
image-rs: get public key from CDH when verifying cosign image signatures
Signed-off-by: Xynnn007 <[email protected]>
Xynnn007 committed Nov 16, 2023
1 parent e6b370e commit ef4b4b1
Showing 7 changed files with 468 additions and 15 deletions.
3 changes: 3 additions & 0 deletions image-rs/Cargo.toml
Expand Up @@ -93,6 +93,9 @@ encryption = ["ocicrypt-rs/block-cipher"]
encryption-ring = ["ocicrypt-rs/block-cipher-ring", "encryption"]
encryption-openssl = ["ocicrypt-rs/block-cipher-openssl", "encryption"]

# Get needed image verification keys from Confidential Data Hub
confidential-data-hub = ["dep:ttrpc", "dep:protobuf"]

keywrap-cmd = ["ocicrypt-rs/keywrap-keyprovider-cmd"]
keywrap-grpc = ["ocicrypt-rs/keywrap-keyprovider-grpc", "prost", "tonic", "tonic-build"]
keywrap-native = ["ocicrypt-rs/keywrap-keyprovider-native", "attestation_agent"]
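Review bot: The new `confidential-data-hub` feature only declares `dep:ttrpc` and `dep:protobuf`; the code that consumes them is gated in build.rs on `all(feature = "signature-cosign", feature = "confidential-data-hub")`, so a user who enables `confidential-data-hub` alone pulls in both dependencies and gets no key retrieval at all. Either make the relationship explicit in the feature, `confidential-data-hub = ["signature-cosign", "dep:ttrpc", "dep:protobuf"]`, or at least say it in the comment: `# Get needed image verification keys from Confidential Data Hub (only effective together with signature-cosign)`. Which of the two is intended is not visible from this hunk.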
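--- a/image-rs/build.rs
+++ b/image-rs/build.rs
@@ -10,18 +10,33 @@ fn main() -> Result<()> {
 tonic_build::compile_protos("./protos/getresource.proto").context("tonic build")?;
 
 #[cfg(feature = "ttrpc-codegen")]
-ttrpc_codegen::Codegen::new()
-.out_dir("./src/resource/kbs/ttrpc_proto")
-.input("./protos/getresource.proto")
-.include("./protos")
-.rust_protobuf()
-.customize(ttrpc_codegen::Customize {
-async_all: true,
-..Default::default()
-})
-.rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
-.run()
-.context("ttrpc build")?;
+{
+ttrpc_codegen::Codegen::new()
+.out_dir("./src/resource/kbs/ttrpc_proto")
+.input("./protos/getresource.proto")
+.include("./protos")
+.rust_protobuf()
+.customize(ttrpc_codegen::Customize {
+async_all: true,
+..Default::default()
+})
+.rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
+.run()
+.context("ttrpc build")?;
 
+#[cfg(all(feature = "signature-cosign", feature = "confidential-data-hub"))]
+ttrpc_codegen::Codegen::new()
+.out_dir("./src/signature/mechanism/cosign")
+.input("./protos/cosign_pubkey.proto")
+.include("./protos")
+.rust_protobuf()
+.customize(ttrpc_codegen::Customize {
+async_all: true,
+..Default::default()
+})
+.rust_protobuf_customize(ttrpc_codegen::ProtobufCustomize::default().gen_mod_rs(false))
+.run()
+.context("ttrpc build")?;
+}
 Ok(())
 }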
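Review bot: The new cosign codegen under `#[cfg(all(feature = "signature-cosign", feature = "confidential-data-hub"))]` is nested inside the block that is itself gated by `#[cfg(feature = "ttrpc-codegen")]`, so `cosign_pubkey.rs` is only regenerated when all three features are on; enabling the two Cargo features alone will not refresh the checked-in stub, and nothing in the hunk says so. That is presumably intended because the generated file is committed, but a comment above the inner `#[cfg(...)]` would spare the next maintainer a surprise, e.g. `// Regenerated only with the ttrpc-codegen feature; the output is checked in under src/signature/mechanism/cosign`. Both codegen steps also report the same error context `"ttrpc build"`, so a failure cannot be attributed to one proto; `.context("ttrpc build (cosign_pubkey)")?` on the second step would distinguish them. The signature of `main` lies before the hunk (it appears only in the hunk header).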
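--- /dev/null
+++ b/image-rs/protos/cosign_pubkey.proto
@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package api;
+
+message GetPublicKeyRequest {
+string KeyId = 1;
+}
+
+message GetPublicKeyResponse {
+bytes PublicKeyPem = 1;
+}
+
+service GetPublicKeyService {
+rpc GetPublicKey(GetPublicKeyRequest) returns (GetPublicKeyResponse) {};
+}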
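Review bot: `GetPublicKeyResponse.PublicKeyPem` cannot distinguish "no key for this KeyId" from an empty key, because in proto3 an unset `bytes` field and an empty one are the same on the wire, so a server that answers with a default message hands the verifier zero bytes. The contract should be written down so the consumer rejects that case rather than treating it as "nothing to verify", e.g. above the field: `// PEM-encoded public key used to verify cosign signatures. Must be non-empty; an empty value means the key is unavailable and verification must fail.` The messages likewise carry no comment saying what `KeyId` identifies or which PEM block types are acceptable. The field names use PascalCase where the proto3 style guide expects `snake_case` (`key_id`, `public_key_pem`); renaming later would regenerate the Rust stub, so it is worth settling before callers depend on this interface.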
308 changes: 308 additions & 0 deletions image-rs/src/signature/mechanism/cosign/cosign_pubkey.rs
@@ -0,0 +1,308 @@
// This file is generated by rust-protobuf 3.2.0. Do not edit
// .proto file is parsed by pure
// @generated

// https://github.com/rust-lang/rust-clippy/issues/702
#![allow(unknown_lints)]
#![allow(clippy::all)]

#![allow(unused_attributes)]
#![cfg_attr(rustfmt, rustfmt::skip)]

#![allow(box_pointers)]
#![allow(dead_code)]
#![allow(missing_docs)]
#![allow(non_camel_case_types)]
#![allow(non_snake_case)]
#![allow(non_upper_case_globals)]
#![allow(trivial_casts)]
#![allow(unused_results)]
#![allow(unused_mut)]

//! Generated file from `cosign_pubkey.proto`
/// Generated files are compatible only with the same version
/// of protobuf runtime.
const _PROTOBUF_VERSION_CHECK: () = ::protobuf::VERSION_3_2_0;

#[derive(PartialEq,Clone,Default,Debug)]
// @@protoc_insertion_point(message:api.GetPublicKeyRequest)
pub struct GetPublicKeyRequest {
// message fields
// @@protoc_insertion_point(field:api.GetPublicKeyRequest.KeyId)
pub KeyId: ::std::string::String,
// special fields
// @@protoc_insertion_point(special_field:api.GetPublicKeyRequest.special_fields)
pub special_fields: ::protobuf::SpecialFields,
}

impl<'a> ::std::default::Default for &'a GetPublicKeyRequest {
fn default() -> &'a GetPublicKeyRequest {
<GetPublicKeyRequest as ::protobuf::Message>::default_instance()
}
}

impl GetPublicKeyRequest {
pub fn new() -> GetPublicKeyRequest {
::std::default::Default::default()
}

fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData {
let mut fields = ::std::vec::Vec::with_capacity(1);
let mut oneofs = ::std::vec::Vec::with_capacity(0);
fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>(
"KeyId",
|m: &GetPublicKeyRequest| { &m.KeyId },
|m: &mut GetPublicKeyRequest| { &mut m.KeyId },
));
::protobuf::reflect::GeneratedMessageDescriptorData::new_2::<GetPublicKeyRequest>(
"GetPublicKeyRequest",
fields,
oneofs,
)
}
}

impl ::protobuf::Message for GetPublicKeyRequest {
const NAME: &'static str = "GetPublicKeyRequest";

fn is_initialized(&self) -> bool {
true
}

fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> {
while let Some(tag) = is.read_raw_tag_or_eof()? {
match tag {
10 => {
self.KeyId = is.read_string()?;
},
tag => {
::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?;
},
};
}
::std::result::Result::Ok(())
}

// Compute sizes of nested messages
#[allow(unused_variables)]
fn compute_size(&self) -> u64 {
let mut my_size = 0;
if !self.KeyId.is_empty() {
my_size += ::protobuf::rt::string_size(1, &self.KeyId);
}
my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields());
self.special_fields.cached_size().set(my_size as u32);
my_size
}

fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> {
if !self.KeyId.is_empty() {
os.write_string(1, &self.KeyId)?;
}
os.write_unknown_fields(self.special_fields.unknown_fields())?;
::std::result::Result::Ok(())
}

fn special_fields(&self) -> &::protobuf::SpecialFields {
&self.special_fields
}

fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields {
&mut self.special_fields
}

fn new() -> GetPublicKeyRequest {
GetPublicKeyRequest::new()
}

fn clear(&mut self) {
self.KeyId.clear();
self.special_fields.clear();
}

fn default_instance() -> &'static GetPublicKeyRequest {
static instance: GetPublicKeyRequest = GetPublicKeyRequest {
KeyId: ::std::string::String::new(),
special_fields: ::protobuf::SpecialFields::new(),
};
&instance
}
}

impl ::protobuf::MessageFull for GetPublicKeyRequest {
fn descriptor() -> ::protobuf::reflect::MessageDescriptor {
static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new();
descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyRequest").unwrap()).clone()
}
}

impl ::std::fmt::Display for GetPublicKeyRequest {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
::protobuf::text_format::fmt(self, f)
}
}

impl ::protobuf::reflect::ProtobufValue for GetPublicKeyRequest {
type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage<Self>;
}

#[derive(PartialEq,Clone,Default,Debug)]
// @@protoc_insertion_point(message:api.GetPublicKeyResponse)
pub struct GetPublicKeyResponse {
// message fields
// @@protoc_insertion_point(field:api.GetPublicKeyResponse.PublicKeyPem)
pub PublicKeyPem: ::std::vec::Vec<u8>,
// special fields
// @@protoc_insertion_point(special_field:api.GetPublicKeyResponse.special_fields)
pub special_fields: ::protobuf::SpecialFields,
}

impl<'a> ::std::default::Default for &'a GetPublicKeyResponse {
fn default() -> &'a GetPublicKeyResponse {
<GetPublicKeyResponse as ::protobuf::Message>::default_instance()
}
}

impl GetPublicKeyResponse {
pub fn new() -> GetPublicKeyResponse {
::std::default::Default::default()
}

fn generated_message_descriptor_data() -> ::protobuf::reflect::GeneratedMessageDescriptorData {
let mut fields = ::std::vec::Vec::with_capacity(1);
let mut oneofs = ::std::vec::Vec::with_capacity(0);
fields.push(::protobuf::reflect::rt::v2::make_simpler_field_accessor::<_, _>(
"PublicKeyPem",
|m: &GetPublicKeyResponse| { &m.PublicKeyPem },
|m: &mut GetPublicKeyResponse| { &mut m.PublicKeyPem },
));
::protobuf::reflect::GeneratedMessageDescriptorData::new_2::<GetPublicKeyResponse>(
"GetPublicKeyResponse",
fields,
oneofs,
)
}
}

impl ::protobuf::Message for GetPublicKeyResponse {
const NAME: &'static str = "GetPublicKeyResponse";

fn is_initialized(&self) -> bool {
true
}

fn merge_from(&mut self, is: &mut ::protobuf::CodedInputStream<'_>) -> ::protobuf::Result<()> {
while let Some(tag) = is.read_raw_tag_or_eof()? {
match tag {
10 => {
self.PublicKeyPem = is.read_bytes()?;
},
tag => {
::protobuf::rt::read_unknown_or_skip_group(tag, is, self.special_fields.mut_unknown_fields())?;
},
};
}
::std::result::Result::Ok(())
}

// Compute sizes of nested messages
#[allow(unused_variables)]
fn compute_size(&self) -> u64 {
let mut my_size = 0;
if !self.PublicKeyPem.is_empty() {
my_size += ::protobuf::rt::bytes_size(1, &self.PublicKeyPem);
}
my_size += ::protobuf::rt::unknown_fields_size(self.special_fields.unknown_fields());
self.special_fields.cached_size().set(my_size as u32);
my_size
}

fn write_to_with_cached_sizes(&self, os: &mut ::protobuf::CodedOutputStream<'_>) -> ::protobuf::Result<()> {
if !self.PublicKeyPem.is_empty() {
os.write_bytes(1, &self.PublicKeyPem)?;
}
os.write_unknown_fields(self.special_fields.unknown_fields())?;
::std::result::Result::Ok(())
}

fn special_fields(&self) -> &::protobuf::SpecialFields {
&self.special_fields
}

fn mut_special_fields(&mut self) -> &mut ::protobuf::SpecialFields {
&mut self.special_fields
}

fn new() -> GetPublicKeyResponse {
GetPublicKeyResponse::new()
}

fn clear(&mut self) {
self.PublicKeyPem.clear();
self.special_fields.clear();
}

fn default_instance() -> &'static GetPublicKeyResponse {
static instance: GetPublicKeyResponse = GetPublicKeyResponse {
PublicKeyPem: ::std::vec::Vec::new(),
special_fields: ::protobuf::SpecialFields::new(),
};
&instance
}
}

impl ::protobuf::MessageFull for GetPublicKeyResponse {
fn descriptor() -> ::protobuf::reflect::MessageDescriptor {
static descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::MessageDescriptor> = ::protobuf::rt::Lazy::new();
descriptor.get(|| file_descriptor().message_by_package_relative_name("GetPublicKeyResponse").unwrap()).clone()
}
}

impl ::std::fmt::Display for GetPublicKeyResponse {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
::protobuf::text_format::fmt(self, f)
}
}

impl ::protobuf::reflect::ProtobufValue for GetPublicKeyResponse {
type RuntimeType = ::protobuf::reflect::rt::RuntimeTypeMessage<Self>;
}

static file_descriptor_proto_data: &'static [u8] = b"\
\n\x13cosign_pubkey.proto\x12\x03api\"+\n\x13GetPublicKeyRequest\x12\x14\
\n\x05KeyId\x18\x01\x20\x01(\tR\x05KeyId\":\n\x14GetPublicKeyResponse\
\x12\"\n\x0cPublicKeyPem\x18\x01\x20\x01(\x0cR\x0cPublicKeyPem2Z\n\x13Ge\
tPublicKeyService\x12C\n\x0cGetPublicKey\x12\x18.api.GetPublicKeyRequest\
\x1a\x19.api.GetPublicKeyResponseb\x06proto3\
";

/// `FileDescriptorProto` object which was a source for this generated file
fn file_descriptor_proto() -> &'static ::protobuf::descriptor::FileDescriptorProto {
static file_descriptor_proto_lazy: ::protobuf::rt::Lazy<::protobuf::descriptor::FileDescriptorProto> = ::protobuf::rt::Lazy::new();
file_descriptor_proto_lazy.get(|| {
::protobuf::Message::parse_from_bytes(file_descriptor_proto_data).unwrap()
})
}

/// `FileDescriptor` object which allows dynamic access to files
pub fn file_descriptor() -> &'static ::protobuf::reflect::FileDescriptor {
static generated_file_descriptor_lazy: ::protobuf::rt::Lazy<::protobuf::reflect::GeneratedFileDescriptor> = ::protobuf::rt::Lazy::new();
static file_descriptor: ::protobuf::rt::Lazy<::protobuf::reflect::FileDescriptor> = ::protobuf::rt::Lazy::new();
file_descriptor.get(|| {
let generated_file_descriptor = generated_file_descriptor_lazy.get(|| {
let mut deps = ::std::vec::Vec::with_capacity(0);
let mut messages = ::std::vec::Vec::with_capacity(2);
messages.push(GetPublicKeyRequest::generated_message_descriptor_data());
messages.push(GetPublicKeyResponse::generated_message_descriptor_data());
let mut enums = ::std::vec::Vec::with_capacity(0);
::protobuf::reflect::GeneratedFileDescriptor::new_generated(
file_descriptor_proto(),
deps,
messages,
enums,
)
});
::protobuf::reflect::FileDescriptor::new_generated_2(generated_file_descriptor)
})
}
