diff --git a/internal/mock/mocks.go b/internal/mock/mocks.go index 9494587f..1efb882d 100644 --- a/internal/mock/mocks.go +++ b/internal/mock/mocks.go @@ -1,6 +1,9 @@ package mock -import _ "embed" +import ( + _ "embed" + nsigner "github.com/notaryproject/notation-core-go/signer" +) import ( "context" @@ -20,6 +23,9 @@ var MockCaInvalidSigEnv []byte //go:embed testdata/sa_valid_sig_env.json var MockSaValidSigEnv []byte +//go:embed testdata/ca_plugin_sig_env.json +var MockCaPluginSigEnv []byte // extended attributes are "SomeKey":"SomeValue", "io.cncf.notary.verificationPlugin":"plugin-name" + //go:embed testdata/sa_invalid_sig_env.json var MockSaInvalidSigEnv []byte 
@@ -29,16 +35,30 @@ var MockCaExpiredSigEnv []byte //go:embed testdata/sa_expired_sig_env.json var MockSaExpiredSigEnv []byte +//go:embed testdata/sa_plugin_sig_env.json +var MockSaPluginSigEnv []byte // extended attributes are "SomeKey":"SomeValue", "io.cncf.notary.verificationPlugin":"plugin-name" + var ( - SampleArtifactUri = "registry.acme-rockets.io/software/net-monitor@sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333" - SampleDigest = digest.FromString("sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333") - Annotations = map[string]string{"key": "value"} + SampleArtifactUri = "registry.acme-rockets.io/software/net-monitor@sha256:60043cf45eaebc4c0867fea485a039b598f52fd09fd5b07b0b2d2f88fad9d74e" + SampleDigest = digest.Digest("sha256:60043cf45eaebc4c0867fea485a039b598f52fd09fd5b07b0b2d2f88fad9d74e") + Annotations = map[string]string{"key": "value"} + ImageDescriptor = notation.Descriptor{ + MediaType: "application/vnd.docker.distribution.manifest.v2+json", + Digest: SampleDigest, + Size: 528, + Annotations: nil, + } JwsSigEnvDescriptor = notation.Descriptor{ MediaType: "application/jose+json", Digest: SampleDigest, Size: 100, Annotations: Annotations, } + PluginExtendedCriticalAttribute = nsigner.Attribute{ + Key: "SomeKey", + Critical: true, + Value: "SomeValue", + } ) type Repository struct { @@ -52,7 +72,7 @@ type Repository struct { func NewRepository() Repository { return Repository{ - ResolveResponse: JwsSigEnvDescriptor, + ResolveResponse: ImageDescriptor, ListSignatureManifestsResponse: []registry.SignatureManifest{{ Blob: JwsSigEnvDescriptor, Annotations: Annotations, 
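Review bot: `ImageDescriptor` in the `var (` block hard-codes a digest and `Size: 528` that the signed payloads of the testdata envelopes in this commit appear to carry as well, and nothing in the block records that coupling. If either side is edited alone, verification tests would fail with a digest or size mismatch that looks like a signature problem. I would add a comment above the field such as `// ImageDescriptor must match the targetArtifact signed in testdata/*_sig_env.json; regenerate the fixtures if it changes.`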
@@ -77,15 +97,40 @@ func (t Repository) PutSignatureManifest(ctx context.Context, signature []byte, return notation.Descriptor{}, registry.SignatureManifest{}, nil } -type PluginManager struct{} +type PluginManager struct { + PluginCapabilities []plugin.Capability + GetPluginError error + PluginRunnerLoadError error + PluginRunnerExecuteResponse interface{} + PluginRunnerExecuteError error +} + +type PluginRunner struct { + Response interface{} + Error error +} -func NewPluginManager() PluginManager { - return PluginManager{} +func (pr PluginRunner) Run(ctx context.Context, req plugin.Request) (interface{}, error) { + return pr.Response, pr.Error } -func (t PluginManager) Get(ctx context.Context, name string) (*manager.Plugin, error) { - return nil, nil +func (pm PluginManager) Get(ctx context.Context, name string) (*manager.Plugin, error) { + return &manager.Plugin{ + Metadata: plugin.Metadata{ + Name: "plugin-name", + Description: "for mocking in unit tests", + Version: "1.0.0", + URL: ".", + SupportedContractVersions: []string{"1.0"}, + Capabilities: pm.PluginCapabilities, + }, + Path: ".", + Err: nil, + }, pm.GetPluginError } -func (t PluginManager) Runner(name string) (plugin.Runner, error) { - return nil, nil +func (pm PluginManager) Runner(name string) (plugin.Runner, error) { + return PluginRunner{ + Response: pm.PluginRunnerExecuteResponse, + Error: pm.PluginRunnerExecuteError, + }, pm.PluginRunnerLoadError } diff --git a/internal/mock/testdata/ca_expired_sig_env.json b/internal/mock/testdata/ca_expired_sig_env.json index 35dd9e1d..9d629269 100644 --- a/internal/mock/testdata/ca_expired_sig_env.json +++ b/internal/mock/testdata/ca_expired_sig_env.json 
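Review bot: `PluginManager.Get` ignores its `name` argument and always reports `Name: "plugin-name"`, so a test built on this mock cannot detect a verifier that looks up a different plugin than the one named in the envelope's `io.cncf.notary.verificationPlugin` attribute. Rejecting unexpected names in the mock, for example `if name != "plugin-name" { return nil, fmt.Errorf("plugin %q not found", name) }` (assuming `fmt` is or can be imported in this file), would make that dispatch testable. `Get` also returns a fully populated `*manager.Plugin` together with `pm.GetPluginError`; returning `nil, pm.GetPluginError` when the error is set would surface callers that use the plugin without checking the error. The same applies to `Runner`, which hands back a usable `PluginRunner` alongside `pm.PluginRunnerLoadError`.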
@@ -1,12 +1,12 @@ { "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ", - "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmV4cGlyeSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjAyMi0wNy0yOVQyMzo1OTowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nVGltZSI6IjIwMjItMDctMjlUMjM6NTg6MDBaIn0", + "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmV4cGlyeSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjAyMi0wNy0yOVQyMzo1OTowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nVGltZSI6IjIwMjItMDctMjlUMDA6MDA6MDBaIn0", "header": { "x5c": [ - "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", - "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" + "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", + "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" ], "io.cncf.notary.SigningAgent": "Notation/1.0.0" }, - "signature": "mj-c1cVKCDUl9811YMvY5uRweSL1JeRBAVreAHJoBfULmbF2pMB3vVQOKYkY2rDnlUIqIrh6GiBG65tgr0ZCXeGvGWvL651FtCXhqwx3sJpqOLmoxZMV_Nbom0VBoQWAyyPNCn5j0Z4Gp8o4KMsbv2DseIC9nsli9VZaNJkXU2rLZquQALYUI-InxsHM2hCjo-HG_U9zZlm9XH4bZl9fDIg-O-Id78JBP2ugdn2WW4XshFmWJiuJbHN59gDaW5HPHzPpj1VvUS-sScKTm3juH2fImgyysgtX2uw8c79sEf4uO007cVgHXrKeSwtNiDP3qQZaEzHCHcFsucUQKTIz1dcA519s3rYFAMegL-Ki8Vv-OGVQwIc_17zCrQl0QklFZCRvwdEGkKPysPmZVghAuoJ1kD58FwEYHCiT1IKJ2RN2liwHvZwkTGBpzQRTZQe1oKkSiyFLnHE2WkrCudvGv61qswA3_dMmpm3w6tYm-oseFPUnf8iXOOM5ZS-_VBjZ" + "signature": 
"RZtqCD4KGh5_CD8wjG69TJIzzB4Cr-cxQhKTvZJYsRVIJyl3s5D0215GhBrggomVk9-LGD2FdWd2VfuaLd4bmhW3rSV3ltmAext7DNQFg2xtMeYSeCL2U_ygN2j4bc80RDaX8w_zOTVOmuhW6i2jgwRjWXdDaJeYTbZA2syA5R38tYYewVcZJ6U057Wsflt5yPWJCdxZLuTago5CkbLASL8HHnmlUkDvKKB1Y9SNDOQ3AmGP4-XJykcX_MfPo5RGRvZE-zHUJOEKj3ryfC0UTUT7V1ISTagqOt7zOa1BEzgQ-1GQk1MbaPPZWkiOZX4RqMXMV3hVqtDuZxlpT25KzZPm1USwWwJkycv7YB69fc2aoHJAPo-39uEV9fdAz_03whnrQSpfJbmHHTXMJkWKrZ5ozU-8zlEttWyL5D85zAouSMVXWm22zMrDW-XxST9QoeV4b1_BedW1PwJDbeU6P1hhobnQh3jHmSueVl_WZ5_g8_iVepSmSBcR1e4WpoPi" } \ No newline at end of file diff --git a/internal/mock/testdata/ca_invalid_sig_env.json b/internal/mock/testdata/ca_invalid_sig_env.json index a56f473d..255eb32e 100644 --- a/internal/mock/testdata/ca_invalid_sig_env.json +++ b/internal/mock/testdata/ca_invalid_sig_env.json 
@@ -1,12 +1,12 @@ { "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ=", - "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmV4cGlyeSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjEyMi0wMS0wMVQxMjowMDowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nVGltZSI6IjIwMjItMDctMjlUMTU6NTU6MTAtMDc6MDAifQ", + "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmV4cGlyeSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjEyMC0xMS0wOVQwNzowMDowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nVGltZSI6IjIwMjAtMTEtMDlUMDc6MDA6MDBaIn0", "header": { "x5c": [ - "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", - "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" + "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", + "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" ], "io.cncf.notary.SigningAgent": "Notation/1.0.0" }, - "signature": "LOLkqjLQJxswpcgDDgtHdliq0Q-HnrFPdmkdMlCRF2-rXdQYndDWFtOgQzezBW62erM_1bJVs_hA07ZTBel40059udaeiWQghkdn6rHEZ4WIAXHhPK3b-m7SDOSseTEWozRk8Pr1U2l7ctyhafVdmtn01bxdkB5nu0BuEff4mYv1r9PoNhv8qSf6-Ieqd4ifwXJj5aa2U4Frz9rweovxmHdHOEXMlaj64nvcCsdnuJxubXuYzY80nU526S2U5dO1SBXdAim0iu35T7r0ionBYt4Z94cnBYahD_8YsNOWfZ1q8qi8X3myOH_fjd47f746WJo05E4tCbss6uiDWRsdPiCzdKN_FRc2hPFvDnN036bqbk1WCFfnGNDysXbgurBHNfYzfL2UMt1D4CFwszvWXCSmXHtmIflBONrgUduNACFFcxQOBWi3OM6VxXW_sa7hnEgnZkMPZJMkiVF-yH1iO08FEhIGPaoXucyaxtNQM862V_sZdLl-nK67VMNDiqDMg1DLOL" -} + "signature": 
"ZvsxyaSqDzS7mY_jKpnq2XtBcmyWmSE461BHL6q2pAx_-Rxr8Fvs2oIfZdSG2o3qugPDjzZDMhKdYdnrW1AIEkVIG_QUmeyGj28PVXxsC5NKpXwrPUMOzrXSFLHIvBNZ2q87wRYInsgCPtv5ZPv0IgA2sAW6y7NlVM2D0vJax55ITsJO5aEaEUlAdi_H7-TCD48DHuFpnJdNkVB_hZkwYfxuqIKU2C__Z2hLLHxaS2LzuzhqOnYlbqn4e225uZt9odXq3qmZ_44Vx3DYL_-ZuV0S9jEk7NW8-dO0T0MeQn6VXDyfT1rjc6IVPnLxAnELFyLn121GYulYC8V2D1_MLcv8sDHY23rHb3-R-WCLMDSfaIvReY89vQfxcfpdCRC0F3N2CcnrgsrUC6Fplm5Uy45Gn9--b7x5cdSzOzQsefCH1GpixW7YyNs1xZQ17WqdYyWD2EBrB5vqVFzkzDYnQ4H-p9G3AzM4HTrjWqHX-0cYHlpmTS4AjVxn0UV80Jn9" +} \ No newline at end of file diff --git a/internal/mock/testdata/ca_plugin_sig_env.json b/internal/mock/testdata/ca_plugin_sig_env.json new file mode 100644 index 00000000..8b14bef8 --- /dev/null +++ b/internal/mock/testdata/ca_plugin_sig_env.json @@ -0,0 +1,12 @@ +{ + "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ", + "protected": "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", + "header": { + "x5c": [ + "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", + "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" + ], + "io.cncf.notary.SigningAgent": "Notation/1.0.0" + }, + "signature": "cyB34qtMss9N1E_2XAQ_71c6j1fOcamenm7YrYsXn562XOhFgJKUjmDYWkz9mmdLN-GqQNKA8MhAfKt2ipXxsWldrb3a-6AZ-y4jIkY5XIY_s7Sndz58DPtez0X4kAehvKiyUtDVPbqIJQ5Hwgj8tC_f0Yva6pdrSD7xwenxwiCZmxM6N_LV9d1oYSDQi9890XRrFK4M1YRlOZquJ19HrhADLVJXS-ZfqcTE_tceoU2Hq82pqd2MnazAtJiWZm0cxwt-OsGlgGrkvHoNcMYS8K6BSBvL-vVtOuSpca89QrLsTCnKnmvUlw3wrWTDf83qhPyfw-2ASrE2V57vunpxSNyoA_70fNgOuhWUZZUTi9eXxutp0GCcGTem7MzZRBJVOVdw9OgR3pClGiRxP3BE2Atn3EUXs2HgQHEiE1KZvVHFeObB6asMqfbAMMNDgZCsZi7Yah7NaYg1NH9YwrJgAtNFW0p2trxiQ6uqICD2m54yGtRmvw_O9kt5HnUaBQJX" +} \ No newline at end of file 
diff --git a/internal/mock/testdata/ca_valid_sig_env.json b/internal/mock/testdata/ca_valid_sig_env.json index f5f5dde6..e547a13f 100644 --- a/internal/mock/testdata/ca_valid_sig_env.json +++ b/internal/mock/testdata/ca_valid_sig_env.json 
@@ -1,12 +1,12 @@ { "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ", - "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmV4cGlyeSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjEyMi0wMS0wMVQxMjowMDowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nVGltZSI6IjIwMjItMDctMjlUMTU6NTU6MTAtMDc6MDAifQ", + "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmV4cGlyeSJdLCJjdHkiOiJhcHBsaWNhdGlvbi92bmQuY25jZi5ub3RhcnkucGF5bG9hZC52MStqc29uIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjEyMC0xMS0wOVQwNzowMDowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nVGltZSI6IjIwMjAtMTEtMDlUMDc6MDA6MDBaIn0", "header": { "x5c": [ - "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", - "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" + "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", + "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" ], "io.cncf.notary.SigningAgent": "Notation/1.0.0" }, - "signature": "kqjLQJxswpcgDDgtHdliq0Q-HnrFPdmkdMlCRF2-rXdQYndDWFtOgQzezBW62erM_1bJVs_hA07ZTBel40059udaeiWQghkdn6rHEZ4WIAXHhPK3b-m7SDOSseTEWozRk8Pr1U2l7ctyhafVdmtn01bxdkB5nu0BuEff4mYv1r9PoNhv8qSf6-Ieqd4ifwXJj5aa2U4Frz9rweovxmHdHOEXMlaj64nvcCsdnuJxubXuYzY80nU526S2U5dO1SBXdAim0iu35T7r0ionBYt4Z94cnBYahD_8YsNOWfZ1q8qi8X3myOH_fjd47f746WJo05E4tCbss6uiDWRsdPiCzdKN_FRc2hPFvDnN036bqbk1WCFfnGNDysXbgurBHNfYzfL2UMt1D4CFwszvWXCSmXHtmIflBONrgUduNACFFcxQOBWi3OM6VxXW_sa7hnEgnZkMPZJMkiVF-yH1iO08FEhIGPaoXucyaxtNQM862V_sZdLl-nK67VMNDiqDMg1D" -} + "signature": 
"ZvsxyaSqDzS7mY_jKpnq2XtBcmyWmSE461BHL6q2pAx_-Rxr8Fvs2oIfZdSG2o3qugPDjzZDMhKdYdnrW1AIEkVIG_QUmeyGj28PVXxsC5NKpXwrPUMOzrXSFLHIvBNZ2q87wRYInsgCPtv5ZPv0IgA2sAW6y7NlVM2D0vJax55ITsJO5aEaEUlAdi_H7-TCD48DHuFpnJdNkVB_hZkwYfxuqIKU2C__Z2hLLHxaS2LzuzhqOnYlbqn4e225uZt9odXq3qmZ_44Vx3DYL_-ZuV0S9jEk7NW8-dO0T0MeQn6VXDyfT1rjc6IVPnLxAnELFyLn121GYulYC8V2D1_MLcv8sDHY23rHb3-R-WCLMDSfaIvReY89vQfxcfpdCRC0F3N2CcnrgsrUC6Fplm5Uy45Gn9--b7x5cdSzOzQsefCH1GpixW7YyNs1xZQ17WqdYyWD2EBrB5vqVFzkzDYnQ4H-p9G3AzM4HTrjWqHX-0cYHlpmTS4AjVxn0UV80Jn9" +} \ No newline at end of file diff --git a/internal/mock/testdata/sa_expired_sig_env.json b/internal/mock/testdata/sa_expired_sig_env.json index d714d3de..19a316c0 100644 --- a/internal/mock/testdata/sa_expired_sig_env.json +++ b/internal/mock/testdata/sa_expired_sig_env.json 
@@ -1,12 +1,12 @@ { "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ", - "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmF1dGhlbnRpY1NpZ25pbmdUaW1lIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5Il0sImN0eSI6ImFwcGxpY2F0aW9uL3ZuZC5jbmNmLm5vdGFyeS5wYXlsb2FkLnYxK2pzb24iLCJpby5jbmNmLm5vdGFyeS5hdXRoZW50aWNTaWduaW5nVGltZSI6IjIwMjItMDctMjlUMjM6NTg6MDBaIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjAyMi0wNy0yOVQyMzo1OTowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkuc2lnbmluZ0F1dGhvcml0eSJ9", + "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmF1dGhlbnRpY1NpZ25pbmdUaW1lIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5Il0sImN0eSI6ImFwcGxpY2F0aW9uL3ZuZC5jbmNmLm5vdGFyeS5wYXlsb2FkLnYxK2pzb24iLCJpby5jbmNmLm5vdGFyeS5hdXRoZW50aWNTaWduaW5nVGltZSI6IjIwMjItMDctMjlUMDA6MDA6MDBaIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjAyMi0wNy0yOVQyMzo1OTowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkuc2lnbmluZ0F1dGhvcml0eSJ9", "header": { "x5c": [ - 
"MIIEVjCCAr6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MB4XDTIyMDcyOTIzMDA0NFoXDTIyMDczMDIzMDA0NFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxGzAZBgNVBAMTEk5vdGF0aW9uIFRlc3QgUm9vdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAL2FPTiVkfxhq+CWzuYloio/iFly6vYe23+sQOAmpTzKHGB+kj72TMHj3Iwm/+sVs7BfTmtsnH4H2uA+z8oATLSy81jHvcG/w6zQ+OfjoNqSVMspJLPN17xhz/yJs8qKNE3jwHo6oV0C69WxGltdOcFXjBN4sSbIkXtlLj1TNXadBbyFa3hKg6cGNL0+d5EcRBSEGWS3+3Xkg9HcxL5rx21pVv8FccO6d15DIh4JZkuzP4wFj1fr1s3c8aWQ+SiGiju90mq1KU+pBwlGv2X4eDoJRDh06Xhk3Ax95LHkEQGuPXJAoDnNnuNUHEnwdDhBok0DaDHvo//Iurt31Qv+7xIfHlOgwRxaH9uie3HBwx3xWg36Zsi2Ia4IgHSG3TPP7szdDbFYASgcjGhr6pHmQsP5R3V4aL4gwXBh90IR4+ofkUEzoYI+oMvbgQRxxfsbCMER/39n0BRyqht1Wn1/ntsp0jPyJWSnd31NnCTAWltENtFgorMzkqMK4nXq+qNq4wIDAQABoycwJTAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggGBAKMNAGO+wtsqJtdqxOHHjivGYvwGdLN7yAVE+u5oiaQLRNox+ks35KH7yRFeS6pa6CwNWNEMTgXWuluSzb1I+UGHN/h5rr5gXlt/cweheaLsVSDXhwnzSK0WbFZS7DYxVjENS5rriP0DRtsG4xTdOd7MyVvb8+pGpBHy//KuvF63eRYQvRUxOxxHWoYj6uqPtLHMVGjEaAbUz2iIZfC47HAsAqZ4XJFiFoog9xeyCY2tg9ybRNcbtuSpztIAyhh7zZV13qqmsi3SW+7tJfwE+H5GLsQp79FTjrYAq41Oywv9CRIIlzrkp4H9zFUnLCJDIwm+hZ3nZjnKdUMqQxHYD6kSYla7GM4S+bcriNr1AO6ILPZ7NmXstzNtWDxzaXkO+LMUxfMqTK4HZwzWZA0ZqBk35p8BsEHl6GnWDa3QIuduAMZ+BL4e+obt4y3CH1kxxLbsq2fesTzMYeBaxEYka/lO8gqZ/5ghLSHaeH4OLrfhdZfphe/F9LiFhBsnZKlunQ==", - "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" + "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", + "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" ], "io.cncf.notary.SigningAgent": "Notation/1.0.0" }, - "signature": 
"Fg4CBWTx2jfuUTE33roQZxlGRnZ9812USiJQm630PZekYdOSu9dQ9gk1GuXfSnGkScRROqJfO-pB1ch-FssliF-LcXweA7EKbH6fgXG2L-VgN5VmLyiCLXXQwVBtSYbo_z4xSzfEr4XikmpnVAk3QF_Yw2HJ0G5DysLCrOO5NoNCsVgzpOmjCbsuiTQJDAmROD-2hwsXB8XQdzR-JGhWJTJ_fgww4Bsi1MuFT6S4Qx-43QbnfQ9MalaCqInEqwq8u3OQqECZJV9mGoT6pFV5ekYgzaxlJlqmjuL0joFUNwHCrFnyvu2HFOG3uaqokDFPtmSvxawSLUeh6HQovdOsdIiu-UR4_TKg57cXIwkkXOImLtI2Cm0-zEFrZdvG2x8JQQjT-fe9z1_22t0Gy5hFbfAl1CnGlx8kPe52S_dvv6iQvw9S5Sn24IBASXj4NhztpALX5e1A91Y9rFzi4dOzaXfq1km4YannHDUyFkAY5HVdHs6PqqCZZ29okGMgoowt" -} + "signature": "nDpYiwd536V2krjmxH2FCk6QgUTRyA6AFL9D5sDBJ3JwS9q9znsefSIg9rz6PMskVO9GUzUSG0ZIna5izrVR9pctLw4yQrWIZz3fp-lc3orK4w1nmHG_pCdpasH4FxpvXa0-4dllJmX2Yc3GrdeFaxJhcgtr2iiArabKnOFh5DbfOpeyMGDEa2XVRnrcS4VRgc5UdewFkq2NslMw1Y9loQwrNr3JGTQQpvZHOR4yBtnfCWFJ7G8AYDUb4H1Us8iaIlyp-jSIVSOT9HQzizDzZgn-Gtv90pq9xqAEtrW4thkPUOOJP_P0-_huAH3475UEPi-Yc7ekyt7PH6PazyI9yuTsJlkM_eWDsNLDARRfgygzr9DJHPkYQG3S8MRfNGqskob6Lcfl8nPaXnTfAhLNl-JiWvzMpwq1af2sWek-NVcGf5-81hRF9GTCE1IAtjQ0ITR86zq_G8pEj4JfI-H0c0yXTDUilUHzwzXV_7zE0gEB8UFHHg9VHGflYRdbWuS9" +} \ No newline at end of file diff --git a/internal/mock/testdata/sa_invalid_sig_env.json b/internal/mock/testdata/sa_invalid_sig_env.json index 4468a567..ec86ab8a 100644 --- a/internal/mock/testdata/sa_invalid_sig_env.json +++ b/internal/mock/testdata/sa_invalid_sig_env.json 
@@ -1,12 +1,12 @@ { "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ=", - "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmF1dGhlbnRpY1NpZ25pbmdUaW1lIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5Il0sImN0eSI6ImFwcGxpY2F0aW9uL3ZuZC5jbmNmLm5vdGFyeS5wYXlsb2FkLnYxK2pzb24iLCJpby5jbmNmLm5vdGFyeS5hdXRoZW50aWNTaWduaW5nVGltZSI6IjIwMjItMDctMjlUMTU6NTY6NTEtMDc6MDAiLCJpby5jbmNmLm5vdGFyeS5leHBpcnkiOiIyMTIyLTAxLTAxVDEyOjAwOjAwWiIsImlvLmNuY2Yubm90YXJ5LnNpZ25pbmdTY2hlbWUiOiJub3RhcnkueDUwOS5zaWduaW5nQXV0aG9yaXR5In0", + "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmF1dGhlbnRpY1NpZ25pbmdUaW1lIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5Il0sImN0eSI6ImFwcGxpY2F0aW9uL3ZuZC5jbmNmLm5vdGFyeS5wYXlsb2FkLnYxK2pzb24iLCJpby5jbmNmLm5vdGFyeS5hdXRoZW50aWNTaWduaW5nVGltZSI6IjIwMjAtMTEtMDlUMDc6MDA6MDBaIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjEyMC0xMS0wOVQwNzowMDowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkuc2lnbmluZ0F1dGhvcml0eSJ9", "header": { "x5c": [ - "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", - "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" + 
"MIIEWDCCAsCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MCAXDTIwMTAwOTA3MDAwMFoYDzIxMjIwODA2MjAzODQ1WjBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAwE8YkFUAA0R7aUkRYxHKYoVbFPx9xhuNovLKDy72/7X0+j4XdGP4C0aAX2KLfgy9OR1RIUwtpMyI7k7ZFRd+ljcMW/FgbirfhkY/8axjamOYMBO0Qg+w93oaI6HA1gvZ/WZem4PHu68LlZhLQ2BrQwCz/F/3Ft0IZ2S1aF6N6vajx2le8xTI5hQS+UZFPQGrBUqrjcYc6GkL8XqL+rLGZaKGfh3c7bF9cEbA1H2Tm6MDFnfoFemerbP3v19JoUH+EtOnvYmNZWEU51RaLsNGkC3E/unXAnIfXrNxHDcbehyfa5y3AT10Shiron6O4Bc9S0MvwtXyLT6qein3Nh0VKBFUMSdthu5ZrSR28T9wDWHMXngpa115VjHOQDY3gDPwfzZ0xitN3NpMnivxculGUCkEQpst957tqQNJpS/zipI5Mtej0YOAhVKGQMjDIJekZ2DXDNd1X3xfahrR5VEQF0gnRFhA3vhycDqFj4E6Hoc5y3SxnFqrhX3w2wyFt/xRAgMBAAGjJzAlMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAYEAAdONCAJxdB7H0uFDw6H+8Z5MtoRdJe6ZhlM2O5WMzkC1DLSyrF7arPnUMTeSyNS2Fx1BU38n5R1wvdgSfWtjm7o2ZyR8JQ+AngPklUCTNeL18kxNNXpmjDuMvsRlfHcr5hherjiQ49jWlpFqGRrNtZQWiVEI0r9Qz8DtZTw3GYF4MSuotA6wuUjolI1V2oMn/gdt8FFo0XUTDyiA12qpZzkUHY1rg3zJxKq3pIk04E7k6rFakHyZL91ipV2UeSbNq9vwLL7cglfPJ8+J+9AKvIPDstDF5k0ivUCYH5fIFZBGoceLiNfHSMcqA/qWfErqLBWAkACRUNyCWpAEv3DfDRbTHId0n6QQwOXj5d9YnDrmOLvQcn/sa+ZBfFMK7RdG9uVwMRyo+sRUnxo+v2lcvYwWymL7ONQqVWZbTJCxuG90Unxa3cQHZiKB5mgKweMft+vp6C3IQFhFfP8j1kvRTJq8ZqSEBADppUuBZJ1KWalwauK0AE4jpHlE0KsYDXiP", + "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" ], "io.cncf.notary.SigningAgent": "Notation/1.0.0" }, - "signature": 
"LOLKgz2HaaU2eJNaeDvtWlYKSuPiPlkCDGGeaj5P_3VjI-bV4zZr2CiZZ8KcwnGHEol68VKwrqiPzXJHQL76vX6sT9lnR7UdPVjjAJqE3SBlCAnO3yTiCbAWzqsvt0H6E45qvD8stvQNIs5nJFtLWcwWpUNpx-xtCYKF2weLyzXEjRS8W0kafpqwvPLHYG873NOk4f2QI4-PyftdB2vsTwBVjSCmQ__JR1DiBVqyHhnKufb7id0NSTK0Iin_Va0dt08IBTuf2oHD169e0XDYgqtEEVIna4vdTPk66RrtZMovKWDVuZtF9ZU79CItTPwhnxh0JZ2FSVe1lxMf6Lk-3PZdO3uccygSuho83FrhsNFKt5nKDbhuut_dPO2S3Cb-LRuT1vHYg-SrarkOq-fcVWqsTbEWgRI7nAFd2T4-cQikT-w9NeW3oaQ_kybW7mh45dD15F6nC1qOT9a9r2Yk1IMSAYu9Y_DXgmlPLahOH8482VtDeJKfXXj68x7CUGns9W-LOL" + "signature": "kqt4plYZgCdPkoVmC-1_JfH7dPUjIQOMaONP6pEucnKC1QiTa7peN83Ka8_0kAvAT3BIZ8CFjVuazioZpjHw-ydRlL3-pgagnENS8Fz2Vfwj9nKJF7mmFGi3R0t6fFFyx_Tw9rtxi4Nsv8y4k-2XLFLeSm1_EEDThHPVMbWE6XJpOIdvr2w3Iq1PsEOVo9QqVOd3FYcGLQAbiAAi_jREYpEKImFqQeY8noUCDOtULPwxbslrglOOBtKouI4OUT0ZtG3tDCBdoZUOAfNgKSlHQutlA0-G6GdBuytCz0ku45DTnGAPS11WwsuPBJfouYlusJuZHmqJTodwEnu2B2AZpLu5wxRUwWOpSyc8ftnSBkiHJWIT3bwatPjlaHoIgwcEsGPRwvFCq7V7yH2yW2uHI1FsiMUHYuWx-hDpLf4Nzag5oc-PyaV3lzsvZZHwy43ilFO-WJOZeDQCWjIZ_U1f4hGsoDkqvoRn-aFZ-pE7Nn99buVRHDjQ6-8-jfJncJaB" } diff --git a/internal/mock/testdata/sa_plugin_sig_env.json b/internal/mock/testdata/sa_plugin_sig_env.json new file mode 100644 index 00000000..966082a8 --- /dev/null +++ b/internal/mock/testdata/sa_plugin_sig_env.json 
@@ -0,0 +1,12 @@ +{ + "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ", + "protected": "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", + "header": { + "x5c": [ + "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", + "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" + ], + "io.cncf.notary.SigningAgent": "Notation/1.0.0" + }, + "signature": "DwrGzND2JgpkeFASatpp-kBKpgrlt1Io3fbetSB3VUnRb0zWkj3vreKzAFpNBI6MN0lTuIWA3_igTqkYcFq8VFW2VSvWGidARJnzd4WDrCFp7n-Qp9TQPqbkLknZUxT2pFsTw1EF_plyAdJmRwbJikwvc2RkxW1Bz6fAcagJEul4lm6j2Yq4iTE8xThjn1ih7_9XMQ9I1f79CK3CTdu9jCrlQbyC1wEI9btyx-91OJ2V1oeGVtasNvRhA1ttVS3h7EQvzcJ9eKdEHPCVK6j5X7xvbjz40Z2kouZAb3ve9jsYZquMx6krrwAh4JPwUDJGT2x6ujdIIU6QioJgbOqRLdyYYERHqhO3P3FAsIJqIwtupMkcSJZJrMlzdi_nuHPHvy9ToQTW5z98LSQHqHtmWf4JdfVGq5iOWwrwLO4QINi716wcqiVp8srd2VdpoxvA5nnT2zzukzSXXVFj3V7XcqWutQoM3ihfw-aWDLU_OBo7aaSLaZUXhYkLsB3pHX1G" +} diff --git a/internal/mock/testdata/sa_valid_sig_env.json b/internal/mock/testdata/sa_valid_sig_env.json index d1cd0bc3..e1d49a6c 100644 --- a/internal/mock/testdata/sa_valid_sig_env.json +++ b/internal/mock/testdata/sa_valid_sig_env.json 
@@ -1,12 +1,12 @@ { "payload": "eyJ0YXJnZXRBcnRpZmFjdCI6eyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiZGlnZXN0Ijoic2hhMjU2OjYwMDQzY2Y0NWVhZWJjNGMwODY3ZmVhNDg1YTAzOWI1OThmNTJmZDA5ZmQ1YjA3YjBiMmQyZjg4ZmFkOWQ3NGUiLCJzaXplIjo1Mjh9fQ", - "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmF1dGhlbnRpY1NpZ25pbmdUaW1lIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5Il0sImN0eSI6ImFwcGxpY2F0aW9uL3ZuZC5jbmNmLm5vdGFyeS5wYXlsb2FkLnYxK2pzb24iLCJpby5jbmNmLm5vdGFyeS5hdXRoZW50aWNTaWduaW5nVGltZSI6IjIwMjItMDctMjlUMTU6NTY6NTEtMDc6MDAiLCJpby5jbmNmLm5vdGFyeS5leHBpcnkiOiIyMTIyLTAxLTAxVDEyOjAwOjAwWiIsImlvLmNuY2Yubm90YXJ5LnNpZ25pbmdTY2hlbWUiOiJub3RhcnkueDUwOS5zaWduaW5nQXV0aG9yaXR5In0", + "protected": "eyJhbGciOiJQUzM4NCIsImNyaXQiOlsiaW8uY25jZi5ub3Rhcnkuc2lnbmluZ1NjaGVtZSIsImlvLmNuY2Yubm90YXJ5LmF1dGhlbnRpY1NpZ25pbmdUaW1lIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5Il0sImN0eSI6ImFwcGxpY2F0aW9uL3ZuZC5jbmNmLm5vdGFyeS5wYXlsb2FkLnYxK2pzb24iLCJpby5jbmNmLm5vdGFyeS5hdXRoZW50aWNTaWduaW5nVGltZSI6IjIwMjAtMTEtMDlUMDc6MDA6MDBaIiwiaW8uY25jZi5ub3RhcnkuZXhwaXJ5IjoiMjEyMC0xMS0wOVQwNzowMDowMFoiLCJpby5jbmNmLm5vdGFyeS5zaWduaW5nU2NoZW1lIjoibm90YXJ5Lng1MDkuc2lnbmluZ0F1dGhvcml0eSJ9", "header": { "x5c": [ - "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", - "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" + "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", + "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" ], "io.cncf.notary.SigningAgent": "Notation/1.0.0" }, - "signature": 
"Kgz2HaaU2eJNaeDvtWlYKSuPiPlkCDGGeaj5P_3VjI-bV4zZr2CiZZ8KcwnGHEol68VKwrqiPzXJHQL76vX6sT9lnR7UdPVjjAJqE3SBlCAnO3yTiCbAWzqsvt0H6E45qvD8stvQNIs5nJFtLWcwWpUNpx-xtCYKF2weLyzXEjRS8W0kafpqwvPLHYG873NOk4f2QI4-PyftdB2vsTwBVjSCmQ__JR1DiBVqyHhnKufb7id0NSTK0Iin_Va0dt08IBTuf2oHD169e0XDYgqtEEVIna4vdTPk66RrtZMovKWDVuZtF9ZU79CItTPwhnxh0JZ2FSVe1lxMf6Lk-3PZdO3uccygSuho83FrhsNFKt5nKDbhuut_dPO2S3Cb-LRuT1vHYg-SrarkOq-fcVWqsTbEWgRI7nAFd2T4-cQikT-w9NeW3oaQ_kybW7mh45dD15F6nC1qOT9a9r2Yk1IMSAYu9Y_DXgmlPLahOH8482VtDeJKfXXj68x7CUGns9W-" + "signature": "kqt4plYZgCdPkoVmC-1_JfH7dPUjIQOMaONP6pEucnKC1QiTa7peN83Ka8_0kAvAT3BIZ8CFjVuazioZpjHw-ydRlL3-pgagnENS8Fz2Vfwj9nKJF7mmFGi3R0t6fFFyx_Tw9rtxi4Nsv8y4k-2XLFLeSm1_EEDThHPVMbWE6XJpOIdvr2w3Iq1PsEOVo9QqVOd3FYcGLQAbiAAi_jREYpEKImFqQeY8noUCDOtULPwxbslrglOOBtKouI4OUT0ZtG3tDCBdoZUOAfNgKSlHQutlA0-G6GdBuytCz0ku45DTnGAPS11WwsuPBJfouYlusJuZHmqJTodwEnu2B2AZpLu5wxRUwWOpSyc8ftnSBkiHJWIT3bwatPjlaHoIgwcEsGPRwvFCq7V7yH2yW2uHI1FsiMUHYuWx-hDpLf4Nzag5oc-PyaV3lzsvZZHwy43ilFO-WJOZeDQCWjIZ_U1f4hGsoDkqvoRn-aFZ-pE7Nn99buVRHDjQ6-8-jfJncJaB" } diff --git a/plugin/plugin.go b/plugin/plugin.go index 68f16a15..6416372b 100644 --- a/plugin/plugin.go +++ b/plugin/plugin.go @@ -46,6 +46,16 @@ const ( // Capability is a feature available in the plugin contract. type Capability string +// In returns true if the Capability is present in the given array of capabilities +func (c Capability) In(capabilities []Capability) bool { + for _, capability := range capabilities { + if c == capability { + return true + } + } + return false +} + const ( // CapabilitySignatureGenerator is the name of the capability // for a plugin to support generating raw signatures. 
@@ -184,10 +194,13 @@ type Signature struct { // CriticalAttributes contains all Notary V2 defined critical // attributes and their values in the signature envelope type CriticalAttributes struct { - ContentType string `json:"contentType"` - SigningScheme string `json:"signingScheme"` - Expiry *time.Time `json:"expiry,omitempty"` - ExtendedAttributes map[string]interface{} `json:"extendedAttributes,omitempty"` + ContentType string `json:"contentType"` + SigningScheme string `json:"signingScheme"` + Expiry *time.Time `json:"expiry,omitempty"` + AuthenticSigningTime *time.Time `json:"authenticSigningTime,omitempty"` + VerificationPlugin string `json:"verificationPlugin,omitempty"` + VerificationPluginMinVersion string `json:"verificationPluginMinVersion,omitempty"` + ExtendedAttributes map[string]interface{} `json:"extendedAttributes,omitempty"` } // TrustPolicy represents trusted identities that sign the artifacts @@ -200,10 +213,10 @@ func (VerifySignatureRequest) Command() Command { return CommandVerifySignature } -// VerifySignatureResponse is the response of a generate-envelope request. +// VerifySignatureResponse is the response of a verify-signature request. type VerifySignatureResponse struct { - VerificationResults map[VerificationCapability]VerificationResult `json:"verificationResults"` - ProcessedAttributes []string `json:"processedAttributes"` + VerificationResults map[VerificationCapability]*VerificationResult `json:"verificationResults"` + ProcessedAttributes []string `json:"processedAttributes"` } // VerificationResult is the result of a verification performed by the plugin diff --git a/signature/plugin.go b/signature/plugin.go index 04c9ee68..80760967 100644 --- a/signature/plugin.go +++ b/signature/plugin.go 
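Review bot: With `VerificationResults` now typed `map[VerificationCapability]*VerificationResult`, a plugin reply that sets a capability to JSON `null` decodes to a nil map entry instead of a zero-value struct, and the type's comment does not say how a nil entry is to be read. The consumer is outside this hunk, so I cannot tell whether it nil-checks before dereferencing; since the plugin is a separate executable, its output should be handled as untrusted, and a nil or absent result should count as a failed check rather than be skipped. I would document that on the field, e.g. `// A nil or missing entry means the plugin returned no result for that capability and must be treated as not verified.`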
@@ -120,7 +120,7 @@ func (s *pluginSigner) generateSignature(ctx context.Context, desc notation.Desc SigningTime: time.Now(), ExtendedSignedAttrs: nil, SigningScheme: signer.SigningSchemeX509, - SigningAgent: "Notation/1.0.0", // TODO: include external signing plugin's name and version. https://github.com/notaryproject/notation-go/issues/80 + SigningAgent: "Notation/1.0.0", // TODO: include external signing plugin's name and version. https://github.com/notaryproject/notation-go/issues/80 } if !opts.Expiry.IsZero() { signReq.Expiry = opts.Expiry diff --git a/signature/plugin_test.go b/signature/plugin_test.go index a40cd309..63bb20e9 100644 --- a/signature/plugin_test.go +++ b/signature/plugin_test.go @@ -37,11 +37,11 @@ func (r *mockRunner) Run(_ context.Context, _ plugin.Request) (interface{}, erro } type mockSignerPlugin struct { - KeyID string - KeySpec signer.KeySpec - Sign func(payload []byte) []byte - Certs [][]byte - n int + KeyID string + KeySpec signer.KeySpec + Sign func(payload []byte) []byte + Certs [][]byte + n int } func (s *mockSignerPlugin) Run(_ context.Context, req plugin.Request) (interface{}, error) { @@ -163,8 +163,8 @@ func TestSigner_Sign_UnsuportedKeySpec(t *testing.T) { func TestSigner_Sign_NoCertChain(t *testing.T) { signer := pluginSigner{ runner: &mockSignerPlugin{ - KeyID: "1", - KeySpec: signer.RSA_2048, + KeyID: "1", + KeySpec: signer.RSA_2048, }, keyID: "1", } @@ -174,9 +174,9 @@ func TestSigner_Sign_NoCertChain(t *testing.T) { func TestSigner_Sign_MalformedCert(t *testing.T) { signer := pluginSigner{ runner: &mockSignerPlugin{ - KeyID: "1", - KeySpec: signer.RSA_2048, - Certs: [][]byte{[]byte("mocked")}, + KeyID: "1", + KeySpec: signer.RSA_2048, + Certs: [][]byte{[]byte("mocked")}, }, keyID: "1", } @@ -255,7 +255,6 @@ func TestSigner_Sign_Valid(t *testing.T) { t.Errorf("Signer.Sign() payload changed") } - if !reflect.DeepEqual(sigInfo.CertificateChain, cert) { t.Errorf("Signer.Sign() cert chain changed") } 
@@ -307,13 +306,13 @@ func (s *mockEnvelopePlugin) Run(_ context.Context, req plugin.Request) (interfa req1 := req.(*plugin.GenerateEnvelopeRequest) data, err := env.Sign(signer.SignRequest{ - Payload: req1.Payload, - PayloadContentType: signer.PayloadContentType(req1.PayloadType), - SignatureProvider: lsp, - SigningTime: time.Now(), - Expiry: time.Now().AddDate(2,0,0), - SigningScheme: signer.SigningSchemeX509SigningAuthority, - SigningAgent: "", + Payload: req1.Payload, + PayloadContentType: signer.PayloadContentType(req1.PayloadType), + SignatureProvider: lsp, + SigningTime: time.Now(), + Expiry: time.Now().AddDate(2, 0, 0), + SigningScheme: signer.SigningSchemeX509SigningAuthority, + SigningAgent: "", }) if err != nil { return nil, err diff --git a/signature/signer.go b/signature/signer.go index 1c5c0559..5dbc1b0f 100644 --- a/signature/signer.go +++ b/signature/signer.go @@ -56,7 +56,7 @@ func NewSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (notation.S } return &pluginSigner{ - runner: &builtinPlugin{ localSignatureProvider: lsp }, + runner: &builtinPlugin{localSignatureProvider: lsp}, }, nil } diff --git a/verification/helpers.go b/verification/helpers.go index 5d5509c3..c31769cd 100644 --- a/verification/helpers.go +++ b/verification/helpers.go @@ -3,6 +3,7 @@ package verification import ( "encoding/json" "fmt" + nsigner "github.com/notaryproject/notation-core-go/signer" "github.com/notaryproject/notation-go/dir" "os" "regexp" 
@@ -25,7 +26,16 @@ func loadPolicyDocument(policyDocumentPath string) (*PolicyDocument, error) { return policyDocument, nil } -func loadX509TrustStores(policy *TrustPolicy, pathManager *dir.PathManager) (map[string]*X509TrustStore, error) { +func loadX509TrustStores(scheme nsigner.SigningScheme, policy *TrustPolicy, pathManager *dir.PathManager) (map[string]*X509TrustStore, error) { + var prefixToLoad TrustStorePrefix + if scheme == nsigner.SigningSchemeX509 { + prefixToLoad = TrustStorePrefixCA + } else if scheme == nsigner.SigningSchemeX509SigningAuthority { + prefixToLoad = TrustStorePrefixSigningAuthority + } else { + return nil, fmt.Errorf("unrecognized signing scheme %q", scheme) + } + var result = make(map[string]*X509TrustStore) for _, trustStore := range policy.TrustStores { if result[trustStore] != nil { @@ -34,6 +44,10 @@ func loadX509TrustStores(policy *TrustPolicy, pathManager *dir.PathManager) (map } i := strings.Index(trustStore, ":") prefix := trustStore[:i] + if prefixToLoad != TrustStorePrefix(prefix) { + continue + } + name := trustStore[i+1:] x509TrustStore, err := LoadX509TrustStore(pathManager.X509TrustStore(prefix, name)) if err != nil { diff --git a/verification/helpers_test.go b/verification/helpers_test.go index 0cf4568b..9a6e800d 100644 --- a/verification/helpers_test.go +++ b/verification/helpers_test.go @@ -2,6 +2,7 @@ package verification import ( "encoding/json" + nsigner "github.com/notaryproject/notation-core-go/signer" "github.com/notaryproject/notation-go/dir" "io/ioutil" "path/filepath" 
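Review bot: After the added `continue` filter, a policy whose `TrustStores` has no entry with the prefix selected for the signing scheme makes `loadX509TrustStores` produce an empty map, and as far as the visible lines show no error is raised for that case. The end of the function and its caller are outside the hunk, so this may be handled later, but failing here keeps an empty trust-store set from reaching certificate-chain validation: `if len(result) == 0 { return nil, fmt.Errorf("no trust store with prefix %q configured for signing scheme %q", prefixToLoad, scheme) }` placed after the loop. The `if`/`else if` chain on `scheme` would also read more clearly as a `switch scheme { ... default: ... }`.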
@@ -73,14 +74,12 @@ func TestLoadX509TrustStore(t *testing.T) {
 dir.NewRootedFS("testdata", nil),
 ),
 }
- trustStores, err := loadX509TrustStores(&dummyPolicy, path)
+ caTrustStores, err := loadX509TrustStores(nsigner.SigningSchemeX509, &dummyPolicy, path)
+ saTrustStores, err := loadX509TrustStores(nsigner.SigningSchemeX509SigningAuthority, &dummyPolicy, path)
 if err != nil {
 t.Fatalf("TestLoadX509TrustStore should not throw error for a valid trust store. Error: %v", err)
 }
- if (len(trustStores)) != 2 {
- t.Fatalf("TestLoadX509TrustStore must load two trust stores")
- }
- if trustStores[caStore] == nil || trustStores[signingAuthorityStore] == nil {
- t.Fatalf("TestLoadX509TrustStore must load trust store associated with \"ca\" and \"signingAuthority\"")
+ if len(caTrustStores) != 1 || len(saTrustStores) != 1 {
+ t.Fatalf("TestLoadX509TrustStore must load one trust store of each 'ca' and 'signingAuthority' prefixes")
 }
 }
diff --git a/verification/policy_test.go b/verification/policy_test.go
index deaa8ccf..38a9d3dc 100644
--- a/verification/policy_test.go
+++ b/verification/policy_test.go
@@ -10,7 +10,7 @@ func dummyPolicyStatement() (policyStatement TrustPolicy) {
 Name: "test-statement-name",
 RegistryScopes: []string{"registry.acme-rockets.io/software/net-monitor"},
 SignatureVerification: SignatureVerification{Level: "strict"},
- TrustStores: []string{"ca:valid-trust-store"},
+ TrustStores: []string{"ca:valid-trust-store", "signingAuthority:valid-trust-store"},
 TrustedIdentities: []string{"x509.subject:CN=Notation Test Root,O=Notary,L=Seattle,ST=WA,C=US"},
 }
 return
diff --git a/verification/store_test.go b/verification/store_test.go
index 7c128dae..ba21712f 100644
--- a/verification/store_test.go
+++ b/verification/store_test.go
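Review bot: The error from the first `loadX509TrustStores` call in `TestLoadX509TrustStore` is overwritten before it is checked, because `saTrustStores, err := ...` on the next line reuses `err`. A failure loading the `ca` stores would only surface indirectly through the length assertion. Check it between the two calls, e.g. `if err != nil { t.Fatalf("loading ca trust stores: %v", err) }`, and keep the existing check for the second call. The test also no longer asserts which store was loaded; asserting `caTrustStores[caStore] != nil` would preserve that, assuming `caStore` is still defined earlier in the test, outside the hunk.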
@@ -13,8 +13,8 @@ func TestLoadValidTrustStore(t *testing.T) {
 if err != nil {
 t.Fatalf("could not load a valid trust store. %q", err)
 }
- if len(trustStore.Certificates) != 4 {
- t.Fatalf("unexpected number of certificates in the trust store, expected: %d, got: %d", 4, len(trustStore.Certificates))
+ if len(trustStore.Certificates) != 3 {
+ t.Fatalf("unexpected number of certificates in the trust store, expected: %d, got: %d", 3, len(trustStore.Certificates))
 }
 if trustStore.Prefix != "ca" {
 t.Fatalf("trust store prefix should be \"ca\"")
diff --git a/verification/testdata/truststore/x509/ca/valid-trust-store/NotationTestRoot.pem b/verification/testdata/truststore/x509/ca/valid-trust-store/NotationTestRoot.pem
index 27e9615e..aa23820d 100644
--- a/verification/testdata/truststore/x509/ca/valid-trust-store/NotationTestRoot.pem
+++ b/verification/testdata/truststore/x509/ca/valid-trust-store/NotationTestRoot.pem
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEiTCCAvGgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL +MIIEizCCAvOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEb -MBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MB4XDTIyMDcyOTIyNTUwOVoXDTIy -MDgyOTIyNTUwOVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQH -EwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxGzAZBgNVBAMTEk5vdGF0aW9uIFRl -c3QgUm9vdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMIU/fV6+Cua -jN4Y9psrWvuMa2khFRoNh3B4UnIONWFQFuacMNvN+ylKXZNJ4lZxf29JYZhowXkn -M6rOYE4xstTZSh7qDSA+Q42fbsZnPQb+Yn2XKvDUFdorBnZX2CmHscPKhae1tlVJ -m52MLGCxyycH0gTv8hezglaOhOT9ScVDet+B9sQY0EMcC22/orYS/lGim0F86XO6 -RGxWuOaOxs/4msBJZoIxI07dFoQuWAtRHD6RlKaQZ9+r0XtpEZX+58LmL54ZXggS -MGtNZPZT04eeG4xB2+QCmZM7VzLdSeTNHwoDNskE8FRaiburX1NQrGlhUjLXAjvz -6LE6N3AKKbqJGzxsAbJwBfxkSTumRuQL7sIkxOLY6eEkEbZWxCUvYXejexj7IzFO -4Z07dM1ne4lBe5kU6Af2ZrnLqTUFB/jdJWCRnbbQ4NHRElKvulDUxhmp8ECcgN3S -eU5b11Bzwayl6OKAsz4ZtuEcTaPh0N1lL+DxBG7iJDxrxl1WW9LcrwIDAQABo1ow -WDAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/ -BAgwBgEB/wIBATAdBgNVHQ4EFgQUwLYj6kXXSwMn6f6zbGRic/5xSlgwDQYJKoZI -hvcNAQELBQADggGBAIcIJGI3xJvdivu4/uyV+1c5ZH6B/yieE44XLGWGQU3qWJOL -TpNDgBaK+14sIb7VnAtTrtQerozZKbL1gETcYEcmLhdWkIUHY8xRSCEgDIpiw5Gi -1D3Asm+HsCFE9zHu0vutWQ47RHIJruy6aM5/AGkIbMXEB8A5YVXWaFfkgZMJc3tl -S7Ml5QT4/Jh3K8lMo51RiNCyjURt8gDHkFRrs8FBTWwPZtCg93YbxHHbdjZiIJ+I -L8n+ORsSHQdJC0tVKcIIWaBkt1h34gwgSP1XPEa4TQYgt4dFlLapOefNSH2KSfgM -m72USVXzIfGAokcbr6CkxhBuZj3hvZ/H742gFoxaC53LfRvV0yTNqnSn2NG8aN5Q -w9LG2xuYuGPTz2bVOyxi0QeNr2kOqTOwO5wSG9f/JQH52TfaLjX0rL7PPv2HrJlR -27ErISccu9xobfNwrjVa14bhoToDoy3vHr4BAwILsL7PRSk+bPQ680H8UfRxglNp -tkpcUNRV/0gzY98qCw== +MBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MCAXDTIwMDkwOTA3MDAwMFoYDzIx +MjIwOTA1MjAzODQ1WjBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNV +BAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSTm90YXRpb24g +VGVzdCBSb290MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxxAZ8VZe 
+gqBUctz3BkwhObZKnW+KsN5/N1/u2vPLmEzHDj6xgd8Hn0JoughDaxeQCV66NC2o +bqPnPp4+68G/qZnxkXVXdFyqVodu4FgPUjiqcJjft7bh45BVgLFpOqSqDQ3ko30B +7gdGfIIkoBj/8gz3tHnmIvl3MywtOhDeGnlLNzBY52wVmhPIdKOaW/7WkMrXKFCk +LkNICGnIpWuyBtC+7RfM8hG6eRW1KCm5xrkRmn5ptonjxix/JTGj4me/NMkwdVkz +6wcCSAJnqTgHi2oqk73qqNu0LHsEMFBF8IGqmVkn2MOHkFamPBokzQ6HXXfvR4nb +cWQZCUgRinPTVg9CF0B6XSCEMCSH5kveZxTQtAFRB6NosbzuU5jDmJgpbDfauev7 +Eg/6bZzphcugRkVuwulymzsake5Jbvs9Kyw3CNPYH2G3Kli1FNhfc46ugXHbIfXg +NQcou3xabcu+r6cFRqqK6NmV9ouMQRj8Ri95Gp2BUlpTEFhcvMb9d4nXAgMBAAGj +WjBYMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDAzASBgNVHRMB +Af8ECDAGAQH/AgEBMB0GA1UdDgQWBBS5FZjt9UsEPkcKrStrnjSpTq4kDTANBgkq +hkiG9w0BAQsFAAOCAYEAKtxfv12LzM85bxOMp5++pIDa6eMcBaurYbAM2yC9B6Lu +Hf0JGeFdNqt4Fw38Ajooj2vWMWBrARVEZRVqTC5+ZSN2meGBXBXlT4n8FdEdmv+0 +5iwVYdmDFp8FKeoOZZZF23u+r2OrazJo1ufWmoSI2P0lEfZQQFQElltWu3QH+OLO +WXJmB7KbLKyheelGK5XhtAYYapRdW4sKJ398ybpv5C1oALCcTwoSmvH8wW5J4/gj +mhKICYh2goMauf0lesdxj+0His7E8blOWrUmfOB5dp73XawLKcd/UxHN8zAPC08L +DL9NMcihn3ZHKi7/dtkiV2iSaDPD1ChSGdqfXIysYqOhYoktgAfBZ43CWnqQhgB8 +NezRKdOStYC3P2AGJW18irxxTRp2CO+gnXEcyhyr+cvyf0j8MkRSaHLXzjIrECu8 +BUitB6sKughdN13fs5t5SIiO6foeFdvIpZFFKO8s+4oTOSDCos2WFoC+8TZS6r58 +3OtFLmywl1HRgQkobGgw -----END CERTIFICATE----- diff --git a/verification/testdata/truststore/x509/ca/valid-trust-store/NotationTestRootExpiredSig.pem b/verification/testdata/truststore/x509/ca/valid-trust-store/NotationTestRootExpiredSig.pem deleted file mode 100644 index 3bea9574..00000000 --- a/verification/testdata/truststore/x509/ca/valid-trust-store/NotationTestRootExpiredSig.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEiTCCAvGgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL -MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEb -MBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MB4XDTIyMDcyOTIzMDIwMFoXDTIy -MDgyOTIzMDIwMFowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQH -EwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxGzAZBgNVBAMTEk5vdGF0aW9uIFRl -c3QgUm9vdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALbo3jsPh/LG -mpLlbsxlTgqcyYXrxP07UzwpVkGIginXahSpnDYavk/b4vdRtSm0I/bRnrdWRTOu -fgsDeocWhcqgorWmiI/fg9SP9InLdVT33aqTiMlcpi+SP1AMMeESLrOSnI41lLSK -l6KmV94nF7rIBL/8uSwSrzTdSOoM63fzeO5QMG+Y/ux5s4BxGbqX/SraCGrap6RX -HuazmQ8getp8lq7HTUHx2AEF0DzloZbEj+AJD68DqlEvPh8lytUdYR9ou1aNt6o4 -dj6kcr06bjwVLNrIquE0whWi4o+6dXK9CS0t40MgGy8hu16uYDZ01HzsHenHkcgn -7yqwEqCxz5Ba0U7iRf3qbdZ9KX7ImTWKR0Uwqpix2RVBNWGCVJAtfEnV94KytFmb -8AibEnjhFwjA7QM9F6WlykeGAjVqG3OMssVCv6NaufDJQOpx+yGLuaESBYtMvoqA -fmltY5j+ATj7GMsZ1NzA292lVSOnxuh9M1pcCmIPXl7Aty08A16FfQIDAQABo1ow -WDAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/ -BAgwBgEB/wIBATAdBgNVHQ4EFgQU3cTJUV7Q1AFpJXvj1lK3CYzCD4QwDQYJKoZI -hvcNAQELBQADggGBAAjHRe/IlWXhr4mDVcrPSTJtNiyU0GdlGoYqs2w81JPFjlB5 -TGFPb6WfYPQZo6V4MFO3NxY1Hyx/dJ5oFpglaQw2ouhAcqmPsvUoVCGNSfNgNjfq -73GlZQbcgMtEYk57gUAJj1j1pdoalLLRL4Q98R92UNAtqx9qcRWX5MAdblKYlxAT -J/tnbxQ6GQOmkpN6aWj2EXIlQ9aI5gc0tdRIOK7LKA3o4XK7hHj6rofpVZ0caLd0 -5mcfNLUeuaDScu0q+5TABhGfk4Q//C0WR/bDouqV5/9zs0ye23RAh1CNKGf+Zrmq -iHTo0Z0RzzzWlPkOiHHeJB+KLTFbBFz+p6KRvqkLxEMVTt1igP7DWbLQwvIVMtgF -abqrR0k5Iex9ejSpP0FJniVVANNRRw1+setBRu5CdejDPO3Z5TbwcDy5bKZswgY0 -lVmeNr9BfNHW/wh+ttErf3zP2iObOAJUAlyDDTpVW5mmfG9ihr1gQHQ+bVCxbBLe -hvCnrTYTPbKNE8oHVA== ------END CERTIFICATE----- diff --git a/verification/testdata/truststore/x509/signingAuthority/valid-trust-store/NotationTestRoot.pem b/verification/testdata/truststore/x509/signingAuthority/valid-trust-store/NotationTestRoot.pem index d593bd3a..aa23820d 100644 
--- a/verification/testdata/truststore/x509/signingAuthority/valid-trust-store/NotationTestRoot.pem +++ b/verification/testdata/truststore/x509/signingAuthority/valid-trust-store/NotationTestRoot.pem 
@@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEiTCCAvGgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL +MIIEizCCAvOgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJVUzEL MAkGA1UECBMCV0ExEDAOBgNVBAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEb -MBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MB4XDTIyMDcyOTIyNTY1MVoXDTIy -MDgyOTIyNTY1MVowWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQH -EwdTZWF0dGxlMQ8wDQYDVQQKEwZOb3RhcnkxGzAZBgNVBAMTEk5vdGF0aW9uIFRl -c3QgUm9vdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAMRDEsYE+H1G -FLfX3z3giNsJqvsqc5E+/B4lpkxUY44XQ5kR4sYjtAgpDdRyJd+P6zTZBtzrQpND -ZNMKTBK36lMGazmvXKzvvVdelS9CYeLvsJu7SZILn3k400umUWOSkzUsMHsevkjA -5EmkYW6BrPStLeO7nTFhHVLiWAtNCQ0teeeGpShXVJ3Xk9Hytx4kADkFaeQf8Sh4 -MjDoPb5Zla8EGgQO0ceXJy/HwuWg5DsvLWiUs6lNKYvp2S59SKIwaD8ZF0Q9Tw98 -OilvdzmWg1JQAplTQ0RdOdWy54teiE3bKcH4xloTA/iD6JdZfN5PxIXPok+X7a06 -kONDR3mQb4RqfcAas4zvPj0du8HLinqi/YL6IMXv9eQWUY9axYVIabYtd8xk+aI6 -s+lCWirceWah+DGxiFezdHsOgvNWSI2jZtceY1Kpmy6gINUgObs9C9gCaZry7K6U -pN6tMAXEgV9Py+XFY44KB97oEc9b88y68FX6LkKAzzSdNpHtMoJ8+QIDAQABo1ow -WDAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/ -BAgwBgEB/wIBATAdBgNVHQ4EFgQU/4iwABBrFwEJ8/W9cPpQPB/o1iIwDQYJKoZI -hvcNAQELBQADggGBAEklAJBr1DOl3CWcSA5xvoCgQVEoAXS/TAxsC85aSWcSNvr9 -s30VONM5/uYBfD38aLjBsfOTQPkisVbjQe0kxVfq2GH8SsHpY2172iBJyek++Jof -XfrHTaUn/I8Y2Nv3Zgqv9ewTwIgcFcSLGf8/QfvKeSK3kFWaangzyUf+5F4xX9Ez -4tPpqhZiJ9N7iaRnk2QVIvMi0qm91oJ8thdAKyqX4xenpSR7W2aS/oOAGlUagKSm -jbmqiiDfSfmr8A5fe55QOdBTvHu0haj44XdcRDtIB8fphPFOaIgBrDlWjDGnmBuS -k2NxVCy8GRAb1b5XPv25vJDwhlx/X0tZnMriODjmc2ex3FJg/nn5DzjjWGWzZ+F8 -O0WjskeEzu8YJTzyyIY2YxypmwcSoswRQZ5IQ7OPxS2rmV47/l2toaHBOo9sPVJG -JxgiXR5bCtwhVLA0T0RS1f7V3FvGySG1FAKldLep7vc4v0Oi4xjNiHZYKqubKGi5 -xpks+L1e+nPXcmrk+g== +MBkGA1UEAxMSTm90YXRpb24gVGVzdCBSb290MCAXDTIwMDkwOTA3MDAwMFoYDzIx +MjIwOTA1MjAzODQ1WjBaMQswCQYDVQQGEwJVUzELMAkGA1UECBMCV0ExEDAOBgNV +BAcTB1NlYXR0bGUxDzANBgNVBAoTBk5vdGFyeTEbMBkGA1UEAxMSTm90YXRpb24g +VGVzdCBSb290MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAxxAZ8VZe 
+gqBUctz3BkwhObZKnW+KsN5/N1/u2vPLmEzHDj6xgd8Hn0JoughDaxeQCV66NC2o +bqPnPp4+68G/qZnxkXVXdFyqVodu4FgPUjiqcJjft7bh45BVgLFpOqSqDQ3ko30B +7gdGfIIkoBj/8gz3tHnmIvl3MywtOhDeGnlLNzBY52wVmhPIdKOaW/7WkMrXKFCk +LkNICGnIpWuyBtC+7RfM8hG6eRW1KCm5xrkRmn5ptonjxix/JTGj4me/NMkwdVkz +6wcCSAJnqTgHi2oqk73qqNu0LHsEMFBF8IGqmVkn2MOHkFamPBokzQ6HXXfvR4nb +cWQZCUgRinPTVg9CF0B6XSCEMCSH5kveZxTQtAFRB6NosbzuU5jDmJgpbDfauev7 +Eg/6bZzphcugRkVuwulymzsake5Jbvs9Kyw3CNPYH2G3Kli1FNhfc46ugXHbIfXg +NQcou3xabcu+r6cFRqqK6NmV9ouMQRj8Ri95Gp2BUlpTEFhcvMb9d4nXAgMBAAGj +WjBYMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEFBQcDAzASBgNVHRMB +Af8ECDAGAQH/AgEBMB0GA1UdDgQWBBS5FZjt9UsEPkcKrStrnjSpTq4kDTANBgkq +hkiG9w0BAQsFAAOCAYEAKtxfv12LzM85bxOMp5++pIDa6eMcBaurYbAM2yC9B6Lu +Hf0JGeFdNqt4Fw38Ajooj2vWMWBrARVEZRVqTC5+ZSN2meGBXBXlT4n8FdEdmv+0 +5iwVYdmDFp8FKeoOZZZF23u+r2OrazJo1ufWmoSI2P0lEfZQQFQElltWu3QH+OLO +WXJmB7KbLKyheelGK5XhtAYYapRdW4sKJ398ybpv5C1oALCcTwoSmvH8wW5J4/gj +mhKICYh2goMauf0lesdxj+0His7E8blOWrUmfOB5dp73XawLKcd/UxHN8zAPC08L +DL9NMcihn3ZHKi7/dtkiV2iSaDPD1ChSGdqfXIysYqOhYoktgAfBZ43CWnqQhgB8 +NezRKdOStYC3P2AGJW18irxxTRp2CO+gnXEcyhyr+cvyf0j8MkRSaHLXzjIrECu8 +BUitB6sKughdN13fs5t5SIiO6foeFdvIpZFFKO8s+4oTOSDCos2WFoC+8TZS6r58 +3OtFLmywl1HRgQkobGgw -----END CERTIFICATE----- diff --git a/verification/types.go b/verification/types.go index e9e5ff31..1f33c6da 100644 --- a/verification/types.go +++ b/verification/types.go @@ -1,6 +1,7 @@ package verification import ( + "context" "fmt" nsigner "github.com/notaryproject/notation-core-go/signer" ) 
@@ -211,3 +212,19 @@ func GetVerificationLevel(signatureVerification SignatureVerification) (*Verific
 }
 return customVerificationLevel, nil
 }
+
+type pluginConfigCtxKey struct{}
+
+// WithPluginConfig is used by callers to set the plugin config in the context.
+func WithPluginConfig(ctx context.Context, config map[string]string) context.Context {
+ return context.WithValue(ctx, pluginConfigCtxKey{}, config)
+}
+
+// getPluginConfig used to retrieve the config from the context.
+func getPluginConfig(ctx context.Context, config map[string]string) map[string]string {
+ config, ok := ctx.Value(pluginConfigCtxKey{}).(map[string]string)
+ if !ok {
+ return nil
+ }
+ return config
+}
diff --git a/verification/verifier.go b/verification/verifier.go
index b71a8c94..28760f11 100644
--- a/verification/verifier.go
+++ b/verification/verifier.go
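Review bot: `getPluginConfig` declares a `config map[string]string` parameter that is never read: its first statement, `config, ok := ctx.Value(pluginConfigCtxKey{}).(map[string]string)`, reassigns it, so whatever the caller passes is discarded. Drop the parameter, `func getPluginConfig(ctx context.Context) map[string]string`, and update the call in `executePlugin`, which currently builds an empty map only to pass it in. `WithPluginConfig` also stores the caller's map by reference, so a later mutation by the caller changes what a plugin receives. A comment stating that the map must not be modified after the call, or storing a copy, would make that contract explicit.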
@@ -43,8 +43,23 @@ func NewVerifier(repository registry.Repository) (*Verifier, error) { } /* -Verify performs verification for each of the verification types supported in notation -See https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#signature-verification +Verify performs signature verification on each of the notation supported verification types (like integrity, authenticity, etc.) and return the verification outcomes. + +Given an artifact URI, Verify will retrieve all the signatures associated with the URI and perform signature verification. +A signature is considered not valid if verification fails due to any one of the following reasons + +1. Artifact URI is not associated with a signature i.e. unsigned +2. Registry is unavailable to retrieve the signature +3. Signature does not satisfy the verification rules configured in the trust policy +4. Signature specifies a plugin for extended verification and that throws an error +5. Digest in the signature does not match the digest present in the URI + +If each and every signature associated with the URI fail the verification, then Verify will return `ErrorVerificationFailed` error +along with an array of `SignatureVerificationOutcome`. + +Callers can pass the verification plugin config in context.Context using "verification.WithPluginConfig()" + +For more details on signature verification, see https://github.com/notaryproject/notaryproject/blob/main/trust-store-trust-policy-specification.md#signature-verification */ func (v *Verifier) Verify(ctx context.Context, artifactUri string) ([]*SignatureVerificationOutcome, error) { var verificationOutcomes []*SignatureVerificationOutcome 
@@ -66,7 +81,6 @@ func (v *Verifier) Verify(ctx context.Context, artifactUri string) ([]*Signature
 if err != nil {
 return nil, ErrorSignatureRetrievalFailed{msg: err.Error()}
 }
-
 artifactDescriptor, err := v.Repository.Resolve(ctx, artifactDigest)
 if err != nil {
 return nil, ErrorSignatureRetrievalFailed{msg: err.Error()}
@@ -124,30 +138,158 @@ func (v *Verifier) Verify(ctx context.Context, artifactUri string) ([]*Signature } func (v *Verifier) processSignature(ctx context.Context, sigBlob []byte, sigManifest registry.SignatureManifest, trustPolicy *TrustPolicy, outcome *SignatureVerificationOutcome) error { + // verify integrity first. notation will always verify integrity no matter what the signing scheme is - signerInfo, result := v.verifyIntegrity(sigBlob, sigManifest, outcome) + signerInfo, integrityResult := v.verifyIntegrity(sigBlob, sigManifest, outcome) outcome.SignerInfo = signerInfo - outcome.VerificationResults = append(outcome.VerificationResults, result) - if result.Error != nil { - return result.Error + outcome.VerificationResults = append(outcome.VerificationResults, integrityResult) + if integrityResult.Error != nil { + return integrityResult.Error } - // verify x509 and trust identity based authenticity - result = v.verifyAuthenticity(TrustStorePrefixCA, trustPolicy, outcome) - outcome.VerificationResults = append(outcome.VerificationResults, result) - if isCriticalFailure(result) { - return result.Error + // check if we need to verify using a plugin + var pluginCapabilities []plugin.Capability + verificationPluginName := outcome.SignerInfo.SignedAttributes.VerificationPlugin + if verificationPluginName != "" { + installedPlugin, err := v.PluginManager.Get(ctx, verificationPluginName) + if err != nil { + return ErrorVerificationInconclusive{msg: fmt.Sprintf("error while locating the verification plugin %q, make sure the plugin is installed successfully before verifying the signature. 
error: %s", verificationPluginName, err)} + } + + // TODO verify the plugin's version is equal to or greater than `outcome.SignerInfo.SignedAttributes.VerificationPluginMinVersion` + // https://github.com/notaryproject/notation-go/issues/102 + + // filter the "verification" capabilities supported by the installed plugin + for _, capability := range installedPlugin.Capabilities { + if capability == plugin.CapabilityRevocationCheckVerifier || capability == plugin.CapabilityTrustedIdentityVerifier { + pluginCapabilities = append(pluginCapabilities, capability) + } + } + + if len(pluginCapabilities) == 0 { + return ErrorVerificationInconclusive{msg: fmt.Sprintf("digital signature requires plugin %q with signature verification capabilities (%q and/or %q) installed", verificationPluginName, plugin.CapabilityTrustedIdentityVerifier, plugin.CapabilityRevocationCheckVerifier)} + } + } + + // verify x509 trust store based authenticity + authenticityResult := v.verifyAuthenticity(trustPolicy, outcome) + outcome.VerificationResults = append(outcome.VerificationResults, authenticityResult) + if isCriticalFailure(authenticityResult) { + return authenticityResult.Error + } + + // verify x509 trusted identity based authenticity (only if notation needs to perform this verification rather than a plugin) + if !plugin.CapabilityTrustedIdentityVerifier.In(pluginCapabilities) { + v.verifyX509TrustedIdentities(trustPolicy, outcome, authenticityResult) + if isCriticalFailure(authenticityResult) { + return authenticityResult.Error + } } // verify expiry - result = v.verifyExpiry(outcome) - outcome.VerificationResults = append(outcome.VerificationResults, result) - if isCriticalFailure(result) { - return result.Error + expiryResult := v.verifyExpiry(outcome) + outcome.VerificationResults = append(outcome.VerificationResults, expiryResult) + if isCriticalFailure(expiryResult) { + return expiryResult.Error + } + + // verify authentic timestamp + authenticTimestampResult := 
v.verifyAuthenticTimestamp(outcome) + outcome.VerificationResults = append(outcome.VerificationResults, authenticTimestampResult) + if isCriticalFailure(authenticTimestampResult) { + return authenticTimestampResult.Error + } + + // verify revocation + // check if we need to bypass the revocation check, since revocation can be skipped using a trust policy or a plugin may override the check + if outcome.VerificationLevel.VerificationMap[Revocation] != Skipped && + !plugin.CapabilityRevocationCheckVerifier.In(pluginCapabilities) { + // TODO perform X509 revocation check (not in RC1) + // https://github.com/notaryproject/notation-go/issues/110 + } + + // perform extended verification using verification plugin if present + if verificationPluginName != "" { + var capabilitiesToVerify []plugin.VerificationCapability + for _, pc := range pluginCapabilities { + // skip the revocation capability if the trust policy is configured to skip it + if outcome.VerificationLevel.VerificationMap[Revocation] == Skipped && pc == plugin.CapabilityRevocationCheckVerifier { + continue + } + capabilitiesToVerify = append(capabilitiesToVerify, plugin.VerificationCapability(pc)) + } + + if len(capabilitiesToVerify) > 0 { + response, err := v.executePlugin(ctx, trustPolicy, capabilitiesToVerify, outcome.SignerInfo) + if err != nil { + return err + } + return v.processPluginResponse(capabilitiesToVerify, response, outcome) + } + } + + return nil +} + +func (v *Verifier) processPluginResponse(capabilitiesToVerify []plugin.VerificationCapability, response *plugin.VerifySignatureResponse, outcome *SignatureVerificationOutcome) error { + verificationPluginName := outcome.SignerInfo.SignedAttributes.VerificationPlugin + + // verify all extended critical attributes are processed by the plugin + for _, attr := range outcome.SignerInfo.SignedAttributes.ExtendedAttributes { + if attr.Critical { + if !isPresent(attr.Key, response.ProcessedAttributes) { + return fmt.Errorf("extended critical attribute %q 
was not processed by the verification plugin %q (all extended critical attributes must be processed by the verification plugin)", attr.Key, verificationPluginName) + } + } + } + + for _, capability := range capabilitiesToVerify { + pluginResult := response.VerificationResults[capability] + if pluginResult == nil { + // verification result is empty for this capability + return ErrorVerificationInconclusive{msg: fmt.Sprintf("verification plugin %q failed to verify %q", verificationPluginName, capability)} + } + switch capability { + case plugin.VerificationCapabilityTrustedIdentity: + if !pluginResult.Success { + // find the Authenticity VerificationResult that we already created during x509 trust store verification + var authenticityResult *VerificationResult + for _, r := range outcome.VerificationResults { + if r.Type == Authenticity { + authenticityResult = r + break + } + } + + authenticityResult.Success = false + authenticityResult.Error = fmt.Errorf("trusted identify verification by plugin %q failed with reason %q", verificationPluginName, pluginResult.Reason) + + if isCriticalFailure(authenticityResult) { + return authenticityResult.Error + } + } + case plugin.VerificationCapabilityRevocationCheck: + var revocationResult *VerificationResult + if !pluginResult.Success { + revocationResult = &VerificationResult{ + Success: false, + Error: fmt.Errorf("revocation check by verification plugin %q failed with reason %q", verificationPluginName, pluginResult.Reason), + Type: Revocation, + Action: outcome.VerificationLevel.VerificationMap[Revocation], + } + } else { + revocationResult = &VerificationResult{ + Success: true, + Type: Revocation, + Action: outcome.VerificationLevel.VerificationMap[Revocation], + } + } + outcome.VerificationResults = append(outcome.VerificationResults, revocationResult) + if isCriticalFailure(revocationResult) { + return revocationResult.Error + } + } } - // Verify timestamping signature if present - Not in RC1 - // Verify revocation - 
Not in RC1 - // no error return nil } diff --git a/verification/verifier_helpers.go b/verification/verifier_helpers.go index bb92061e..c090bf72 100644 --- a/verification/verifier_helpers.go +++ b/verification/verifier_helpers.go @@ -1,9 +1,11 @@ package verification import ( + "context" "crypto/x509" "fmt" nsigner "github.com/notaryproject/notation-core-go/signer" + "github.com/notaryproject/notation-go/plugin" "github.com/notaryproject/notation-go/registry" "strings" "time" @@ -57,9 +59,9 @@ func (v *Verifier) verifyIntegrity(sigBlob []byte, sigManifest registry.Signatur } } -func (v *Verifier) verifyAuthenticity(trustStorePrefix TrustStorePrefix, trustPolicy *TrustPolicy, outcome *SignatureVerificationOutcome) *VerificationResult { +func (v *Verifier) verifyAuthenticity(trustPolicy *TrustPolicy, outcome *SignatureVerificationOutcome) *VerificationResult { // verify authenticity - trustStores, err := loadX509TrustStores(trustPolicy, v.PathManager) + trustStores, err := loadX509TrustStores(outcome.SignerInfo.SigningScheme, trustPolicy, v.PathManager) if err != nil { return &VerificationResult{ @@ -70,13 +72,20 @@ func (v *Verifier) verifyAuthenticity(trustStorePrefix TrustStorePrefix, trustPo } } - // filter trust certificates based on trust store prefix var trustCerts []*x509.Certificate for _, v := range trustStores { - if v.Prefix == string(trustStorePrefix) { - trustCerts = append(trustCerts, v.Certificates...) + trustCerts = append(trustCerts, v.Certificates...) + } + + if len(trustCerts) < 1 { + return &VerificationResult{ + Success: false, + Error: ErrorVerificationInconclusive{msg: "no trusted certificates are found to verify authenticity"}, + Type: Authenticity, + Action: outcome.VerificationLevel.VerificationMap[Authenticity], } } + _, err = nsigner.VerifyAuthenticity(outcome.SignerInfo, trustCerts) if err != nil { switch err.(type) { 
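Review bot: When a signature names a verification plugin but `capabilitiesToVerify` ends up empty (for instance the plugin offers only the revocation capability and the trust policy skips revocation), `processSignature` falls through to `return nil` without running the plugin, so the check in `processPluginResponse` that every critical extended attribute was processed never runs. Unless unknown critical attributes are already rejected earlier (nothing in this hunk shows that), such a signature verifies with its critical attributes ignored; I would fail closed in that branch as sketched below. Separately, `processPluginResponse` dereferences `authenticityResult` without a nil check; the current call order always appends an Authenticity result first, but a guard returning `ErrorVerificationInconclusive` would keep a later reordering from turning into a panic. The message `trusted identify verification` should read `trusted identity verification`.

```go
		if len(capabilitiesToVerify) > 0 {
			// … unchanged: executePlugin and processPluginResponse …
		}
		// The plugin was not run, so nothing has processed the critical extended attributes.
		for _, attr := range outcome.SignerInfo.SignedAttributes.ExtendedAttributes {
			if attr.Critical {
				return ErrorVerificationInconclusive{msg: fmt.Sprintf("extended critical attribute %q was not processed because verification plugin %q was not run", attr.Key, verificationPluginName)}
			}
		}
```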
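Review bot: The new empty-store failure in `verifyAuthenticity`, `no trusted certificates are found to verify authenticity`, does not say which signing scheme selected the trust store prefix, which is the detail an operator needs when the policy lists stores for the other prefix only. Including it, e.g. `fmt.Sprintf("no trusted certificates found for signing scheme %q", outcome.SignerInfo.SigningScheme)`, keeps the fail-closed behaviour and makes the cause visible. `len(trustCerts) == 0` is the more usual spelling than `< 1`, and the loop variable `v` shadows the receiver. The function continues outside the hunk.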
@@ -96,8 +105,11 @@ func (v *Verifier) verifyAuthenticity(trustStorePrefix TrustStorePrefix, trustPo } } } else { - // if X509 authenticity passes, then perform Trusted Identity based authenticity - return v.verifyTrustedIdentities(trustPolicy, outcome) + return &VerificationResult{ + Success: true, + Type: Authenticity, + Action: outcome.VerificationLevel.VerificationMap[Authenticity], + } } } 
@@ -118,25 +130,68 @@ func (v *Verifier) verifyExpiry(outcome *SignatureVerificationOutcome) *Verifica } } -func (v *Verifier) verifyTrustedIdentities(trustPolicy *TrustPolicy, outcome *SignatureVerificationOutcome) *VerificationResult { - // verify trusted identities - err := verifyX509TrustedIdentities(outcome.SignerInfo.CertificateChain, trustPolicy) - if err != nil { +func (v *Verifier) verifyAuthenticTimestamp(outcome *SignatureVerificationOutcome) *VerificationResult { + invalidTimestamp := false + var err error + + if outcome.SignerInfo.SigningScheme == nsigner.SigningSchemeX509 { + // TODO verify RFC3161 TSA signature if present (not in RC1) + // https://github.com/notaryproject/notation-go/issues/78 + if len(outcome.SignerInfo.TimestampSignature) == 0 { + // if there is no TSA signature, then every certificate should be valid at the time of verification + now := time.Now() + for _, cert := range outcome.SignerInfo.CertificateChain { + if now.Before(cert.NotBefore) { + invalidTimestamp = true + err = fmt.Errorf("certificate %q is not valid yet, it will be valid from %q", cert.Subject, cert.NotBefore.Format(time.RFC1123Z)) + break + } + if now.After(cert.NotAfter) { + invalidTimestamp = true + err = fmt.Errorf("certificate %q is not valid anymore, it was expired at %q", cert.Subject, cert.NotAfter.Format(time.RFC1123Z)) + break + } + } + } + } else if outcome.SignerInfo.SigningScheme == nsigner.SigningSchemeX509SigningAuthority { + authenticSigningTime := outcome.SignerInfo.SignedAttributes.SigningTime + // TODO use authenticSigningTime from signerInfo + // https://github.com/notaryproject/notation-core-go/issues/38 + for _, cert := range outcome.SignerInfo.CertificateChain { + if authenticSigningTime.Before(cert.NotBefore) || authenticSigningTime.After(cert.NotAfter) { + invalidTimestamp = true + err = fmt.Errorf("certificate %q was not valid when the digital signature was produced at %q", cert.Subject, authenticSigningTime.Format(time.RFC1123Z)) + break + 
} + } + } + + if invalidTimestamp { return &VerificationResult{ Success: false, Error: err, - Type: Authenticity, - Action: outcome.VerificationLevel.VerificationMap[Authenticity], + Type: AuthenticTimestamp, + Action: outcome.VerificationLevel.VerificationMap[AuthenticTimestamp], } } else { return &VerificationResult{ Success: true, - Type: Authenticity, - Action: outcome.VerificationLevel.VerificationMap[Authenticity], + Type: AuthenticTimestamp, + Action: outcome.VerificationLevel.VerificationMap[AuthenticTimestamp], } } } +// verifyX509TrustedIdentities verified x509 trusted identities. This functions uses the VerificationResult from x509 trust store verification and modifies it +func (v *Verifier) verifyX509TrustedIdentities(trustPolicy *TrustPolicy, outcome *SignatureVerificationOutcome, authenticityResult *VerificationResult) { + // verify trusted identities + err := verifyX509TrustedIdentities(outcome.SignerInfo.CertificateChain, trustPolicy) + if err != nil { + authenticityResult.Success = false + authenticityResult.Error = err + } +} + func verifyX509TrustedIdentities(certs []*x509.Certificate, trustPolicy *TrustPolicy) error { if isPresent(wildcard, trustPolicy.TrustedIdentities) { return nil 
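Review bot: For `SigningSchemeX509`, `verifyAuthenticTimestamp` checks certificate validity only when `TimestampSignature` is empty; when one is present it is not verified (the TODO) and the function still returns `Success: true`, so the mere presence of timestamp bytes skips the validity-period check. Until RFC 3161 verification exists I would fail closed: either drop the `len(outcome.SignerInfo.TimestampSignature) == 0` condition so the chain is always checked against `time.Now()`, or return an `ErrorVerificationInconclusive` result when a timestamp signature is present. A signing scheme matching neither branch also yields success here; an explicit final `else` that returns a failure would be safer. In the doc comment on `verifyX509TrustedIdentities`, `verified` and `This functions` should read `verifies` and `This function`.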
@@ -176,3 +231,70 @@ func verifyX509TrustedIdentities(certs []*x509.Certificate, trustPolicy *TrustPo return fmt.Errorf("signing certificate from the digital signature does not match the X.509 trusted identities %q defined in the trust policy %q", trustedX509Identities, trustPolicy.Name) } + +func (v *Verifier) executePlugin(ctx context.Context, trustPolicy *TrustPolicy, capabilitiesToVerify []plugin.VerificationCapability, signerInfo *nsigner.SignerInfo) (*plugin.VerifySignatureResponse, error) { + verificationPluginName := signerInfo.SignedAttributes.VerificationPlugin + var attributesToProcess []string + extendedAttributes := make(map[string]interface{}) + + // pass extended critical attributes to the plugin's verify-signature command + for _, attr := range signerInfo.SignedAttributes.ExtendedAttributes { + if attr.Critical { + extendedAttributes[attr.Key] = attr.Value + attributesToProcess = append(attributesToProcess, attr.Key) + } + } + + var certChain [][]byte + for _, cert := range signerInfo.CertificateChain { + certChain = append(certChain, cert.Raw) + } + var authenticSigningTime *time.Time + if signerInfo.SigningScheme == nsigner.SigningSchemeX509SigningAuthority { + authenticSigningTime = &signerInfo.SignedAttributes.SigningTime + // TODO use authenticSigningTime from signerInfo + // https://github.com/notaryproject/notation-core-go/issues/38 + } + + signature := plugin.Signature{ + CriticalAttributes: plugin.CriticalAttributes{ + ContentType: string(signerInfo.PayloadContentType), + SigningScheme: string(signerInfo.SigningScheme), + Expiry: &signerInfo.SignedAttributes.Expiry, + AuthenticSigningTime: authenticSigningTime, + VerificationPlugin: signerInfo.SignedAttributes.VerificationPlugin, + VerificationPluginMinVersion: signerInfo.SignedAttributes.VerificationPluginMinVersion, + ExtendedAttributes: extendedAttributes, + }, + UnprocessedAttributes: attributesToProcess, + CertificateChain: certChain, + } + + policy := plugin.TrustPolicy{ + 
TrustedIdentities: trustPolicy.TrustedIdentities, + SignatureVerification: capabilitiesToVerify, + } + + pluginConfig := map[string]string{} + request := &plugin.VerifySignatureRequest{ + ContractVersion: plugin.ContractVersion, + Signature: signature, + TrustPolicy: policy, + PluginConfig: getPluginConfig(ctx, pluginConfig), + } + pluginRunner, err := v.PluginManager.Runner(verificationPluginName) + if err != nil { + return nil, ErrorVerificationInconclusive{msg: fmt.Sprintf("error while loading the verification plugin %q: %s", verificationPluginName, err)} + } + out, err := pluginRunner.Run(ctx, request) + if err != nil { + return nil, ErrorVerificationInconclusive{msg: fmt.Sprintf("error while running the verification plugin %q: %s", verificationPluginName, err)} + } + + response, ok := out.(*plugin.VerifySignatureResponse) + if !ok { + return nil, ErrorVerificationInconclusive{msg: fmt.Sprintf("verification plugin %q returned unexpected response : %q", verificationPluginName, out)} + } + + return response, nil +} diff --git a/verification/verifier_test.go b/verification/verifier_test.go index b23b396b..d4d7af70 100644 --- a/verification/verifier_test.go +++ b/verification/verifier_test.go @@ -4,9 +4,12 @@ import ( "context" "errors" "fmt" + nsigner "github.com/notaryproject/notation-core-go/signer" "github.com/notaryproject/notation-go" "github.com/notaryproject/notation-go/dir" "github.com/notaryproject/notation-go/internal/mock" + "github.com/notaryproject/notation-go/plugin" + "github.com/notaryproject/notation-go/plugin/manager" "github.com/notaryproject/notation-go/registry" "strconv" "testing" 
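Review bot: The unexpected-response error in `executePlugin` formats `out` with `%q`, but `out` is an arbitrary `interface{}` value, so the message can come out as `%!q(...)` noise rather than something readable. `%T` states what actually came back: `fmt.Sprintf("verification plugin %q returned unexpected response type %T", verificationPluginName, out)`. The three error paths also flatten `err` into `msg` with `%s`, which loses the chain for `errors.Is`/`errors.As`; if `ErrorVerificationInconclusive` can carry a wrapped error (its definition is not in this hunk) that would be preferable. `executePlugin` is new and has no doc comment; one line stating that only critical extended attributes are forwarded to the plugin would help the next reader.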
@@ -16,8 +19,11 @@ func verifyResult(outcome *SignatureVerificationOutcome, expectedResult Verifica var actualResult *VerificationResult for _, r := range outcome.VerificationResults { if r.Type == expectedResult.Type { - actualResult = r - break + if actualResult == nil { + actualResult = r + } else { + t.Fatalf("expected only one VerificatiionResult for %q but found one more. first: %+v second: %+v", r.Type, actualResult, r) + } } } @@ -38,7 +44,7 @@ func TestInvalidArtifactUriValidations(t *testing.T) { verifier := Verifier{ PolicyDocument: &policyDocument, Repository: mock.NewRepository(), - PluginManager: mock.NewPluginManager(), + PluginManager: mock.PluginManager{}, } tests := []struct { @@ -70,7 +76,7 @@ func TestErrorNoApplicableTrustPolicy_Error(t *testing.T) { verifier := Verifier{ PolicyDocument: &policyDocument, Repository: mock.NewRepository(), - PluginManager: mock.NewPluginManager(), + PluginManager: mock.PluginManager{}, } _, err := verifier.Verify(context.Background(), "non-existent-domain.com/repo@sha256:73c803930ea3ba1e54bc25c2bdc53edd0284c62ed651fe7b00369da519a3c333") @@ -85,7 +91,7 @@ func TestSkippedSignatureVerification(t *testing.T) { verifier := Verifier{ PolicyDocument: &policyDocument, Repository: mock.NewRepository(), - PluginManager: mock.NewPluginManager(), + PluginManager: mock.PluginManager{}, } outcomes, err := verifier.Verify(context.Background(), mock.SampleArtifactUri) @@ -101,7 +107,7 @@ func TestRegistryResolveError(t *testing.T) { verifier := Verifier{ PolicyDocument: &policyDocument, Repository: &repo, - PluginManager: mock.NewPluginManager(), + PluginManager: mock.PluginManager{}, } errorMessage := "network error" expectedErr := ErrorSignatureRetrievalFailed{msg: errorMessage} 
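Review bot: The new failure message in `verifyResult` misspells the type name as `VerificatiionResult`; it should read `VerificationResult` so that searching for the type finds the message. The corrected call is `t.Fatalf("expected only one VerificationResult for %q but found one more. first: %+v second: %+v", r.Type, actualResult, r)`. The function's signature and the rest of its body are outside the hunk.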
@@ -121,7 +127,7 @@ func TestRegistryListSignatureManifestsError(t *testing.T) { verifier := Verifier{ PolicyDocument: &policyDocument, Repository: &repo, - PluginManager: mock.NewPluginManager(), + PluginManager: mock.PluginManager{}, } errorMessage := fmt.Sprintf("unable to retrieve digital signature(s) associated with %q from the registry, error : network error", mock.SampleArtifactUri) expectedErr := ErrorSignatureRetrievalFailed{msg: errorMessage} @@ -141,7 +147,7 @@ func TestRegistryNoSignatureManifests(t *testing.T) { verifier := Verifier{ PolicyDocument: &policyDocument, Repository: &repo, - PluginManager: mock.NewPluginManager(), + PluginManager: mock.PluginManager{}, } errorMessage := fmt.Sprintf("no signatures are associated with %q, make sure the image was signed successfully", mock.SampleArtifactUri) expectedErr := ErrorSignatureRetrievalFailed{msg: errorMessage} @@ -161,7 +167,7 @@ func TestRegistryGetBlobError(t *testing.T) { verifier := Verifier{ PolicyDocument: &policyDocument, Repository: &repo, - PluginManager: mock.NewPluginManager(), + PluginManager: mock.PluginManager{}, } errorMessage := fmt.Sprintf("unable to retrieve digital signature with digest %q associated with %q from the registry, error : network error", mock.SampleDigest, mock.SampleArtifactUri) expectedErr := ErrorSignatureRetrievalFailed{msg: errorMessage} 
@@ -175,7 +181,26 @@ func TestRegistryGetBlobError(t *testing.T) { } } -func TestVerificationCombinations(t *testing.T) { +func TestNotationVerificationCombinations(t *testing.T) { + assertNotationVerification(t, nsigner.SigningSchemeX509) + assertNotationVerification(t, nsigner.SigningSchemeX509SigningAuthority) +} + +func assertNotationVerification(t *testing.T, scheme nsigner.SigningScheme) { + var validSigEnv []byte + var invalidSigEnv []byte + var expiredSigEnv []byte + + if scheme == nsigner.SigningSchemeX509 { + validSigEnv = mock.MockCaValidSigEnv + invalidSigEnv = mock.MockCaInvalidSigEnv + expiredSigEnv = mock.MockCaExpiredSigEnv + } else if scheme == nsigner.SigningSchemeX509SigningAuthority { + validSigEnv = mock.MockSaValidSigEnv + invalidSigEnv = mock.MockSaInvalidSigEnv + expiredSigEnv = mock.MockSaExpiredSigEnv + } + type testCase struct { verificationType VerificationType verificationLevel *VerificationLevel @@ -214,7 +239,8 @@ func TestVerificationCombinations(t *testing.T) { // Integrity Success for _, level := range verificationLevels { policyDocument := dummyPolicyDocument() - repo := mock.NewRepository() // repository returns a valid signature by default + repo := mock.NewRepository() + repo.GetResponse = validSigEnv testCases = append(testCases, testCase{ verificationType: Integrity, verificationLevel: level, @@ -227,7 +253,7 @@ func TestVerificationCombinations(t *testing.T) { for _, level := range verificationLevels { policyDocument := dummyPolicyDocument() repo := mock.NewRepository() - repo.GetResponse = mock.MockCaInvalidSigEnv + repo.GetResponse = invalidSigEnv expectedErr := fmt.Errorf("signature is invalid. Error: illegal base64 data at input byte 242") testCases = append(testCases, testCase{ verificationType: Integrity, 
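Review bot: In assertNotationVerification the `if`/`else if` on `scheme` has no fallback, so an unexpected scheme leaves `validSigEnv`, `invalidSigEnv` and `expiredSigEnv` nil and the cases run against empty envelopes instead of failing at once. A `switch scheme` with `default: t.Fatalf("unsupported signing scheme %v", scheme)` makes that explicit, and `t.Helper()` as the first statement keeps failure locations pointing at the caller. The same pattern is repeated in assertPluginVerification in the last hunk of this file, which also takes `(scheme, t)` where this helper takes `(t, scheme)`; putting `t` first in both is the usual convention. The helper's body continues outside the hunk.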
@@ -308,7 +334,7 @@ func TestVerificationCombinations(t *testing.T) { for _, level := range verificationLevels { policyDocument := dummyPolicyDocument() repo := mock.NewRepository() - repo.GetResponse = mock.MockCaExpiredSigEnv + repo.GetResponse = expiredSigEnv expectedErr := fmt.Errorf("digital signature has expired on \"Fri, 29 Jul 2022 23:59:00 +0000\"") testCases = append(testCases, testCase{ verificationType: Expiry, @@ -336,10 +362,14 @@ func TestVerificationCombinations(t *testing.T) { ), } + pluginManager := mock.PluginManager{} + pluginManager.GetPluginError = errors.New("plugin should not be invoked when verification plugin is not specified in the signature") + pluginManager.PluginRunnerLoadError = errors.New("plugin should not be invoked when verification plugin is not specified in the signature") + verifier := Verifier{ PolicyDocument: &tt.policyDocument, Repository: &tt.repository, - PluginManager: mock.NewPluginManager(), + PluginManager: pluginManager, PathManager: path, } outcomes, _ := verifier.Verify(context.Background(), mock.SampleArtifactUri) 
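Review bot: In the `@@ -336,10 +362,14 @@` hunk the two error fields on `pluginManager` repeat the same long literal and nothing says they are a guard rather than an expected failure. A comment such as `// guard: a signature that names no verification plugin must never reach the plugin manager` plus a single `errUnexpectedPlugin := errors.New(...)` assigned to both fields would make the intent clear. The context line below still discards the error from `verifier.Verify`, so the guard presumably only shows up through the per-type results checked afterwards; that is worth confirming. The enclosing test function starts and ends outside the hunk.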
@@ -350,3 +380,252 @@ func TestVerificationCombinations(t *testing.T) { }) } } + +func TestVerificationPluginInteractions(t *testing.T) { + assertPluginVerification(nsigner.SigningSchemeX509, t) + assertPluginVerification(nsigner.SigningSchemeX509SigningAuthority, t) +} + +func assertPluginVerification(scheme nsigner.SigningScheme, t *testing.T) { + var pluginSigEnv []byte + if scheme == nsigner.SigningSchemeX509 { + pluginSigEnv = mock.MockCaPluginSigEnv + } else if scheme == nsigner.SigningSchemeX509SigningAuthority { + pluginSigEnv = mock.MockSaPluginSigEnv + } + + policyDocument := dummyPolicyDocument() + repo := mock.NewRepository() + repo.GetResponse = pluginSigEnv + path := &dir.PathManager{ + ConfigFS: dir.NewUnionDirFS( + dir.NewRootedFS("testdata", nil), + ), + } + + // verification plugin is not installed + pluginManager := mock.PluginManager{} + pluginManager.GetPluginError = manager.ErrNotFound + + verifier := Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err := verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err == nil || outcomes[0].Error == nil || outcomes[0].Error.Error() != "error while locating the verification plugin \"plugin-name\", make sure the plugin is installed successfully before verifying the signature. 
error: plugin not found" { + t.Fatalf("verification should fail if the verification plugin is not found") + } + + // plugin is installed but without verification capabilities + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilitySignatureGenerator} + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err == nil || outcomes[0].Error == nil || outcomes[0].Error.Error() != "digital signature requires plugin \"plugin-name\" with signature verification capabilities (\"SIGNATURE_VERIFIER.TRUSTED_IDENTITY\" and/or \"SIGNATURE_VERIFIER.REVOCATION_CHECK\") installed" { + t.Fatalf("verification should fail if the verification plugin is not found") + } + + // plugin interactions with trusted identity verification success + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityTrustedIdentityVerifier} + pluginManager.PluginRunnerExecuteResponse = &plugin.VerifySignatureResponse{ + VerificationResults: map[plugin.VerificationCapability]*plugin.VerificationResult{ + plugin.VerificationCapabilityTrustedIdentity: { + Success: true, + }, + }, + ProcessedAttributes: []string{mock.PluginExtendedCriticalAttribute.Key}, + } + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err != nil || outcomes[0].Error != nil { + t.Fatalf("verification should succeed when the verification plugin succeeds for trusted identity verification. 
error : %v", outcomes[0].Error) + } + + // plugin interactions with trusted identity verification failure + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityTrustedIdentityVerifier} + pluginManager.PluginRunnerExecuteResponse = &plugin.VerifySignatureResponse{ + VerificationResults: map[plugin.VerificationCapability]*plugin.VerificationResult{ + plugin.VerificationCapabilityTrustedIdentity: { + Success: false, + Reason: "i feel like failing today", + }, + }, + ProcessedAttributes: []string{mock.PluginExtendedCriticalAttribute.Key}, + } + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err == nil || outcomes[0].Error == nil || outcomes[0].Error.Error() != "trusted identify verification by plugin \"plugin-name\" failed with reason \"i feel like failing today\"" { + t.Fatalf("verification should fail when the verification plugin fails for trusted identity verification. 
error : %v", outcomes[0].Error) + } + + // plugin interactions with revocation verification success + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityRevocationCheckVerifier} + pluginManager.PluginRunnerExecuteResponse = &plugin.VerifySignatureResponse{ + VerificationResults: map[plugin.VerificationCapability]*plugin.VerificationResult{ + plugin.VerificationCapabilityRevocationCheck: { + Success: true, + }, + }, + ProcessedAttributes: []string{mock.PluginExtendedCriticalAttribute.Key}, + } + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err != nil || outcomes[0].Error != nil { + t.Fatalf("verification should succeed when the verification plugin succeeds for revocation verification. error : %v", outcomes[0].Error) + } + + // plugin interactions with trusted revocation failure + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityRevocationCheckVerifier} + pluginManager.PluginRunnerExecuteResponse = &plugin.VerifySignatureResponse{ + VerificationResults: map[plugin.VerificationCapability]*plugin.VerificationResult{ + plugin.VerificationCapabilityRevocationCheck: { + Success: false, + Reason: "i feel like failing today", + }, + }, + ProcessedAttributes: []string{mock.PluginExtendedCriticalAttribute.Key}, + } + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err == nil || outcomes[0].Error == nil || outcomes[0].Error.Error() != "revocation check by verification plugin \"plugin-name\" failed with reason \"i feel like failing today\"" { + t.Fatalf("verification should fail when the verification plugin fails for 
revocation check verification. error : %v", outcomes[0].Error) + } + + // plugin interactions with both trusted identity & revocation verification + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityRevocationCheckVerifier, plugin.CapabilityTrustedIdentityVerifier} + pluginManager.PluginRunnerExecuteResponse = &plugin.VerifySignatureResponse{ + VerificationResults: map[plugin.VerificationCapability]*plugin.VerificationResult{ + plugin.VerificationCapabilityRevocationCheck: { + Success: true, + }, + plugin.VerificationCapabilityTrustedIdentity: { + Success: true, + }, + }, + ProcessedAttributes: []string{mock.PluginExtendedCriticalAttribute.Key}, + } + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err != nil || outcomes[0].Error != nil { + t.Fatalf("verification should succeed when the verification plugin succeeds for both trusted identity and revocation check verifications. error : %v", outcomes[0].Error) + } + + // plugin interactions with skipped revocation + policyDocument.TrustPolicies[0].SignatureVerification.Override = map[string]string{"revocation": "skip"} + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityRevocationCheckVerifier} + pluginManager.PluginRunnerExecuteError = errors.New("revocation plugin should not be invoked when the trust policy skips revocation check") + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err != nil || outcomes[0].Error != nil { + t.Fatalf("revocation plugin should not be invoked when the trust policy skips the revocation check. 
error : %v", outcomes[0].Error) + } + + // plugin unexpected response + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityTrustedIdentityVerifier} + pluginManager.PluginRunnerExecuteResponse = "invalid plugin response" + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err == nil || outcomes[0].Error == nil || outcomes[0].Error.Error() != "verification plugin \"plugin-name\" returned unexpected response : \"invalid plugin response\"" { + t.Fatalf("verification should fail when the verification plugin returns unexpected response. error : %v", outcomes[0].Error) + } + + // plugin did not process all extended critical attributes + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityTrustedIdentityVerifier} + pluginManager.PluginRunnerExecuteResponse = &plugin.VerifySignatureResponse{ + VerificationResults: map[plugin.VerificationCapability]*plugin.VerificationResult{ + plugin.VerificationCapabilityTrustedIdentity: { + Success: true, + }, + }, + ProcessedAttributes: []string{}, // exclude the critical attribute + } + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err == nil || outcomes[0].Error == nil || outcomes[0].Error.Error() != "extended critical attribute \"SomeKey\" was not processed by the verification plugin \"plugin-name\" (all extended critical attributes must be processed by the verification plugin)" { + t.Fatalf("verification should fail when the verification plugin fails to process an extended critical attribute. 
error : %v", outcomes[0].Error) + } + + // plugin returned empty result for a capability + pluginManager = mock.PluginManager{} + pluginManager.PluginCapabilities = []plugin.Capability{plugin.CapabilityTrustedIdentityVerifier} + pluginManager.PluginRunnerExecuteResponse = &plugin.VerifySignatureResponse{ + VerificationResults: map[plugin.VerificationCapability]*plugin.VerificationResult{}, + ProcessedAttributes: []string{mock.PluginExtendedCriticalAttribute.Key}, + } + + verifier = Verifier{ + PolicyDocument: &policyDocument, + Repository: repo, + PluginManager: pluginManager, + PathManager: path, + } + outcomes, err = verifier.Verify(context.Background(), mock.SampleArtifactUri) + if err == nil || outcomes[0].Error == nil || outcomes[0].Error.Error() != "verification plugin \"plugin-name\" failed to verify \"SIGNATURE_VERIFIER.TRUSTED_IDENTITY\"" { + t.Fatalf("verification should fail when the verification plugin does not return response for a capability. error : %v", outcomes[0].Error) + } +}
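Review bot: Every case in assertPluginVerification indexes `outcomes[0]` without checking the slice, both in the condition and in the `t.Fatalf` arguments, so a `Verify` call that returns an error with no outcomes panics instead of reporting the failure. A guard after each call, `if len(outcomes) == 0 { t.Fatalf("no verification outcome, err: %v", err) }`, keeps these fail-closed checks readable when they break. Two copy-paste slips are also visible: the "installed but without verification capabilities" case reuses the message `verification should fail if the verification plugin is not found`, and the "plugin unexpected response" case calls `verifier.Verify` twice in a row. The `Override` of `{"revocation": "skip"}` is set on the shared `policyDocument` and stays in effect for the three cases after it, so a fresh `dummyPolicyDocument()` per case (or `t.Run` subtests) would keep them independent of ordering.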