkg/oci"
    30  	"github.com/sigstore/sigstore/pkg/cryptoutils"
    31  )
    32  
    33  const (
    34  	sigkey              = "dev.cosignproject.cosign/signature"
    35  	certkey             = "dev.sigstore.cosign/certificate"
    36  	chainkey            = "dev.sigstore.cosign/chain"
    37  	BundleKey           = "dev.sigstore.cosign/bundle"
    38  	RFC3161TimestampKey = "dev.sigstore.cosign/rfc3161timestamp"
    39  )
    40  
    41  type sigLayer struct {
    42  	v1.Layer
    43  	desc v1.Descriptor
    44  }
    45  
    46  func New(l v1.Layer, desc v1.Descriptor) oci.Signature {
    47  	return &sigLayer{
    48  		Layer: l,
    49  		desc:  desc,
    50  	}
    51  }
    52  
    53  var _ oci.Signature = (*sigLayer)(nil)
    54  
    55  // Annotations implements oci.Signature
    56  func (s *sigLayer) Annotations() (map[string]string, error) {
    57  	return s.desc.Annotations, nil
    58  }
    59  
    60  // Payload implements oci.Signature
    61  func (s *sigLayer) Payload() ([]byte, error) {
    62  	size, err := s.Layer.Size()
    63  	if err != nil {
    64  		return nil, err
    65  	}
    66  	err = payloadsize.CheckSize(uint64(size))
    67  	if err != nil {
    68  		return nil, err
    69  	}
    70  	// Compressed is a misnomer here, we just want the raw bytes from the registry.
    71  	r, err := s.Layer.Compressed()
    72  	if err != nil {
    73  		return nil, err
    74  	}
    75  	defer r.Close()
    76  	payload, err := io.ReadAll(r)
    77  	if err != nil {
    78  		return nil, err
    79  	}
    80  	return payload, nil
    81  }
    82  
    83  // Signature implements oci.Signature
    84  func (s *sigLayer) Signature() ([]byte, error) {
    85  	b64sig, err := s.Base64Signature()
    86  	if err != nil {
    87  		return nil, err
    88  	}
    89  	return base64.StdEncoding.DecodeString(b64sig)
    90  }
    91  
    92  // Base64Signature implements oci.Signature
    93  func (s *sigLayer) Base64Signature() (string, error) {
    94  	b64sig, ok := s.desc.Annotations[sigkey]
    95  	if !ok {
    96  		return "", fmt.Errorf("signature layer %s is missing %q annotation", s.desc.Digest, sigkey)
    97  	}
    98  	return b64sig, nil
    99  }
   100  
   101  // Cert implements oci.Signature
   102  func (s *sigLayer) Cert() (*x509.Certificate, error) {
   103  	certPEM := s.desc.Annotations[certkey]
   104  	if certPEM == "" {
   105  		return nil, nil
   106  	}
   107  	certs, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(certPEM))
   108  	if err != nil {
   109  		return nil, err
   110  	}
   111  	return certs[0], nil
   112  }
   113  
   114  // Chain implements oci.Signature
   115  func (s *sigLayer) Chain() ([]*x509.Certificate, error) {
   116  	chainPEM := s.desc.Annotations[chainkey]
   117  	if chainPEM == "" {
   118  		return nil, nil
   119  	}
   120  	certs, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(chainPEM))
   121  	if err != nil {
   122  		return nil, err
   123  	}
   124  	return certs, nil
   125  }
   126  
   127  // Bundle implements oci.Signature
   128  func (s *sigLayer) Bundle() (*bundle.RekorBundle, error) {
   129  	val := s.desc.Annotations[BundleKey]
   130  	if val == "" {
   131  		return nil, nil
   132  	}
   133  	var b bundle.RekorBundle
   134  	if err := json.Unmarshal([]byte(val), &b); err != nil {
   135  		return nil, fmt.Errorf("unmarshaling bundle: %w", err)
   136  	}
   137  	return &b, nil
   138  }
   139  
   140  // RFC3161Timestamp implements oci.Signature
   141  func (s *sigLayer) RFC3161Timestamp() (*bundle.RFC3161Timestamp, error) {
   142  	val := s.desc.Annotations[RFC3161TimestampKey]
   143  	if val == "" {
   144  		return nil, nil
   145  	}
   146  	var b bundle.RFC3161Timestamp
   147  	if err := json.Unmarshal([]byte(val), &b); err != nil {
   148  		return nil, fmt.Errorf("unmarshaling RFC3161 timestamp bundle: %w", err)
   149  	}
   150  	return &b, nil
   151  }
   152  

View as plain text