-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
COSE envelope signature spec updates #148
Conversation
* cbor payload * cose envelope * finalize payload * remove JWS * refine notations * refine datetime Signed-off-by: Shiwei Zhang <[email protected]> Merging into the remote-siging branch for further iteration, addressing the PR feedback with additional PRs into this branch.
Signed-off-by: Steve Lasker <[email protected]>
Updates to signature specification * Moves signed attributes out of payload * Defines new signed attributes and marks them as critical/informational * Introduces signature scheme to support different trust models Signed-off-by: Milind Gokarn <[email protected]>
With the go-cose v1.0.0-rc.1 release, with a security review completed, we'll be prioritizing this work. There are a few updates that we'll incorporate that include multiple content types that support registry descriptors, hashes of files that may not be store in a registry and direct wrapping of content. |
d18dc4c
to
3e93835
Compare
* Update signature-envelope-cose.md (#153) The `crit` header should be optional, not required. The spec already defines `cty` and `signingtime` as required, so a compliant verifier should reject any signature that does not include them, irrespective of whether or not the envelope also declares them as critical. An appropriate use of `crit` would be if a signer intends to include a new header not defined in the spec, to instruct verifiers that they must understand and process that header in order for the signature to be successfully validated. Another scenario is if a signer intends to mandate processing of an otherwise optional header (e.g., `expiry`). In other words, `crit` can be used by a signer to add requirements to the verification flow, but it is unnecessary and redundant if the verifier already has the same requirements. Signed-off-by: Brian Krell <[email protected]> * `cose-envelope`: merge changes from `main` (#177) * Align COSE spec with JWS Signed-off-by: letmaik <[email protected]> Co-authored-by: Steve Lasker <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Shiwei Zhang <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]> * update CBOR spec Co-authored-by: Steve Lasker <[email protected]> Co-authored-by: qmuntal <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]> Signed-off-by: Shiwei Zhang <[email protected]> Co-authored-by: Brian Krell <[email protected]> Co-authored-by: Maik Riechert <[email protected]> Co-authored-by: Steve Lasker <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Quim Muntal <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Milind Gokarn <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]> Co-authored-by: Pritesh Bandi <[email protected]> Co-authored-by: Sajay Antony <[email protected]>
…t into cose-envelope
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A really nice work. I have left a few flyby comments for your consideration.
signature-specification.md
Outdated
|
||
**Implementation Constraints**: Notary v2 implementation MUST enforce the following constraints on signature generation and verification: | ||
|
||
1. `alg` header value MUST NOT be `none` or any symmetric-key algorithm such as `HMAC`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
re: prohibition on HMAC. This may be redundant since I don't think one can use symmetric key algorithms with COSE Sign/Sign1. Those should be only available for Mac or Mac0 COSEs.
Co-authored-by: Thomas Fossati <[email protected]> Signed-off-by: David Tesar <[email protected]>
Co-authored-by: Thomas Fossati <[email protected]> Signed-off-by: David Tesar <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks good, except for few specific details about COSE envelope and outdated content from merge, which should be resolved.
Signed-off-by: David Tesar <[email protected]>
signature-envelope-cose.md
Outdated
'io.cncf.notary.signingScheme', | ||
'io.cncf.notary.expiry' | ||
], | ||
/ cty / 3: 'application/vnd.cncf.notary.payload.v1+json', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this header struct looks good to me.
signature-envelope-cose.md
Outdated
{ | ||
/ x5chain / 33: [ | ||
<< DER(leafCert) >>, | ||
<< DER(intermediate CACert) >>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am still a bit nervous about exactly what this means, but the approach seems reasonable... I would just want to see a complete example.
signature-envelope-cose.md
Outdated
| RSASSA-PSS with SHA-256 | -37 | | ||
| RSASSA-PSS with SHA-384 | -38 | | ||
| RSASSA-PSS with SHA-512 | -39 | | ||
| ECDSA on secp256r1 with SHA-256 | -7 | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume lack of EdDSA is intentional here.
specs/signature-specification.md
Outdated
@@ -43,6 +43,7 @@ Signature Manifest Example | |||
- **`blobs`** (*array of objects*): This REQUIRED property contains collection of only one [artifact descriptor][artifact-descriptor] referencing signature envelope. | |||
- **`mediaType`** (*string*): This REQUIRED property contains media type of signature envelope blob. Following values are supported | |||
- `application/jose+json` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like maybe not correct? are you saying that compact representation is NOT allowed? thats how i read them.
specs/signature-specification.md
Outdated
|
||
```json | ||
{ | ||
"subject": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good call, since sub
is a string... maybe you want to make it clear that this is a "private claim", that is not part of the original RFC.
@gokarnm All your comments are resolved now. Could you give a final check and approve it if there are no further issues? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! @priteshbandi could you review and approve as well.
* spec: update according to review comments * update to RFC for the fields of the sig_structure * update description for field context Signed-off-by: Yi Zha <[email protected]>
6fc8e1d
to
cf533b8
Compare
+1 to merging, with incremental improvements. |
specs/signature-envelope-cose.md
Outdated
Note: `<<` and `>>` are used to notate the CBOR byte string resulting from encoding the data item. | ||
|
||
- **[`x5chain`](https://datatracker.ietf.org/doc/html/draft-ietf-cose-x509-08#section-2)** (*array of bstr*): This REQUIRED parameter (label `33` by [IANA](https://www.iana.org/assignments/cose/cose.xhtml#header-parameters)) contains the ordered list of X.509 certificate or certificate chain ([RFC5280](https://datatracker.ietf.org/doc/html/rfc5280)) corresponding to the key used to digitally sign the COSE. The certificate chain is represented as an array of certificate, each certificate in the array is DER encoded and then wrapped in a CBOR byte string. The certificate containing the public key corresponding to the key used to digitally sign the COSE MUST be the first certificate, followed by the intermediate and root certificates in the correct order. Refer [*Certificate Chain* unsigned attribute](signature-specification.md#unsigned-attributes) for more details. Optionally, this header can be presented in the protected header. | ||
- **TODO** update signature specification to allow chains in protected header |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the motivation behind this? can we remove it from spec and open it as issue for discussion ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@letmaik, @shizhMSFT can you comment?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The motivation is that the signing key of a signer may have multiple organizations associated. How to determine which organization that the signer represents at the signing time is an issue.
Here's an example, the signer has two cert chains Company A -> Signer
and Company B -> Signer
.
graph TD;
a["CA (Company A)"] --> s["Signer Cert"]
b["CA (Company B)"] --> s
Consider the following scenario:
- Signer signs the artifact and associates cert chain
Company A -> Signer
to the resulted signature. In other words, the signer signs the artifact representing the company A. - Signer publishes the artifact and the signature.
- Adversary sees the signature and replaces the cert chain in the unprotected header with a cert chain
Company B -> Signer
. - Now, from the view of verifiers, the signature is signed by the Signer, representing the company B.
This kind of attack can be mitigated by never reusing the signing key but it is better if we can sign the signing identity in the signature itself.
@yizha1 Let's remove it from spec and open it as issue for discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ianjmcm, can you provide some 👀 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM with one comment
* move certificate chain discussion to a new issue Signed-off-by: Yi Zha <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @shizhMSFT, @qmuntal, @letmaik, @yogeshbdeshpande, @thomas-fossati and everyone else that completed this baseline, including all the updates to https://github.com/veraison/go-cose Great work! |
Tracking the merger of the cose-envelope branch into main.