feat: Verification for when sha1 is specified in BYOB TRW (#641)

Fixes #600 --------- Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
slsa-framework · Jul 25, 2023 · e7fc7a4 · e7fc7a4
1 parent 66ae6bc
commit e7fc7a4
Show file tree

Hide file tree

Showing 21 changed files with 1,559 additions and 397 deletions.
diff --git a/errors/errors.go b/errors/errors.go
@@ -9,6 +9,7 @@ var (
 	ErrorMismatchPackageName       = errors.New("package name does not match provenance")
 	ErrorMismatchBuilderID         = errors.New("builderID does not match provenance")
 	ErrorInvalidBuilderID          = errors.New("builderID is invalid")
+	ErrorInvalidBuildType          = errors.New("buildType is invalid")
 	ErrorMismatchSource            = errors.New("source used to generate the binary does not match provenance")
 	ErrorMismatchWorkflowInputs    = errors.New("workflow input does not match")
 	ErrorMalformedURI              = errors.New("URI is malformed")

diff --git a/verifiers/internal/gha/builder.go b/verifiers/internal/gha/builder.go
@@ -8,9 +8,10 @@ import (
 	"strings"
 
 	fulcio "github.com/sigstore/fulcio/pkg/certificate"
+
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 	"github.com/slsa-framework/slsa-verifier/v2/options"
-	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
+	ghacommon "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 )
 
@@ -27,18 +28,18 @@ var (
 )
 
 var defaultArtifactTrustedReusableWorkflows = map[string]bool{
-	common.GenericGeneratorBuilderID: true,
-	common.GoBuilderID:               true,
-	common.ContainerBasedBuilderID:   true,
+	ghacommon.GenericGeneratorBuilderID: true,
+	ghacommon.GoBuilderID:               true,
+	ghacommon.ContainerBasedBuilderID:   true,
 }
 
 var defaultContainerTrustedReusableWorkflows = map[string]bool{
-	common.ContainerGeneratorBuilderID: true,
+	ghacommon.ContainerGeneratorBuilderID: true,
 }
 
 var defaultBYOBReusableWorkflows = map[string]bool{
-	common.GenericDelegatorBuilderID:         true,
-	common.GenericLowPermsDelegatorBuilderID: true,
+	ghacommon.GenericDelegatorBuilderID:         true,
+	ghacommon.GenericLowPermsDelegatorBuilderID: true,
 }
 
 var JReleaserRepository = httpsGithubCom + jReleaserActionRepository

diff --git a/verifiers/internal/gha/npm.go b/verifiers/internal/gha/npm.go
@@ -15,6 +15,7 @@ import (
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
+	"github.com/slsa-framework/slsa-verifier/v2/options"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/gha/slsaprovenance/common"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
@@ -68,6 +69,7 @@ func (b *BundleBytes) UnmarshalJSON(data []byte) error {
 type Npm struct {
 	ctx                   context.Context
 	root                  *TrustedRoot
+	verifiedBuilderID     *utils.TrustedBuilderID
 	verifiedProvenanceAtt *SignedAttestation
 	verifiedPublishAtt    *SignedAttestation
 	provenanceAttestation *attestation
@@ -93,8 +95,9 @@ func NpmNew(ctx context.Context, root *TrustedRoot, attestationBytes []byte) (*N
 		return nil, err
 	}
 	return &Npm{
-		ctx:                   ctx,
-		root:                  root,
+		ctx:  ctx,
+		root: root,
+
 		provenanceAttestation: prov,
 		publishAttestation:    pub,
 	}, nil
@@ -251,7 +254,7 @@ func (n *Npm) verifyPackageName(name *string) error {
 	}
 
 	// Verify subject name in provenance.
-	if err := verifyProvenanceSubjectName(n.verifiedProvenanceAtt, *name); err != nil {
+	if err := verifyProvenanceSubjectName(n.verifiedBuilderID, n.verifiedProvenanceAtt, *name); err != nil {
 		return err
 	}
 
@@ -274,7 +277,7 @@ func (n *Npm) verifyPackageVersion(version *string) error {
 	}
 
 	// Verify subject version in provenance.
-	if err := verifyProvenanceSubjectVersion(n.verifiedProvenanceAtt, *version); err != nil {
+	if err := verifyProvenanceSubjectVersion(n.verifiedBuilderID, n.verifiedProvenanceAtt, *version); err != nil {
 		return err
 	}
 
@@ -291,6 +294,25 @@ func (n *Npm) verifyPackageVersion(version *string) error {
 	return nil
 }
 
+func (n *Npm) verifyBuilderID(
+	provenanceOpts *options.ProvenanceOpts,
+	builderOpts *options.BuilderOpts,
+	defaultBuilders map[string]bool,
+) (*utils.TrustedBuilderID, error) {
+	// Verify certificate information.
+	builder, err := verifyNpmEnvAndCert(
+		n.ProvenanceEnvelope(),
+		n.ProvenanceLeafCertificate(),
+		provenanceOpts, builderOpts,
+		defaultBuilders,
+	)
+	if err != nil {
+		return nil, err
+	}
+	n.verifiedBuilderID = builder
+	return builder, err
+}
+
 func verifyPublishPredicateVersion(att *SignedAttestation, expectedVersion string) error {
 	_, version, err := getPublishPredicateData(att)
 	if err != nil {
@@ -336,8 +358,8 @@ func getPublishPredicateData(att *SignedAttestation) (string, string, error) {
 	return statement.Predicate.Name, statement.Predicate.Version, nil
 }
 
-func verifyProvenanceSubjectVersion(att *SignedAttestation, expectedVersion string) error {
-	subject, err := getSubject(att)
+func verifyProvenanceSubjectVersion(b *utils.TrustedBuilderID, att *SignedAttestation, expectedVersion string) error {
+	subject, err := getSubject(b, att)
 	if err != nil {
 		return err
 	}
@@ -378,15 +400,15 @@ func verifyPublishSubjectName(att *SignedAttestation, expectedName string) error
 	return verifyName(name, expectedName)
 }
 
-func verifyProvenanceSubjectName(att *SignedAttestation, expectedName string) error {
-	prov, err := slsaprovenance.ProvenanceFromEnvelope(att.Envelope)
+func verifyProvenanceSubjectName(b *utils.TrustedBuilderID, att *SignedAttestation, expectedName string) error {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(b.Name(), att.Envelope)
 	if err != nil {
-		return nil
+		return fmt.Errorf("reading provenance: %w", err)
 	}
 
 	subjects, err := prov.Subjects()
 	if err != nil {
-		return fmt.Errorf("%w", serrors.ErrorInvalidDssePayload)
+		return fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err)
 	}
 	if len(subjects) != 1 {
 		return fmt.Errorf("%w: expected 1 subject, got %v", serrors.ErrorInvalidDssePayload, len(subjects))
@@ -443,8 +465,8 @@ func getPackageNameAndVersion(name string) (string, string, error) {
 	return pkgname, pkgtag, nil
 }
 
-func getSubject(att *SignedAttestation) (string, error) {
-	prov, err := slsaprovenance.ProvenanceFromEnvelope(att.Envelope)
+func getSubject(b *utils.TrustedBuilderID, att *SignedAttestation) (string, error) {
+	prov, err := slsaprovenance.ProvenanceFromEnvelope(b.Name(), att.Envelope)
 	if err != nil {
 		return "", err
 	}