sigstore 0.1.1

data/lib/sigstore/tuf/file.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "error"
+
+module Sigstore::TUF
+  module BaseFile
+    def self.included(base)
+      base.extend(ClassMethods)
+      super
+    end
+
+    module ClassMethods
+      def verify_hashes(data, expected_hashed)
+        expected_hashed.each do |algorithm, expected_hash|
+          actual_hash = Digest(algorithm.upcase).hexdigest(data)
+          unless actual_hash == expected_hash
+            raise Error::LengthOrHashMismatch,
+                  "observed hash #{actual_hash} does not match expected hash #{expected_hash}"
+          end
+        end
+      end
+
+      def verify_length(data, expected_length)
+        actual_length = data.bytesize
+        return if actual_length == expected_length
+
+        raise Error::LengthOrHashMismatch,
+              "Observed length #{actual_length} does not match expected length #{expected_length}"
+      end
+
+      def validate_hashes(hashes)
+        raise ArgumentError, "hashes must be non-empty" if hashes.empty?
+
+        hashes.each do |algorithm, hash|
+          raise TypeError, "hashes items must be strings" unless algorithm.is_a?(String) && hash.is_a?(String)
+        end
+      end
+
+      def validate_length(length)
+        return unless length.negative?
+
+        raise ArgumentError, "length must be a non-negative integer, got #{length.inspect}"
+      end
+    end
+  end
+
+  module MetaFile
+    def self.included(base)
+      base.include(BaseFile)
+      base.extend(ClassMethods)
+      super
+    end
+
+    def initialize(version: 1, length: nil, hashes: nil, unrecognized_fields: {})
+      @version = version
+      @length = length
+      @hashes = hashes
+      @unrecognized_fields = unrecognized_fields
+
+      raise ArgumentError, "Metafile version must be positive, got #{@version}" if @version <= 0
+
+      self.class.validate_length(@length) unless @length.nil?
+      self.class.validate_hashes(@hashes) unless @hashes.nil?
+    end
+
+    def verify_length_and_hashes(data)
+      self.class.verify_length(data, @length) if @length
+      self.class.verify_hashes(data, @hashes) if @hashes
+    end
+
+    module ClassMethods
+      def from_hash(meta_dict)
+        version = meta_dict.fetch("version") { raise KeyError, "version is required, given #{meta_dict.inspect}" }
+        length = meta_dict.fetch("length", nil)
+        hashes = meta_dict.fetch("hashes", nil)
+
+        new(version:, length:, hashes:,
+            unrecognized_fields: meta_dict.slice(*(meta_dict.keys - %w[version length hashes])))
+      end
+    end
+  end
+end

data/lib/sigstore/tuf/keys.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Sigstore::TUF
+  class Keys
+    include Enumerable
+
+    def initialize(keys)
+      @keys = keys.to_h do |key_id, key_data|
+        key_type = key_data.fetch("keytype")
+        scheme = key_data.fetch("scheme")
+        keyval = key_data.fetch("keyval")
+        public_key_data = keyval.fetch("public")
+
+        key = Sigstore::Internal::Key.read(key_type, scheme, public_key_data, key_id:)
+
+        [key_id, key]
+      end
+    end
+
+    def fetch(key_id)
+      @keys.fetch(key_id)
+    end
+
+    def each(&)
+      @keys.each(&)
+    end
+  end
+end

data/lib/sigstore/tuf/roles.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Sigstore::TUF
+  class Roles
+    include Enumerable
+
+    def initialize(data, keys)
+      @roles =
+        case data
+        when Hash # root roles
+          data.to_h do |role_name, role_data|
+            role_data = role_data.merge("name" => role_name, "paths" => nil)
+            role = Role.new(role_data, keys)
+            [role.name, role]
+          end
+        when Array # targets roles
+          data.to_h do |role_data|
+            role = Role.new(role_data, keys)
+            [role.name, role]
+          end
+        else
+          raise ArgumentError, "Unexpected data: #{data.inspect}"
+        end
+    end
+
+    def each(&)
+      @roles.each(&)
+    end
+
+    def verify_delegate(type, bytes, signatures)
+      role = fetch(type)
+      role.verify_delegate(type, bytes, signatures)
+    end
+
+    def fetch(name)
+      @roles.fetch(name)
+    end
+
+    def for_target(target_path)
+      select do |_, role|
+        # TODO: this needs to be tested
+        role.paths.any? { |path| File.fnmatch?(path, target_path, File::FNM_PATHNAME) }
+      end.to_h
+    end
+  end
+
+  class Role
+    include Sigstore::Loggable
+
+    attr_reader :keys, :name, :paths, :threshold
+
+    def initialize(data, keys)
+      @name = data.fetch("name")
+      @paths = data.fetch("paths")
+      @threshold = data.fetch("threshold")
+      @keys = data.fetch("keyids").to_h { |key_id| [key_id, keys.fetch(key_id)] }
+      @terminating = data.fetch("terminating", false)
+    end
+
+    def terminating?
+      @terminating
+    end
+
+    def verify_delegate(type, bytes, signatures)
+      if (duplicate_keys = signatures.map { |sig| sig.fetch("keyid") }.tally.select { |_, count| count > 1 }).any?
+        raise Error::DuplicateKeys, "Duplicate keys found in signatures: #{duplicate_keys.inspect}"
+      end
+
+      count = signatures.count do |signature|
+        key_id = signature.fetch("keyid")
+        unless @keys.include?(key_id)
+          logger.warn "Unknown key_id=#{key_id.inspect} in signatures for #{type}"
+          next
+        end
+
+        key = @keys.fetch(key_id)
+        signature_bytes = [signature.fetch("sig")].pack("H*")
+        verified = key.verify("sha256", signature_bytes, bytes)
+
+        logger.debug do
+          "key_id=#{key_id.inspect} type=#{type} verified=#{verified}"
+        end
+        verified
+      end
+
+      return unless count < @threshold
+
+      raise Error::TooFewSignatures,
+            "Not enough signatures: found #{count} out of threshold=#{@threshold} for #{type}"
+    end
+  end
+end

data/lib/sigstore/tuf/root.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "time"
+
+require_relative "keys"
+require_relative "roles"
+require_relative "../internal/key"
+
+module Sigstore::TUF
+  class Root
+    include Sigstore::Loggable
+
+    TYPE = "root"
+    attr_reader :version, :consistent_snapshot, :expires
+
+    def initialize(data)
+      type = data.fetch("_type")
+      raise Error::InvalidData, "Expected type to be #{TYPE}, got #{type.inspect}" unless type == TYPE
+
+      @spec_version = data.fetch("spec_version") { raise Error::InvalidData, "root missing spec_version" }
+      @consistent_snapshot = data.fetch("consistent_snapshot") do
+        raise Error::InvalidData, "root missing consistent_snapshot"
+      end
+      @version = data.fetch("version") { raise Error::InvalidData, "root missing version" }
+      @expires = Time.iso8601(data.fetch("expires") { raise Error::InvalidData, "root missing expires" })
+      keys = Keys.new data.fetch("keys")
+      @roles = Roles.new data.fetch("roles"), keys
+      @unrecognized_fields = data.fetch("unrecognized_fields", {})
+    end
+
+    def verify_delegate(type, bytes, signatures)
+      @roles.verify_delegate(type, bytes, signatures)
+    end
+
+    def expired?(reference_time)
+      @expires < reference_time
+    end
+  end
+end

data/lib/sigstore/tuf/snapshot.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "file"
+
+module Sigstore::TUF
+  # The class for the Snapshot role
+  class Snapshot
+    TYPE = "snapshot"
+
+    attr_reader :version, :meta
+
+    def initialize(data)
+      type = data.fetch("_type")
+      raise Error::InvalidData, "Expected type to be #{TYPE}, got #{type.inspect}" unless type == TYPE
+
+      @version = data.fetch("version")
+      @expires = Time.iso8601 data.fetch("expires")
+      @meta = data.fetch("meta").transform_values { Meta.from_hash(_1) }
+    end
+
+    def expired?(reference_time)
+      @expires < reference_time
+    end
+
+    class Meta
+      include MetaFile
+
+      attr_reader :version
+    end
+  end
+end

data/lib/sigstore/tuf/targets.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "file"
+require_relative "keys"
+require_relative "roles"
+
+module Sigstore::TUF
+  class Targets
+    TYPE = "targets"
+
+    attr_reader :version, :targets, :delegations
+
+    def initialize(data)
+      type = data.fetch("_type")
+      raise Error::InvalidData, "Expected type to be #{TYPE}, got #{type.inspect}" unless type == TYPE
+
+      @version = data.fetch("version")
+      @expires = Time.iso8601 data.fetch("expires")
+      @targets = data.fetch("targets").to_h { |k, v| [k, Target.new(v, k)] }
+      @delegations = Delegations.new(data.fetch("delegations", {}))
+
+      @unrecognized_fields = data.fetch("unrecognized_fields", {})
+    end
+
+    def expired?(reference_time)
+      @expires < reference_time
+    end
+
+    def verify_delegate(type, bytes, signatures)
+      role = @delegations.fetch(type)
+      role.verify_delegate(type, bytes, signatures)
+    end
+
+    class Target
+      attr_reader :path, :hashes
+
+      include BaseFile
+
+      def initialize(data, path)
+        @path = path
+        @length = data.fetch("length")
+        @hashes = data.fetch("hashes")
+      end
+
+      def verify_length_and_hashes(data)
+        self.class.verify_length(data, @length)
+        self.class.verify_hashes(data, @hashes)
+      end
+    end
+
+    class Delegations
+      def initialize(data)
+        keys = Keys.new data.fetch("keys", {})
+        @roles = Roles.new data.fetch("roles", []), keys
+      end
+
+      def roles_for_target(target_path)
+        @roles.for_target(target_path)
+      end
+
+      def any?
+        @roles.any?
+      end
+
+      def fetch(name)
+        @roles.fetch(name)
+      end
+    end
+  end
+end

data/lib/sigstore/tuf/timestamp.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module Sigstore::TUF
+  class Timestamp
+    TYPE = "timestamp"
+
+    attr_reader :version, :spec_version, :expires, :snapshot_meta, :unrecognized_fields
+
+    def initialize(data)
+      type = data.fetch("_type")
+      raise Error::InvalidData, "Expected type to be #{TYPE}, got #{type.inspect}" unless type == TYPE
+
+      @version = data.fetch("version")
+      @spec_version = data.fetch("spec_version")
+      @expires = Time.iso8601 data.fetch("expires")
+      meta_dict = data.fetch("meta")
+      @snapshot_meta = Snapshot::Meta.from_hash(meta_dict["snapshot.json"])
+      @unrecognized_fields = data.fetch("unrecognized_fields", {})
+    end
+
+    def expired?(reference_time)
+      @expires < reference_time
+    end
+  end
+end

data/lib/sigstore/tuf/trusted_metadata_set.rb

@@ -0,0 +1,193 @@
+# frozen_string_literal: true
+
+# Copyright 2024 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require_relative "error"
+require_relative "root"
+require_relative "../internal/json"
+
+require "json"
+
+module Sigstore::TUF
+  class TrustedMetadataSet
+    include Sigstore::Loggable
+
+    def initialize(root_data, envelope_type, reference_time: Time.now.utc)
+      @trusted_set = {}
+      @reference_time = reference_time
+      @envelope_type = envelope_type
+
+      logger.debug { "Loading trusted root" }
+      load_trusted_root(root_data)
+    end
+
+    def root
+      @trusted_set.fetch("root") { raise Error::InvalidData, "missing root metadata" }
+    end
+
+    def root=(data)
+      raise Error::BadUpdateOrder, "cannot update root after timestamp" if @trusted_set.key?("timestamp")
+
+      metadata, canonical_signed, signatures = load_data(Root, data, root)
+      metadata.verify_delegate("root", canonical_signed, signatures)
+      raise Error::BadVersionNumber, "root version did not increment by one" if metadata.version != root.version + 1
+
+      @trusted_set["root"] = metadata
+
+      logger.debug { "Updated root v#{metadata.version}" }
+    end
+
+    def snapshot
+      @trusted_set.fetch("snapshot")
+    end
+
+    def timestamp
+      @trusted_set.fetch("timestamp")
+    end
+
+    def timestamp=(data)
+      raise Error::BadUpdateOrder, "cannot update timestamp after snapshot" if @trusted_set.key?("snapshot")
+
+      if root.expired?(@reference_time)
+        raise Error::ExpiredMetadata,
+              "final root.json expired at #{root.expires}, is #{@reference_time}"
+      end
+
+      metadata, = load_data(Timestamp, data, root)
+
+      if include?(Timestamp::TYPE)
+        if metadata.version < timestamp.version
+          raise Error::BadVersionNumber,
+                "timestamp version less than metadata version"
+        end
+        raise Error::EqualVersionNumber if metadata.version == timestamp.version
+
+        snapshot_meta = timestamp.snapshot_meta
+        new_snapshot_meta = metadata.snapshot_meta
+        if new_snapshot_meta.version < snapshot_meta.version
+          raise Error::BadVersionNumber, "snapshot version did not increase"
+        end
+      end
+
+      @trusted_set["timestamp"] = metadata
+      check_final_timestamp
+    end
+
+    def snapshot=(data, trusted: false)
+      raise Error::BadUpdateOrder, "cannot update snapshot before timestamp" unless @trusted_set.key?("timestamp")
+      raise Error::BadUpdateOrder, "cannot update snapshot after targets" if @trusted_set.key?("targets")
+
+      check_final_timestamp
+
+      snapshot_meta = timestamp.snapshot_meta
+
+      snapshot_meta.verify_length_and_hashes(data) unless trusted
+
+      new_snapshot, = load_data(Snapshot, data, root)
+
+      # If an existing trusted snapshot is updated, check for rollback attack
+      if include?(Snapshot::TYPE)
+        snapshot.meta.each do |filename, file_info|
+          new_file_info = new_snapshot.meta[filename]
+          raise Error::RepositoryError, "new snapshot is missing info for #{filename}" unless new_file_info
+
+          if new_file_info.version < file_info.version
+            raise Error::BadVersionNumber, "expected #{filename} v#{new_file_info.version}, got v#{file_info.version}"
+          end
+        end
+      end
+
+      @trusted_set["snapshot"] = new_snapshot
+      logger.debug { "Updated snapshot v#{new_snapshot.version}" }
+      check_final_snapshot
+    end
+
+    def include?(type)
+      @trusted_set.key?(type)
+    end
+
+    def [](role)
+      @trusted_set.fetch(role)
+    end
+
+    def update_delegated_targets(data, role, parent_role)
+      raise Error::BadUpdateOrder, "cannot update targets before snapshot" unless @trusted_set.key?("snapshot")
+
+      check_final_snapshot
+
+      delegator = @trusted_set[parent_role]
+      logger.debug { "Updating #{role} delegated by #{parent_role.inspect} to #{delegator.class}" }
+      raise Error::BadUpdateOrder, "cannot load targets before delegator" unless delegator
+
+      meta = snapshot.meta["#{role}.json"]
+      raise Error::RepositoryError, "no metadata for role #{role} in snapshot" unless meta
+
+      meta.verify_length_and_hashes(data)
+
+      new_delegate, = load_data(Targets, data, delegator, role)
+      version = new_delegate.version
+      raise Error::BadVersionNumber, "expected #{role} v#{meta.version}, got v#{version}" if version != meta.version
+
+      raise Error::ExpiredMetadata, "new #{role} is expired" if new_delegate.expired?(@reference_time)
+
+      @trusted_set[role] = new_delegate
+      logger.debug { "Updated #{role} v#{version}" }
+      new_delegate
+    end
+
+    private
+
+    def load_trusted_root(data)
+      root, canonical_signed, signatures = load_data(Root, data, nil)
+      # verify the new root is signed by itself
+      root.verify_delegate("root", canonical_signed, signatures)
+
+      @trusted_set["root"] = root
+    end
+
+    def load_data(type, data, delegator, role_name = nil)
+      metadata = JSON.parse(data)
+      signed = metadata.fetch("signed")
+      unless signed["_type"] == type::TYPE
+        raise Error::InvalidData,
+              "Expected type to be #{type::TYPE}, got #{signed["_type"].inspect}"
+      end
+
+      signatures = metadata.fetch("signatures")
+      metadata = type.new(signed)
+      canonical_signed = Sigstore::Internal::JSON.canonical_generate(signed)
+      delegator&.verify_delegate(role_name || type::TYPE, canonical_signed, signatures)
+      [metadata, canonical_signed, signatures]
+    rescue JSON::ParserError => e
+      raise Error::InvalidData, "Failed to parse #{type}: #{e.message}"
+    end
+
+    def check_final_timestamp
+      return unless timestamp.expired?(@reference_time)
+
+      raise Error::ExpiredMetadata,
+            "final timestamp.json is expired (expired at #{timestamp.expires} vs reference time #{@reference_time})"
+    end
+
+    def check_final_snapshot
+      raise Error::ExpiredMetadata, "final snapshot.json is expired" if snapshot.expired?(@reference_time)
+
+      snapshot_meta = timestamp.snapshot_meta
+      return if snapshot.version == snapshot_meta.version
+
+      raise Error::BadVersionNumber, "expected snapshot version #{snapshot_meta.version}, got #{snapshot.version}"
+    end
+  end
+end