2 changes: 1 addition & 1 deletion cmd/notation/cert.go
Expand Up @@ -103,7 +103,7 @@ func certGenerateTestCommand(opts *certGenerateTestOpts) *cobra.Command {
}
command := &cobra.Command{
Use: "generate-test [host]...",
Short: "Generates a test RSA key and a corresponding self-signed certificate",
Short: "Generates a test RSA key and a corresponding self-generated certificate chain",
Args: func(cmd *cobra.Command, args []string) error {
if len(args) == 0 {
return errors.New("missing certificate hosts")
68 changes: 26 additions & 42 deletions cmd/notation/cert_gen.go
@@ -1,17 +1,14 @@
package main

import (
"crypto"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"fmt"
"math/big"
"net"
"time"

"github.com/notaryproject/notation-core-go/testhelper"
"github.com/notaryproject/notation/internal/osutil"
"github.com/notaryproject/notation/pkg/config"
)
Expand All @@ -32,12 +29,16 @@ func generateTestCert(opts *certGenerateTestOpts) error {
return err
}

// generate self-signed certificate
cert, certBytes, err := generateTestSelfSignedCert(key, hosts, opts.expiry)
// generate self-created certificate chain
rsaRootCertTuple, rootBytes, err := generateTestRootCert(hosts, bits)
if err != nil {
return err
}
fmt.Println("generated certificates expiring on", cert.NotAfter.Format(time.RFC3339))
rsaLeafCertTuple, leafBytes, err := generateTestLeafCert(&rsaRootCertTuple, key, hosts)
if err != nil {
return err
}
fmt.Println("generated certificates expiring on", rsaLeafCertTuple.Cert.NotAfter.Format(time.RFC3339))

// write private key
keyPath := config.KeyPath(name)
Expand All @@ -48,7 +49,7 @@ func generateTestCert(opts *certGenerateTestOpts) error {

// write self-signed certificate
certPath := config.CertificatePath(name)
if err := osutil.WriteFileWithPermission(certPath, certBytes, 0644, false); err != nil {
if err := osutil.WriteFileWithPermission(certPath, append(leafBytes, rootBytes...), 0644, false); err != nil {
return fmt.Errorf("failed to write certificate file: %v", err)
}
fmt.Println("wrote certificate:", certPath)
Expand Down Expand Up @@ -91,7 +92,7 @@ func generateTestCert(opts *certGenerateTestOpts) error {
return nil
}

func generateTestKey(bits int) (crypto.Signer, []byte, error) {
func generateTestKey(bits int) (*rsa.PrivateKey, []byte, error) {
key, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return nil, nil, err
Expand All @@ -104,39 +105,22 @@ func generateTestKey(bits int) (crypto.Signer, []byte, error) {
return key, keyPEM, nil
}

func generateTestSelfSignedCert(key crypto.Signer, hosts []string, expiry time.Duration) (*x509.Certificate, []byte, error) {
now := time.Now()
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, nil, fmt.Errorf("failed to generate serial number: %v", err)
}
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
CommonName: hosts[0],
},
NotBefore: now,
NotAfter: now.Add(expiry),
KeyUsage: x509.KeyUsageDigitalSignature,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
BasicConstraintsValid: true,
}
for _, host := range hosts {
if ip := net.ParseIP(host); ip != nil {
template.IPAddresses = append(template.IPAddresses, ip)
} else {
template.DNSNames = append(template.DNSNames, host)
}
}
certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
if err != nil {
return nil, nil, fmt.Errorf("failed to create certificate: %v", err)
}
cert, err := x509.ParseCertificate(certBytes)
func generateCertPEM(rsaCertTuple *testhelper.RSACertTuple) []byte {
return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rsaCertTuple.Cert.Raw})
}

// generateTestRootCert generates a self-signed root certificate
func generateTestRootCert(hosts []string, bits int) (testhelper.RSACertTuple, []byte, error) {
priv, err := rsa.GenerateKey(rand.Reader, bits)
if err != nil {
return nil, nil, fmt.Errorf("generated invalid certificate: %v", err)
return testhelper.RSACertTuple{}, nil, fmt.Errorf("failed to generate root key: %v", err)
}
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes})
return cert, certPEM, nil
rsaRootCertTuple := testhelper.GetRSACertTupleWithPK(priv, hosts[0]+" CA", nil)
return rsaRootCertTuple, generateCertPEM(&rsaRootCertTuple), nil
}

// generateTestLeafCert generates the leaf certificate
func generateTestLeafCert(rsaRootCertTuple *testhelper.RSACertTuple, privateKey *rsa.PrivateKey, hosts []string) (testhelper.RSACertTuple, []byte, error) {
rsaLeafCertTuple := testhelper.GetRSACertTupleWithPK(privateKey, hosts[0], rsaRootCertTuple)
return rsaLeafCertTuple, generateCertPEM(&rsaLeafCertTuple), nil
}
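Review bot: The new leaf certificate silently drops `opts.expiry` and every host after `hosts[0]`: the removed `generateTestSelfSignedCert` set `NotAfter: now.Add(expiry)` and put each host into `DNSNames`/`IPAddresses`, whereas `generateTestLeafCert` forwards only `hosts[0]` as the common name and takes no validity period, so the `generate-test [host]...` contract and any expiry option now have no effect on the certificate that is written. Either rebuild the leaf template locally as before (expiry plus the DNS/IP SAN loop) and sign it with the root key, or reject what is no longer honoured, e.g. `if len(hosts) > 1 { return errors.New("only a single host is supported") }`, rather than emitting a certificate that differs from what the user asked for. Binding production CLI output to `notation-core-go/testhelper` also means the leaf's validity, key usage and EKU are whatever that helper chooses, which is not visible here and may change on a dependency bump; a comment such as `// NOTE: validity and key usage of this chain are fixed by testhelper.GetRSACertTupleWithPK, not by the CLI options` above `generateTestLeafCert` would make that explicit. The root CA private key created in `generateTestRootCert` is discarded after signing, which is fine for a throwaway test chain but should be stated in its doc comment so nobody expects to issue further leaves from it. `generateTestCert` begins before the first hunk of this file.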
4 changes: 2 additions & 2 deletions cmd/notation/pull.go
Expand Up @@ -74,7 +74,7 @@ func runPull(command *cobra.Command, opts *pullOpts) error {
sigDigest := sigManifest.Blob.Digest
if path != "" {
outputPath := filepath.Join(path, sigDigest.Encoded()+config.SignatureExtension)
sig, err := sigRepo.Get(command.Context(), sigDigest)
sig, err := sigRepo.GetBlob(command.Context(), sigDigest)
if err != nil {
return fmt.Errorf("get signature failure: %v: %v", sigDigest, err)
}
Expand Down Expand Up @@ -102,7 +102,7 @@ func pullSignatureStrict(ctx context.Context, opts *pullOpts, sigRepo notationre
return fmt.Errorf("invalid signature digest: %v", err)
}

sig, err := sigRepo.Get(ctx, sigDigest)
sig, err := sigRepo.GetBlob(ctx, sigDigest)
if err != nil {
return fmt.Errorf("get signature failure: %v: %v", sigDigest, err)
}
10 changes: 5 additions & 5 deletions go.mod
Expand Up @@ -3,10 +3,10 @@ module github.com/notaryproject/notation
go 1.18

require (
github.com/distribution/distribution/v3 v3.0.0-20210804104954-38ab4c606ee3
github.com/distribution/distribution/v3 v3.0.0-20220729163034-26163d82560f
github.com/docker/docker-credential-helpers v0.6.4
github.com/notaryproject/notation-core-go v0.0.0-20220712013708-3c4b3efa03c5
github.com/notaryproject/notation-go v0.9.0-alpha.1.0.20220727090134-7af715044cfd
github.com/notaryproject/notation-core-go v0.0.0-20220728174113-1d963fd57141
github.com/notaryproject/notation-go v0.9.0-alpha.1.0.20220802200409-6312370a3526
github.com/opencontainers/go-digest v1.0.0
github.com/spf13/cobra v1.5.0
github.com/spf13/pflag v1.0.5
Expand All @@ -19,6 +19,6 @@ require (
github.com/opencontainers/distribution-spec/specs-go v0.0.0-20220620172159-4ab4752c3b86 // indirect
github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect
github.com/oras-project/artifacts-spec v1.0.0-rc.2 // indirect
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
golang.org/x/sys v0.0.0-20211019181941-9d821ace8654 // indirect
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
golang.org/x/sys v0.0.0-20220731174439-a90be440212d // indirect
)