fixed the hello-signing workflow with self-generated certificate chain

cmd/notation/cert.go

@@ -103,7 +103,7 @@ func certGenerateTestCommand(opts *certGenerateTestOpts) *cobra.Command {
 	}
 	command := &cobra.Command{
 		Use:   "generate-test [host]...",
-		Short: "Generates a test RSA key and a corresponding self-signed certificate",
+		Short: "Generates a test RSA key and a corresponding self-generated certificate chain",
 		Args: func(cmd *cobra.Command, args []string) error {
 			if len(args) == 0 {
 				return errors.New("missing certificate hosts")

cmd/notation/cert_gen.go

@@ -1,17 +1,14 @@
 package main
 
 import (
-	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
-	"math/big"
-	"net"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/testhelper"
 	"github.com/notaryproject/notation/internal/osutil"
 	"github.com/notaryproject/notation/pkg/config"
 )
@@ -32,12 +29,16 @@ func generateTestCert(opts *certGenerateTestOpts) error {
 		return err
 	}
 
-	// generate self-signed certificate
-	cert, certBytes, err := generateTestSelfSignedCert(key, hosts, opts.expiry)
+	// generate self-created certificate chain
+	rsaRootCertTuple, rootBytes, err := generateTestRootCert(hosts, bits)
 	if err != nil {
 		return err
 	}
-	fmt.Println("generated certificates expiring on", cert.NotAfter.Format(time.RFC3339))
+	rsaLeafCertTuple, leafBytes, err := generateTestLeafCert(&rsaRootCertTuple, key, hosts)
+	if err != nil {
+		return err
+	}
+	fmt.Println("generated certificates expiring on", rsaLeafCertTuple.Cert.NotAfter.Format(time.RFC3339))
 
 	// write private key
 	keyPath := config.KeyPath(name)
@@ -48,7 +49,7 @@ func generateTestCert(opts *certGenerateTestOpts) error {
 
 	// write self-signed certificate
 	certPath := config.CertificatePath(name)
-	if err := osutil.WriteFileWithPermission(certPath, certBytes, 0644, false); err != nil {
+	if err := osutil.WriteFileWithPermission(certPath, append(leafBytes, rootBytes...), 0644, false); err != nil {
 		return fmt.Errorf("failed to write certificate file: %v", err)
 	}
 	fmt.Println("wrote certificate:", certPath)
@@ -91,7 +92,7 @@ func generateTestCert(opts *certGenerateTestOpts) error {
 	return nil
 }
 
-func generateTestKey(bits int) (crypto.Signer, []byte, error) {
+func generateTestKey(bits int) (*rsa.PrivateKey, []byte, error) {
 	key, err := rsa.GenerateKey(rand.Reader, bits)
 	if err != nil {
 		return nil, nil, err
@@ -104,39 +105,22 @@ func generateTestKey(bits int) (crypto.Signer, []byte, error) {
 	return key, keyPEM, nil
 }
 
-func generateTestSelfSignedCert(key crypto.Signer, hosts []string, expiry time.Duration) (*x509.Certificate, []byte, error) {
-	now := time.Now()
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to generate serial number: %v", err)
-	}
-	template := x509.Certificate{
-		SerialNumber: serialNumber,
-		Subject: pkix.Name{
-			CommonName: hosts[0],
-		},
-		NotBefore:             now,
-		NotAfter:              now.Add(expiry),
-		KeyUsage:              x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
-		BasicConstraintsValid: true,
-	}
-	for _, host := range hosts {
-		if ip := net.ParseIP(host); ip != nil {
-			template.IPAddresses = append(template.IPAddresses, ip)
-		} else {
-			template.DNSNames = append(template.DNSNames, host)
-		}
-	}
-	certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
-	if err != nil {
-		return nil, nil, fmt.Errorf("failed to create certificate: %v", err)
-	}
-	cert, err := x509.ParseCertificate(certBytes)
+func generateCertPEM(rsaCertTuple *testhelper.RSACertTuple) []byte {
+	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rsaCertTuple.Cert.Raw})
+}
+
+// generateTestRootCert generates a self-signed root certificate
+func generateTestRootCert(hosts []string, bits int) (testhelper.RSACertTuple, []byte, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, bits)
 	if err != nil {
-		return nil, nil, fmt.Errorf("generated invalid certificate: %v", err)
+		return testhelper.RSACertTuple{}, nil, fmt.Errorf("failed to generate root key: %v", err)
 	}
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
-	return cert, certPEM, nil
+	rsaRootCertTuple := testhelper.GetRSACertTupleWithPK(priv, hosts[0]+" CA", nil)
+	return rsaRootCertTuple, generateCertPEM(&rsaRootCertTuple), nil
+}
+
+// generateTestLeafCert generates the leaf certificate
+func generateTestLeafCert(rsaRootCertTuple *testhelper.RSACertTuple, privateKey *rsa.PrivateKey, hosts []string) (testhelper.RSACertTuple, []byte, error) {
+	rsaLeafCertTuple := testhelper.GetRSACertTupleWithPK(privateKey, hosts[0], rsaRootCertTuple)
+	return rsaLeafCertTuple, generateCertPEM(&rsaLeafCertTuple), nil
 }

cmd/notation/pull.go

@@ -74,7 +74,7 @@ func runPull(command *cobra.Command, opts *pullOpts) error {
 		sigDigest := sigManifest.Blob.Digest
 		if path != "" {
 			outputPath := filepath.Join(path, sigDigest.Encoded()+config.SignatureExtension)
-			sig, err := sigRepo.Get(command.Context(), sigDigest)
+			sig, err := sigRepo.GetBlob(command.Context(), sigDigest)
 			if err != nil {
 				return fmt.Errorf("get signature failure: %v: %v", sigDigest, err)
 			}
@@ -102,7 +102,7 @@ func pullSignatureStrict(ctx context.Context, opts *pullOpts, sigRepo notationre
 		return fmt.Errorf("invalid signature digest: %v", err)
 	}
 
-	sig, err := sigRepo.Get(ctx, sigDigest)
+	sig, err := sigRepo.GetBlob(ctx, sigDigest)
 	if err != nil {
 		return fmt.Errorf("get signature failure: %v: %v", sigDigest, err)
 	}

go.mod

@@ -3,10 +3,10 @@ module github.com/notaryproject/notation
 go 1.18
 
 require (
-	github.com/distribution/distribution/v3 v3.0.0-20210804104954-38ab4c606ee3
+	github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f
 	github.com/docker/docker-credential-helpers v0.6.4
-	github.com/notaryproject/notation-core-go v0.0.0-20220712013708-3c4b3efa03c5
-	github.com/notaryproject/notation-go v0.9.0-alpha.1.0.20220727090134-7af715044cfd
+	github.com/notaryproject/notation-core-go v0.0.0-20220728174113-1d963fd57141
+	github.com/notaryproject/notation-go v0.9.0-alpha.1.0.20220802200409-6312370a3526
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
@@ -19,6 +19,6 @@ require (
 	github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
 	github.com/oras-project/artifacts-spec v1.0.0-rc.2 // indirect
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
-	golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 // indirect
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
+	golang.org/x/sys v0.0.0-20220731174439-a90be440212d // indirect
 )