sigstore 0.1.1

data/lib/sigstore/models.rb

@@ -0,0 +1,272 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "error"
+
+require_relative "trusted_root"
+
+module Sigstore
+  VerificationResult = Struct.new(:success, keyword_init: true) do
+    # @implements VerificationResult
+
+    alias_method :verified?, :success
+  end
+
+  class VerificationSuccess < VerificationResult
+    # @implements VerificationSuccess
+    def initialize
+      super(success: true)
+    end
+  end
+
+  class VerificationFailure < VerificationResult
+    # @implements VerificationFailure
+    attr_reader :reason
+
+    def initialize(reason)
+      @reason = reason
+      super(success: false)
+    end
+  end
+
+  class BundleType
+    include Comparable
+
+    attr_reader :media_type
+
+    def initialize(media_type)
+      @media_type = media_type
+    end
+
+    BUNDLE_0_1 = new("application/vnd.dev.sigstore.bundle+json;version=0.1")
+    BUNDLE_0_2 = new("application/vnd.dev.sigstore.bundle+json;version=0.2")
+    BUNDLE_0_3 = new("application/vnd.dev.sigstore.bundle.v0.3+json")
+
+    VERSIONS = [BUNDLE_0_1, BUNDLE_0_2, BUNDLE_0_3].freeze
+
+    def self.from_media_type(media_type)
+      case media_type
+      when BUNDLE_0_1.media_type
+        BUNDLE_0_1
+      when BUNDLE_0_2.media_type
+        BUNDLE_0_2
+      when BUNDLE_0_3.media_type, "application/vnd.dev.sigstore.bundle+json;version=0.3"
+        BUNDLE_0_3
+      else
+        raise Error::InvalidBundle, "Unsupported bundle format: #{media_type.inspect}"
+      end
+    end
+
+    def <=>(other)
+      VERSIONS.index(self) <=> VERSIONS.index(other)
+    end
+  end
+
+  class VerificationInput < DelegateClass(Verification::V1::Input)
+    attr_reader :trusted_root, :sbundle, :hashed_input
+
+    def initialize(*)
+      super
+      @trusted_root = TrustedRoot.new(artifact_trust_root)
+      @sbundle = SBundle.new(bundle)
+      if sbundle.message_signature? && !artifact
+        raise Error::InvalidVerificationInput, "bundle with message_signature requires an artifact"
+      end
+
+      case artifact.data
+      when :artifact_uri
+        unless artifact.artifact_uri.start_with?("sha256:")
+          raise Error::InvalidVerificationInput,
+                "artifact_uri must be prefixed with 'sha256:'"
+        end
+
+        @hashed_input = Common::V1::HashOutput.new.tap do |hash_output|
+          hash_output.algorithm = Common::V1::HashAlgorithm::SHA2_256
+          hexdigest = artifact.artifact_uri.split(":", 2).last
+          hash_output.digest = Internal::Util.hex_decode(hexdigest)
+        end
+      when :artifact
+        @hashed_input = Common::V1::HashOutput.new.tap do |hash_output|
+          hash_output.algorithm = Common::V1::HashAlgorithm::SHA2_256
+          hash_output.digest = OpenSSL::Digest.new("SHA256").update(artifact.artifact).digest
+        end
+      else
+        raise Error::InvalidVerificationInput, "Unsupported artifact data: #{artifact.data}"
+      end
+
+      freeze
+    end
+  end
+
+  class SBundle < DelegateClass(Bundle::V1::Bundle)
+    attr_reader :bundle_type, :leaf_certificate
+
+    def initialize(*)
+      super
+      @bundle_type = BundleType.from_media_type(media_type)
+      validate_version!
+      freeze
+    end
+
+    def self.for_cert_bytes_and_signature(cert_bytes, signature)
+      bundle = Bundle::V1::Bundle.new
+      bundle.media_type = BundleType::BUNDLE_0_3.media_type
+      bundle.verification_material = Bundle::V1::VerificationMaterial.new
+      bundle.verification_material.certificate = Common::V1::X509Certificate.new
+      bundle.verification_material.certificate.raw_bytes = cert_bytes
+      bundle.message_signature = Common::V1::MessageSignature.new
+      bundle.message_signature.signature = signature
+      new(bundle)
+    end
+
+    def expected_tlog_entry(hashed_input)
+      case content
+      when :message_signature
+        expected_hashed_rekord_tlog_entry(hashed_input)
+      when :dsse_envelope
+        rekor_entry = verification_material.tlog_entries.first
+        case JSON.parse(rekor_entry.canonicalized_body).values_at("kind", "apiVersion")
+        when %w[dsse 0.0.1]
+          expected_dsse_0_0_1_tlog_entry
+        when %w[intoto 0.0.2]
+          expected_intoto_0_0_2_tlog_entry
+        else
+          raise Error::InvalidRekorEntry, "Unhandled rekor entry kind/version: #{t.inspect}"
+        end
+      else
+        raise Error::InvalidBundle, "expected either message_signature or dsse_envelope"
+      end
+    end
+
+    private
+
+    def validate_version!
+      case bundle_type
+      when BundleType::BUNDLE_0_1
+        unless verification_material.tlog_entries.all?(&:inclusion_promise)
+          raise Error::InvalidBundle,
+                "bundle v0.1 requires an inclusion promise"
+        end
+        if verification_material.tlog_entries.any? { |t| t.inclusion_proof&.checkpoint.nil? }
+          raise Error::InvalidBundle,
+                "0.1 bundle contains an inclusion proof without checkpoint"
+        end
+      else
+        unless verification_material.tlog_entries.all?(&:inclusion_proof)
+          raise Error::InvalidBundle,
+                "must contain an inclusion proof"
+        end
+        unless verification_material.tlog_entries.all? { |t| t.inclusion_proof.checkpoint.envelope }
+          raise Error::InvalidBundle,
+                "inclusion proof must contain a checkpoint"
+        end
+      end
+
+      raise Error::InvalidBundle, "Expected one tlog entry" if verification_material.tlog_entries.size > 1
+
+      case verification_material.content
+      when :public_key
+        raise Error::Unimplemented, "public_key content of bundle"
+      when :x509_certificate_chain
+        certs = verification_material.x509_certificate_chain.certificates.map do |cert|
+          Internal::X509::Certificate.read(cert.raw_bytes)
+        end
+
+        @leaf_certificate = certs.first
+        certs.each do |cert|
+          raise Error::InvalidBundle, "Root CA in chain" if cert.ca?
+        end
+      when :certificate
+        @leaf_certificate = Internal::X509::Certificate.read(verification_material.certificate.raw_bytes)
+      else
+        raise Error::InvalidBundle, "Unsupported bundle content: #{content}"
+      end
+      raise Error::InvalidBundle, "Expected leaf certificate" unless @leaf_certificate.leaf?
+    end
+
+    def expected_hashed_rekord_tlog_entry(hashed_input)
+      {
+        "spec" => {
+          "signature" => {
+            "content" => Internal::Util.base64_encode(message_signature.signature),
+            "publicKey" => {
+              "content" => Internal::Util.base64_encode(leaf_certificate.to_pem)
+            }
+          },
+          "data" => {
+            "hash" => {
+              "algorithm" => Internal::Util.hash_algorithm_name(hashed_input.algorithm),
+              "value" => Internal::Util.hex_encode(hashed_input.digest)
+            }
+          }
+        },
+        "kind" => "hashedrekord",
+        "apiVersion" => "0.0.1"
+      }
+    end
+
+    def expected_intoto_0_0_2_tlog_entry
+      {
+        "apiVersion" => "0.0.2",
+        "kind" => "intoto",
+        "spec" => {
+          "content" => {
+            "envelope" => {
+              "payloadType" => dsse_envelope.payloadType,
+              "payload" => Internal::Util.base64_encode(Internal::Util.base64_encode(dsse_envelope.payload)),
+              "signatures" => dsse_envelope.signatures.map do |sig|
+                {
+                  "publicKey" =>
+                    # needed because #to_pem packs the key in base64 with m*
+                    Internal::Util.base64_encode(
+                      "-----BEGIN CERTIFICATE-----\n" \
+                      "#{Internal::Util.base64_encode(leaf_certificate.to_der)}\n" \
+                      "-----END CERTIFICATE-----\n"
+                    ),
+                  "sig" => Internal::Util.base64_encode(Internal::Util.base64_encode(sig.sig))
+                }
+              end
+            },
+            "payloadHash" => {
+              "algorithm" => "sha256",
+              "value" => OpenSSL::Digest::SHA256.hexdigest(dsse_envelope.payload)
+            }
+          }
+        }
+      }
+    end
+
+    def expected_dsse_0_0_1_tlog_entry
+      {
+        "apiVersion" => "0.0.1",
+        "kind" => "dsse",
+        "spec" => {
+          "payloadHash" => {
+            "algorithm" => "sha256",
+            "value" => OpenSSL::Digest::SHA256.hexdigest(dsse_envelope.payload)
+          },
+          "signatures" =>
+            dsse_envelope.signatures.map do |sig|
+              {
+                "signature" => Internal::Util.base64_encode(sig.sig),
+                "verifier" => Internal::Util.base64_encode(leaf_certificate.to_pem)
+              }
+            end
+        }
+      }
+    end
+  end
+end

data/lib/sigstore/oidc.rb

@@ -0,0 +1,149 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Sigstore
+  module OIDC
+    KNOWN_OIDC_ISSUERS = {
+      "https://accounts.google.com" => "email",
+      "https://oauth2.sigstore.dev/auth" => "email",
+      "https://oauth2.sigstage.dev/auth" => "email",
+      "https://token.actions.githubusercontent.com" => "job_workflow_ref"
+    }.freeze
+    private_constant :KNOWN_OIDC_ISSUERS
+
+    DEFAULT_AUDIENCE = "sigstore"
+    private_constant :DEFAULT_AUDIENCE
+
+    class IdentityToken
+      attr_reader :raw_token, :identity
+
+      def initialize(raw_token)
+        @raw_token = raw_token
+
+        @unverified_claims = self.class.decode_jwt(raw_token)
+        @iss = @unverified_claims["iss"]
+        @nbf = @unverified_claims["nbf"]
+        @exp = @unverified_claims["exp"]
+
+        # fail early if this token isn't within its validity period
+        raise Error::InvalidIdentityToken, "identity token is not within its validity period" unless in_validity_period?
+
+        if (identity_claim = KNOWN_OIDC_ISSUERS[issuer])
+          unless @unverified_claims[identity_claim]
+            raise Error::InvalidIdentityToken, "identity token is missing required claim: #{identity_claim}"
+          end
+
+          @identity = @unverified_claims[identity_claim]
+          # https://github.com/sigstore/fulcio/blob/8311f93c01ea5b068a86d37c4bb51573289bfd69/pkg/identity/github/principal.go#L92
+          @identity = "https://github.com/#{@identity}" if issuer == "https://token.actions.githubusercontent.com"
+        else
+          @identity = @unverified_claims["sub"]
+        end
+      end
+
+      def issuer
+        @iss
+      end
+
+      def self.decode_jwt(raw_token)
+        # These claims are required by OpenID Connect, so
+        # we can strongly enforce their presence.
+        # See: https://openid.net/specs/openid-connect-basic-1_0.html#IDToken
+        required = %w[aud sub iat exp iss]
+        audience = DEFAULT_AUDIENCE
+        leeway = 5
+
+        _header, payload, _signature =
+          raw_token
+          .split(".", 3)
+          .tap do |parts|
+            raise Error::InvalidIdentityToken, "identity token is not a JWT" unless parts.length == 3
+          end.map! do |part| # rubocop:disable Style/MultilineBlockChain
+            part.unpack1("m*")
+          rescue ArgumentError
+            raise Error::InvalidIdentityToken, "Invalid base64 in identity token"
+          end
+
+        begin
+          payload = JSON.parse(payload)
+        rescue JSON::ParserError
+          raise Error::InvalidIdentityToken, "Invalid JSON in identity token"
+        end
+        unless payload.is_a?(Hash)
+          raise Error::InvalidIdentityToken,
+                "Invalid JSON in identity token: must be a json object"
+        end
+        time = Time.now.to_i
+        validate_required_claims(payload, required)
+        validate_iat(payload["iat"], time, leeway)
+        validate_nbf(payload["nbf"], time, leeway)
+        validate_exp(payload["exp"], time, leeway)
+        validate_aud(payload["aud"], audience)
+
+        payload
+      end
+
+      private
+
+      # Returns whether or not this `Identity` is currently within its self-stated validity period.
+      def in_validity_period?
+        now = Time.now.utc.to_i
+        return false if @nbf && @nbf > now
+
+        now < @exp
+      end
+
+      class << self
+        private
+
+        def validate_required_claims(payload, required)
+          required.each do |claim|
+            next if payload[claim]
+
+            raise Error::InvalidIdentityToken, "Missing required claim in identity token: #{claim}"
+          end
+        end
+
+        def validate_iat(iat, now, leeway)
+          raise Error::InvalidIdentityToken, "iat claim must be an integer" unless iat.is_a?(Integer)
+          raise Error::InvalidIdentityToken, "iat claim is in the future" if iat > now + leeway
+        end
+
+        def validate_nbf(nbf, now, leeway)
+          raise Error::InvalidIdentityToken, "nbf claim must be an integer" unless nbf.is_a?(Integer)
+          raise Error::InvalidIdentityToken, "nbf claim is in the future" if nbf > now + leeway
+        end
+
+        def validate_exp(exp, now, leeway)
+          raise Error::InvalidIdentityToken, "exp claim must be an integer" unless exp.is_a?(Integer)
+          raise Error::InvalidIdentityToken, "exp claim is in the past" if exp <= now - leeway
+        end
+
+        def validate_aud(aud, audience)
+          aud = Array(aud)
+
+          raise Error::InvalidIdentityToken, "aud claim must not be empty" if aud.empty?
+          raise Error::InvalidIdentityToken, "aud claim must be strings" unless aud.all?(String)
+
+          return if aud.include?(audience)
+
+          raise Error::InvalidIdentityToken,
+                "aud claim does not contain the expected audience #{audience.inspect}"
+        end
+      end
+    end
+  end
+end

data/lib/sigstore/policy.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Sigstore
+  module Policy
+    class SingleX509ExtPolicy
+      def initialize(value)
+        @value = value
+      end
+
+      def verify(cert)
+        ext = cert.openssl.find_extension(oid)
+        unless ext
+          return VerificationFailure.new("Certificate does not contain #{self.class.name&.[](/::([^:]+)$/, 1)} " \
+                                         "(#{oid}) extension")
+        end
+
+        value = ext_value(ext)
+        verified = value == @value
+        unless verified
+          return VerificationFailure.new("Certificate's #{self.class.name&.[](/::([^:]+)$/, 1)} does not match " \
+                                         "(got #{value}, expected #{@value})")
+        end
+
+        VerificationSuccess.new
+      end
+
+      def ext_value(ext)
+        ext.value
+      end
+
+      def oid
+        self.class::OID # : String
+      end
+    end
+
+    class OIDCIssuer < SingleX509ExtPolicy
+      OID = "1.3.6.1.4.1.57264.1.1"
+    end
+
+    class OIDCIssuerV2 < SingleX509ExtPolicy
+      OID = "1.3.6.1.4.1.57264.1.8"
+
+      def ext_value(ext)
+        OpenSSL::ASN1.decode(ext.value_der).value
+      end
+    end
+
+    class AnyOf
+      def initialize(*policies)
+        @policies = policies
+      end
+
+      def verify(cert)
+        failures = []
+        @policies.each do |policy|
+          result = policy.verify(cert)
+          return result if result.verified?
+
+          failures << result.reason
+        end
+
+        VerificationFailure.new("No policy matched: #{failures.join(", ")}")
+      end
+    end
+
+    class Identity
+      def initialize(identity:, issuer:)
+        @identity = identity
+        @issuer = AnyOf.new(OIDCIssuer.new(issuer), OIDCIssuerV2.new(issuer))
+      end
+
+      def verify(cert)
+        issuer_verified = @issuer.verify(cert)
+        return issuer_verified unless issuer_verified.verified?
+
+        san_ext = cert.extension(Sigstore::Internal::X509::Extension::SubjectAlternativeName)
+        raise Error::InvalidCertificate, "Certificate does not contain subjectAltName extension" unless san_ext
+
+        verified = san_ext.general_names.any? { |_, id| id == @identity }
+        unless verified
+          return VerificationFailure.new(
+            "Certificate's SANs do not match #{@identity}; actual SANs: #{san_ext.general_names}"
+          )
+        end
+
+        VerificationSuccess.new
+      end
+    end
+  end
+end

data/lib/sigstore/rekor/checkpoint.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Sigstore
+  module Rekor
+    module Checkpoint
+      Signature = Struct.new(:name, :sig_hash, :signature, keyword_init: true)
+
+      SignedCheckpoint = Struct.new(:signed_note, :checkpoint, keyword_init: true) do
+        # @implements SignedCheckpoint
+
+        def self.from_text(text)
+          signed_note = SignedNote.from_text(text)
+          checkpoint = LogCheckpoint.from_text(signed_note.note)
+
+          new(signed_note:, checkpoint:)
+        end
+      end
+
+      SignedNote = Struct.new(:note, :signatures, keyword_init: true) do
+        # @implements SignedNote
+
+        def self.from_text(text)
+          separator = "\n\n"
+
+          raise Error::InvalidCheckpoint, "Note must include double newline separator" unless text.include?(separator)
+
+          note, signatures = text.split(separator, 2)
+          raise Error::InvalidCheckpoint, "must contain at least one signature" if signatures.empty?
+          raise Error::InvalidCheckpoint, "signatures must end with a newline" unless signatures.end_with?("\n")
+
+          note << "\n"
+
+          sig_parser = %r{^\u2014 (?<name>[^[[:space:]]+]+) (?<signature>[0-9A-Za-z+/=-]+)\n}
+
+          signatures = signatures.lines.map! do |line|
+            raise Error::InvalidCertificate, "Invalid signature line: #{line.inspect}" unless sig_parser =~ line
+
+            name = Regexp.last_match[:name]
+            signature = Regexp.last_match[:signature]
+
+            signature_bytes = signature.unpack1("m0")
+            raise Error::InvalidCheckpoint, "too few bytes in signature" if signature_bytes.bytesize < 5
+
+            sig_hash = signature_bytes.slice!(0, 4).unpack1("a4")
+
+            Signature.new(name:, sig_hash:, signature: signature_bytes)
+          end
+
+          new(note:, signatures:)
+        end
+
+        def verify(rekor_keyring, key_id)
+          data = note.encode("utf-8")
+          signatures.each do |signature|
+            sig_hash = key_id[0, 4]
+            if signature.sig_hash != sig_hash
+              raise Error::InvalidCheckpoint,
+                    "sig_hash hint #{signature.sig_hash.inspect} does not match key_id #{sig_hash.inspect}"
+            end
+
+            rekor_keyring.verify(key_id: key_id.unpack1("H*"), signature: signature.signature, data:)
+          end
+        end
+      end
+
+      LogCheckpoint = Struct.new(:origin, :log_size, :log_hash, :other_content, keyword_init: true) do
+        # @implements LogCheckpoint
+
+        def self.from_text(text)
+          lines = text.strip.split("\n")
+
+          raise Error::InvalidCheckpoint, "too few items in header" if lines.size < 3
+
+          origin = lines.shift
+          log_size = lines.shift.to_i
+          root_hash = lines.shift.unpack1("m0")
+
+          raise Error::InvalidCheckpoint, "empty origin" if origin.empty?
+
+          new(origin:, log_size:, log_hash: root_hash, other_content: lines)
+        end
+      end
+
+      def self.verify_checkpoint(rekor_keyring, entry)
+        raise Error::InvalidRekorEntry, "Rekor entry has no inclusion proof" unless entry.inclusion_proof
+
+        signed_checkpoint = SignedCheckpoint.from_text(entry.inclusion_proof.checkpoint.envelope)
+        signed_checkpoint.signed_note.verify(rekor_keyring, entry.log_id.key_id)
+
+        checkpoint_hash = signed_checkpoint.checkpoint.log_hash
+        root_hash = entry.inclusion_proof.root_hash
+
+        return if checkpoint_hash == root_hash
+
+        raise Error::InvalidRekorEntry, "Inclusion proof contains invalid root hash: " \
+                                        "expected #{checkpoint_hash.inspect}, calculated #{root_hash.inspect}"
+      end
+    end
+  end
+end