github.com/boxboat/in-toto-golang@v0.0.3-0.20210303203820-2fa16ecbe6f6/README.md

# in-toto-spiffe Proof Of Concept -- Not for Prod

in-toto is a specification to provide policy and attestations for software supply chains.
Managing the PKI around in-toto has been cited as a major reason for its lack of adoption.
This project aims to provide a non-production proof of concept of integrating SPIRE PKI orchestration
with in-toto build chain attestation.

The integration effort required support for CA-based validation of functionaries. in-toto currently
requires the corresponding public key for each private key used in the build attestation process. This scheme
does not fit the PKI policy of most organizations. Validating signatures based on certificate
constraints allows end users to integrate in-toto with existing enterprise PKI.

## Running the Demo

To run the demo, pull down the source code, install Go, and run `make test-verify`.
This uses openssl to generate a certificate chain.

SPIFFE-compliant leaf certificates are generated with SVIDs corresponding to functionaries. These certificates are consumed
by in-toto to sign link metadata and the layout policy.

During the in-toto verification process, `certificate constraints` are checked to ensure
the build step link metadata was signed with the correct SVID.

## Building

Download the source and run `make build`.

## CLI

```
Usage:
  in-toto [command]

Available Commands:
  help        Help about any command
  record      Creates a signed link metadata file in two steps, in order to provide
              evidence for supply chain steps that cannot be carried out by a single command
  run         Executes the passed command and records paths and hashes of 'materials'
  sign        Provides command line interface to sign in-toto link or layout metadata
  verify      Verify that the software supply chain of the delivered product

Flags:
  -h, --help                              help for in-toto
      --spiffe-workload-api-path string   uds path for spiffe workload api

Use "in-toto [command] --help" for more information about a command.
```

### run

```
Executes the passed command and records paths and hashes of 'materials' (i.e.
files before command execution) and 'products' (i.e. files after command
execution) and stores them together with other information (executed command,
return value, stdout, stderr, ...) to a link metadata file, which is signed
with the passed key. Returns nonzero value on failure and zero otherwise.

Usage:
  in-toto run [flags]

Flags:
  -c, --cert string                 Path to a PEM formatted certificate that corresponds with
                                    the provided key.
  -h, --help                        help for run
  -k, --key string                  Path to a PEM formatted private key file used to sign
                                    the resulting link metadata. (passing one of '--key'
                                    or '--gpg' is required)
      --lstrip-paths stringArray    path prefixes used to left-strip artifact paths before storing
                                    them to the resulting link metadata. If multiple prefixes
                                    are specified, only a single prefix can match the path of
                                    any artifact and that is then left-stripped. All prefixes
                                    are checked to ensure none of them are a left substring
                                    of another.
  -m, --materials stringArray       Paths to files or directories, whose paths and hashes
                                    are stored in the resulting link metadata before the
                                    command is executed. Symlinks are followed.
  -n, --name string                 Name used to associate the resulting link metadata
                                    with the corresponding step defined in an in-toto
                                    layout.
  -d, --output-directory string     directory to store link metadata (default "./")
  -p, --products stringArray        Paths to files or directories, whose paths and hashes
                                    are stored in the resulting link metadata after the
                                    command is executed. Symlinks are followed.

Global Flags:
      --spiffe-workload-api-path string   uds path for spiffe workload api
```

### sign

```
Provides command line interface to sign in-toto link or layout metadata

Usage:
  in-toto sign [flags]

Flags:
  -f, --file string     Path to link or layout file to be signed or verified.
  -h, --help            help for sign
  -k, --key string      Path to PEM formatted private key used to sign the passed
                        root layout's signature(s). Passing exactly one key using
                        '--layout-key' is required.
  -o, --output string   Path to store metadata file to be signed

Global Flags:
      --spiffe-workload-api-path string   uds path for spiffe workload api
```

### verify

```
in-toto-verify is the main verification tool of the suite, and
it is used to verify that the software supply chain of the delivered
product was carried out as defined in the passed in-toto supply chain
layout. Evidence for supply chain steps must be available in the form
of link metadata files named ‘<step name>.<functionary keyid prefix>.link’.

Usage:
  in-toto verify [flags]

Flags:
  -h, --help                          help for verify
  -i, --intermediate-certs strings    Path(s) to PEM formatted certificates, used as intermediaetes to verify
                                      the chain of trust to the layout's trusted root. These will be used in
                                      addition to any intermediates in the layout.
  -l, --layout string                 Path to root layout specifying the software supply chain to be verified
  -k, --layout-keys strings           Path(s) to PEM formatted public key(s), used to verify the passed
                                      root layout's signature(s). Passing at least one key using
                                      '--layout-keys' is required. For each passed key the layout
                                      must carry a valid signature.
  -d, --link-dir string               Path to directory where link metadata files for steps defined in
                                      the root layout should be loaded from. If not passed links are
                                      loaded from the current working directory.

Global Flags:
      --spiffe-workload-api-path string   uds path for spiffe workload api
```

### record

```
Creates a signed link metadata file in two steps, in order to provide
evidence for supply chain steps that cannot be carried out by a single command
(for which ‘in-toto-run’ should be used). It returns a non-zero value on
failure and zero otherwise.

Usage:
  in-toto record [command]

Available Commands:
  start       Creates a preliminary link file recording the paths and hashes of the passed materials and signs it with the passed functionary’s key.
  stop        Records and adds the paths and hashes of the passed products to the link metadata file and updates the signature.

Flags:
  -c, --cert string   Path to a PEM formatted certificate that corresponds with the provided key.
  -h, --help          help for record
  -k, --key string    Path to a private key file to sign the resulting link metadata.
                      The keyid prefix is used as an infix for the link metadata filename,
                      i.e. ‘<name>.<keyid prefix>.link’. See ‘–key-type’ for available
                      formats. Passing one of ‘–key’ or ‘–gpg’ is required.
  -n, --name string   name for the resulting link metadata file.
                      It is also used to associate the link with a step defined
                      in an in-toto layout.

Global Flags:
      --spiffe-workload-api-path string   uds path for spiffe workload api

Use "in-toto record [command] --help" for more information about a command.
```

## Layout Certificate Constraints

Currently only URI and common name constraints are supported:

```
{
  "cert_constraints": [{
    "uris": ["spiffe://example.com/Something"],
    "common_name": "*"
  }, {
    "uris": [],
    "common_name": "Some User"
  }]
}
```

## Certificate Authority

The CA for the signing keys must be included in the layout's `rootcas`. See the example layout below.

## Example Layout

```
{
  "signatures": [
  ],
  "signed": {
    "_type": "layout",
    "expires": "2021-04-03T00:00:00Z",
    "inspect": [],
    "intermediatecas": [],
    "keys": {},
    "readme": "",
    "rootcas": ["-----BEGIN CERTIFICATE-----\nMIIBkTCCATegAwIBAgIBADAKBggqhkjOPQQDAjAdMQswCQYDVQQGEwJVUzEOMAwG\nA1UEChMFU1BJUkUwHhcNMjEwMzAzMTUwMjQzWhcNMjEwNDAyMTUwMjUzWjAdMQsw\nCQYDVQQGEwJVUzEOMAwGA1UEChMFU1BJUkUwWTATBgcqhkjOPQIBBggqhkjOPQMB\nBwNCAAQ3L4PJvxT4hflEMcEcsOuvyvnOkXCH+Z5gCtDW0j6EOIBSCnFvbCf60xdF\n3jfIbVV0OVCGPRQ7QwRd5kP8vM4Jo2gwZjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0T\nAQH/BAUwAwEB/zAdBgNVHQ4EFgQUhH+7do7BgZFg5oNTqTQhVmnfzG0wJAYDVR0R\nBB0wG4YZc3BpZmZlOi8vc3BpcmUuYm94Ym9hdC5pbzAKBggqhkjOPQQDAgNIADBF\nAiAsmHvUqQnni2OijlyCl/XONrY9C+PRjpZrVfYguBenTwIhAKsLAJHHn5MDJV+E\nYzx35oSRRRGTyM3yreDoB9G/JOPi\n-----END CERTIFICATE-----\n"],
    "steps": [
      {
        "_type": "step",
        "cert_constraints": [
          {
            "common_name": "*",
            "uris": [
              "spiffe://spire.boxboat.io/intoto-builder"
            ]
          }
        ],
        "expected_command": [
          "git",
          "clone",
          "https://gitlab.com/boxboat/demos/intoto-spire/go-hello-world"
        ],
        "expected_materials": [
          [
            "DISALLOW",
            "*"
          ]
        ],
        "expected_products": [
          [
            "CREATE",
            "*"
          ]
        ],
        "name": "clone",
        "pubkeys": [],
        "threshold": 1
      },
      {
        "_type": "step",
        "cert_constraints": [
          {
            "common_name": "*",
            "uris": [
              "spiffe://spire.boxboat.io/intoto-builder"
            ]
          }
        ],
        "expected_command": [
          "/bin/sh",
          "-c",
          "trivy --exit-code 0 --no-progress --output ./trivy-scanning-report.json --input ./go-hello-world.tar --format json"
        ],
        "expected_materials": [
          [
            "MATCH",
            "*",
            "WITH",
            "PRODUCTS",
            "FROM",
            "build-image"
          ]
        ],
        "expected_products": [
          [
            "CREATE",
            "trivy-scanning-report.json"
          ]
        ],
        "name": "scan-image",
        "pubkeys": [],
        "threshold": 1
      },
      {
        "_type": "step",
        "cert_constraints": [
          {
            "common_name": "*",
            "uris": [
              "spiffe://spire.boxboat.io/intoto-builder"
            ]
          }
        ],
        "expected_command": [
          "go",
          "build",
          "./..."
        ],
        "expected_materials": [
          [
            "MATCH",
            "*",
            "WITH",
            "PRODUCTS",
            "FROM",
            "clone"
          ],
          [
            "DISALLOW",
            "*"
          ]
        ],
        "expected_products": [
          [
            "CREATE",
            "go-hello-world"
          ],
          [
            "DISALLOW",
            "*"
          ]
        ],
        "name": "build",
        "pubkeys": [],
        "threshold": 1
      },
      {
        "_type": "step",
        "cert_constraints": [
          {
            "common_name": "*",
            "uris": [
              "spiffe://spire.boxboat.io/intoto-builder"
            ]
          }
        ],
        "expected_command": ["/bin/sh", "-c", "docker", "build", ".", "-t", "registry.gitlab.com/boxboat/demos/intoto-spire/go-hello-world", "--iidfile", "image-id", "&&", "docker", "save", "--output", "go-hello-world.tar", "registry.gitlab.com/boxboat/demos/intoto-spire/go-hello-world"],
        "expected_materials": [
          [
            "MATCH",
            "*",
            "WITH",
            "PRODUCTS",
            "FROM",
            "clone"
          ],
          [
            "DISALLOW",
            "*"
          ]
        ],
        "expected_products": [
          [
            "CREATE",
            "image-id"
          ],
          [
            "CREATE",
            "go-hello-world.tar"
          ],
          [
            "DISALLOW",
            "*"
          ]
        ],
        "name": "build-image",
        "pubkeys": [],
        "threshold": 1
      }
    ]
  }
}
```
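The two checks the layout above relies on, a link's signing certificate chaining to one of the layout's `rootcas` and satisfying a step's `cert_constraints` (`common_name`, `uris`), as an added Go example that is not the project's own code. `CheckConstraint` is an assumed reading of those constraint semantics, and `NewTestSVID` is a constructed fixture that stands in for SPIRE-issued certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"slices"
	"time"
)

// CheckConstraint applies one layout "cert_constraints" entry (common_name, uris) to the leaf that signed a
// link: it must chain to a layout rootca, its CN must equal common_name unless that is "*", and every listed
// SVID must be one of its URI SANs. Assumed semantics for this example, not the project's implementation.
func CheckConstraint(commonName string, uris []string, leaf *x509.Certificate, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("leaf does not chain to layout rootcas: %w", err)
	}
	if commonName != "*" && commonName != leaf.Subject.CommonName {
		return fmt.Errorf("CN %q does not satisfy constraint %q", leaf.Subject.CommonName, commonName)
	}
	for _, want := range uris { // every required SVID must appear among the leaf's URI SANs
		if !slices.ContainsFunc(leaf.URIs, func(u *url.URL) bool { return u.String() == want }) {
			return fmt.Errorf("required SVID %q missing from leaf URI SANs", want)
		}
	}
	return nil
}

// NewTestSVID builds a throwaway self-signed CA plus a leaf carrying spiffeID as its URI SAN: a constructed
// stand-in for SPIRE-issued certificates (fixture only, errors are ignored; not project code).
func NewTestSVID(spiffeID, cn string) (*x509.Certificate, *x509.CertPool) {
	parse := func(der []byte, _ error) *x509.Certificate { c, _ := x509.ParseCertificate(der); return c }
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	id, _ := url.Parse(spiffeID)
	nb, na := time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := parse(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)) // self-signed root
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, URIs: []*url.URL{id}}
	leaf := parse(x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)) // issued by that root
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}
```

A leaf issued by a CA that is not in the pool fails the first check before any constraint is compared, which is why the layout must carry the CA in `rootcas`.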