diff --git a/attestation/policyverify/policyverify.go b/attestation/policyverify/policyverify.go new file mode 100644 index 00000000..c956512c --- /dev/null +++ b/attestation/policyverify/policyverify.go @@ -0,0 +1,213 @@ +package policyverify + +import ( + "crypto" + "crypto/x509" + "encoding/json" + "fmt" + "time" + + "github.com/testifysec/go-witness/attestation" + "github.com/testifysec/go-witness/cryptoutil" + "github.com/testifysec/go-witness/dsse" + "github.com/testifysec/go-witness/log" + "github.com/testifysec/go-witness/policy" + "github.com/testifysec/go-witness/slsa" + "github.com/testifysec/go-witness/source" + "github.com/testifysec/go-witness/timestamp" +) + +const ( + Name = "policyverify" + Type = slsa.VerificationSummaryPredicate +) + +var ( + _ attestation.Subjecter = &Attestor{} + _ attestation.Attestor = &Attestor{} +) + +type Attestor struct { + slsa.VerificationSummary + + policyEnvelope dsse.Envelope + policyVerifiers []cryptoutil.Verifier + collectionSource source.Sourcer + subjectDigests []string +} + +type Option func(*Attestor) + +func VerifyWithPolicyEnvelope(policyEnvelope dsse.Envelope) Option { + return func(vo *Attestor) { + vo.policyEnvelope = policyEnvelope + } +} + +func VerifyWithPolicyVerifiers(policyVerifiers []cryptoutil.Verifier) Option { + return func(vo *Attestor) { + vo.policyVerifiers = append(vo.policyVerifiers, policyVerifiers...) + } +} + +func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) Option { + return func(vo *Attestor) { + for _, set := range subjectDigests { + for _, digest := range set { + vo.subjectDigests = append(vo.subjectDigests, digest) + } + } + } +} + +func VerifyWithCollectionSource(source source.Sourcer) Option { + return func(vo *Attestor) { + vo.collectionSource = source + } +} + +func New(opts ...Option) *Attestor { + a := &Attestor{} + for _, opt := range opts { + opt(a) + } + + return a +} + +func (vs *Attestor) Name() string { + return Name +} + +func (vs *Attestor) Type() string { + return Type +} + +func (vs *Attestor) RunType() attestation.RunType { + return attestation.ExecuteRunType +} + +func (vs *Attestor) Subjects() map[string]cryptoutil.DigestSet { + subjects := map[string]cryptoutil.DigestSet{} + for _, digest := range vs.subjectDigests { + subjects[fmt.Sprintf("artifact:%v", digest)] = cryptoutil.DigestSet{ + cryptoutil.DigestValue{Hash: crypto.SHA256, GitOID: false}: digest, + } + } + + subjects[fmt.Sprintf("policy:%v", vs.VerificationSummary.Policy.URI)] = vs.VerificationSummary.Policy.Digest + return subjects +} + +func (vo *Attestor) Attest(ctx *attestation.AttestationContext) error { + if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...)); err != nil { + return fmt.Errorf("could not verify policy: %w", err) + } + + pol := policy.Policy{} + if err := json.Unmarshal(vo.policyEnvelope.Payload, &pol); err != nil { + return fmt.Errorf("failed to unmarshal policy from envelope: %w", err) + } + + pubKeysById, err := pol.PublicKeyVerifiers() + if err != nil { + return fmt.Errorf("failed to get public keys from policy: %w", err) + } + + pubkeys := make([]cryptoutil.Verifier, 0) + for _, pubkey := range pubKeysById { + pubkeys = append(pubkeys, pubkey) + } + + trustBundlesById, err := pol.TrustBundles() + if err != nil { + return fmt.Errorf("failed to load policy trust bundles: %w", err) + } + + roots := make([]*x509.Certificate, 0) + intermediates := make([]*x509.Certificate, 0) + for _, trustBundle := range trustBundlesById { + roots = append(roots, trustBundle.Root) + intermediates = append(intermediates, trustBundle.Intermediates...) + } + + timestampAuthoritiesById, err := pol.TimestampAuthorityTrustBundles() + if err != nil { + return fmt.Errorf("failed to load policy timestamp authorities: %w", err) + } + + timestampVerifiers := make([]dsse.TimestampVerifier, 0) + for _, timestampAuthority := range timestampAuthoritiesById { + certs := []*x509.Certificate{timestampAuthority.Root} + certs = append(certs, timestampAuthority.Intermediates...) + timestampVerifiers = append(timestampVerifiers, timestamp.NewVerifier(timestamp.VerifyWithCerts(certs))) + } + + verifiedSource := source.NewVerifiedSource( + vo.collectionSource, + dsse.VerifyWithVerifiers(pubkeys...), + dsse.VerifyWithRoots(roots...), + dsse.VerifyWithIntermediates(intermediates...), + dsse.VerifyWithTimestampVerifiers(timestampVerifiers...), + ) + + accepted := true + policyResult, policyErr := pol.Verify(ctx.Context(), policy.WithSubjectDigests(vo.subjectDigests), policy.WithVerifiedSource(verifiedSource)) + if _, ok := policyErr.(policy.ErrPolicyDenied); ok { + accepted = false + } else if policyErr != nil { + return fmt.Errorf("failed to verify policy: %w", err) + } + + vo.VerificationSummary, err = verificationSummaryFromResults(vo.policyEnvelope, policyResult, accepted) + if err != nil { + return fmt.Errorf("failed to generate verification summary: %w", err) + } + + return policyErr +} + +func calculateDigest(b []byte) (cryptoutil.DigestSet, error) { + return cryptoutil.CalculateDigestSetFromBytes(b, []crypto.Hash{crypto.SHA256}) +} + +func verificationSummaryFromResults(policyEnvelope dsse.Envelope, policyResult policy.PolicyResult, accepted bool) (slsa.VerificationSummary, error) { + inputAttestations := make([]slsa.ResourceDescriptor, 0, len(policyResult.EvidenceByStep)) + for _, input := range policyResult.EvidenceByStep { + for _, attestation := range input { + digest, err := calculateDigest(attestation.Envelope.Payload) + if err != nil { + log.Debugf("failed to calculate evidence hash: %v", err) + continue + } + + inputAttestations = append(inputAttestations, slsa.ResourceDescriptor{ + URI: attestation.Reference, + Digest: digest, + }) + } + } + + policyDigest, err := calculateDigest(policyEnvelope.Payload) + if err != nil { + return slsa.VerificationSummary{}, fmt.Errorf("failed to calculate policy digest: %w", err) + } + + verificationResult := slsa.FailedVerificationResult + if accepted { + verificationResult = slsa.PassedVerificationResult + } + + return slsa.VerificationSummary{ + Verifier: slsa.Verifier{ + ID: "witness", + }, + TimeVerified: time.Now(), + Policy: slsa.ResourceDescriptor{ + URI: policyDigest[cryptoutil.DigestValue{Hash: crypto.SHA256, GitOID: false}], //TODO: find a better value for this... + Digest: policyDigest, + }, + InputAttestations: inputAttestations, + VerificationResult: verificationResult, + }, nil +} diff --git a/attestation/policyverify/policyverify_test.go b/attestation/policyverify/policyverify_test.go new file mode 100644 index 00000000..a48573a1 --- /dev/null +++ b/attestation/policyverify/policyverify_test.go @@ -0,0 +1,61 @@ +// Copyright 2023 The Witness Contributors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package policyverify + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "github.com/testifysec/go-witness/attestation" +) + +func TestAttestorName(t *testing.T) { + a := New() + assert.Equal(t, a.Name(), "Expected Attestor Name Here") +} + +func TestAttestorType(t *testing.T) { + a := New() + assert.Equal(t, a.Type(), "Expected Attestor Type Here") +} + +func TestAttestorRunType(t *testing.T) { + a := New() + assert.Equal(t, a.RunType(), "Expected RunType Here") +} + +func TestAttestorAttest(t *testing.T) { + // Arrange + a := New() + ctx := &attestation.AttestationContext{} + + // Act + err := a.Attest(ctx) + + // Assert + require.NoError(t, err) +} + +func TestYourFunctionHere(t *testing.T) { + // Arrange + // Setup variables here + + // Act + // Perform function to be tested here + + // Assert + // Assert whether the expected result and actual result match or not. +} diff --git a/dsse/sign.go b/dsse/sign.go index 570934a3..43c29d2a 100644 --- a/dsse/sign.go +++ b/dsse/sign.go @@ -68,6 +68,10 @@ func Sign(bodyType string, body io.Reader, opts ...SignOption) (Envelope, error) env.Signatures = make([]Signature, 0) pae := preauthEncode(bodyType, bodyBytes) for _, signer := range so.signers { + if signer == nil { + continue + } + sig, err := signer.Sign(bytes.NewReader(pae)) if err != nil { return env, err diff --git a/policy/policy.go b/policy/policy.go index c4f57deb..a77b4e8c 100644 --- a/policy/policy.go +++ b/policy/policy.go @@ -168,7 +168,11 @@ func checkVerifyOpts(vo *verifyOptions) error { return nil } -func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (map[string][]source.VerifiedCollection, error) { +type PolicyResult struct { + EvidenceByStep map[string][]source.VerifiedCollection +} + +func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (PolicyResult, error) { vo := &verifyOptions{ searchDepth: 3, } @@ -178,16 +182,16 @@ func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (map[string][] } if err := checkVerifyOpts(vo); err != nil { - return nil, err + return PolicyResult{}, err } if time.Now().After(p.Expires.Time) { - return nil, ErrPolicyExpired(p.Expires.Time) + return PolicyResult{}, ErrPolicyExpired(p.Expires.Time) } trustBundles, err := p.TrustBundles() if err != nil { - return nil, err + return PolicyResult{}, err } attestationsByStep := make(map[string][]string) @@ -202,7 +206,7 @@ func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (map[string][] for stepName, step := range p.Steps { statements, err := vo.verifiedSource.Search(ctx, stepName, vo.subjectDigests, attestationsByStep[stepName]) if err != nil { - return nil, err + return PolicyResult{}, err } approvedCollections := step.checkFunctionaries(statements, trustBundles) @@ -218,11 +222,11 @@ func (p Policy) Verify(ctx context.Context, opts ...VerifyOption) (map[string][] } if accepted, err := p.verifyArtifacts(passedByStep); err == nil { - return accepted, nil + return PolicyResult{EvidenceByStep: accepted}, nil } } - return nil, ErrPolicyDenied{Reasons: []string{"failed to find set of attestations that satisfies the policy"}} + return PolicyResult{}, ErrPolicyDenied{Reasons: []string{"failed to find set of attestations that satisfies the policy"}} } // checkFunctionaries checks to make sure the signature on each statement corresponds to a trusted functionary for diff --git a/run.go b/run.go index d9c489b3..9121b7d0 100644 --- a/run.go +++ b/run.go @@ -29,41 +29,65 @@ import ( type runOptions struct { stepName string - signer cryptoutil.Signer + signers []cryptoutil.Signer attestors []attestation.Attestor attestationOpts []attestation.AttestationContextOption timestampers []dsse.Timestamper + insecure bool } type RunOption func(ro *runOptions) +// RunWithInsecure will allow attestations to be generated unsigned. If insecure is true, RunResult will not +// contain a signed DSSE envelope +func RunWithInsecure(insecure bool) RunOption { + return func(ro *runOptions) { + ro.insecure = insecure + } +} + +// RunWithAttestors defines which attestors should be run and added to the resulting AttestationCollection func RunWithAttestors(attestors []attestation.Attestor) RunOption { return func(ro *runOptions) { - ro.attestors = attestors + ro.attestors = append(ro.attestors, attestors...) } } +// RunWithAttestationOpts takes in any AttestationContextOptions and forwards them to the context that Run +// creates func RunWithAttestationOpts(opts ...attestation.AttestationContextOption) RunOption { return func(ro *runOptions) { ro.attestationOpts = opts } } +// RunWithTimestampers will timestamp any signatures created on the DSSE time envelope with the provided +// timestampers func RunWithTimestampers(ts ...dsse.Timestamper) RunOption { return func(ro *runOptions) { ro.timestampers = ts } } +// RunWithSigners configures the signers that will be used to sign the DSSE envelope containing the generated +// attestation collection. +func RunWithSigners(signers ...cryptoutil.Signer) RunOption { + return func(ro *runOptions) { + ro.signers = append(ro.signers, signers...) + } +} + +// RunResult contains the generated attestation collection as well as the signed DSSE envelope, if one was +// created. type RunResult struct { Collection attestation.Collection SignedEnvelope dsse.Envelope } -func Run(stepName string, signer cryptoutil.Signer, opts ...RunOption) (RunResult, error) { +func Run(stepName string, opts ...RunOption) (RunResult, error) { ro := runOptions{ stepName: stepName, - signer: signer, + insecure: false, attestors: []attestation.Attestor{environment.New(), git.New()}, } @@ -86,9 +110,12 @@ func Run(stepName string, signer cryptoutil.Signer, opts ...RunOption) (RunResul } result.Collection = attestation.NewCollection(ro.stepName, runCtx.CompletedAttestors()) - result.SignedEnvelope, err = signCollection(result.Collection, dsse.SignWithSigners(ro.signer), dsse.SignWithTimestampers(ro.timestampers...)) - if err != nil { - return result, fmt.Errorf("failed to sign collection: %w", err) + + if !ro.insecure { + result.SignedEnvelope, err = signCollection(result.Collection, dsse.SignWithSigners(ro.signers...), dsse.SignWithTimestampers(ro.timestampers...)) + if err != nil { + return result, fmt.Errorf("failed to sign collection: %w", err) + } } return result, nil @@ -99,8 +126,8 @@ func validateRunOpts(ro runOptions) error { return fmt.Errorf("step name is required") } - if ro.signer == nil { - return fmt.Errorf("signer is required") + if len(ro.signers) == 0 && !ro.insecure { + return fmt.Errorf("at lease one signer is required if not in insecure mode") } return nil diff --git a/slsa/verificationsummary.go b/slsa/verificationsummary.go new file mode 100644 index 00000000..827e9f47 --- /dev/null +++ b/slsa/verificationsummary.go @@ -0,0 +1,32 @@ +package slsa + +import ( + "time" + + "github.com/testifysec/go-witness/cryptoutil" +) + +const ( + VerificationSummaryPredicate = "https://slsa.dev/verification_summary/v1" + PassedVerificationResult VerificationResult = "PASSED" + FailedVerificationResult VerificationResult = "FAILED" +) + +type VerificationResult string + +type Verifier struct { + ID string `json:"id"` +} + +type ResourceDescriptor struct { + URI string `json:"uri"` + Digest cryptoutil.DigestSet `json:"digest"` +} + +type VerificationSummary struct { + Verifier Verifier `json:"verifier"` + TimeVerified time.Time `json:"timeVerified"` + Policy ResourceDescriptor `json:"policy"` + InputAttestations []ResourceDescriptor `json:"inputAttestations"` + VerificationResult VerificationResult `json:"verificationResult"` +} diff --git a/verify.go b/verify.go index daa91902..5bfc6799 100644 --- a/verify.go +++ b/verify.go @@ -16,16 +16,16 @@ package witness import ( "context" - "crypto/x509" "encoding/json" "fmt" "io" + "github.com/testifysec/go-witness/attestation" + "github.com/testifysec/go-witness/attestation/policyverify" "github.com/testifysec/go-witness/cryptoutil" "github.com/testifysec/go-witness/dsse" - "github.com/testifysec/go-witness/policy" + "github.com/testifysec/go-witness/slsa" "github.com/testifysec/go-witness/source" - "github.com/testifysec/go-witness/timestamp" ) func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error) { @@ -40,96 +40,100 @@ func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelo } type verifyOptions struct { - policyEnvelope dsse.Envelope - policyVerifiers []cryptoutil.Verifier - collectionSource source.Sourcer - subjectDigests []string + attestorOptions []policyverify.Option + runOptions []RunOption + signers []cryptoutil.Signer } type VerifyOption func(*verifyOptions) +// VerifyWithSigners will configure the provided signers to be used to sign a DSSE envelope with the resulting +// policyverify attestor. See VerifyWithRunOptions for additional options. +func VerifyWithSigners(signers ...cryptoutil.Signer) VerifyOption { + return func(vo *verifyOptions) { + vo.signers = append(vo.signers, signers...) + } +} + +// VerifyWithSubjectDigests configured the "seed" subject digests to start evaluating a policy. This is typically +// the digest of the software artifact or some other identifying digest. func VerifyWithSubjectDigests(subjectDigests []cryptoutil.DigestSet) VerifyOption { return func(vo *verifyOptions) { - for _, set := range subjectDigests { - for _, digest := range set { - vo.subjectDigests = append(vo.subjectDigests, digest) - } - } + vo.attestorOptions = append(vo.attestorOptions, policyverify.VerifyWithSubjectDigests(subjectDigests)) } } +// VerifyWithCollectionSource configures the policy engine's sources for signed attestation collections. +// For example: disk or archivista are two typical sources. func VerifyWithCollectionSource(source source.Sourcer) VerifyOption { return func(vo *verifyOptions) { - vo.collectionSource = source + vo.attestorOptions = append(vo.attestorOptions, policyverify.VerifyWithCollectionSource(source)) } } -// Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned -// if verifiation is successful. -func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (map[string][]source.VerifiedCollection, error) { - vo := verifyOptions{ - policyEnvelope: policyEnvelope, - policyVerifiers: policyVerifiers, +// VerifyWithAttestorOptions forwards the provided options to the policyverify attestor. +func VerifyWithAttestorOptions(opts ...policyverify.Option) VerifyOption { + return func(vo *verifyOptions) { + vo.attestorOptions = append(vo.attestorOptions, opts...) } +} - for _, opt := range opts { - opt(&vo) +// VerifyWithRunOptions forwards the provided RunOptions to the Run function that Verify calls. +func VerifyWithRunOptions(opts ...RunOption) VerifyOption { + return func(vo *verifyOptions) { + vo.runOptions = append(vo.runOptions, opts...) } +} - if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...)); err != nil { - return nil, fmt.Errorf("could not verify policy: %w", err) - } +type VerifyResult struct { + RunResult + VerificationSummary slsa.VerificationSummary +} - pol := policy.Policy{} - if err := json.Unmarshal(vo.policyEnvelope.Payload, &pol); err != nil { - return nil, fmt.Errorf("failed to unmarshal policy from envelope: %w", err) +// Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned +// if verifiation is successful. +func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (VerifyResult, error) { + vo := verifyOptions{} + for _, opt := range opts { + opt(&vo) } - pubKeysById, err := pol.PublicKeyVerifiers() - if err != nil { - return nil, fmt.Errorf("failed to get pulic keys from policy: %w", err) + vo.attestorOptions = append(vo.attestorOptions, policyverify.VerifyWithPolicyEnvelope(policyEnvelope), policyverify.VerifyWithPolicyVerifiers(policyVerifiers)) + if len(vo.signers) > 0 { + vo.runOptions = append(vo.runOptions, RunWithSigners(vo.signers...)) + } else { + vo.runOptions = append(vo.runOptions, RunWithInsecure(true)) } - pubkeys := make([]cryptoutil.Verifier, 0) - for _, pubkey := range pubKeysById { - pubkeys = append(pubkeys, pubkey) - } + // hacky solution to ensure the verification attestor is run through the attestation context + vo.runOptions = append(vo.runOptions, + RunWithAttestors( + []attestation.Attestor{ + policyverify.New(vo.attestorOptions...), + }, + ), + ) - trustBundlesById, err := pol.TrustBundles() + runResult, err := Run("policyverify", vo.runOptions...) if err != nil { - return nil, fmt.Errorf("failed to load policy trust bundles: %w", err) + return VerifyResult{}, err } - roots := make([]*x509.Certificate, 0) - intermediates := make([]*x509.Certificate, 0) - for _, trustBundle := range trustBundlesById { - roots = append(roots, trustBundle.Root) - intermediates = append(intermediates, intermediates...) + vr := VerifyResult{ + RunResult: runResult, } - timestampAuthoritiesById, err := pol.TimestampAuthorityTrustBundles() - if err != nil { - return nil, fmt.Errorf("failed to load policy timestamp authorities: %w", err) - } - - timestampVerifiers := make([]dsse.TimestampVerifier, 0) - for _, timestampAuthority := range timestampAuthoritiesById { - certs := []*x509.Certificate{timestampAuthority.Root} - certs = append(certs, timestampAuthority.Intermediates...) - timestampVerifiers = append(timestampVerifiers, timestamp.NewVerifier(timestamp.VerifyWithCerts(certs))) - } + for _, att := range runResult.Collection.Attestations { + if att.Type == slsa.VerificationSummaryPredicate { + verificationAttestor, ok := att.Attestation.(*policyverify.Attestor) + if !ok { + return VerifyResult{}, fmt.Errorf("unknown attestor %T", att.Attestation) + } - verifiedSource := source.NewVerifiedSource( - vo.collectionSource, - dsse.VerifyWithVerifiers(pubkeys...), - dsse.VerifyWithRoots(roots...), - dsse.VerifyWithIntermediates(intermediates...), - dsse.VerifyWithTimestampVerifiers(timestampVerifiers...), - ) - accepted, err := pol.Verify(ctx, policy.WithSubjectDigests(vo.subjectDigests), policy.WithVerifiedSource(verifiedSource)) - if err != nil { - return nil, fmt.Errorf("failed to verify policy: %w", err) + vr.VerificationSummary = verificationAttestor.VerificationSummary + break + } } - return accepted, nil + return vr, nil }