COSE envelope signature spec updates #148
Conversation
* cbor payload * cose envelope * finalize payload * remove JWS * refine notations * refine datetime Signed-off-by: Shiwei Zhang <[email protected]> Merging into the remote-siging branch for further iteration, addressing the PR feedback with additional PRs into this branch.
Signed-off-by: Steve Lasker <[email protected]>
Updates to signature specification * Moves signed attributes out of payload * Defines new signed attributes and marks them as critical/informational * Introduces signature scheme to support different trust models Signed-off-by: Milind Gokarn <[email protected]>
|
With the go-cose v1.0.0-rc.1 release, with a security review completed, we'll be prioritizing this work. There are a few updates that we'll incorporate that include multiple content types that support registry descriptors, hashes of files that may not be store in a registry and direct wrapping of content. |
SteveLasker
force-pushed
the
cose-envelope
branch
2 times, most recently
from
d18dc4c to
3e93835
Compare
* Update signature-envelope-cose.md (#153) The `crit` header should be optional, not required. The spec already defines `cty` and `signingtime` as required, so a compliant verifier should reject any signature that does not include them, irrespective of whether or not the envelope also declares them as critical. An appropriate use of `crit` would be if a signer intends to include a new header not defined in the spec, to instruct verifiers that they must understand and process that header in order for the signature to be successfully validated. Another scenario is if a signer intends to mandate processing of an otherwise optional header (e.g., `expiry`). In other words, `crit` can be used by a signer to add requirements to the verification flow, but it is unnecessary and redundant if the verifier already has the same requirements. Signed-off-by: Brian Krell <[email protected]> * `cose-envelope`: merge changes from `main` (#177) * Align COSE spec with JWS Signed-off-by: letmaik <[email protected]> Co-authored-by: Steve Lasker <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Shiwei Zhang <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]> * update CBOR spec Co-authored-by: Steve Lasker <[email protected]> Co-authored-by: qmuntal <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]> Signed-off-by: Shiwei Zhang <[email protected]> Co-authored-by: Brian Krell <[email protected]> Co-authored-by: Maik Riechert <[email protected]> Co-authored-by: Steve Lasker <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]>
…t into cose-envelope
signature-specification.md
Outdated
|
|
||
| **Implementation Constraints**: Notary v2 implementation MUST enforce the following constraints on signature generation and verification: | ||
|
|
||
| 1. `alg` header value MUST NOT be `none` or any symmetric-key algorithm such as `HMAC`. |
There was a problem hiding this comment.
re: prohibition on HMAC. This may be redundant since I don't think one can use symmetric key algorithms with COSE Sign/Sign1. Those should be only available for Mac or Mac0 COSEs.
Co-authored-by: Thomas Fossati <[email protected]> Signed-off-by: David Tesar <[email protected]>
Co-authored-by: Thomas Fossati <[email protected]> Signed-off-by: David Tesar <[email protected]>
Signed-off-by: David Tesar <[email protected]>
signature-envelope-cose.md
Outdated
| 'io.cncf.notary.signingScheme', | ||
| 'io.cncf.notary.expiry' | ||
| ], | ||
| / cty / 3: 'application/vnd.cncf.notary.payload.v1+json', |
signature-envelope-cose.md
Outdated
| { | ||
| / x5chain / 33: [ | ||
| << DER(leafCert) >>, | ||
| << DER(intermediate CACert) >>, |
There was a problem hiding this comment.
I am still a bit nervous about exactly what this means, but the approach seems reasonable... I would just want to see a complete example.
signature-envelope-cose.md
Outdated
| | RSASSA-PSS with SHA-256 | -37 | | ||
| | RSASSA-PSS with SHA-384 | -38 | | ||
| | RSASSA-PSS with SHA-512 | -39 | | ||
| | ECDSA on secp256r1 with SHA-256 | -7 | |
There was a problem hiding this comment.
I assume lack of EdDSA is intentional here.
specs/signature-specification.md
Outdated
| @@ -43,6 +43,7 @@ Signature Manifest Example | |||
| - **`blobs`** (*array of objects*): This REQUIRED property contains collection of only one [artifact descriptor][artifact-descriptor] referencing signature envelope. | |||
| - **`mediaType`** (*string*): This REQUIRED property contains media type of signature envelope blob. Following values are supported | |||
| - `application/jose+json` | |||
There was a problem hiding this comment.
This seems like maybe not correct? are you saying that compact representation is NOT allowed? thats how i read them.
specs/signature-specification.md
Outdated
|
|
||
| ```json | ||
| { | ||
| "subject": { |
There was a problem hiding this comment.
good call, since sub is a string... maybe you want to make it clear that this is a "private claim", that is not part of the original RFC.
|
@gokarnm All your comments are resolved now. Could you give a final check and approve it if there are no further issues? |
* spec: update according to review comments * update to RFC for the fields of the sig_structure * update description for field context Signed-off-by: Yi Zha <[email protected]>
yizha1
force-pushed
the
cose-envelope
branch
from
6fc8e1d to
cf533b8
Compare
|
+1 to merging, with incremental improvements. |
specs/signature-envelope-cose.md
Outdated
| Note: `<<` and `>>` are used to notate the CBOR byte string resulting from encoding the data item. | ||
|
|
||
| - **[`x5chain`](https://datatracker.ietf.org/doc/html/draft-ietf-cose-x509-08#section-2)** (*array of bstr*): This REQUIRED parameter (label `33` by [IANA](https://www.iana.org/assignments/cose/cose.xhtml#header-parameters)) contains the ordered list of X.509 certificate or certificate chain ([RFC5280](https://datatracker.ietf.org/doc/html/rfc5280)) corresponding to the key used to digitally sign the COSE. The certificate chain is represented as an array of certificate, each certificate in the array is DER encoded and then wrapped in a CBOR byte string. The certificate containing the public key corresponding to the key used to digitally sign the COSE MUST be the first certificate, followed by the intermediate and root certificates in the correct order. Refer [*Certificate Chain* unsigned attribute](signature-specification.md#unsigned-attributes) for more details. Optionally, this header can be presented in the protected header. | ||
| - **TODO** update signature specification to allow chains in protected header |
There was a problem hiding this comment.
What's the motivation behind this? can we remove it from spec and open it as issue for discussion ?
There was a problem hiding this comment.
@letmaik, @shizhMSFT can you comment?
There was a problem hiding this comment.
The motivation is that the signing key of a signer may have multiple organizations associated. How to determine which organization that the signer represents at the signing time is an issue.
Here's an example, the signer has two cert chains Company A -> Signer and Company B -> Signer.
graph TD;
a["CA (Company A)"] --> s["Signer Cert"]
b["CA (Company B)"] --> s
Consider the following scenario:
- Signer signs the artifact and associates cert chain
Company A -> Signerto the resulted signature. In other words, the signer signs the artifact representing the company A. - Signer publishes the artifact and the signature.
- Adversary sees the signature and replaces the cert chain in the unprotected header with a cert chain
Company B -> Signer. - Now, from the view of verifiers, the signature is signed by the Signer, representing the company B.
This kind of attack can be mitigated by never reusing the signing key but it is better if we can sign the signing identity in the signature itself.
@yizha1 Let's remove it from spec and open it as issue for discussion.
There was a problem hiding this comment.
@ianjmcm, can you provide some 👀 ?
* move certificate chain discussion to a new issue Signed-off-by: Yi Zha <[email protected]>
|
Thanks @shizhMSFT, @qmuntal, @letmaik, @yogeshbdeshpande, @thomas-fossati and everyone else that completed this baseline, including all the updates to https://github.com/veraison/go-cose Great work! |
Tracking the merger of the cose-envelope branch into main.