diff --git a/go.mod b/go.mod index c4fff554e7..ddba269758 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/Microsoft/hcsshim go 1.21 require ( - github.com/Microsoft/cosesign1go v1.1.0 + github.com/Microsoft/cosesign1go v1.2.0 github.com/Microsoft/didx509go v0.0.3 github.com/Microsoft/go-winio v0.6.2 github.com/blang/semver/v4 v4.0.0 @@ -82,7 +82,7 @@ require ( github.com/lestrrat-go/blackmagic v1.0.2 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect github.com/lestrrat-go/iter v1.0.2 // indirect - github.com/lestrrat-go/jwx v1.2.28 // indirect + github.com/lestrrat-go/jwx v1.2.29 // indirect github.com/lestrrat-go/option v1.0.1 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/moby/docker-image-spec v1.3.1 // indirect @@ -98,7 +98,7 @@ require ( github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/tchap/go-patricia/v2 v2.3.1 // indirect github.com/vbatts/tar-split v0.11.3 // indirect - github.com/veraison/go-cose v1.2.0 // indirect + github.com/veraison/go-cose v1.1.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect diff --git a/go.sum b/go.sum index 6c651614d9..9eeda24b80 100644 --- a/go.sum +++ b/go.sum 
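Review bot: The second go.mod hunk lowers `github.com/veraison/go-cose` from v1.2.0 to v1.1.0 while the direct dependency `cosesign1go` goes up, and nothing in the change explains the downgrade of a signature-verification library. If this is just `go mod tidy` following cosesign1go v1.2.0's own requirement (nothing else in the graph appears to hold v1.2.0), say so in the commit message, and confirm with `go mod why -m github.com/veraison/go-cose` and `govulncheck ./...` that the older release carries no known advisories the build depends on. The vendored hunks further down show what is lost with the downgrade (the COSE Key / key_ops support in key.go and the string-algorithm parsing in algorithm.go), so it is worth stating that hcsshim's COSE_Sign1 verification path does not rely on either. Consider also pinning go-cose as a direct requirement so future tidies cannot silently move it again.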
@@ -4,8 +4,8 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg6
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/Microsoft/cosesign1go v1.1.0 h1:JnHY2wQkIK4HmstaK5rMdM4S83nIC7fJmD1phOLj9qo=
-github.com/Microsoft/cosesign1go v1.1.0/go.mod h1:o+sw7nhlGE6twhfjXQDWmBJO8zmfQXEmCcXEi3zha8I=
+github.com/Microsoft/cosesign1go v1.2.0 h1:Hpj/mI6kP1eBkaOv9XEBRwO+Ju24k8XIo/A+OQyjmlw=
+github.com/Microsoft/cosesign1go v1.2.0/go.mod h1:1La/HcGw19rRLhPW0S6u55K6LKfti+GQSgGCtrfhVe8=
 github.com/Microsoft/didx509go v0.0.3 h1:n/owuFOXVzCEzSyzivMEolKEouBm9G0NrEDgoTekM8A=
 github.com/Microsoft/didx509go v0.0.3/go.mod h1:wWt+iQsLzn3011+VfESzznLIp/Owhuj7rLF7yLglYbk=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -185,8 +185,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx v1.2.28 h1:uadI6o0WpOVrBSf498tRXZIwPpEtLnR9CvqPFXeI5sA=
-github.com/lestrrat-go/jwx v1.2.28/go.mod h1:nF+91HEMh/MYFVwKPl5HHsBGMPscqbQb+8IDQdIazP8=
+github.com/lestrrat-go/jwx v1.2.29 h1:QT0utmUJ4/12rmsVQrJ3u55bycPkKqGYuGT4tyRhxSQ=
+github.com/lestrrat-go/jwx v1.2.29/go.mod h1:hU8k2l6WF0ncx20uQdOmik/Gjg6E3/wIRtXSNFeZuB8=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
@@ -265,8 +265,8 @@ github.com/urfave/cli v1.22.15 h1:nuqt+pdC/KqswQKhETJjo7pvn/k4xMUxgW6liI7XpnM=
 github.com/urfave/cli v1.22.15/go.mod h1:wSan1hmo5zeyLGBjRJbzRTNk8gwoYa2B9n4q9dmRIc0=
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
-github.com/veraison/go-cose v1.2.0 h1:Ok0Hr3GMAf8K/1NB4sV65QGgCiukG1w1QD+H5tmt0Ow=
-github.com/veraison/go-cose v1.2.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
+github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
@@ -312,7 +312,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -342,6 +343,7 @@ golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -375,14 +377,16 @@ golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
 golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
diff --git a/test/go.mod b/test/go.mod
index 011d244632..6f493cbe45 100644
--- a/test/go.mod
+++ b/test/go.mod
@@ -50,7 +50,7 @@ require ( require ( github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect - github.com/Microsoft/cosesign1go v1.1.0 // indirect + github.com/Microsoft/cosesign1go v1.2.0 // indirect github.com/Microsoft/didx509go v0.0.3 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/agnivade/levenshtein v1.1.1 // indirect @@ -85,7 +85,7 @@ require ( github.com/lestrrat-go/blackmagic v1.0.2 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect github.com/lestrrat-go/iter v1.0.2 // indirect - github.com/lestrrat-go/jwx v1.2.28 // indirect + github.com/lestrrat-go/jwx v1.2.29 // indirect github.com/lestrrat-go/option v1.0.1 // indirect github.com/linuxkit/virtsock v0.0.0-20201010232012-f8cee7dfc7a3 // indirect github.com/mattn/go-shellwords v1.0.12 // indirect @@ -102,7 +102,7 @@ require ( github.com/pelletier/go-toml v1.9.5 // indirect github.com/prometheus/client_golang v1.19.1 // indirect github.com/prometheus/client_model v0.6.1 // indirect - github.com/veraison/go-cose v1.2.0 // indirect + github.com/veraison/go-cose v1.1.0 // indirect github.com/vishvananda/netlink v1.2.1-beta.2 // indirect github.com/vishvananda/netns v0.0.4 // indirect github.com/x448/float16 v0.8.4 // indirect diff --git a/test/go.sum b/test/go.sum index 060c1fc92a..b26346ab8e 100644 --- a/test/go.sum +++ b/test/go.sum 
@@ -5,8 +5,8 @@ github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59M
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/Microsoft/cosesign1go v1.1.0 h1:JnHY2wQkIK4HmstaK5rMdM4S83nIC7fJmD1phOLj9qo=
-github.com/Microsoft/cosesign1go v1.1.0/go.mod h1:o+sw7nhlGE6twhfjXQDWmBJO8zmfQXEmCcXEi3zha8I=
+github.com/Microsoft/cosesign1go v1.2.0 h1:Hpj/mI6kP1eBkaOv9XEBRwO+Ju24k8XIo/A+OQyjmlw=
+github.com/Microsoft/cosesign1go v1.2.0/go.mod h1:1La/HcGw19rRLhPW0S6u55K6LKfti+GQSgGCtrfhVe8=
 github.com/Microsoft/didx509go v0.0.3 h1:n/owuFOXVzCEzSyzivMEolKEouBm9G0NrEDgoTekM8A=
 github.com/Microsoft/didx509go v0.0.3/go.mod h1:wWt+iQsLzn3011+VfESzznLIp/Owhuj7rLF7yLglYbk=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -189,8 +189,8 @@ github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZ
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx v1.2.28 h1:uadI6o0WpOVrBSf498tRXZIwPpEtLnR9CvqPFXeI5sA=
-github.com/lestrrat-go/jwx v1.2.28/go.mod h1:nF+91HEMh/MYFVwKPl5HHsBGMPscqbQb+8IDQdIazP8=
+github.com/lestrrat-go/jwx v1.2.29 h1:QT0utmUJ4/12rmsVQrJ3u55bycPkKqGYuGT4tyRhxSQ=
+github.com/lestrrat-go/jwx v1.2.29/go.mod h1:hU8k2l6WF0ncx20uQdOmik/Gjg6E3/wIRtXSNFeZuB8=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
@@ -261,6 +261,7 @@ github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -279,8 +280,8 @@ github.com/urfave/cli v1.19.1/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijb
 github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
-github.com/veraison/go-cose v1.2.0 h1:Ok0Hr3GMAf8K/1NB4sV65QGgCiukG1w1QD+H5tmt0Ow=
-github.com/veraison/go-cose v1.2.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
+github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
 github.com/vishvananda/netlink v1.2.1-beta.2 h1:Llsql0lnQEbHj0I1OuKyp8otXp0r3q0mPkuhwHfStVs=
 github.com/vishvananda/netlink v1.2.1-beta.2/go.mod h1:twkDnbuQxJYemMlGd4JFIcuhgX83tXhKS2B/PRMpOho=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
@@ -322,7 +323,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -350,6 +352,7 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
 golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -381,14 +384,16 @@ golang.org/x/sys v0.0.0-20220906165534-d0df966e6959/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
 golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
diff --git a/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile
index de2f703bc7..8c982132c2 100644
--- a/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile
+++ b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/Makefile
@@ -23,11 +23,29 @@ # will print the new fingerprint of the intermediate cert as part of the did:x509 generated # + +# note test-fail is expected to fail + +AUTOPARSE_CHAIN:=0 +ISSUER_DID:="TestIssuer" +FEED:="TestFeed" +DID_FINGERPRINT:="" + +all: chain.pem cose test-fail test-pass + cose: infra.rego.cose +%.pem: + $(MAKE) -f Makefile.certs chain.pem + +ifeq "$(AUTOPARSE_CHAIN)" "1" +ISSUER_DID = $(shell ./sign1util did-x509 -chain chain.pem -policy cn) +DID_FINGERPRINT = $(shell ./sign1util did-x509 -chain chain.pem -policy cn | cut -d: -f5) +endif + # from these media types have to match containerd. The also need to change and the security policy one ought to be x-ms-ccepolicy-frag # fragment atrifact type = application/x-ms-ccepolicy-frag -# fragment media type = application/cose_x509+rego +# fragment media type = application/cose-x509+rego # Use a local linux build of the tool for the purposes of this Makefile - ie assume using in wsl. # Usually sign1util.exe is a windows exe in /mnt/c/ContainerPlat aka c:\ContainerPlat but that is not certain. @@ -35,9 +53,14 @@ cose: infra.rego.cose sign1util: ../../cmd/sign1util/main.go *.go go build ../../cmd/sign1util -infra.rego.cose: infra.rego.base64 chain.pem leaf.private.pem sign1util - ./sign1util create -algo ES384 -chain chain.pem -claims infra.rego.base64 -key leaf.private.pem -out $@ -issuer TestIssuer -feed TestFeed -salt zero - ./sign1util check -in $@ +#infra.rego.cose: infra.rego chain.pem leaf.private.pem sign1util +# ./sign1util create -algo ES384 -chain chain.pem -claims infra.rego -key leaf.private.pem -out $@ -issuer TestIssuer -feed TestFeed -salt zero +# ./sign1util check -in $@ + +%.rego.cose: %.rego chain.pem leaf.private.pem sign1util + ./sign1util create -algo ES384 -chain chain.pem -claims $< -key leaf.private.pem -out $@ -salt zero \ + -feed $(FEED) -content-type application/unknown+rego \ + -issuer $(ISSUER_DID) print: infra.rego.cose sign1util ./sign1util chain -in $< > tmp.chain.pem 
@@ -51,9 +74,13 @@ show: sign1util didx509: chain.pem sign1util ./sign1util did-x509 -chain chain.pem -i 1 -policy "subject:CN:Test Leaf (DO NOT TRUST)" -verbose +info: chain.pem sign1util + @echo "ISSUER_DID: $(ISSUER_DID)" + @echo "DID_FINGERPRINT: $(DID_FINGERPRINT)" + # for this to pass the did:x509 fingerprint (RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U here) needs to be the one output from make print -did-check: chain.pem infra.rego.cose sign1util - ./sign1util check -in infra.rego.cose -did did:x509:0:sha256:RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U::subject:CN:Test%20Leaf%20%28DO%20NOT%20TRUST%29 +did-check: chain.pem infra.rego.cose sign1util info + ./sign1util check -in infra.rego.cose -did $(ISSUER_DID) # For normal workflow start from the chain.pem, here we'd take the chain from inside the cose sign1 doc, eg to manually confirm it is # as otherwise expected (ie that the issuer DID matches the chain) or to shortcut getting a DID from a cose document. 
@@ -61,13 +88,29 @@ did-check: chain.pem infra.rego.cose sign1util did-from-cose: sign1util infra.rego.cose ./sign1util did-x509 -in infra.rego.cose -policy cn -did-fail-fingerprint: chain.pem sign1util - ./sign1util check -chain chain.pem -in infra.rego.cose -did did:x509:0:sha256:XXXi_nuWegx4NiLaeGabiz36bDUhDDiHEFl8HXMA_4o::subject:CN:Test+Leaf+%28DO+NOT+TRUST%29 +# these test changing the fingerprint/sublect to prove failure when the DID is checked against the chain +# note that since the infra.rego.cose is actually good the first part of the check will report a pass "checkCoseSign1 passed" -did-fail-subject: chain.pem sign1util - ./sign1util check -chain chain.pem -in infra.rego.cose -did did:x509:0:sha256:RgpNsHOK5hPlCAfTtiGY_BcDhFRxQbJnhlxNDhxps6U::subject:CN:Test+XXXX+%28DO+NOT+TRUST%29 +# expect "DID resolvers failed: err: DID verification failed: unexpected certificate fingerprint" +did-fail-fingerprint: chain.pem sign1util infra.rego.cose + ./sign1util check -in infra.rego.cose -did did:x509:0:sha256:XXXi_nuWegx4NiLaeGabiz36bDUhDDiHEFl8HXMA_4o::subject:CN:Test+Leaf+%28DO+NOT+TRUST%29 -did-fail: did-fail-subject did-fail-fingerprint +# expect "DID resolvers failed: err: DID verification failed: invalid subject value: CN=Test XXXX (DO NOT TRUST)" +did-fail-subject: chain.pem sign1util infra.rego.cose + ./sign1util check -in infra.rego.cose -did did:x509:0:sha256:$(DID_FINGERPRINT)::subject:CN:Test+XXXX+%28DO+NOT+TRUST%29 + +did-fail: did-fail-subject did-fail-fingerprint + +# can be confusing +test: test-pass test-fail + +test-all: test + +# positive tests +test-pass: print show didx509 did-check did-from-cose + +# negative tests +test-fail: did-fail # beyond the scope of this repo 
@@ -80,17 +123,10 @@ did-fail: did-fail-subject did-fail-fingerprint # --artifact-type application/x-ms-ccepolicy-frag \ # --manifest-config /dev/null:application/vnd.unknown.config.v1+json \ # --subject ${INFRA_IMAGE} \ -# ./infra.rego.cose:application/cose_x509+rego - -%.pem: - $(MAKE) -f Makefile.certs chain.pem - +# ./infra.rego.cose:application/cose-x509+rego -infra.rego.base64: infra.rego - base64 infra.rego > infra.rego.base64 -test-all: print show didx509 did-check did-from-cose did-fail clean: $(MAKE) -f Makefile.certs $@ - rm -f infra.rego.base64 infra.rego.cose sign1util + rm -f infra.rego.cose sign1util diff --git a/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/bob.rego b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/bob.rego new file mode 100644 index 0000000000..fbc8073f6f --- /dev/null +++ b/vendor/github.com/Microsoft/cosesign1go/pkg/cosesign1/bob.rego 
@@ -0,0 +1,17 @@ +package infra + +svn := "1" +framework_version := "0.1.0" + +containers := [ + { + "command": ["python3","infra.py"], + "env_rules": [{"pattern": "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "strategy": "string", "required": false},{"pattern": "PYTHONUNBUFFERED=1", "strategy": "string", "required": false},{"pattern": "TERM=xterm", "strategy": "string", "required": false}], + "layers": ["37e9dcf799048b7d35ce53584e0984198e1bc3366c3bb5582fd97553d31beb4e","97112ba1d4a2c86c1c15a3e13f606e8fcc0fb1b49154743cadd1f065c42fee5a","1e66649e162d99c4d675d8d8c3af90ece3799b33d24671bc83fe9ea5143daf2f","3413e98a178646d4703ea70b9bff2d4410e606a22062046992cda8c8aedaa387","b99a9ced77c45fc4dc96bac8ea1e4d9bc1d2a66696cc057d3f3cca79dc999702","e7fbe653352d546497c534c629269c4c04f1997f6892bd66c273f0c9753a4de3","04c110e9406d2b57079f1eac4c9c5247747caa3bcaab6d83651de6e7da97cb40","92e50344671ca5a960887b64c545dbc6d5ca3be82d105c486aabbd381db67578","0a91a3c8a3e80e31a0692609a39e74469119ba071cb0c450a04c86a480345484"], + "mounts": [], + "exec_processes": [], + "signals": [], + "allow_elevated": true, + "working_dir": "/infra" + }, +] diff --git a/vendor/github.com/veraison/go-cose/algorithm.go b/vendor/github.com/veraison/go-cose/algorithm.go index 7e68535594..7b95ed72c7 100644 --- a/vendor/github.com/veraison/go-cose/algorithm.go +++ b/vendor/github.com/veraison/go-cose/algorithm.go @@ -2,7 +2,6 @@ package cose import ( "crypto" - "fmt" "strconv" ) @@ -37,12 +36,10 @@ const ( // PureEdDSA by RFC 8152. AlgorithmEd25519 Algorithm = -8 - - // An invalid/unrecognised algorithm. - AlgorithmInvalid Algorithm = 0 ) // Algorithm represents an IANA algorithm entry in the COSE Algorithms registry. +// Algorithms with string values are not supported. // // # See Also // 
@@ -75,35 +72,6 @@ func (a Algorithm) String() string { } } -// MarshalCBOR marshals the Algorithm as a CBOR int. -func (a Algorithm) MarshalCBOR() ([]byte, error) { - return encMode.Marshal(int64(a)) -} - -// UnmarshalCBOR populates the Algorithm from the provided CBOR value (must be -// int or tstr). -func (a *Algorithm) UnmarshalCBOR(data []byte) error { - var raw intOrStr - - if err := raw.UnmarshalCBOR(data); err != nil { - return fmt.Errorf("invalid algorithm value: %w", err) - } - - if raw.IsString() { - v := algorithmFromString(raw.String()) - if v == AlgorithmInvalid { - return fmt.Errorf("unknown algorithm value %q", raw.String()) - } - - *a = v - } else { - v := raw.Int() - *a = Algorithm(v) - } - - return nil -} - // hashFunc returns the hash associated with the algorithm supported by this // library. func (a Algorithm) hashFunc() crypto.Hash { @@ -135,8 +103,3 @@ func computeHash(h crypto.Hash, data []byte) ([]byte, error) { } return hh.Sum(nil), nil } - -// NOTE: there are currently no registered string values for an algorithm. -func algorithmFromString(v string) Algorithm { - return AlgorithmInvalid -} diff --git a/vendor/github.com/veraison/go-cose/common.go b/vendor/github.com/veraison/go-cose/common.go deleted file mode 100644 index 32294a57d7..0000000000 --- a/vendor/github.com/veraison/go-cose/common.go +++ /dev/null 
@@ -1,96 +0,0 @@ -package cose - -import ( - "errors" - "fmt" -) - -// intOrStr is a value that can be either an int or a tstr when serialized to -// CBOR. -type intOrStr struct { - intVal int64 - strVal string - isString bool -} - -func newIntOrStr(v interface{}) *intOrStr { - var ios intOrStr - if err := ios.Set(v); err != nil { - return nil - } - return &ios -} - -func (ios intOrStr) Int() int64 { - return ios.intVal -} - -func (ios intOrStr) String() string { - if ios.IsString() { - return ios.strVal - } - return fmt.Sprint(ios.intVal) -} - -func (ios intOrStr) IsInt() bool { - return !ios.isString -} - -func (ios intOrStr) IsString() bool { - return ios.isString -} - -func (ios intOrStr) Value() interface{} { - if ios.IsInt() { - return ios.intVal - } - - return ios.strVal -} - -func (ios *intOrStr) Set(v interface{}) error { - switch t := v.(type) { - case int64: - ios.intVal = t - ios.strVal = "" - ios.isString = false - case int: - ios.intVal = int64(t) - ios.strVal = "" - ios.isString = false - case string: - ios.strVal = t - ios.intVal = 0 - ios.isString = true - default: - return fmt.Errorf("must be int or string, found %T", t) - } - - return nil -} - -// MarshalCBOR returns the encoded CBOR representation of the intOrString, as -// either int or tstr, depending on the value. If no value has been set, -// intOrStr is encoded as a zero-length tstr. -func (ios intOrStr) MarshalCBOR() ([]byte, error) { - if ios.IsInt() { - return encMode.Marshal(ios.intVal) - } - - return encMode.Marshal(ios.strVal) -} - -// UnmarshalCBOR unmarshals the provided CBOR encoded data (must be an int, -// uint, or tstr). -func (ios *intOrStr) UnmarshalCBOR(data []byte) error { - if len(data) == 0 { - return errors.New("zero length buffer") - } - - var val interface{} - if err := decMode.Unmarshal(data, &val); err != nil { - return err - } - - return ios.Set(val) -} 
diff --git a/vendor/github.com/veraison/go-cose/errors.go b/vendor/github.com/veraison/go-cose/errors.go index 7d1674147d..8c240e2854 100644 --- a/vendor/github.com/veraison/go-cose/errors.go +++ b/vendor/github.com/veraison/go-cose/errors.go @@ -14,8 +14,4 @@ var ( ErrUnavailableHashFunc = errors.New("hash function is not available") ErrVerification = errors.New("verification error") ErrInvalidPubKey = errors.New("invalid public key") - ErrInvalidPrivKey = errors.New("invalid private key") - ErrNotPrivKey = errors.New("not a private key") - ErrSignOpNotSupported = errors.New("sign key_op not supported by key") - ErrVerifyOpNotSupported = errors.New("verify key_op not supported by key") ) diff --git a/vendor/github.com/veraison/go-cose/headers.go b/vendor/github.com/veraison/go-cose/headers.go index 4218eee7a4..7074936f23 100644 --- a/vendor/github.com/veraison/go-cose/headers.go +++ b/vendor/github.com/veraison/go-cose/headers.go @@ -53,8 +53,7 @@ func (h ProtectedHeader) MarshalCBOR() ([]byte, error) { // UnmarshalCBOR decodes a CBOR bstr object into ProtectedHeader. // // ProtectedHeader is an empty_or_serialized_map where -// -// empty_or_serialized_map = bstr .cbor header_map / bstr .size 0 +// empty_or_serialized_map = bstr .cbor header_map / bstr .size 0 func (h *ProtectedHeader) UnmarshalCBOR(data []byte) error { if h == nil { return errors.New("cbor: UnmarshalCBOR on nil ProtectedHeader pointer") @@ -118,17 +117,8 @@ func (h ProtectedHeader) Algorithm() (Algorithm, error) { return Algorithm(alg), nil case int64: return Algorithm(alg), nil - case string: - v := algorithmFromString(alg) - - var err error - if v == AlgorithmInvalid { - err = fmt.Errorf("unknown algorithm value %q", alg) - } - - return v, err default: - return AlgorithmInvalid, ErrInvalidAlgorithm + return 0, ErrInvalidAlgorithm } } 
@@ -222,22 +212,22 @@ func (h *UnprotectedHeader) UnmarshalCBOR(data []byte) error { // // It is represented by CDDL fragments: // -// Headers = ( -// protected : empty_or_serialized_map, -// unprotected : header_map -// ) +// Headers = ( +// protected : empty_or_serialized_map, +// unprotected : header_map +// ) // -// header_map = { -// Generic_Headers, -// * label => values -// } +// header_map = { +// Generic_Headers, +// * label => values +// } // -// label = int / tstr -// values = any +// label = int / tstr +// values = any // -// empty_or_serialized_map = bstr .cbor header_map / bstr .size 0 +// empty_or_serialized_map = bstr .cbor header_map / bstr .size 0 // -// # See Also +// See Also // // https://tools.ietf.org/html/rfc8152#section-3 type Headers struct { @@ -563,7 +553,7 @@ func (discardedCBORMessage) UnmarshalCBOR(data []byte) error { // validateHeaderLabelCBOR validates if all header labels are integers or // strings of a CBOR map object. // -// label = int / tstr +// label = int / tstr // // Reference: https://datatracker.ietf.org/doc/html/rfc8152#section-1.4 func validateHeaderLabelCBOR(data []byte) error { diff --git a/vendor/github.com/veraison/go-cose/key.go b/vendor/github.com/veraison/go-cose/key.go deleted file mode 100644 index 741eaf37e5..0000000000 --- a/vendor/github.com/veraison/go-cose/key.go +++ /dev/null 
@@ -1,802 +0,0 @@ -package cose - -import ( - "crypto" - "crypto/ecdsa" - "crypto/ed25519" - "crypto/elliptic" - "errors" - "fmt" - "math/big" - "strconv" - - cbor "github.com/fxamacker/cbor/v2" -) - -const ( - // An inviald key_op value - KeyOpInvalid KeyOp = 0 - - // The key is used to create signatures. Requires private key fields. - KeyOpSign KeyOp = 1 - - // The key is used for verification of signatures. - KeyOpVerify KeyOp = 2 - - // The key is used for key transport encryption. - KeyOpEncrypt KeyOp = 3 - - // The key is used for key transport decryption. Requires private key fields. - KeyOpDecrypt KeyOp = 4 - - // The key is used for key wrap encryption. - KeyOpWrapKey KeyOp = 5 - - // The key is used for key wrap decryption. - KeyOpUnwrapKey KeyOp = 6 - - // The key is used for deriving keys. Requires private key fields. - KeyOpDeriveKey KeyOp = 7 - - // The key is used for deriving bits not to be used as a key. Requires - // private key fields. - KeyOpDeriveBits KeyOp = 8 - - // The key is used for creating MACs. - KeyOpMACCreate KeyOp = 9 - - // The key is used for validating MACs. - KeyOpMACVerify KeyOp = 10 -) - -// KeyOp represents a key_ops value used to restrict purposes for which a Key -// may be used. -type KeyOp int64 - -// KeyOpFromString returns the KeyOp corresponding to the specified name. -// The values are taken from https://www.rfc-editor.org/rfc/rfc7517#section-4.3 -func KeyOpFromString(val string) (KeyOp, error) { - switch val { - case "sign": - return KeyOpSign, nil - case "verify": - return KeyOpVerify, nil - case "encrypt": - return KeyOpEncrypt, nil - case "decrypt": - return KeyOpDecrypt, nil - case "wrapKey": - return KeyOpWrapKey, nil - case "unwrapKey": - return KeyOpUnwrapKey, nil - case "deriveKey": - return KeyOpDeriveKey, nil - case "deriveBits": - return KeyOpDeriveBits, nil - default: - return KeyOpInvalid, fmt.Errorf("unknown key_ops value %q", val) - } -} - -// String returns a string representation of the KeyType. 
Note does not -// represent a valid value of the corresponding serialized entry, and must not -// be used as such. (The values returned _mostly_ correspond to those accepted -// by KeyOpFromString, except for MAC create/verify, which are not defined by -// RFC7517). -func (ko KeyOp) String() string { - switch ko { - case KeyOpSign: - return "sign" - case KeyOpVerify: - return "verify" - case KeyOpEncrypt: - return "encrypt" - case KeyOpDecrypt: - return "decrypt" - case KeyOpWrapKey: - return "wrapKey" - case KeyOpUnwrapKey: - return "unwrapKey" - case KeyOpDeriveKey: - return "deriveKey" - case KeyOpDeriveBits: - return "deriveBits" - case KeyOpMACCreate: - return "MAC create" - case KeyOpMACVerify: - return "MAC verify" - default: - return "unknown key_op value " + strconv.Itoa(int(ko)) - } -} - -// IsSupported returnns true if the specified value is represents one of the -// key_ops defined in -// https://www.rfc-editor.org/rfc/rfc9052.html#name-cose-key-common-parameters -func (ko KeyOp) IsSupported() bool { - return ko >= 1 && ko <= 10 -} - -// MarshalCBOR marshals the KeyOp as a CBOR int. -func (ko KeyOp) MarshalCBOR() ([]byte, error) { - return encMode.Marshal(int64(ko)) -} - -// UnmarshalCBOR populates the KeyOp from the provided CBOR value (must be int -// or tstr). -func (ko *KeyOp) UnmarshalCBOR(data []byte) error { - var raw intOrStr - - if err := raw.UnmarshalCBOR(data); err != nil { - return fmt.Errorf("invalid key_ops value %w", err) - } - - if raw.IsString() { - v, err := KeyOpFromString(raw.String()) - if err != nil { - return err - } - - *ko = v - } else { - v := raw.Int() - *ko = KeyOp(v) - - if !ko.IsSupported() { - return fmt.Errorf("unknown key_ops value %d", v) - } - } - - return nil -} - -// KeyType identifies the family of keys represented by the associated Key. -// This determines which files within the Key must be set in order for it to be -// valid. 
-type KeyType int64 - -const ( - // Invlaid key type - KeyTypeInvalid KeyType = 0 - // Octet Key Pair - KeyTypeOKP KeyType = 1 - // Elliptic Curve Keys w/ x- and y-coordinate pair - KeyTypeEC2 KeyType = 2 - // Symmetric Keys - KeyTypeSymmetric KeyType = 4 -) - -// String returns a string representation of the KeyType. Note does not -// represent a valid value of the corresponding serialized entry, and must -// not be used as such. -func (kt KeyType) String() string { - switch kt { - case KeyTypeOKP: - return "OKP" - case KeyTypeEC2: - return "EC2" - case KeyTypeSymmetric: - return "Symmetric" - default: - return "unknown key type value " + strconv.Itoa(int(kt)) - } -} - -// MarshalCBOR marshals the KeyType as a CBOR int. -func (kt KeyType) MarshalCBOR() ([]byte, error) { - return encMode.Marshal(int(kt)) -} - -// UnmarshalCBOR populates the KeyType from the provided CBOR value (must be -// int or tstr). -func (kt *KeyType) UnmarshalCBOR(data []byte) error { - var raw intOrStr - - if err := raw.UnmarshalCBOR(data); err != nil { - return fmt.Errorf("invalid key type value: %w", err) - } - - if raw.IsString() { - v, err := keyTypeFromString(raw.String()) - - if err != nil { - return err - } - - *kt = v - } else { - v := raw.Int() - - if v == 0 { - // 0 is reserved, and so can never be valid - return fmt.Errorf("invalid key type value 0") - } - - if v > 4 || v < 0 || v == 3 { - return fmt.Errorf("unknown key type value %d", v) - } - - *kt = KeyType(v) - } - - return nil -} - -// NOTE: there are currently no registered string key type values. 
-func keyTypeFromString(v string) (KeyType, error) { - return KeyTypeInvalid, fmt.Errorf("unknown key type value %q", v) -} - -const ( - - // Invalid/unrecognised curve - CurveInvalid Curve = 0 - - // NIST P-256 also known as secp256r1 - CurveP256 Curve = 1 - - // NIST P-384 also known as secp384r1 - CurveP384 Curve = 2 - - // NIST P-521 also known as secp521r1 - CurveP521 Curve = 3 - - // X25519 for use w/ ECDH only - CurveX25519 Curve = 4 - - // X448 for use w/ ECDH only - CurveX448 Curve = 5 - - // Ed25519 for use /w EdDSA only - CurveEd25519 Curve = 6 - - // Ed448 for use /w EdDSA only - CurveEd448 Curve = 7 -) - -// Curve represents the EC2/OKP key's curve. See: -// https://datatracker.ietf.org/doc/html/rfc8152#section-13.1 -type Curve int64 - -// String returns a string representation of the Curve. Note does not -// represent a valid value of the corresponding serialized entry, and must -// not be used as such. -func (c Curve) String() string { - switch c { - case CurveP256: - return "P-256" - case CurveP384: - return "P-384" - case CurveP521: - return "P-521" - case CurveX25519: - return "X25519" - case CurveX448: - return "X448" - case CurveEd25519: - return "Ed25519" - case CurveEd448: - return "Ed448" - default: - return "unknown curve value " + strconv.Itoa(int(c)) - } -} - -// MarshalCBOR marshals the KeyType as a CBOR int. -func (c Curve) MarshalCBOR() ([]byte, error) { - return encMode.Marshal(int(c)) -} - -// UnmarshalCBOR populates the KeyType from the provided CBOR value (must be -// int or tstr). 
-func (c *Curve) UnmarshalCBOR(data []byte) error { - var raw intOrStr - - if err := raw.UnmarshalCBOR(data); err != nil { - return fmt.Errorf("invalid curve value: %w", err) - } - - if raw.IsString() { - v, err := curveFromString(raw.String()) - - if err != nil { - return err - } - - *c = v - } else { - v := raw.Int() - - if v < 1 || v > 7 { - return fmt.Errorf("unknown curve value %d", v) - } - - *c = Curve(v) - } - - return nil -} - -// NOTE: there are currently no registered string values for curves. -func curveFromString(v string) (Curve, error) { - return CurveInvalid, fmt.Errorf("unknown curve value %q", v) -} - -// Key represents a COSE_Key structure, as defined by RFC8152. -// Note: currently, this does NOT support RFC8230 (RSA algorithms). -type Key struct { - // Common parameters. These are independent of the key type. Only - // KeyType common parameter MUST be set. - - // KeyType identifies the family of keys for this structure, and thus, - // which of the key-type-specific parameters need to be set. - KeyType KeyType `cbor:"1,keyasint"` - // KeyID is the identification value matched to the kid in the message. - KeyID []byte `cbor:"2,keyasint,omitempty"` - // KeyOps can be set to restrict the set of operations that the Key is used for. - KeyOps []KeyOp `cbor:"4,keyasint,omitempty"` - // BaseIV is the Base IV to be xor-ed with Partial IVs. - BaseIV []byte `cbor:"5,keyasint,omitempty"` - - // Algorithm is used to restrict the algorithm that is used with the - // key. If it is set, the application MUST verify that it matches the - // algorithm for which the Key is being used. - Algorithm Algorithm `cbor:"-"` - // Curve is EC identifier -- taken form "COSE Elliptic Curves" IANA registry. - // Populated from keyStruct.RawKeyParam when key type is EC2 or OKP. - Curve Curve `cbor:"-"` - // K is the key value. Populated from keyStruct.RawKeyParam when key - // type is Symmetric. 
- K []byte `cbor:"-"` - - // EC2/OKP params - - // X is the x-coordinate - X []byte `cbor:"-2,keyasint,omitempty"` - // Y is the y-coordinate (sign bits are not supported) - Y []byte `cbor:"-3,keyasint,omitempty"` - // D is the private key - D []byte `cbor:"-4,keyasint,omitempty"` -} - -// NewOKPKey returns a Key created using the provided Octet Key Pair data. -func NewOKPKey(alg Algorithm, x, d []byte) (*Key, error) { - if alg != AlgorithmEd25519 { - return nil, fmt.Errorf("unsupported algorithm %q", alg) - } - - key := &Key{ - KeyType: KeyTypeOKP, - Algorithm: alg, - Curve: CurveEd25519, - X: x, - D: d, - } - return key, key.Validate() -} - -// NewEC2Key returns a Key created using the provided elliptic curve key -// data. -func NewEC2Key(alg Algorithm, x, y, d []byte) (*Key, error) { - var curve Curve - - switch alg { - case AlgorithmES256: - curve = CurveP256 - case AlgorithmES384: - curve = CurveP384 - case AlgorithmES512: - curve = CurveP521 - default: - return nil, fmt.Errorf("unsupported algorithm %q", alg) - } - - key := &Key{ - KeyType: KeyTypeEC2, - Algorithm: alg, - Curve: curve, - X: x, - Y: y, - D: d, - } - return key, key.Validate() -} - -// NewSymmetricKey returns a Key created using the provided Symmetric key -// bytes. -func NewSymmetricKey(k []byte) (*Key, error) { - key := &Key{ - KeyType: KeyTypeSymmetric, - K: k, - } - return key, key.Validate() -} - -// NewKeyFromPublic returns a Key created using the provided crypto.PublicKey -// and Algorithm. 
-func NewKeyFromPublic(alg Algorithm, pub crypto.PublicKey) (*Key, error) { - switch alg { - case AlgorithmES256, AlgorithmES384, AlgorithmES512: - vk, ok := pub.(*ecdsa.PublicKey) - if !ok { - return nil, fmt.Errorf("%v: %w", alg, ErrInvalidPubKey) - } - - return NewEC2Key(alg, vk.X.Bytes(), vk.Y.Bytes(), nil) - case AlgorithmEd25519: - vk, ok := pub.(ed25519.PublicKey) - if !ok { - return nil, fmt.Errorf("%v: %w", alg, ErrInvalidPubKey) - } - - return NewOKPKey(alg, []byte(vk), nil) - default: - return nil, ErrAlgorithmNotSupported - } -} - -// NewKeyFromPrivate returns a Key created using provided crypto.PrivateKey -// and Algorithm. -func NewKeyFromPrivate(alg Algorithm, priv crypto.PrivateKey) (*Key, error) { - switch alg { - case AlgorithmES256, AlgorithmES384, AlgorithmES512: - sk, ok := priv.(*ecdsa.PrivateKey) - if !ok { - return nil, fmt.Errorf("%v: %w", alg, ErrInvalidPrivKey) - } - - return NewEC2Key(alg, sk.X.Bytes(), sk.Y.Bytes(), sk.D.Bytes()) - case AlgorithmEd25519: - sk, ok := priv.(ed25519.PrivateKey) - if !ok { - return nil, fmt.Errorf("%v: %w", alg, ErrInvalidPrivKey) - } - return NewOKPKey(alg, []byte(sk[32:]), []byte(sk[:32])) - default: - return nil, ErrAlgorithmNotSupported - } -} - -// Validate ensures that the parameters set inside the Key are internally -// consistent (e.g., that the key type is appropriate to the curve.) 
-func (k Key) Validate() error { - switch k.KeyType { - case KeyTypeEC2: - switch k.Curve { - case CurveP256, CurveP384, CurveP521: - // ok - default: - return fmt.Errorf( - "EC2 curve must be P-256, P-384, or P-521; found %q", - k.Curve.String(), - ) - } - case KeyTypeOKP: - switch k.Curve { - case CurveX25519, CurveX448, CurveEd25519, CurveEd448: - // ok - default: - return fmt.Errorf( - "OKP curve must be X25519, X448, Ed25519, or Ed448; found %q", - k.Curve.String(), - ) - } - case KeyTypeSymmetric: - default: - return errors.New(k.KeyType.String()) - } - - // If Algorithm is set, it must match the specified key parameters. - if k.Algorithm != AlgorithmInvalid { - expectedAlg, err := k.deriveAlgorithm() - if err != nil { - return err - } - - if k.Algorithm != expectedAlg { - return fmt.Errorf( - "found algorithm %q (expected %q)", - k.Algorithm.String(), - expectedAlg.String(), - ) - } - } - - return nil -} - -type keyalias Key - -type marshaledKey struct { - keyalias - - // RawAlgorithm contains the raw Algorithm value, this is necessary - // because cbor library ignores omitempty on types that implement the - // cbor.Marshaler interface. - RawAlgorithm cbor.RawMessage `cbor:"3,keyasint,omitempty"` - - // RawKeyParam contains the raw CBOR encoded data for the label -1. - // Depending on the KeyType this is used to populate either Curve or K - // below. - RawKeyParam cbor.RawMessage `cbor:"-1,keyasint,omitempty"` -} - -// MarshalCBOR encodes Key into a COSE_Key object. 
-func (k *Key) MarshalCBOR() ([]byte, error) { - tmp := marshaledKey{ - keyalias: keyalias(*k), - } - var err error - - switch k.KeyType { - case KeyTypeSymmetric: - if tmp.RawKeyParam, err = encMode.Marshal(k.K); err != nil { - return nil, err - } - case KeyTypeEC2, KeyTypeOKP: - if tmp.RawKeyParam, err = encMode.Marshal(k.Curve); err != nil { - return nil, err - } - default: - return nil, fmt.Errorf("invalid key type: %q", k.KeyType.String()) - } - - if k.Algorithm != AlgorithmInvalid { - if tmp.RawAlgorithm, err = encMode.Marshal(k.Algorithm); err != nil { - return nil, err - } - } - - return encMode.Marshal(tmp) -} - -// UnmarshalCBOR decodes a COSE_Key object into Key. -func (k *Key) UnmarshalCBOR(data []byte) error { - var tmp marshaledKey - - if err := decMode.Unmarshal(data, &tmp); err != nil { - return err - } - *k = Key(tmp.keyalias) - - if tmp.RawAlgorithm != nil { - if err := decMode.Unmarshal(tmp.RawAlgorithm, &k.Algorithm); err != nil { - return err - } - } - - switch k.KeyType { - case KeyTypeEC2: - if tmp.RawKeyParam == nil { - return errors.New("missing Curve parameter (required for EC2 key type)") - } - - if err := decMode.Unmarshal(tmp.RawKeyParam, &k.Curve); err != nil { - return err - } - case KeyTypeOKP: - if tmp.RawKeyParam == nil { - return errors.New("missing Curve parameter (required for OKP key type)") - } - - if err := decMode.Unmarshal(tmp.RawKeyParam, &k.Curve); err != nil { - return err - } - case KeyTypeSymmetric: - if tmp.RawKeyParam == nil { - return errors.New("missing K parameter (required for Symmetric key type)") - } - - if err := decMode.Unmarshal(tmp.RawKeyParam, &k.K); err != nil { - return err - } - default: - // this should not be reachable as KeyType.UnmarshalCBOR would - // result in an error during decMode.Unmarshal() above, if the - // value in the data doesn't correspond to one of the above - // types. 
- return fmt.Errorf("unexpected key type %q", k.KeyType.String()) - } - - return k.Validate() -} - -// PublicKey returns a crypto.PublicKey generated using Key's parameters. -func (k *Key) PublicKey() (crypto.PublicKey, error) { - alg, err := k.deriveAlgorithm() - if err != nil { - return nil, err - } - - switch alg { - case AlgorithmES256, AlgorithmES384, AlgorithmES512: - var curve elliptic.Curve - - switch alg { - case AlgorithmES256: - curve = elliptic.P256() - case AlgorithmES384: - curve = elliptic.P384() - case AlgorithmES512: - curve = elliptic.P521() - } - - pub := &ecdsa.PublicKey{Curve: curve, X: new(big.Int), Y: new(big.Int)} - pub.X.SetBytes(k.X) - pub.Y.SetBytes(k.Y) - - return pub, nil - case AlgorithmEd25519: - return ed25519.PublicKey(k.X), nil - default: - return nil, ErrAlgorithmNotSupported - } -} - -// PrivateKey returns a crypto.PrivateKey generated using Key's parameters. -func (k *Key) PrivateKey() (crypto.PrivateKey, error) { - alg, err := k.deriveAlgorithm() - if err != nil { - return nil, err - } - - if len(k.D) == 0 { - return nil, ErrNotPrivKey - } - - switch alg { - case AlgorithmES256, AlgorithmES384, AlgorithmES512: - var curve elliptic.Curve - - switch alg { - case AlgorithmES256: - curve = elliptic.P256() - case AlgorithmES384: - curve = elliptic.P384() - case AlgorithmES512: - curve = elliptic.P521() - } - - priv := &ecdsa.PrivateKey{ - PublicKey: ecdsa.PublicKey{Curve: curve, X: new(big.Int), Y: new(big.Int)}, - D: new(big.Int), - } - priv.X.SetBytes(k.X) - priv.Y.SetBytes(k.Y) - priv.D.SetBytes(k.D) - - return priv, nil - case AlgorithmEd25519: - buf := make([]byte, ed25519.PrivateKeySize) - - copy(buf, k.D) - copy(buf[32:], k.X) - - return ed25519.PrivateKey(buf), nil - default: - return nil, ErrAlgorithmNotSupported - } -} - -// AlgorithmOrDefault returns the Algorithm associated with Key. If Key.Algorithm is -// set, that is what is returned. Otherwise, the algorithm is inferred using -// Key.Curve. 
This method does NOT validate that Key.Algorithm, if set, aligns -// with Key.Curve. -func (k *Key) AlgorithmOrDefault() (Algorithm, error) { - if k.Algorithm != AlgorithmInvalid { - return k.Algorithm, nil - } - - return k.deriveAlgorithm() -} - -// Signer returns a Signer created using Key. -func (k *Key) Signer() (Signer, error) { - if err := k.Validate(); err != nil { - return nil, err - } - - if k.KeyOps != nil { - signFound := false - - for _, kop := range k.KeyOps { - if kop == KeyOpSign { - signFound = true - break - } - } - - if !signFound { - return nil, ErrSignOpNotSupported - } - } - - priv, err := k.PrivateKey() - if err != nil { - return nil, err - } - - alg, err := k.AlgorithmOrDefault() - if err != nil { - return nil, err - } - - var signer crypto.Signer - var ok bool - - switch alg { - case AlgorithmES256, AlgorithmES384, AlgorithmES512: - signer, ok = priv.(*ecdsa.PrivateKey) - if !ok { - return nil, ErrInvalidPrivKey - } - case AlgorithmEd25519: - signer, ok = priv.(ed25519.PrivateKey) - if !ok { - return nil, ErrInvalidPrivKey - } - default: - return nil, ErrAlgorithmNotSupported - } - - return NewSigner(alg, signer) -} - -// Verifier returns a Verifier created using Key. -func (k *Key) Verifier() (Verifier, error) { - if err := k.Validate(); err != nil { - return nil, err - } - - if k.KeyOps != nil { - verifyFound := false - - for _, kop := range k.KeyOps { - if kop == KeyOpVerify { - verifyFound = true - break - } - } - - if !verifyFound { - return nil, ErrVerifyOpNotSupported - } - } - - pub, err := k.PublicKey() - if err != nil { - return nil, err - } - - alg, err := k.AlgorithmOrDefault() - if err != nil { - return nil, err - } - - return NewVerifier(alg, pub) -} - -// deriveAlgorithm derives the intended algorithm for the key from its curve. -// The deriviation is based on the recommendation in RFC8152 that SHA-256 is -// only used with P-256, etc. 
For other combinations, the Algorithm in the Key -// must be explicitly set,so that this derivation is not used. -func (k *Key) deriveAlgorithm() (Algorithm, error) { - switch k.KeyType { - case KeyTypeEC2, KeyTypeOKP: - switch k.Curve { - case CurveP256: - return AlgorithmES256, nil - case CurveP384: - return AlgorithmES384, nil - case CurveP521: - return AlgorithmES512, nil - case CurveEd25519: - return AlgorithmEd25519, nil - default: - return AlgorithmInvalid, fmt.Errorf("unsupported curve %q", k.Curve.String()) - } - default: - // Symmetric algorithms are not supported in the current inmplementation. - return AlgorithmInvalid, fmt.Errorf("unexpected key type %q", k.KeyType.String()) - } -} diff --git a/vendor/modules.txt b/vendor/modules.txt index 57ce53a439..b93bedbbda 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,6 +1,6 @@ # github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 ## explicit; go 1.16 -# github.com/Microsoft/cosesign1go v1.1.0 +# github.com/Microsoft/cosesign1go v1.2.0 ## explicit; go 1.20 github.com/Microsoft/cosesign1go/pkg/cosesign1 # github.com/Microsoft/didx509go v0.0.3 @@ -290,7 +290,7 @@ github.com/lestrrat-go/httpcc ## explicit; go 1.13 github.com/lestrrat-go/iter/arrayiter github.com/lestrrat-go/iter/mapiter -# github.com/lestrrat-go/jwx v1.2.28 +# github.com/lestrrat-go/jwx v1.2.29 ## explicit; go 1.15 github.com/lestrrat-go/jwx/internal/base64 github.com/lestrrat-go/jwx/internal/ecutil @@ -466,7 +466,7 @@ github.com/urfave/cli # github.com/vbatts/tar-split v0.11.3 ## explicit; go 1.15 github.com/vbatts/tar-split/archive/tar -# github.com/veraison/go-cose v1.2.0 +# github.com/veraison/go-cose v1.1.0 ## explicit; go 1.18 github.com/veraison/go-cose # github.com/vishvananda/netlink v1.2.1-beta.2