Try   HackMD

[OLD] Trust Anchors

This is outdated and content has been moved to https://github.com/notaryproject/notaryproject/pull/132

Update trust policy to support verification of OCI artifact signed using publicly trusted codesigning certificates. The certificates issued by CAs that are publicly trusted(abides by CAB forum guidelines and trusted by many operating systems) are referred to as publicly trusted certificates.

Why do we need this change

The user MUST be able to use a codesigning certificate issued from publicly trusted CAs e.g. Digicert, Entrust, Verisign, etc to sign and verify OCI artifacts.

Publicly trusted CAs issue codesigning certificates to various entities from the same CA, the only way for a consumer to verify that the artifact came from a specific publisher is to pin(in trust-policy) on the publisher's signing certificate. Signing certificates have limited validity and it's recommended to rotate keys periodically. If consumer pins on the publisher's signing certificate, the rotation of the publisher's singing certificate will require all consumers to update the trust policy to pin on the new certificate.

Since there can be thousands of consumers for an artifact, asking each and every consumer to update their trust store is not scalable. Thus we need a scalable mechanism where a consumer can reliably trust an artifact signed using a publicly trusted certificate.

PR BEGINS

Trust Policy

{
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "aws-tp",
            "trustStores": [ "PUBLIC_TRUST_TS" ],
            "trustAnchors": [
                    "subject: C=US, ST=WA, L=Seattle, O=acme-rockets.io",
                    "Subject: C=US, ST=WA, L=Seattle, O=wabbit-networks Name, OU=java-client"
            ],
            "expiryValidations": {...},
            "revocationValidations": {...}
        }
    ]
}
  • version(string):
  • trustPolicies(string-object map):
    • trustAnchors(array of strings): This OPTIONAL property specifies a list of elements/attributes of the signing certificate's subject. If present, the collection MUST contain at least one value.

Certificate Anchors Constraints

  • A distinguished name(usually just shortened to "DN") uniquely identifies an entry and in the case of certificate subject DN uniquely identifies the requestor/holder of the certificate. DNs are comprised of zero or more comma-separated components called relative distinguished names, or RDNs. For example, the DN C=US, ST=WA, O=wabbit-network.io, OU=org1"` has four RDNs. RDN consists of an attribute type name followed by an equal sign and the string representation of the corresponding attribute value. However, there are special cases in which it is necessary to escape one or more characters in an RDN. Those cases are:
    • If a value starts or ends with a space, then that space character MUST be escaped as \ .
    • All occurrences of the comma character (,) MUST be escaped as \,.
    • All occurrences of the semicolon character (;) MUST be escaped as \;. This is required for backward compatibility, in case Notary v2 allows anchoring on multiple attributes, ; MUST be used as delimiter.
    • All occurrences of the backslash character (\) MUST be escaped as \\.
  • Signing certificate anchors MUST Support a full and partial list of all the attribute types present in x509 certificate's subject DN.
  • The values of trustAnchors MUST begin with subject: followed by comma-separated one or more RDNs. For example, subject: C=${country}, ST=${state}, L=${locallity}, O={organization}, OU=${organization-unit}, CN=${common-name}.
  • The anchor MUST contain country(CN), state Or province (ST), and organization(O) RDNs. All other RDNs are optional. The minimal anchor is subject: C=${country}, ST=${state}, O={organization},
  • Signing certificate anchors MUST support overlapping values. Signing certificate anchors are considered overlapping if there exists a certificate for which multiple trust anchors evaluate true. For example, the following two certificate anchors are overlapping:
    • subject: C=US, ST=WA, O=wabbit-network.io, OU=org1
    • subject: C=US, ST=WA, O=wabbit-network.io

Signature Evaluation

  1. Validate that the signature envelope format is supported.
  2. Validate the signature envelope integrity.
  3. Validate the signature against trust policy and trust store.
    1. Using the scopes configured in trust policies, get the applicable trust policy. (Implementations might have this value precomputed, added it for completeness)
    2. For the applicable trust policy, validate trust store:
    3. For the applicable trust policy, validate trust anchor (if present):
      1. If trust anchors are present, validate that the signing certificate complies with trustAnchors i.e. the value of subject attributes configured in trustAnchors matches with the value of corresponding attributes in the signing certificate’s subject. If trust anchors are not present continue to step 4.
      2. If the above verification succeeds then continue to the next step else iterate over the next set of trust stores. If all of the trust stores have been evaluated then fail the signature validation and exit.
    4. Validate trust policy:

PR ENDS

FAQ

Q. Why trust anchor is not scoped to a trusted certificate. A. If a user added certificates in the trusted roots, it means they trust those CAs to do the right thing(validations) when issuing certificates thus we don't need to tie trust anchor to trust root.

Q. Why notary v2 supports only certificate subject in trust anchor? A. The Signing certificate's subject can uniquely identify an organization and none of the other mandatory attributes have this capability. Also, the specification is extensible to support other attributes.

References

tags: notary
Last changed by 
Pritesh Bandi
8
395

Read more

Untitled

// Verifier is a generic interface for verifying an artifact.type Verifier interface {// Verify verifies the signature blob signature against the target OCI// artifact with manifest descriptor desc, and returns the outcome upon// successful verification.// If nil signature is present and the verification level is not 'skip',// an error will be returned.Verify(ctx context.Context, desc ocispec.Descriptor, signature []byte, opts VerifierVerifyOptions) (*VerificationOutcome, error)}

Mar 18, 2024
Sign arbitrary data

To support signing of

Oct 28, 2023
Notation Debug Logs

➜ ./notation verify $IMAGE -d Warning: Always sign the artifact using digest(`@sha256:...`) rather than a tag(`:v1`) because tags are mutable and a tag reference can point to a different artifact than the one signed Resolved artifact tag `v1` to digest `sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47` before signing INFO[2022-12-02T13:14:39+08:00] passing a nil signature to check 'skip' level DEBU[2022-12-02T13:14:39+08:00] verify signature against artifact referenced as localhost:5000/net-monitor@sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47 DEBU[2022-12-02T13:14:39+08:00] verification level: &{Name:strict Enforcement:map[authenticTimestamp:enforce authenticity:enforce expiry:enforce integrity:enforce revocation:enforce]} ERRO[2022-12-02T13:14:39+08:00] integrity validation failed. Failure reason: unable to parse the digital signature, error : signature envelope format with media type "" is not supported INFO[2022-12-02T13:14:39+08:00] check over. not 'skip' level DEBU[2022-12-02T13:14:39+08:00] Request URL: "http://localhost:5000/v2/net-monitor/manifests/sha256:cd5eef6b6a6750c9850a8d7b1a5435f35f1a1808d66c74e265f6b7ec290bea47" DEBU[2022-12-02T13:14:39+08:00] Request method: "HEAD"

Mar 14, 2023
[Draft] Verification extensibility

This is a continuation of [Draft] Notation Extensibility for Signing and Verification doc. Requirements The plugin's verification API MUST be signature envelope format agnostic and MUST work seamlessly with different signature envelope formats. If signature needs plugin for verification then the signature MUST convey plugin name and version required for verification. During signature verification, if the required plugin is unavailable then Notary v2 MUST fails the signature verification. :::info PR Begins - This is in early brainstorming stage

Feb 5, 2022
Read more from Pritesh Bandi
Published on HackMD