diff --git a/cmd/root.go b/cmd/root.go index f9e37b0..b858736 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -12,7 +12,7 @@ import ( ) var rootCmd = &cobra.Command{ - Use: "ite-10-verifier", + Use: "attestation-verifier", RunE: verify, } @@ -20,6 +20,7 @@ var ( layoutPath string attestationsDir string parametersPath string + withResolver bool ) func Execute() { @@ -53,6 +54,14 @@ func init() { "Path to JSON file containing key-value string pairs for parameter substitution in the layout", ) + rootCmd.Flags().BoolVarP( + &withResolver, + "with-rd-resolver", + "r", + false, + "Enable resource descriptor (RD) resolver needed for cross-attestation checks", + ) + rootCmd.MarkFlagRequired("layout") rootCmd.MarkFlagRequired("attestations-directory") } @@ -107,5 +116,5 @@ func verify(cmd *cobra.Command, args []string) error { } } - return verifier.Verify(layout, attestations, parameters) + return verifier.Verify(layout, attestations, parameters, withResolver) } diff --git a/layouts/rd-resolution.yml b/layouts/rd-resolution.yml new file mode 100644 index 0000000..87aef18 --- /dev/null +++ b/layouts/rd-resolution.yml @@ -0,0 +1,50 @@ +# Run Command: cd test-data-rd-resolver; attestation-verifier -a . --layout ../layouts/rd-resolution.yml -r + +expires: "2024-10-10T12:23:22Z" +functionaries: + 1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6: + keyType: "rsa" + scheme: "rsassa-pss-sha256" + keyIDHashAlgorithms: + - "sha256" + - "sha512" + keyVal: + public: "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA0o+jumXN3tE2Xqx1qKjC\ngzCCvAPoOlzQlg+7OLGHnJbQgDxOyhFYMNqJ6cztb26NettmEpPtLDSnM5fPvHuH\nPVoPctzLqE9MiXdD1C7RHbjeSaUBxJV6wSGdAGzNa+8oxxG1ex4H7KHOXD8Mo61o\nitzViEw8knQNDhKHA/JWMnnhX07J1wF+EBWHpBsquAxZMLwy9h4uSlJjbK6TVZS8\nzLEtChVHLqF71px3/rRLlx6gyvSfqsVUd86JDrZtC+MHiq72nnx6N7+4wmSFB6ZQ\naBJvEemP9f54KgSMPLH4fZ63noQKUj9dnOZ+N4f0SGRIIvhN03/LlVA9ifkJBQml\nLKbiNWGAk92+C6NEp2Tj7olNsQ1zOTLzC27CJSWlDq9hSiS7LuaZUy7Gb3acX6Zf\nGZkwYXpXQPp/vM66InJcr5/T1iW/XhtmCHiRd7T24R4qDvS+Xuqv9+pJtHemCUpz\nWhn7N5L7Hr/t0b0SIUNd1PZzD4+lKElcAt99vCVlKQmVAgMBAAE=\n-----END PUBLIC KEY-----" + keyID: "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" + 452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c: + keyType: "ecdsa" + scheme: "ecdsa-sha2-nistp256" + keyIDHashAlgorithms: + - "sha256" + - "sha512" + keyVal: + public: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEB0TVhLF/u/aDcn+3ncIW2lfOKFn4\niCY36NC3k/oPa8sJ8X25H//mhY8/6fNyUh4PzjIEyHPOcr8CAi8dWyuRFQ==\n-----END PUBLIC KEY-----" + keyID: "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c" +steps: + - name: "build" + expectedMaterials: + - "ALLOW git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata" + - "DISALLOW *" + expectedProducts: + - "CREATE pdo_client_wawaka" + - "DISALLOW *" + expectedPredicates: + - predicateType: "https://slsa.dev/provenance/v0.2" + expectedAttributes: + - rule: "predicate.builder.id == 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0'" + - rule: "predicate.invocation.configSource.uri == 'git+https://github.com/marcelamelara/private-data-objects@refs/heads/generate-swsc-build-metadata'" + - rule: "predicate.invocation.configSource.digest.sha1 == '87b74378e8c9ccf335a27ffcdc16636990254e1e'" + functionaries: + - "452e628a9a052784761275fe2eed15d7c0c8c8599bf1977879f130a568af5d8c" + - name: "evidence-collection" + expectedMaterials: + - "MATCH pdo_client_wawaka WITH products FROM build" + - "DISALLOW *" + expectedPredicates: + - predicateType: "https://in-toto.io/attestation/scai/attribute-report/v0.2" + expectedAttributes: + - rule: "size(predicate.attributes) >= 2" + - rule: "predicate.attributes.exists(a, a.attribute == 'HasSBOM')" + - rule: "predicate.attributes.exists(a, a.attribute == 'HasSLSA' && get_attestation(a.evidence) == 'https://slsa.dev/provenance/v0.2')" + functionaries: + - "1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6" diff --git a/test-data-rd-resolver/build.452e628a.json b/test-data-rd-resolver/build.452e628a.json new file mode 100644 index 0000000..5eaa780 --- /dev/null +++ b/test-data-rd-resolver/build.452e628a.json @@ -0,0 +1 @@ +{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjAuMSIsInByZWRpY2F0ZVR5cGUiOiJodHRwczovL3Nsc2EuZGV2L3Byb3ZlbmFuY2UvdjAuMiIsInN1YmplY3QiOlt7Im5hbWUiOiJwZG9fY2xpZW50X3dhd2FrYSIsImRpZ2VzdCI6eyJzaGEyNTYiOiI5ZmI3ZWY1NTIyOThmOGZiYWQ4NDYwNGQwNjEwMGU3NjBiN2I4YzRjYjRkNmM0YjcyNzg2NWYxZjI4NWQwNmFjIn19XSwicHJlZGljYXRlIjp7ImJ1aWxkZXIiOnsiaWQiOiJodHRwczovL2dpdGh1Yi5jb20vc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29ya2Zsb3dzL2dlbmVyYXRvcl9nZW5lcmljX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEuNy4wIn0sImJ1aWxkVHlwZSI6Imh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1ld29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvZ2VuZXJpY0B2MSIsImludm9jYXRpb24iOnsiY29uZmlnU291cmNlIjp7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0c0ByZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEiLCJkaWdlc3QiOnsic2hhMSI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifSwiZW50cnlQb2ludCI6Ii5naXRodWIvd29ya2Zsb3dzL2NpLXN3c2MueWFtbCJ9LCJwYXJhbWV0ZXJzIjp7fSwiZW52aXJvbm1lbnQiOnsiZ2l0aHViX2FjdG9yIjoibWFyY2VsYW1lbGFyYSIsImdpdGh1Yl9hY3Rvcl9pZCI6IjkzNzk3ODk4IiwiZ2l0aHViX2Jhc2VfcmVmIjoiIiwiZ2l0aHViX2V2ZW50X25hbWUiOiJwdXNoIiwiZ2l0aHViX2V2ZW50X3BheWxvYWQiOnsiYWZ0ZXIiOiI4N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkwMjU0ZTFlIiwiYmFzZV9yZWYiOm51bGwsImJlZm9yZSI6Ijg5ZWE1M2I4ODM1NzNjNjI5NWQ4ZWU2M2VkN2FhMWUwZDE0Yzc4ZTEiLCJjb21taXRzIjpbeyJhdXRob3IiOnsiZW1haWwiOiJtYXJjZWxhLm1lbGFyYUBpbnRlbC5jb20iLCJuYW1lIjoiTWFyY2VsYSBNZWxhcmEiLCJ1c2VybmFtZSI6Im1hcmNlbGFtZWxhcmEifSwiY29tbWl0dGVyIjp7ImVtYWlsIjoibWFyY2VsYS5tZWxhcmFAaW50ZWwuY29tIiwibmFtZSI6Ik1hcmNlbGEgTWVsYXJhIiwidXNlcm5hbWUiOiJtYXJjZWxhbWVsYXJhIn0sImRpc3RpbmN0Ijp0cnVlLCJpZCI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUiLCJtZXNzYWdlIjoiTWVyZ2Ugc3dzYyBtZXRhZGF0YSB3b3JrZmxvd3NcblxuU2lnbmVkLW9mZi1ieTogTWFyY2VsYSBNZWxhcmEgXHUwMDNjbWFyY2VsYS5tZWxhcmFAaW50ZWwuY29tXHUwMDNlIiwidGltZXN0YW1wIjoiMjAyMy0wOC0yM1QxNjo1NToyMC0wNzowMCIsInRyZWVfaWQiOiIzNDY5OWE1NTQyMTBmZjkzZmM4NjBmNzBlNGExODNlNjY0YjM3MjVlIiwidXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29tbWl0Lzg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifV0sImNvbXBhcmUiOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9jb21wYXJlLzg5ZWE1M2I4ODM1Ny4uLjg3Yjc0Mzc4ZThjOSIsImNyZWF0ZWQiOmZhbHNlLCJkZWxldGVkIjpmYWxzZSwiZm9yY2VkIjpmYWxzZSwiaGVhZF9jb21taXQiOnsiYXV0aG9yIjp7ImVtYWlsIjoibWFyY2VsYS5tZWxhcmFAaW50ZWwuY29tIiwibmFtZSI6Ik1hcmNlbGEgTWVsYXJhIiwidXNlcm5hbWUiOiJtYXJjZWxhbWVsYXJhIn0sImNvbW1pdHRlciI6eyJlbWFpbCI6Im1hcmNlbGEubWVsYXJhQGludGVsLmNvbSIsIm5hbWUiOiJNYXJjZWxhIE1lbGFyYSIsInVzZXJuYW1lIjoibWFyY2VsYW1lbGFyYSJ9LCJkaXN0aW5jdCI6dHJ1ZSwiaWQiOiI4N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkwMjU0ZTFlIiwibWVzc2FnZSI6Ik1lcmdlIHN3c2MgbWV0YWRhdGEgd29ya2Zsb3dzXG5cblNpZ25lZC1vZmYtYnk6IE1hcmNlbGEgTWVsYXJhIFx1MDAzY21hcmNlbGEubWVsYXJhQGludGVsLmNvbVx1MDAzZSIsInRpbWVzdGFtcCI6IjIwMjMtMDgtMjNUMTY6NTU6MjAtMDc6MDAiLCJ0cmVlX2lkIjoiMzQ2OTlhNTU0MjEwZmY5M2ZjODYwZjcwZTRhMTgzZTY2NGIzNzI1ZSIsInVybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2NvbW1pdC84N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkwMjU0ZTFlIn0sInB1c2hlciI6eyJlbWFpbCI6Im1hcmNlbGEubWVsYXJhQGludGVsLmNvbSIsIm5hbWUiOiJtYXJjZWxhbWVsYXJhIn0sInJlZiI6InJlZnMvaGVhZHMvZ2VuZXJhdGUtc3dzYy1idWlsZC1tZXRhZGF0YSIsInJlcG9zaXRvcnkiOnsiYWxsb3dfZm9ya2luZyI6dHJ1ZSwiYXJjaGl2ZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMve2FyY2hpdmVfZm9ybWF0fXsvcmVmfSIsImFyY2hpdmVkIjpmYWxzZSwiYXNzaWduZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9hc3NpZ25lZXN7L3VzZXJ9IiwiYmxvYnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2dpdC9ibG9ic3svc2hhfSIsImJyYW5jaGVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9icmFuY2hlc3svYnJhbmNofSIsImNsb25lX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzLmdpdCIsImNvbGxhYm9yYXRvcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2NvbGxhYm9yYXRvcnN7L2NvbGxhYm9yYXRvcn0iLCJjb21tZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29tbWVudHN7L251bWJlcn0iLCJjb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9jb21taXRzey9zaGF9IiwiY29tcGFyZV91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29tcGFyZS97YmFzZX0uLi57aGVhZH0iLCJjb250ZW50c191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29udGVudHMveytwYXRofSIsImNvbnRyaWJ1dG9yc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvY29udHJpYnV0b3JzIiwiY3JlYXRlZF9hdCI6MTU4MDE1ODUzNCwiZGVmYXVsdF9icmFuY2giOiJtYWluIiwiZGVwbG95bWVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2RlcGxveW1lbnRzIiwiZGVzY3JpcHRpb24iOiJUaGUgUHJpdmF0ZSBEYXRhIE9iamVjdHMgbGFiIHByb3ZpZGVzIHRlY2hub2xvZ3kgZm9yIGNvbmZpZGVudGlhbGl0eS1wcmVzZXJ2aW5nLCBvZmYtY2hhaW4gc21hcnQgY29udHJhY3RzLiIsImRpc2FibGVkIjpmYWxzZSwiZG93bmxvYWRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9kb3dubG9hZHMiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2V2ZW50cyIsImZvcmsiOnRydWUsImZvcmtzIjoxLCJmb3Jrc19jb3VudCI6MSwiZm9ya3NfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2ZvcmtzIiwiZnVsbF9uYW1lIjoibWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cyIsImdpdF9jb21taXRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvY29tbWl0c3svc2hhfSIsImdpdF9yZWZzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvcmVmc3svc2hhfSIsImdpdF90YWdzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvdGFnc3svc2hhfSIsImdpdF91cmwiOiJnaXQ6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMuZ2l0IiwiaGFzX2Rpc2N1c3Npb25zIjpmYWxzZSwiaGFzX2Rvd25sb2FkcyI6dHJ1ZSwiaGFzX2lzc3VlcyI6ZmFsc2UsImhhc19wYWdlcyI6ZmFsc2UsImhhc19wcm9qZWN0cyI6dHJ1ZSwiaGFzX3dpa2kiOnRydWUsImhvbWVwYWdlIjpudWxsLCJob29rc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvaG9va3MiLCJodG1sX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzIiwiaWQiOjIzNjU5MjkwOCwiaXNfdGVtcGxhdGUiOmZhbHNlLCJpc3N1ZV9jb21tZW50X3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9pc3N1ZXMvY29tbWVudHN7L251bWJlcn0iLCJpc3N1ZV9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2lzc3Vlcy9ldmVudHN7L251bWJlcn0iLCJpc3N1ZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2lzc3Vlc3svbnVtYmVyfSIsImtleXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2tleXN7L2tleV9pZH0iLCJsYWJlbHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL2xhYmVsc3svbmFtZX0iLCJsYW5ndWFnZSI6IkMrKyIsImxhbmd1YWdlc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvbGFuZ3VhZ2VzIiwibGljZW5zZSI6eyJrZXkiOiJhcGFjaGUtMi4wIiwibmFtZSI6IkFwYWNoZSBMaWNlbnNlIDIuMCIsIm5vZGVfaWQiOiJNRGM2VEdsalpXNXpaVEk9Iiwic3BkeF9pZCI6IkFwYWNoZS0yLjAiLCJ1cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL2xpY2Vuc2VzL2FwYWNoZS0yLjAifSwibWFzdGVyX2JyYW5jaCI6Im1haW4iLCJtZXJnZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL21lcmdlcyIsIm1pbGVzdG9uZXNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS9yZXBvcy9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL21pbGVzdG9uZXN7L251bWJlcn0iLCJtaXJyb3JfdXJsIjpudWxsLCJuYW1lIjoicHJpdmF0ZS1kYXRhLW9iamVjdHMiLCJub2RlX2lkIjoiTURFd09sSmxjRzl6YVhSdmNua3lNelkxT1RJNU1EZz0iLCJub3RpZmljYXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9ub3RpZmljYXRpb25zez9zaW5jZSxhbGwscGFydGljaXBhdGluZ30iLCJvcGVuX2lzc3VlcyI6MCwib3Blbl9pc3N1ZXNfY291bnQiOjAsIm93bmVyIjp7ImF2YXRhcl91cmwiOiJodHRwczovL2F2YXRhcnMuZ2l0aHVidXNlcmNvbnRlbnQuY29tL3UvOTM3OTc4OTg/dj00IiwiZW1haWwiOiJtYXJjZWxhLm1lbGFyYUBpbnRlbC5jb20iLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2V2ZW50c3svcHJpdmFjeX0iLCJmb2xsb3dlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9naXN0c3svZ2lzdF9pZH0iLCJncmF2YXRhcl9pZCI6IiIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEiLCJpZCI6OTM3OTc4OTgsImxvZ2luIjoibWFyY2VsYW1lbGFyYSIsIm5hbWUiOiJtYXJjZWxhbWVsYXJhIiwibm9kZV9pZCI6IlVfa2dET0JaYy1DZyIsIm9yZ2FuaXphdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL29yZ3MiLCJyZWNlaXZlZF9ldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL3JlY2VpdmVkX2V2ZW50cyIsInJlcG9zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9yZXBvcyIsInNpdGVfYWRtaW4iOmZhbHNlLCJzdGFycmVkX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9zdGFycmVkey9vd25lcn17L3JlcG99Iiwic3Vic2NyaXB0aW9uc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvc3Vic2NyaXB0aW9ucyIsInR5cGUiOiJVc2VyIiwidXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhIn0sInByaXZhdGUiOmZhbHNlLCJwdWxsc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvcHVsbHN7L251bWJlcn0iLCJwdXNoZWRfYXQiOjE2OTI4MzQ5MjMsInJlbGVhc2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9yZWxlYXNlc3svaWR9Iiwic2l6ZSI6MzQzNiwic3NoX3VybCI6ImdpdEBnaXRodWIuY29tOm1hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMuZ2l0Iiwic3RhcmdhemVycyI6MCwic3RhcmdhemVyc19jb3VudCI6MCwic3RhcmdhemVyc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvc3RhcmdhemVycyIsInN0YXR1c2VzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdGF0dXNlcy97c2hhfSIsInN1YnNjcmliZXJzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWJzY3JpYmVycyIsInN1YnNjcmlwdGlvbl91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvc3Vic2NyaXB0aW9uIiwic3ZuX3VybCI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzIiwidGFnc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3JlcG9zL21hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMvdGFncyIsInRlYW1zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy90ZWFtcyIsInRvcGljcyI6W10sInRyZWVzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vcmVwb3MvbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9naXQvdHJlZXN7L3NoYX0iLCJ1cGRhdGVkX2F0IjoiMjAyMi0wMS0xMVQwMTowNDozNFoiLCJ1cmwiOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cyIsInZpc2liaWxpdHkiOiJwdWJsaWMiLCJ3YXRjaGVycyI6MCwid2F0Y2hlcnNfY291bnQiOjAsIndlYl9jb21taXRfc2lnbm9mZl9yZXF1aXJlZCI6ZmFsc2V9LCJzZW5kZXIiOnsiYXZhdGFyX3VybCI6Imh0dHBzOi8vYXZhdGFycy5naXRodWJ1c2VyY29udGVudC5jb20vdS85Mzc5Nzg5OD92PTQiLCJldmVudHNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2V2ZW50c3svcHJpdmFjeX0iLCJmb2xsb3dlcnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL2ZvbGxvd2VycyIsImZvbGxvd2luZ191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvZm9sbG93aW5ney9vdGhlcl91c2VyfSIsImdpc3RzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9naXN0c3svZ2lzdF9pZH0iLCJncmF2YXRhcl9pZCI6IiIsImh0bWxfdXJsIjoiaHR0cHM6Ly9naXRodWIuY29tL21hcmNlbGFtZWxhcmEiLCJpZCI6OTM3OTc4OTgsImxvZ2luIjoibWFyY2VsYW1lbGFyYSIsIm5vZGVfaWQiOiJVX2tnRE9CWmMtQ2ciLCJvcmdhbml6YXRpb25zX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9vcmdzIiwicmVjZWl2ZWRfZXZlbnRzX3VybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYS9yZWNlaXZlZF9ldmVudHMiLCJyZXBvc191cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvcmVwb3MiLCJzaXRlX2FkbWluIjpmYWxzZSwic3RhcnJlZF91cmwiOiJodHRwczovL2FwaS5naXRodWIuY29tL3VzZXJzL21hcmNlbGFtZWxhcmEvc3RhcnJlZHsvb3duZXJ9ey9yZXBvfSIsInN1YnNjcmlwdGlvbnNfdXJsIjoiaHR0cHM6Ly9hcGkuZ2l0aHViLmNvbS91c2Vycy9tYXJjZWxhbWVsYXJhL3N1YnNjcmlwdGlvbnMiLCJ0eXBlIjoiVXNlciIsInVybCI6Imh0dHBzOi8vYXBpLmdpdGh1Yi5jb20vdXNlcnMvbWFyY2VsYW1lbGFyYSJ9fSwiZ2l0aHViX2hlYWRfcmVmIjoiIiwiZ2l0aHViX3JlZiI6InJlZnMvaGVhZHMvZ2VuZXJhdGUtc3dzYy1idWlsZC1tZXRhZGF0YSIsImdpdGh1Yl9yZWZfdHlwZSI6ImJyYW5jaCIsImdpdGh1Yl9yZXBvc2l0b3J5X2lkIjoiMjM2NTkyOTA4IiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXIiOiJtYXJjZWxhbWVsYXJhIiwiZ2l0aHViX3JlcG9zaXRvcnlfb3duZXJfaWQiOiI5Mzc5Nzg5OCIsImdpdGh1Yl9ydW5fYXR0ZW1wdCI6IjEiLCJnaXRodWJfcnVuX2lkIjoiNTk1NzY3MjU4MCIsImdpdGh1Yl9ydW5fbnVtYmVyIjoiMTAiLCJnaXRodWJfc2hhMSI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifX0sIm1ldGFkYXRhIjp7ImJ1aWxkSW52b2NhdGlvbklEIjoiNTk1NzY3MjU4MC0xIiwiY29tcGxldGVuZXNzIjp7InBhcmFtZXRlcnMiOnRydWUsImVudmlyb25tZW50IjpmYWxzZSwibWF0ZXJpYWxzIjpmYWxzZX0sInJlcHJvZHVjaWJsZSI6ZmFsc2V9LCJtYXRlcmlhbHMiOlt7InVyaSI6ImdpdCtodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0c0ByZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEiLCJkaWdlc3QiOnsic2hhMSI6Ijg3Yjc0Mzc4ZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUifX1dfX0=","signatures":[{"keyid":"","sig":"MEUCIBtd37BUemlRGSAtupB5MUNpuoY3M8sjizO8vNoF/XRzAiEA6MbwPr+GkoQ7O/gAzGqMO3YVRfnOn2CSrme14Y/Vq7g=","cert":"-----BEGIN CERTIFICATE-----\nMIIHnjCCBySgAwIBAgIUdt3q/jeQLjQLrp9xhKPIodrsiFEwCgYIKoZIzj0EAwMw\nNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRl\ncm1lZGlhdGUwHhcNMjMwODI0MDAxMzQxWhcNMjMwODI0MDAyMzQxWjAAMFkwEwYH\nKoZIzj0CAQYIKoZIzj0DAQcDQgAEB0TVhLF/u/aDcn+3ncIW2lfOKFn4iCY36NC3\nk/oPa8sJ8X25H//mhY8/6fNyUh4PzjIEyHPOcr8CAi8dWyuRFaOCBkMwggY/MA4G\nA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUYUr0\ngD1Frvh23NrGG+OeTrkO+fgwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4Y\nZD8wgYQGA1UdEQEB/wR6MHiGdmh0dHBzOi8vZ2l0aHViLmNvbS9zbHNhLWZyYW1l\nd29yay9zbHNhLWdpdGh1Yi1nZW5lcmF0b3IvLmdpdGh1Yi93b3JrZmxvd3MvZ2Vu\nZXJhdG9yX2dlbmVyaWNfc2xzYTMueW1sQHJlZnMvdGFncy92MS43LjAwOQYKKwYB\nBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50\nLmNvbTASBgorBgEEAYO/MAECBARwdXNoMDYGCisGAQQBg78wAQMEKDg3Yjc0Mzc4\nZThjOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUwMgYKKwYBBAGDvzABBAQk\nUERPIENJIHdpdGggU1cgc3VwcGx5IGNoYWluIG1ldGFkYXRhMDAGCisGAQQBg78w\nAQUEIm1hcmNlbGFtZWxhcmEvcHJpdmF0ZS1kYXRhLW9iamVjdHMwNQYKKwYBBAGD\nvzABBgQncmVmcy9oZWFkcy9nZW5lcmF0ZS1zd3NjLWJ1aWxkLW1ldGFkYXRhMDsG\nCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJj\nb250ZW50LmNvbTCBhgYKKwYBBAGDvzABCQR4DHZodHRwczovL2dpdGh1Yi5jb20v\nc2xzYS1mcmFtZXdvcmsvc2xzYS1naXRodWItZ2VuZXJhdG9yLy5naXRodWIvd29y\na2Zsb3dzL2dlbmVyYXRvcl9nZW5lcmljX3Nsc2EzLnltbEByZWZzL3RhZ3MvdjEu\nNy4wMDgGCisGAQQBg78wAQoEKgwoZTU1Yjc2Y2U0MjEwODJkZmE0YjM0YTZhYzNj\nNWU1OWRlMGYzYmI1ODAdBgorBgEEAYO/MAELBA8MDWdpdGh1Yi1ob3N0ZWQwRQYK\nKwYBBAGDvzABDAQ3DDVodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9w\ncml2YXRlLWRhdGEtb2JqZWN0czA4BgorBgEEAYO/MAENBCoMKDg3Yjc0Mzc4ZThj\nOWNjZjMzNWEyN2ZmY2RjMTY2MzY5OTAyNTRlMWUwNwYKKwYBBAGDvzABDgQpDCdy\nZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEwGQYKKwYBBAGD\nvzABDwQLDAkyMzY1OTI5MDgwMAYKKwYBBAGDvzABEAQiDCBodHRwczovL2dpdGh1\nYi5jb20vbWFyY2VsYW1lbGFyYTAYBgorBgEEAYO/MAERBAoMCDkzNzk3ODk4MIGM\nBgorBgEEAYO/MAESBH4MfGh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJh\nL3ByaXZhdGUtZGF0YS1vYmplY3RzLy5naXRodWIvd29ya2Zsb3dzL2NpLXN3c2Mu\neWFtbEByZWZzL2hlYWRzL2dlbmVyYXRlLXN3c2MtYnVpbGQtbWV0YWRhdGEwOAYK\nKwYBBAGDvzABEwQqDCg4N2I3NDM3OGU4YzljY2YzMzVhMjdmZmNkYzE2NjM2OTkw\nMjU0ZTFlMBQGCisGAQQBg78wARQEBgwEcHVzaDBoBgorBgEEAYO/MAEVBFoMWGh0\ndHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmpl\nY3RzL2FjdGlvbnMvcnVucy81OTU3NjcyNTgwL2F0dGVtcHRzLzEwFgYKKwYBBAGD\nvzABFgQIDAZwdWJsaWMwgYsGCisGAQQB1nkCBAIEfQR7AHkAdwDdPTBqxscRMmMZ\nHhyZZzcCokpeuN48rf+HinKALynujgAAAYok48Y6AAAEAwBIMEYCIQDlB6pBRLqz\nOVzWrWDyAKjqbj/+In4R1ZIV1ZpPBOibpgIhAOD0US5lEsq/jbd6+TFuCNGAwSmT\njLX6qaZM51mil8GAMAoGCCqGSM49BAMDA2gAMGUCMQCobhDekCwGfSHneSK9wVlo\nlm+5HAzWWCXP0MqB+z3BKrlncSTvfTtLT6Ai0uylV48CMBr+qUk5b34MOr3AfkFL\nwZPYsMpbWP4k8SXbi6NaBqwAAnAl3s+w3qbR/Nt2wtoPwA==\n-----END CERTIFICATE-----\n"}]} \ No newline at end of file diff --git a/test-data-rd-resolver/evidence-collection.1f575092.json b/test-data-rd-resolver/evidence-collection.1f575092.json new file mode 100644 index 0000000..e8b2cd2 --- /dev/null +++ b/test-data-rd-resolver/evidence-collection.1f575092.json @@ -0,0 +1 @@ +{"payloadType":"application/vnd.in-toto+json","payload":"eyJfdHlwZSI6Imh0dHBzOi8vaW4tdG90by5pby9TdGF0ZW1lbnQvdjEiLCJzdWJqZWN0IjpbeyJuYW1lIjoicGRvX2NsaWVudF93YXdha2EiLCJkaWdlc3QiOnsic2hhMjU2IjoiOWZiN2VmNTUyMjk4ZjhmYmFkODQ2MDRkMDYxMDBlNzYwYjdiOGM0Y2I0ZDZjNGI3Mjc4NjVmMWYyODVkMDZhYyJ9fV0sInByZWRpY2F0ZVR5cGUiOiJodHRwczovL2luLXRvdG8uaW8vYXR0ZXN0YXRpb24vc2NhaS9hdHRyaWJ1dGUtcmVwb3J0L3YwLjIiLCJwcmVkaWNhdGUiOnsiYXR0cmlidXRlcyI6W3siYXR0cmlidXRlIjoiSGFzU0JPTSIsImV2aWRlbmNlIjp7ImRpZ2VzdCI6eyJzaGEyNTYiOiJkOTVjMjAyZTBlNDAyMTQ0ZDYzNjM4MGU5ODJlYWZmNTRiZTU1OWI1NTU5OGZkMTgwNzFlOTZkNmYzYTdlYjAzIn0sImRvd25sb2FkTG9jYXRpb24iOiJodHRwczovL2dpdGh1Yi5jb20vbWFyY2VsYW1lbGFyYS9wcml2YXRlLWRhdGEtb2JqZWN0cy9zdWl0ZXMvMTU0MTc3MjYxNDIvYXJ0aWZhY3RzLzg4MDQwMzM5NSIsIm1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3NwZHgranNvbiIsIm5hbWUiOiJwZG9fY2xpZW50X3dhd2FrYS5zcGR4Lmpzb24ifX0seyJhdHRyaWJ1dGUiOiJIYXNTTFNBIiwiZXZpZGVuY2UiOnsiZGlnZXN0Ijp7InNoYTI1NiI6Ijk0ZDE4NzE2ZWU0NDEyMTc1YzVkOWRhMWNlNTA5NDcxNTNlMDljNDc2MmY5MDQ0YWY2ZjJkNjgyOGIxMmZlNWIifSwiZG93bmxvYWRMb2NhdGlvbiI6Imh0dHBzOi8vZ2l0aHViLmNvbS9tYXJjZWxhbWVsYXJhL3ByaXZhdGUtZGF0YS1vYmplY3RzL3N1aXRlcy8xNTQxNzcyNjE0Mi9hcnRpZmFjdHMvODgwNDAzMzkyL3Bkb19jbGllbnRfd2F3YWthLnNsc2EuaW50b3RvLmpzb25sIiwibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmluLXRvdG8rZHNzZSIsIm5hbWUiOiJidWlsZC40NTJlNjI4YS5qc29uIn19XX19","signatures":[{"keyid":"1f57509240de3e7921e29a896553e7cf912441e17fe8cbd675457c7ba45bcee6","sig":"W5terKjmGajjJLl1mXNgPzIamE0omBDUkXzmrAVZMI51FTvv2a4ixCRAMSvT8qxcs/ZvqMXxMGQV5RR2x1aF1JkBLSP9nY7mQLcl7GYJ6E+KltLMgO3Bw9b4vXDp/JZ1y8Dby+rUEt0umehFJYj0Yl8/ndhWVK6QNMzrCDghK8TdZ8N1+HhyxewOYdP2i+yrM0Ll0Q0DiXO4r5SPGgGTY6BWe5Sjc2HNrt+J6fJcnXpvfCBlTAuG0pGNDbIS9jtimsh+AKAlpdcgJUPGpL3baTRW/1liyzVmtJtIrTl1kDDm/rzKmFi/OaMS6Vwm4RkaEkXaLPYpzz6pBaCHm8JxNJVjijtoTrNyuhEyHuvZW3o/p9/TmW9O6kyDc8Sybk5S8iWca0N3sLAfIsQw4968PHo4p7jf/bWWPFhSag2nIz4fKdiLXSzaDvxKtuuMfa6BG15j45Nwqq6qcKf2ZssYP4sjyuzYcJe912HFPPo8ZasQmFBcuBMhpu7NHU6yP/19"}]} \ No newline at end of file diff --git a/verifier/resolver.go b/verifier/resolver.go new file mode 100644 index 0000000..6333c69 --- /dev/null +++ b/verifier/resolver.go @@ -0,0 +1,160 @@ +package verifier + +import ( + "bytes" + "crypto/sha256" + "encoding/hex" + "encoding/json" + "fmt" + "os" + + "github.com/google/cel-go/cel" + "github.com/google/cel-go/common/types" + "github.com/google/cel-go/common/types/ref" + attestationv1 "github.com/in-toto/attestation/go/v1" + "github.com/secure-systems-lab/go-securesystemslib/dsse" + log "github.com/sirupsen/logrus" + "google.golang.org/protobuf/encoding/protojson" + "google.golang.org/protobuf/types/known/structpb" +) + +func addResourceDescriptorResolver(env *cel.Env) (*cel.Env, error) { + return env.Extend( + cel.Types(&attestationv1.ResourceDescriptor{}), + cel.Variable("rd", cel.ObjectType("in_toto_attestation.v1.ResourceDescriptor")), + cel.Function("get_attestation", + cel.Overload("get_attestation_resourcedescriptor", + []*cel.Type{cel.ObjectType("google.protobuf.Struct")}, + cel.StringType, + cel.UnaryBinding(func(pbStruct ref.Val) ref.Val { + st, err := getDSSEStatementPayload(pbStruct.Value().(*structpb.Struct)) + if err != nil { + log.Infof("get_attestation failed: %s", err) + return types.String("") + } + + log.Infof("Got attestation. Returning to rule eval...") + + // FIXME: want to return any Statement field for rule eval + return types.String(st.GetPredicateType()) + }, // func + ), // Binding + ), // Overload + ), // Function + ) // Extend +} + +func pbStructToRD(s *structpb.Struct) (*attestationv1.ResourceDescriptor, error) { + structJSON, err := protojson.Marshal(s) + if err != nil { + return nil, err + } + + rd := &attestationv1.ResourceDescriptor{} + err = protojson.Unmarshal(structJSON, rd) + if err != nil { + return nil, err + } + + if err := rd.Validate(); err != nil { + return nil, fmt.Errorf("parsed invalid RD: %w", err) + } + + return rd, nil +} + +func resolveResourceDescriptor(s *structpb.Struct, expectedType string) (bytes, error) { + rd, err := pbStructToRD(s) + if err != nil { + log.Infof("Conversion from structpb.Struct failed: %s", err) + return nil, err + } + + // FIXME: don't assume the full filepath is described in the RD name field + name := rd.GetName() + + log.Infof("Resolving file resource '%s' of type '%s'...", name, rd.GetMediaType()) + + fileBytes, err := os.ReadFile(name) + if err != nil { + return nil, err + } + + // check that the opened file matches the expected attestation + if len(rd.GetDigest()) > 0 { + // FIXME: support other algorithms + if !matchDigest(rd.GetDigest()["sha256"], fileBytes) { + return nil, fmt.Errorf("opened file does not match expected attestation in resource descriptor") + } + + log.Info("File resource integrity verified.") + } + + if rd.GetMediaType() != expectedType { + return nil, fmt.Errorf("resolved rd mediaType does not match expected type") + } + + return fileBytes, nil +} + +// copied from https://github.com/in-toto/scai-demos/blob/main/scai-gen/cmd/check.go +func getDSSEStatementPayload(s *structpb.Struct) (*attestationv1.Statement, error) { + envBytes, err := resolveResourceDescriptor(s, "application/vnd.in-toto+dsse") + if err != nil { + return nil, fmt.Errorf("resolver failed: %w", err) + } + + // TODO: check envelope signature + + // now, let's get the Statement + envelope := &dsse.Envelope{} + if err := json.Unmarshal(envBytes, envelope); err != nil { + return nil, err + } + + stBytes, err := envelope.DecodeB64Payload() + if err != nil { + return nil, fmt.Errorf("failed to decode DSSE payload: %w", err) + } + + statement := &attestationv1.Statement{} + if err = protojson.Unmarshal(stBytes, statement); err != nil { + return nil, fmt.Errorf("failed to unmarshal Statement: %w", err) + } + + /* FIXME: add back in + Fails with current test data because of outdated SLSA Provenance generation. + if err = statement.Validate(); err != nil { + return nil, fmt.Errorf("invalid Statement: %w", err) + } + */ + + return statement, nil +} + +func getJsonData() { + mediaType, envBytes, err := resolveResourceDescriptor(s, "application/json") + if err != nil { + return nil, fmt.Errorf("resolver failed: %w", err) + } +} + +// copied from https://github.com/in-toto/scai-demos/blob/main/scai-gen/policy/checks.go +func matchDigest(hexDigest string, blob []byte) bool { + digest := genSHA256(blob) + + decoded, err := hex.DecodeString(hexDigest) + if err != nil { + log.Info("Problem decoding hex-encoded digest to match") + return false + } + + return bytes.Equal(decoded, digest) +} + +// copied from https://github.com/in-toto/scai-demos/blob/main/scai-gen/policy/checks.go +func genSHA256(bytes []byte) []byte { + h := sha256.New() + h.Write(bytes) + return h.Sum(nil) +} diff --git a/verifier/verifier.go b/verifier/verifier.go index 13bc4ba..63e21a7 100644 --- a/verifier/verifier.go +++ b/verifier/verifier.go @@ -17,7 +17,7 @@ import ( "google.golang.org/protobuf/encoding/protojson" ) -func Verify(layout *Layout, attestations map[string]*dsse.Envelope, parameters map[string]string) error { +func Verify(layout *Layout, attestations map[string]*dsse.Envelope, parameters map[string]string, withRDResolver bool) error { log.Info("Verifying layout expiry...") expiry, err := time.Parse(time.RFC3339, layout.Expires) if err != nil { @@ -83,6 +83,14 @@ func Verify(layout *Layout, attestations map[string]*dsse.Envelope, parameters m return err } + // Once stable merge with getCELEnv() + if withRDResolver { + if env, err = addResourceDescriptorResolver(env); err != nil { + return fmt.Errorf("failed to add RD resolver: %w", err) + } + log.Info("Enabled RD resolver.") + } + for _, step := range layout.Steps { stepStatements, ok := claims[step.Name] if !ok {