add fulcio.DSSEAttestor
Signed-off-by: Jake Sanders <[email protected]>
Jake Sanders committed Dec 16, 2021
1 parent acf5900 commit a5f7495
Showing 1 changed file with 61 additions and 0 deletions.
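--- a/internal/pkg/cosign/fulcio/attestor.go
+++ b/internal/pkg/cosign/fulcio/attestor.go
@@ -0,0 +1,61 @@
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package fulcio
+
+import (
+"context"
+"crypto"
+"io"
+
+"github.com/sigstore/cosign/internal/pkg/cosign"
+"github.com/sigstore/cosign/pkg/oci"
+"github.com/sigstore/cosign/pkg/oci/mutate"
+)
+
+// fulcioAttestor still needs to actually upload keys to Fulcio and receive
+// the resulting `Cert` and `Chain`, which are added to the returned `oci.Signature`
+type fulcioAttestor struct {
+inner cosign.DSSEAttestor
+
+cert, chain []byte
+}
+
+var _ cosign.DSSEAttestor = (*fulcioAttestor)(nil)
+
+// Attest implements `cosign.DSSEAttestor`
+func (fa *fulcioAttestor) DSSEAttest(ctx context.Context, payload io.Reader) (oci.Signature, crypto.PublicKey, error) {
+att, pub, err := fa.inner.DSSEAttest(ctx, payload)
+if err != nil {
+return nil, nil, err
+}
+
+// TODO(dekkagaijin): move the fulcio SignerVerififer logic here
+newAtt, err := mutate.Signature(att, mutate.WithCertChain(fa.cert, fa.chain))
+if err != nil {
+return nil, nil, err
+}
+
+return newAtt, pub, nil
+}
+
+// WrapAttestor returns a `cosign.DSSEAttestor` which leverages Fulcio to create
+// a Cert and Chain for the attestation's signature created by the inner `Attestor`
+func WrapAttestor(inner cosign.DSSEAttestor, cert, chain []byte) cosign.DSSEAttestor {
+return &fulcioAttestor{
+inner: inner,
+cert: cert,
+chain: chain,
+}
+}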
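Review bot: The bytes attached at `mutate.WithCertChain(fa.cert, fa.chain)` are whatever WrapAttestor was handed, with no check that the leaf certificate's subject public key matches the `pub` returned by `fa.inner.DSSEAttest`, so a stale or mismatched cert/chain pair yields an attestation whose embedded certificate cannot verify its own signature and the error surfaces only at verification time. Until the TODO moves the Fulcio request into this type, the contract should at least be stated on WrapAttestor, e.g. `// WrapAttestor attaches cert and chain as given; callers must ensure cert was issued for the key the inner attestor signs with, as no consistency check is performed here.` The method doc on line 52 names the wrong method and should start with the Go convention, `// DSSEAttest implements cosign.DSSEAttestor: it delegates signing to the inner attestor and attaches the configured cert and chain to the result.`; the TODO comment also misspells SignerVerifier. WrapAttestor does not reject a nil inner, which would panic inside DSSEAttest rather than at construction, though that may be an accepted convention elsewhere in the package.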
