Implement signed images verification (#215)

* [#67] Implement signed images verification
---------

Signed-off-by: Dimitar Dimitrov <[email protected]>

NOTICE.md

@@ -40,6 +40,12 @@ alibaba/pouch (1.3.0)
 * Project: https://github.com/alibaba/pouch
 * Source:  https://github.com/alibaba/pouch/releases/tag/1.3.0
 
+Azure/go-ntlmssp (0.0.0-20221128193559-754e69321358)
+
+* License: MIT License
+* Project: https://github.com/Azure/go-ntlmssp
+* Source:  https://github.com/Azure/go-ntlmssp/tree/754e69321358ada85ce213a4ec971d3e4d1bfdf7
+
 armon/go-metrics (0.0.0-20180917152333-f0300d1749da)
 
 * License: MIT License
@@ -142,6 +148,24 @@ eclipse/paho.mqtt.golang (1.4.1)
 * Project: https://github.com/eclipse/paho.mqtt.golang
 * Source:  https://github.com/eclipse/paho.mqtt.golang/releases/tag/v1.4.1
 
+fxamacker/cbor (2.5.0)
+
+* License: MIT License
+* Project: https://github.com/fxamacker/cbor
+* Source:  https://github.com/fxamacker/cbor/releases/tag/v2.5.0
+
+go-asn1-ber/asn1-ber (1.5.5)
+
+* License: MIT License
+* Project: https://github.com/go-asn1-ber/asn1-ber
+* Source:  https://github.com/go-asn1-ber/asn1-ber/releases/tag/v1.5.5
+
+go-ldap/ldap (3.4.6)
+
+* License: MIT License
+* Project: https://github.com/go-ldap/ldap
+* Source:  https://github.com/go-ldap/ldap/releases/tag/v3.4.6
+
 godbus/dbus (5.0.6)
 
 * License: BSD 2-Clause "Simplified" License
@@ -160,6 +184,12 @@ gogo/protobuf (1.3.2)
 * Project: https://github.com/gogo/protobuf
 * Source:  https://github.com/gogo/protobuf/releases/tag/v1.3.2
 
+golang-jwt/jwt (4.5.0)
+
+* License: MIT License
+* Project: https://github.com/golang-jwt/jwt
+* Source:  https://github.com/golang-jwt/jwt/releases/tag/v4.5.0
+
 golang/mock (1.6.0)
 
 * License: Apache License 2.0
@@ -286,17 +316,29 @@ moby/sys/signal (0.6.0)
 * Project: https://github.com/moby/sys/signal
 * Source:  https://github.com/moby/sys/tree/signal/v0.6.0
 
+notaryproject/notation-core-go (1.0.1)
+
+* License: Apache License 2.0
+* Project: https://github.com/notaryproject/notation-core-go
+* Source:  https://github.com/notaryproject/notation-core-go/releases/tag/v1.0.1
+
+notaryproject/notation-go (1.0.1)
+
+* License: Apache License 2.0
+* Project: https://github.com/notaryproject/notation-go
+* Source:  https://github.com/notaryproject/notation-go/releases/tag/v1.0.1
+
 opencontainers/go-digest (1.0.0)
 
 * License: Apache License 2.0
 * Project: https://github.com/opencontainers/go-digest
 * Source:  https://github.com/opencontainers/go-digest/releases/tag/v1.0.0
 
-opencontainers/image-spec (1.0.3-0.20220114050600-8b9d41f48198)
+opencontainers/image-spec (1.1.0-rc5)
 
 * License: Apache License 2.0
 * Project: https://github.com/opencontainers/image-spec
-* Source:  https://github.com/opencontainers/image-spec/tree/8b9d41f48198a7d6d0a5c1a12dc2d1f7f47fc97f
+* Source:  https://github.com/opencontainers/image-spec/tree/v1.1.0-rc5
 
 opencontainers/runc (1.1.5)
 
@@ -340,17 +382,17 @@ sean-/seed (0.0.0-20170313163322-e2103e2c3529)
 * Project: https://github.com/sean-/seed
 * Source:  https://github.com/sean-/seed/tree/e2103e2c35297fb7e17febb81e49b312087a2372
 
-sirupsen/logrus (v1.9.0)
+sirupsen/logrus (v1.9.3)
 
 * License: MIT License
 * Project: https://github.com/sirupsen/logrus
-* Source:  https://github.com/sirupsen/logrus/releases/tag/v1.9.0
+* Source:  https://github.com/sirupsen/logrus/releases/tag/v1.9.3
 
-spf13/cobra (1.2.1)
+spf13/cobra (1.7.0)
 
 * License: Apache License 2.0
 * Project: https://github.com/spf13/cobra
-* Source:  https://github.com/spf13/cobra/releases/tag/v1.2.1
+* Source:  https://github.com/spf13/cobra/releases/tag/v1.7.0
 
 spf13/pflag (1.0.5)
 
@@ -376,6 +418,12 @@ tklauser/numcpus (0.4.0)
 * Project: https://github.com/tklauser/numcpus
 * Source:  https://github.com/tklauser/numcpus/releases/tag/v0.4.0
 
+veraison/go-cose (1.1.0)
+
+* License: Mozilla Public License 2.0
+* Project: https://github.com/veraison/go-cose
+* Source:  https://github.com/veraison/go-cose/releases/tag/v1.1.0
+
 vishvananda/netlink (v1.2.1-beta.2)
 
 * License: Apache License 2.0
@@ -388,23 +436,35 @@ vishvananda/netns (0.0.0-20210104183010-2eb08e3e575f)
 * Project: https://github.com/vishvananda/netns
 * Source:  https://github.com/vishvananda/netns/tree/2eb08e3e575f00733a612d25cc5d7470f8db6f35
 
+x448/float16 (0.8.4)
+
+* License: MIT License
+* Project: https://github.com/x448/float16
+* Source:  https://github.com/x448/float16/releases/tag/v0.8.4
+
 golang.org/x/crypto (0.14.0)
 
 * License: BSD 3-Clause "New" or "Revised" License
 * Project: https://github.com/golang/crypto
 * Source:  https://github.com/golang/crypto/releases/tag/v0.14.0
 
+golang.org/x/mod (0.13.0)
+
+* License: BSD 3-Clause "New" or "Revised" License
+* Project: https://github.com/golang/mod
+* Source:  https://github.com/golang/net/releases/tag/v0.13.0
+
 golang.org/x/net (0.17.0)
 
 * License: BSD 3-Clause "New" or "Revised" License
 * Project: https://github.com/golang/net
 * Source:  https://github.com/golang/net/releases/tag/v0.17.0
 
-golang.org/x/sync (0.3.0)
+golang.org/x/sync (0.4.0)
 
 * License: BSD 3-Clause "New" or "Revised" License
 * Project: https://github.com/golang/sync
-* Source:  https://github.com/golang/sync/releases/tag/v0.3.0
+* Source:  https://github.com/golang/sync/releases/tag/v0.4.0
 
 golang.org/x/sys (0.13.0)
 
@@ -466,6 +526,12 @@ go-yaml/yaml (3.0.1)
 * Project: https://github.com/go-yaml/yaml
 * Source:  https://github.com/go-yaml/yaml/releases/tag/v3.0.1
 
+oras-project/oras-go (2.3.1)
+
+* License: Apache License 2.0
+* Project: https://github.com/oras-project/oras-go
+* Source:  https://github.com/oras-project/oras-go/releases/tag/v2.3.1
+
 golang/go (1.21.0)
 
 * License: BSD 3-Clause "New" or "Revised" License

containerm/ctr/ctr_client_opts.go

@@ -13,26 +13,29 @@
 package ctr
 
 import (
+	"time"
+
 	"github.com/eclipse-kanto/container-management/containerm/containers/types"
 	"github.com/eclipse-kanto/container-management/containerm/log"
-	"time"
 )
 
 // ContainerOpts represents container engine client's configuration options.
 type ContainerOpts func(ctrOptions *ctrOpts) error
 
 type ctrOpts struct {
-	namespace          string
-	connectionPath     string
-	registryConfigs    map[string]*RegistryConfig
-	rootExec           string
-	metaPath           string
-	imageDecKeys       []string
-	imageDecRecipients []string
-	runcRuntime        types.Runtime
-	imageExpiry        time.Duration
-	imageExpiryDisable bool
-	leaseID            string
+	namespace           string
+	connectionPath      string
+	registryConfigs     map[string]*RegistryConfig
+	rootExec            string
+	metaPath            string
+	imageDecKeys        []string
+	imageDecRecipients  []string
+	runcRuntime         types.Runtime
+	imageExpiry         time.Duration
+	imageExpiryDisable  bool
+	leaseID             string
+	imageVerifierType   VerifierType
+	imageVerifierConfig map[string]string
 }
 
 // RegistryConfig represents a single registry's access configuration.
@@ -156,3 +159,24 @@ func WithCtrdLeaseID(leaseID string) ContainerOpts {
 		return nil
 	}
 }
+
+// WithCtrImageVerifierType sets the image verifier type of the container client instance.
+func WithCtrImageVerifierType(imageVerifierType string) ContainerOpts {
+	return func(ctrOptions *ctrOpts) error {
+		switch imageVerifierType {
+		case string(VerifierNone), string(VerifierNotation):
+			ctrOptions.imageVerifierType = VerifierType(imageVerifierType)
+		default:
+			return log.NewErrorf("unexpected image verifier type = %s", imageVerifierType)
+		}
+		return nil
+	}
+}
+
+// WithCtrImageVerifierConfig sets the image verifier config of the container client instance.
+func WithCtrImageVerifierConfig(imageVerifierConfig map[string]string) ContainerOpts {
+	return func(ctrOptions *ctrOpts) error {
+		ctrOptions.imageVerifierConfig = imageVerifierConfig
+		return nil
+	}
+}

containerm/ctr/ctr_tls_util.go

@@ -16,6 +16,8 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"io/ioutil"
+	"net"
+	"net/http"
 	"path/filepath"
 	"runtime"
 
@@ -111,6 +113,33 @@ func validateTLSConfigFile(file, expectedFileExt string) error {
 	return nil
 }
 
+func getTransport(isInsecure bool, config *TLSConfig, host string) *http.Transport {
+	tlsConfig := createDefaultTLSConfig(isInsecure)
+	if !isInsecure && config != nil {
+		if err := applyLocalTLSConfig(config, tlsConfig); err != nil {
+			log.WarnErr(err, "could not process provided TLS configuration - default will be used for registry host %s", host)
+			tlsConfig = createDefaultTLSConfig(isInsecure)
+		} else {
+			log.Debug("successfully applied TLS configuration for registry host %s", host)
+		}
+	}
+
+	tr := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		DialContext: (&net.Dialer{
+			Timeout:   registryResolverDialContextTimeout,
+			KeepAlive: registryResolverDialContextKeepAlive,
+			DualStack: true,
+		}).DialContext,
+		MaxIdleConns:          registryResolverTransportMaxIdeConns,
+		IdleConnTimeout:       registryResolverTransportIdleConnTimeout,
+		TLSHandshakeTimeout:   registryResolverTransportTLSHandshakeTimeout,
+		TLSClientConfig:       tlsConfig,
+		ExpectContinueTimeout: registryResolverTransportExpectContinueTimeout,
+	}
+	return tr
+}
+
 // excludes cipher suites with security issues
 func supportedCipherSuites() []uint16 {
 	cs := tls.CipherSuites()

containerm/ctr/ctr_verifier.go

@@ -0,0 +1,53 @@
+// Copyright (c) 2023 Contributors to the Eclipse Foundation
+//
+// See the NOTICE file(s) distributed with this work for additional
+// information regarding copyright ownership.
+//
+// This program and the accompanying materials are made available under the
+// terms of the Eclipse Public License 2.0 which is available at
+// https://www.eclipse.org/legal/epl-2.0, or the Apache License, Version 2.0
+// which is available at https://www.apache.org/licenses/LICENSE-2.0.
+//
+// SPDX-License-Identifier: EPL-2.0 OR Apache-2.0
+
+package ctr
+
+import (
+	"context"
+
+	"github.com/eclipse-kanto/container-management/containerm/containers/types"
+	"github.com/eclipse-kanto/container-management/containerm/log"
+)
+
+const (
+	// VerifierNone is a VerifierType denoting that no verification will be performed
+	VerifierNone = VerifierType("none")
+	// VerifierNotation is a VerifierType denoting that verification will be performed with notation
+	VerifierNotation      = VerifierType("notation")
+	notationKeyConfigDir  = "configDir"
+	notationKeyLibexecDir = "libexecDir"
+)
+
+// VerifierType  image verifier type - possible values are none and notation, when set to none image signatures wil not be verified.
+type VerifierType string
+
+type containerVerifier interface {
+	Verify(context.Context, types.Image) error
+}
+
+func newContainerVerifier(verifierType VerifierType, verifierConfig map[string]string, registryConfig map[string]*RegistryConfig) (containerVerifier, error) {
+	switch verifierType {
+	case VerifierNone:
+		return &skipVerifier{}, nil
+	case VerifierNotation:
+		return newNotationVerifier(verifierConfig, registryConfig)
+	default:
+		return nil, log.NewErrorf("unknown verifier type - %s", verifierType)
+	}
+}
+
+type skipVerifier struct{}
+
+func (*skipVerifier) Verify(_ context.Context, _ types.Image) error {
+	return nil
+}