Support more signature algorithms (kyverno#9102)
* Support more signature algorithms

Signed-off-by: Hongxin Liang <[email protected]>

* Fix codegen

Signed-off-by: Hongxin Liang <[email protected]>

* Fail loudly for unsupported algorithm

Signed-off-by: Hongxin Liang <[email protected]>

* Fix codegen

Signed-off-by: Hongxin Liang <[email protected]>

* Fix more

Signed-off-by: Hongxin Liang <[email protected]>

---------

Signed-off-by: Hongxin Liang <[email protected]>
Co-authored-by: Vishal Choudhary <[email protected]>
Co-authored-by: shuting <[email protected]>
3 people authored Dec 21, 2023
1 parent 9507a65 commit 47cafaa
Showing 11 changed files with 242 additions and 125 deletions.
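--- a/api/kyverno/v1/image_verification_test.go
+++ b/api/kyverno/v1/image_verification_test.go
@@ -126,7 +126,24 @@ func Test_ImageVerification(t *testing.T) {
 },
 },
 {
-name: "valid static key attestor",
+name: "static key invalid signature algorithm attestor",
+subject: ImageVerification{
+ImageReferences: []string{"*"},
+Attestors: []AttestorSet{
+{Entries: []Attestor{{
+Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha1"},
+}}},
+},
+},
+errors: func(i *ImageVerification) field.ErrorList {
+return field.ErrorList{
+field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"),
+i.Attestors[0].Entries[0].Keys, "Invalid signature algorithm provided"),
+}
+},
+},
+{
+name: "valid static key default signature algorithm attestor",
 subject: ImageVerification{
 ImageReferences: []string{"*"},
 Attestors: []AttestorSet{
@@ -136,6 +153,39 @@ func Test_ImageVerification(t *testing.T) {
 },
 },
 },
+{
+name: "valid static key sha224 signature algorithm attestor",
+subject: ImageVerification{
+ImageReferences: []string{"*"},
+Attestors: []AttestorSet{
+{Entries: []Attestor{{
+Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha224"},
+}}},
+},
+},
+},
+{
+name: "valid static key sah256 signature algorithm attestor",
+subject: ImageVerification{
+ImageReferences: []string{"*"},
+Attestors: []AttestorSet{
+{Entries: []Attestor{{
+Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha256"},
+}}},
+},
+},
+},
+{
+name: "valid static key sha384 signature algorithm attestor",
+subject: ImageVerification{
+ImageReferences: []string{"*"},
+Attestors: []AttestorSet{
+{Entries: []Attestor{{
+Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha384"},
+}}},
+},
+},
+},
 {
 name: "invalid keyless attestor",
 subject: ImageVerification{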
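Review bot: The case name on the sha256 entry in the second hunk is misspelled, `name: "valid static key sah256 signature algorithm attestor"`, which makes the case hard to select with `-run` and misleading in failure output; it should read `name: "valid static key sha256 signature algorithm attestor"`. The new cases also leave `sha512` without a positive case even though it stays a supported value, and there is no case for an unsupported algorithm on a `KMS`- or `Secret`-backed attestor, where the Validate hunk in image_verification_types.go on this commit appears to skip the check entirely because `PublicKeys` is empty. Test_ImageVerification starts before the first hunk and continues past the second.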
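--- a/api/kyverno/v1/image_verification_types.go
+++ b/api/kyverno/v1/image_verification_types.go
@@ -28,6 +28,14 @@ const (
 GHCR ImageRegistryCredentialsProvidersType = "github"
 )
 
+var signatureAlgorithmMap = map[string]bool{
+"": true,
+"sha224": true,
+"sha256": true,
+"sha384": true,
+"sha512": true,
+}
+
 // ImageVerification validates that images that match the specified pattern
 // are signed with the supplied public key. Once the image is verified it is
 // mutated to include the SHA digest retrieved during the registration.
@@ -166,7 +174,7 @@ type StaticKeyAttestor struct {
 // (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
 PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"`
 
-// Specify signature algorithm for public keys. Supported values are sha256 and sha512.
+// Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512.
 // +kubebuilder:default=sha256
 SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"`
 
@@ -450,8 +458,10 @@ func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList)
 if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil {
 errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required"))
 }
-if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" {
-errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
+if ska.PublicKeys != "" {
+if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok {
+errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided"))
+}
 }
 return errs
 }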
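Review bot: The algorithm check in the third hunk is still gated on `ska.PublicKeys != ""`, so a StaticKeyAttestor that supplies its key through `KMS` or `Secret` with an unsupported `SignatureAlgorithm` passes policy validation; if the verifier reads SignatureAlgorithm for those key sources as well (not visible in this commit), the outer `if` should be dropped so the policy is rejected at admission rather than failing later at image-verification time. In the first hunk `signatureAlgorithmMap` is a `map[string]bool` whose values are never read (the lookup discards them with `_, ok`), so `map[string]struct{}` states the intent more precisely; either way the declaration needs a comment, for example `// signatureAlgorithmMap is the set of hash algorithms accepted in StaticKeyAttestor.SignatureAlgorithm; "" is accepted because the +kubebuilder:default (sha256) is presumably applied by the API server, not by Validate — confirm.` Validate begins before the third hunk.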
64 changes: 36 additions & 28 deletions charts/kyverno/charts/crds/templates/crds.yaml
Expand Up @@ -9663,7 +9663,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -10120,7 +10120,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -10536,7 +10537,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -14153,7 +14154,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -14639,8 +14641,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -15078,7 +15080,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -18417,7 +18419,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -18863,7 +18865,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -19279,7 +19282,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -22881,7 +22884,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -23367,8 +23371,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -23806,7 +23810,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -27419,7 +27423,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -27876,7 +27880,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -28292,7 +28297,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -31910,7 +31915,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -32396,8 +32402,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -32835,7 +32841,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -36175,7 +36181,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -36621,7 +36627,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -37037,7 +37044,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values are
sha256 and sha512.
sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -40639,7 +40646,8 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and
sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -41125,8 +41133,8 @@ spec:
default: sha256
description: Specify signature
algorithm for public keys.
Supported values are sha256
and sha512.
Supported values are sha224,
sha256, sha384 and sha512.
type: string
type: object
repository:
Expand Down Expand Up @@ -41564,7 +41572,7 @@ spec:
default: sha256
description: Specify signature algorithm
for public keys. Supported values
are sha256 and sha512.
are sha224, sha256, sha384 and sha512.
type: string
type: object
repository:
