Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

COSE envelope signature spec updates #148

Merged
merged 15 commits into from
Nov 22, 2022
Merged

COSE envelope signature spec updates #148

merged 15 commits into from
Nov 22, 2022

Conversation

SteveLasker
Copy link
Contributor

Tracking the merger of the cose-envelope branch into main.

shizhMSFT and others added 3 commits March 25, 2022 11:36
* cbor payload
* cose envelope
* finalize payload
* remove JWS
* refine notations
* refine datetime

Signed-off-by: Shiwei Zhang <[email protected]>

Merging into the remote-siging branch for further iteration, addressing the PR feedback with additional PRs into this branch.
Updates to signature specification
* Moves signed attributes out of payload
* Defines new signed attributes and marks them as critical/informational
* Introduces signature scheme to support different trust models

Signed-off-by: Milind Gokarn <[email protected]>
@SteveLasker SteveLasker added this to the RC-1 milestone Apr 20, 2022
signature-envelope-jws.md Outdated Show resolved Hide resolved
signature-envelope-jws.md Outdated Show resolved Hide resolved
signature-envelope-jws.md Outdated Show resolved Hide resolved
signature-envelope-jws.md Outdated Show resolved Hide resolved
signature-envelope-jws.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-jws.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
letmaik added a commit to letmaik/notaryproject that referenced this pull request May 4, 2022
@iamsamirzon iamsamirzon modified the milestones: RC-1, RC-2 May 26, 2022
@SteveLasker
Copy link
Contributor Author

With the go-cose v1.0.0-rc.1 release, with a security review completed, we'll be prioritizing this work.

There are a few updates that we'll incorporate that include multiple content types that support registry descriptors, hashes of files that may not be store in a registry and direct wrapping of content.

@SteveLasker SteveLasker modified the milestones: RC-2, RC-1 Jul 14, 2022
@SteveLasker SteveLasker force-pushed the cose-envelope branch 2 times, most recently from d18dc4c to 3e93835 Compare August 2, 2022 18:18
shizhMSFT and others added 2 commits August 2, 2022 15:19
* Update signature-envelope-cose.md (#153)

The `crit` header should be optional, not required. The spec already defines `cty` and `signingtime` as required, so a compliant verifier should reject any signature that does not include them, irrespective of whether or not the envelope also declares them as critical.

An appropriate use of `crit` would be if a signer intends to include a new header not defined in the spec, to instruct verifiers that they must understand and process that header in order for the signature to be successfully validated. Another scenario is if a signer intends to mandate processing of an otherwise optional header (e.g., `expiry`).

In other words, `crit` can be used by a signer to add requirements to the verification flow, but it is unnecessary and redundant if the verifier already has the same requirements.

Signed-off-by: Brian Krell <[email protected]>

* `cose-envelope`: merge changes from `main` (#177)

* Align COSE spec with JWS

Signed-off-by: letmaik <[email protected]>
Co-authored-by: Steve Lasker <[email protected]>
Co-authored-by: Quim Muntal <[email protected]>
Co-authored-by: Quim Muntal <[email protected]>
Co-authored-by: Milind Gokarn <[email protected]>
Co-authored-by: Milind Gokarn <[email protected]>
Co-authored-by: Shiwei Zhang <[email protected]>
Co-authored-by: Pritesh Bandi <[email protected]>
Co-authored-by: Sajay Antony <[email protected]>

* update CBOR spec

Co-authored-by: Steve Lasker <[email protected]>
Co-authored-by: qmuntal <[email protected]>
Co-authored-by: Milind Gokarn <[email protected]>
Co-authored-by: Pritesh Bandi <[email protected]>
Co-authored-by: Sajay Antony <[email protected]>
Signed-off-by: Shiwei Zhang <[email protected]>

Co-authored-by: Brian Krell <[email protected]>
Co-authored-by: Maik Riechert <[email protected]>
Co-authored-by: Steve Lasker <[email protected]>
Co-authored-by: Quim Muntal <[email protected]>
Co-authored-by: Quim Muntal <[email protected]>
Co-authored-by: Milind Gokarn <[email protected]>
Co-authored-by: Milind Gokarn <[email protected]>
Co-authored-by: Pritesh Bandi <[email protected]>
Co-authored-by: Sajay Antony <[email protected]>
Co-authored-by: Pritesh Bandi <[email protected]>
Co-authored-by: Sajay Antony <[email protected]>
Copy link
Contributor

@thomas-fossati thomas-fossati left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A really nice work. I have left a few flyby comments for your consideration.

signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-specification.md Outdated Show resolved Hide resolved

**Implementation Constraints**: Notary v2 implementation MUST enforce the following constraints on signature generation and verification:

1. `alg` header value MUST NOT be `none` or any symmetric-key algorithm such as `HMAC`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re: prohibition on HMAC. This may be redundant since I don't think one can use symmetric key algorithms with COSE Sign/Sign1. Those should be only available for Mac or Mac0 COSEs.

dtzar and others added 2 commits September 22, 2022 16:15
Co-authored-by: Thomas Fossati <[email protected]>
Signed-off-by: David Tesar <[email protected]>
Co-authored-by: Thomas Fossati <[email protected]>
Signed-off-by: David Tesar <[email protected]>
Copy link
Contributor

@gokarnm gokarnm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall looks good, except for few specific details about COSE envelope and outdated content from merge, which should be resolved.

signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-envelope-cose.md Outdated Show resolved Hide resolved
signature-specification.md Outdated Show resolved Hide resolved
signature-specification.md Outdated Show resolved Hide resolved
specs/signature-specification.md Outdated Show resolved Hide resolved
specs/signature-specification.md Outdated Show resolved Hide resolved
specs/signature-specification.md Show resolved Hide resolved
specs/signature-specification.md Show resolved Hide resolved
'io.cncf.notary.signingScheme',
'io.cncf.notary.expiry'
],
/ cty / 3: 'application/vnd.cncf.notary.payload.v1+json',
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this header struct looks good to me.

{
/ x5chain / 33: [
<< DER(leafCert) >>,
<< DER(intermediate CACert) >>,
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am still a bit nervous about exactly what this means, but the approach seems reasonable... I would just want to see a complete example.

| RSASSA-PSS with SHA-256 | -37 |
| RSASSA-PSS with SHA-384 | -38 |
| RSASSA-PSS with SHA-512 | -39 |
| ECDSA on secp256r1 with SHA-256 | -7 |
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume lack of EdDSA is intentional here.

@@ -43,6 +43,7 @@ Signature Manifest Example
- **`blobs`** (*array of objects*): This REQUIRED property contains collection of only one [artifact descriptor][artifact-descriptor] referencing signature envelope.
- **`mediaType`** (*string*): This REQUIRED property contains media type of signature envelope blob. Following values are supported
- `application/jose+json`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like maybe not correct? are you saying that compact representation is NOT allowed? thats how i read them.


```json
{
"subject": {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good call, since sub is a string... maybe you want to make it clear that this is a "private claim", that is not part of the original RFC.

@yizha1
Copy link
Contributor

yizha1 commented Nov 17, 2022

@gokarnm All your comments are resolved now. Could you give a final check and approve it if there are no further issues?

Copy link
Contributor

@gokarnm gokarnm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! @priteshbandi could you review and approve as well.

@gokarnm gokarnm requested a review from priteshbandi November 17, 2022 06:46
* spec: update according to review comments
* update to RFC for the fields of the sig_structure
* update description for field context

Signed-off-by: Yi Zha <[email protected]>
@SteveLasker
Copy link
Contributor Author

+1 to merging, with incremental improvements.

Note: `<<` and `>>` are used to notate the CBOR byte string resulting from encoding the data item.

- **[`x5chain`](https://datatracker.ietf.org/doc/html/draft-ietf-cose-x509-08#section-2)** (*array of bstr*): This REQUIRED parameter (label `33` by [IANA](https://www.iana.org/assignments/cose/cose.xhtml#header-parameters)) contains the ordered list of X.509 certificate or certificate chain ([RFC5280](https://datatracker.ietf.org/doc/html/rfc5280)) corresponding to the key used to digitally sign the COSE. The certificate chain is represented as an array of certificate, each certificate in the array is DER encoded and then wrapped in a CBOR byte string. The certificate containing the public key corresponding to the key used to digitally sign the COSE MUST be the first certificate, followed by the intermediate and root certificates in the correct order. Refer [*Certificate Chain* unsigned attribute](signature-specification.md#unsigned-attributes) for more details. Optionally, this header can be presented in the protected header.
- **TODO** update signature specification to allow chains in protected header
Copy link
Contributor

@priteshbandi priteshbandi Nov 17, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the motivation behind this? can we remove it from spec and open it as issue for discussion ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@letmaik, @shizhMSFT can you comment?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The motivation is that the signing key of a signer may have multiple organizations associated. How to determine which organization that the signer represents at the signing time is an issue.

Here's an example, the signer has two cert chains Company A -> Signer and Company B -> Signer.

graph TD;

a["CA (Company A)"] --> s["Signer Cert"]
b["CA (Company B)"] --> s
Loading

Consider the following scenario:

  1. Signer signs the artifact and associates cert chain Company A -> Signer to the resulted signature. In other words, the signer signs the artifact representing the company A.
  2. Signer publishes the artifact and the signature.
  3. Adversary sees the signature and replaces the cert chain in the unprotected header with a cert chain Company B -> Signer.
  4. Now, from the view of verifiers, the signature is signed by the Signer, representing the company B.

This kind of attack can be mitigated by never reusing the signing key but it is better if we can sign the signing identity in the signature itself.

@yizha1 Let's remove it from spec and open it as issue for discussion.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ianjmcm, can you provide some 👀 ?

Copy link
Contributor

@priteshbandi priteshbandi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM with one comment

Copy link
Contributor

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@SteveLasker
Copy link
Contributor Author

SteveLasker commented Nov 22, 2022

Thanks @shizhMSFT, @qmuntal, @letmaik, @yogeshbdeshpande, @thomas-fossati and everyone else that completed this baseline, including all the updates to https://github.com/veraison/go-cose

Great work!

@SteveLasker SteveLasker merged commit efc8282 into main Nov 22, 2022
@yizha1 yizha1 deleted the cose-envelope branch November 23, 2022 02:08
@yizha1 yizha1 restored the cose-envelope branch November 23, 2022 02:09
@yizha1 yizha1 deleted the cose-envelope branch April 2, 2024 00:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.