-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
COSE Signature Envelope #139
Conversation
Signed-off-by: Shiwei Zhang <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>
The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. | ||
- **`x5chain`** (*array of byte strings*): This REQUIRED property (label: `33` by [IANA](https://www.iana.org/assignments/cose/cose.xhtml#header-parameters)) contains the list of X.509 certificate or certificate chain ([RFC5280](https://datatracker.ietf.org/doc/html/rfc5280)) corresponding to the key used to digitally sign the COSE. | ||
The certificate containing the public key corresponding to the key used to digitally sign the COSE MUST be the first certificate. | ||
Optionally, this header can be presented in the protected header. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If x5chain is not protected, should require that x5t/34 is. There may also be value in simply requiring that x5chain is protected. This guards against a potential cert substitution attack, at the expense of requiring a larger signature envelope size because the header can't be stripped in environments where the value is known externally.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@priteshbandi Should we move Certificates
attribute from Unsigned Attributes to Signed Attributes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@briankr-ms , @shizhMSFT what's the call here? I can make changes if we can conclude on a decision.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@briankr-ms could you provide more details for cert substitution attack. Notation will use x5chain in conjunction with trust store configured by the user. As part of verification, the cert chain is checked to terminate in one of the certs in trust store. @shizhMSFT are we using x5t/thumbprint in any other context, other than signature manifest attributes, for matching signature to policy for evaluation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shizhMSFT The certs in chain are already signed by the next cert in the chain, and is expected to be authenticated against the trust store. Open to discussing if moving it to signed attributes protects us against certain attacks.
If we adopt\moving to a Ledger type system, why would we keep the certificate chain anywhere? Is this a hold over from threat? Refers to: signature-specification.md:25 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) |
Why do we need this? Refers to: signature-specification.md:59 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) |
Why do we keep the expiration time in its own field. Is this part of the support for extending life based on Secure TimeStamp data? Refers to: signature-specification.md:67 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) |
In the case of our other scenarios, the key thing that we store in unprotected headers is another signed message. How much of this is true here? Refers to: signature-specification.md:68 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) Edit from @SteveLasker Updated to reflect:
|
It would be nice to show something under io.cncf.notary Refers to: signature-specification.md:91 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) @SteveLasker Commenting in an edit: We could switch to a CNCF project. Within the notary project, we use two companies as representative users
|
Media type is usually text\plain, multipart\related, image\jpg . Did we really define a type sbom/example? Refers to: signature-specification.md:98 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) Inlined edit from @SteveLasker To avoid referencing specific projects, we use |
Is it the time it was signed or the time the payload was created? Thus in a disaster scenario when things come back up is it the time the "operation happened" or the time when we requested a signature? Refers to: signature-specification.md:109 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) |
Isn't this also expected to be > than Creation Time? Or is it truly free form and thus can be earlier than or equal to creation time? Refers to: signature-specification.md:111 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) |
Why are all the intermediaries here and does it include the root? Refers to: signature-specification.md:116 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) |
Signed-off-by: Shiwei Zhang <[email protected]>
@priteshbandi @SteveLasker Could you also take a look at @roywill 's comment since his comment is mainly for the |
Signed-off-by: Shiwei Zhang <[email protected]>
updated to In reply to: 1067416112 Refers to: signature-specification.md:33 in 644c8cd. [](commit_id = 644c8cd, deletion_comment = False) |
Keeping |
The |
The array MUST contain `3` (`cty`), and `signingtime`. If `expiry` is presented, the array MUST also contain `expiry`. | ||
- **`cty`** (*string*): The REQUIRED property content-type (label: `3`) is used to declare the media type of the secured content (the payload). | ||
- **`signingtime`** (*datetime*): The REQUIRED property identifies the time at which the signature was generated. | ||
- **`expiry`** (*datetime*): This OPTIONAL property contains the expiration time on or after which the signature must not be considered valid. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add iss
(string) to this list as optional property indicating the issuer of the signature? If it follows a well-known scheme like DID (starting with did:
) then it may be used for key discovery, together with kid
which is also missing here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, Notary v2 only supports certs. Other key discovery systems like kid
or iss
or others are not supported, and are not covered in this PR. This PR focuses on changing what we have for JWS to COSE and nothing else. BTW, iss
makes it more like a CWT.
@letmaik Could you follow up #95 or open a new issue in case we need to support other key discovery systems so that the community can review?
@shizhMSFT, you’re correct this PR is focused on COSE and x509. And, we’re looking to use DiD for where to discover the public key. Knowing we’ll add other key and identity types, is there anything we would add now to make that support less of a breaking change? |
From today's Notary call, we agreed to keep both the current JWT, adding COSE. We’re hoping to land the COSE format for the initial release, but we’ve said notary will support multiple signature formats over time, for instance, different governments (China has been the common example, but also support for newer fomats over time). If we add multiples now, we validate the spec supports multiples. If we land COSE for v1, we can pull JWT out, knowing the spec supports multiple formats. |
To move the spec forward, aleviating Shiwei to focus on the go-cose work, suggesting we merge this into cose-envelope branch. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM to merge into the cose-envelope branch, and we'll continue to iterate the feedback there.
LGTM to merge into the cose-envelope branch, to unblock work. @priteshbandi and me have yet to review this PR completely. |
@shizhMSFT, @roywill, @briankr-ms what's the final call here? |
Need a call here: @roywill, @shizhMSFT, @gokarnm |
@shizhMSFT, @gokarnm, @priteshbandi, what would you like to make this? |
@shizhMSFT, @gokarnm, @priteshbandi, same question here ^ |
Notary doesn't support multiple signatures in the same payload. You can create multiple detached signatures, each with their own However, this does call out "signing certificate", which we've since said is not required. Should this be updated to say root certificate as the first entry? |
@@ -17,7 +17,7 @@ The signature manifest has an artifact type that specifies it's a Notary V2 sign | |||
|
|||
- **`artifactType`** (*string*): This REQUIRED property references the Notary version of the signature: `application/vnd.cncf.notary.v2.signature`. | |||
- **`blobs`** (*array of objects*): This REQUIRED property contains collection of only one [artifact descriptor](https://github.com/oras-project/artifacts-spec/blob/main/descriptor.md) referencing signature envelope. | |||
- **`mediaType`** (*string*): This REQUIRED property contains media type of signature envelope blob. The supported value is `application/jose+json` | |||
- **`mediaType`** (*string*): This REQUIRED property contains media type of signature envelope blob. The supported value is `application/cose`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the intent to disregard any optional parameter e.g. application/cose; cose-type="cose-sign1"
? Notation should probably include code-type
param to be more specific.
"exp": 1234567891011 | ||
/ crit / 2: [ | ||
/ cty / 3, | ||
'signingtime', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason to use headers of type string instead of int? Do we plan to followup and include these in IANA?
https://www.iana.org/assignments/cose/cose.xhtml#header-parameters
The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. | ||
- **`x5chain`** (*array of byte strings*): This REQUIRED property (label: `33` by [IANA](https://www.iana.org/assignments/cose/cose.xhtml#header-parameters)) contains the list of X.509 certificate or certificate chain ([RFC5280](https://datatracker.ietf.org/doc/html/rfc5280)) corresponding to the key used to digitally sign the COSE. | ||
The certificate containing the public key corresponding to the key used to digitally sign the COSE MUST be the first certificate. | ||
Optionally, this header can be presented in the protected header. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@briankr-ms could you provide more details for cert substitution attack. Notation will use x5chain in conjunction with trust store configured by the user. As part of verification, the cert chain is checked to terminate in one of the certs in trust store. @shizhMSFT are we using x5t/thumbprint in any other context, other than signature manifest attributes, for matching signature to policy for evaluation?
The certificate containing the public key corresponding to the key used to digitally sign the JWS MUST be the first certificate. | ||
- **`x5chain`** (*array of byte strings*): This REQUIRED property (label: `33` by [IANA](https://www.iana.org/assignments/cose/cose.xhtml#header-parameters)) contains the list of X.509 certificate or certificate chain ([RFC5280](https://datatracker.ietf.org/doc/html/rfc5280)) corresponding to the key used to digitally sign the COSE. | ||
The certificate containing the public key corresponding to the key used to digitally sign the COSE MUST be the first certificate. | ||
Optionally, this header can be presented in the protected header. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shizhMSFT The certs in chain are already signed by the next cert in the chain, and is expected to be authenticated against the trust store. Open to discussing if moving it to signed attributes protects us against certain attacks.
|
||
```json | ||
**ProtectedHeaders**: Notary v2 supports the following protected headers. Other header fields can be included but will be ignored. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd explicitly mention that alg
if included will not be considered by Notation during verification.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: Capture the intent for x5chain.
Multiple signatures can be associated with and OCI artifact, which are can be queried through the ORAS references API. This field is used to filter down signatures that will be considered for signature verification against the customer configured Trust store. More context in #131 |
The signature can be generated by ephemeral keys, the optional signature expiry field allows the signatures to be valid beyond key expiry without relying on TSA. Can be renamed to signature-expiry. Clarify that signature-expiry can be shorter or larger than key expiry. |
Updates to signature specification * Moves signed attributes out of payload * Defines new signed attributes and marks them as critical/informational * Introduces signature scheme to support different trust models * cbor payload * cose envelope * finalize payload * refine notations * refine datetime * Align COSE spec with JWS * update CBOR spec * spec: update data type of signingTime to data/time * Update signature-envelope-cose.md * Update signature-envelope-cose.md * update to RFC for the fields of the sig_structure * update description for field context * COSE Signature Envelope (#139) * Support for JWT and COSE envelopes (#145) * Updates to signature specification (#147) * Update COSE spec (#179) * Update signature-envelope-cose.md (#153) * `cose-envelope`: merge changes from `main` (#177) * spec: update data type of signingTime to date/time (#199) * spec: update cose and signature spec according to review comments (#204) Co-authored-by: letmaik <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Shiwei Zhang <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]> Co-authored-by: Brian Krell <[email protected]> Co-authored-by: Maik Riechert <[email protected]> Co-authored-by: Thomas Fossati <[email protected]> Co-authored-by: David Tesar <[email protected]> Co-authored-by: Yi Zha <[email protected]> Signed-off-by: Steve Lasker <[email protected]>
Replace JWS with COSE for the envelope format.
Highlight: Unlike JWS,
alg
is not a required header in COSE. Therefore, we can remove it completely, making the signature envelope more secure.Resolves #117