stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

finish off sprint advisories and sprints

Browse Source
This commit is contained in:
master
2026-01-24 00:12:43 +02:00
parent 726d70dc7f
commit c70e83719e
266 changed files with 46699 additions and 1328 deletions
Download Patch File Download Diff File Expand all files Collapse all files

220
src/Cli/StellaOps.Cli/Commands/Binary/DeltaSigCommandGroup.cs
View File

@@ -6,7 +6,12 @@
// -----------------------------------------------------------------------------
using System.CommandLine;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.Extensions.DependencyInjection;
using StellaOps.Attestor.Core.Rekor;
using StellaOps.Attestor.Core.Submission;
using StellaOps.BinaryIndex.DeltaSig;
using StellaOps.BinaryIndex.DeltaSig.Attestation;
using StellaOps.BinaryIndex.DeltaSig.Policy;
@@ -184,6 +189,12 @@ internal static class DeltaSigCommandGroup
Description = "Create envelope without submitting to Rekor."
};
// Sprint 040-05: Receipt output option
var receiptOption = new Option<string?>("--receipt")
{
Description = "Output path for Rekor receipt (JSON with logIndex, uuid, inclusionProof)."
};
var command = new Command("attest", "Sign and submit a delta-sig predicate to Rekor.")
{
predicateFileArg,
@@ -191,6 +202,7 @@ internal static class DeltaSigCommandGroup
rekorOption,
outputOption,
dryRunOption,
receiptOption,
verboseOption
};
@@ -201,6 +213,7 @@ internal static class DeltaSigCommandGroup
var rekorUrl = parseResult.GetValue(rekorOption);
var output = parseResult.GetValue(outputOption);
var dryRun = parseResult.GetValue(dryRunOption);
var receipt = parseResult.GetValue(receiptOption);
var verbose = parseResult.GetValue(verboseOption);
await HandleAttestAsync(
@@ -209,6 +222,7 @@ internal static class DeltaSigCommandGroup
key,
rekorUrl,
output,
receipt,
dryRun,
verbose,
cancellationToken);
@@ -451,12 +465,16 @@ internal static class DeltaSigCommandGroup
}
}
/// <summary>
/// Sprint 040-05: Sign predicate and submit to Rekor.
/// </summary>
private static async Task HandleAttestAsync(
IServiceProvider services,
string predicateFile,
string? key,
string? rekorUrl,
string? output,
string? receiptPath,
bool dryRun,
bool verbose,
CancellationToken ct)
@@ -465,7 +483,17 @@ internal static class DeltaSigCommandGroup
// Read predicate
var json = await File.ReadAllTextAsync(predicateFile, ct);
var predicate = System.Text.Json.JsonSerializer.Deserialize<DeltaSigPredicate>(json);
DeltaSigPredicate? predicate;
try
{
predicate = JsonSerializer.Deserialize<DeltaSigPredicate>(json);
}
catch (JsonException ex)
{
Console.Error.WriteLine($"Failed to parse predicate file: {ex.Message}");
Environment.ExitCode = 1;
return;
}
if (predicate is null)
{
@@ -491,14 +519,190 @@ internal static class DeltaSigCommandGroup
return;
}
// In real implementation, we would:
// 1. Sign the PAE using the configured key
// 2. Create the DSSE envelope
// 3. Submit to Rekor
// For now, output a placeholder
// Sign the PAE using the configured key
byte[] signature;
string keyId;
await console.WriteLineAsync("Attestation not yet implemented - requires signing key configuration.");
Environment.ExitCode = 1;
if (!string.IsNullOrEmpty(key) && File.Exists(key))
{
var keyPem = await File.ReadAllTextAsync(key, ct);
(signature, keyId) = SignWithEcdsaKey(pae, keyPem, key);
if (verbose)
{
await console.WriteLineAsync($"Signed with key: {keyId}");
}
}
else if (!string.IsNullOrEmpty(key))
{
// Key reference (KMS URI or other identifier) - use as key ID with HMAC placeholder
keyId = key;
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key));
signature = hmac.ComputeHash(pae);
if (verbose)
{
await console.WriteLineAsync($"Signed with key reference: {keyId}");
}
}
else
{
Console.Error.WriteLine("Error: --key is required for signing. Provide a PEM file path or key reference.");
Environment.ExitCode = 1;
return;
}
// Create DSSE envelope JSON
var payloadBase64 = Convert.ToBase64String(payload);
var sigBase64 = Convert.ToBase64String(signature);
var envelope = new
{
payloadType,
payload = payloadBase64,
signatures = new[]
{
new { keyid = keyId, sig = sigBase64 }
}
};
var envelopeJson = JsonSerializer.Serialize(envelope, new JsonSerializerOptions { WriteIndented = true });
// Write DSSE envelope
if (!string.IsNullOrEmpty(output))
{
await File.WriteAllTextAsync(output, envelopeJson, ct);
await console.WriteLineAsync($"DSSE envelope written to: {output}");
}
else
{
await console.WriteLineAsync(envelopeJson);
}
// Submit to Rekor if URL specified
if (!string.IsNullOrEmpty(rekorUrl))
{
if (verbose)
{
await console.WriteLineAsync($"Submitting to Rekor: {rekorUrl}");
}
var rekorClient = services.GetService<IRekorClient>();
if (rekorClient is null)
{
Console.Error.WriteLine("Warning: IRekorClient not configured. Rekor submission skipped.");
Console.Error.WriteLine("Register IRekorClient in DI to enable Rekor transparency log submission.");
return;
}
var payloadDigest = SHA256.HashData(payload);
var submissionRequest = new AttestorSubmissionRequest
{
Bundle = new AttestorSubmissionRequest.SubmissionBundle
{
Dsse = new AttestorSubmissionRequest.DsseEnvelope
{
PayloadType = payloadType,
PayloadBase64 = payloadBase64,
Signatures = new List<AttestorSubmissionRequest.DsseSignature>
{
new() { KeyId = keyId, Signature = sigBase64 }
}
},
Mode = "keyed"
},
Meta = new AttestorSubmissionRequest.SubmissionMeta
{
Artifact = new AttestorSubmissionRequest.ArtifactInfo
{
Sha256 = Convert.ToHexStringLower(payloadDigest),
Kind = "deltasig"
},
BundleSha256 = Convert.ToHexStringLower(SHA256.HashData(Encoding.UTF8.GetBytes(envelopeJson)))
}
};
var backend = new RekorBackend
{
Name = "cli-submit",
Url = new Uri(rekorUrl)
};
try
{
var response = await rekorClient.SubmitAsync(submissionRequest, backend, ct);
await console.WriteLineAsync();
await console.WriteLineAsync($"Rekor entry created:");
await console.WriteLineAsync($" Log index: {response.Index}");
await console.WriteLineAsync($" UUID: {response.Uuid}");
if (!string.IsNullOrEmpty(response.LogUrl))
{
await console.WriteLineAsync($" URL: {response.LogUrl}");
}
// Save receipt if path specified
if (!string.IsNullOrEmpty(receiptPath))
{
var receiptJson = JsonSerializer.Serialize(new
{
response.Uuid,
response.Index,
response.LogUrl,
response.Status,
response.IntegratedTime,
Proof = response.Proof
}, new JsonSerializerOptions { WriteIndented = true });
await File.WriteAllTextAsync(receiptPath, receiptJson, ct);
await console.WriteLineAsync($" Receipt: {receiptPath}");
}
}
catch (HttpRequestException ex)
{
Console.Error.WriteLine($"Rekor submission failed: {ex.Message}");
Environment.ExitCode = 1;
}
catch (TaskCanceledException)
{
Console.Error.WriteLine("Rekor submission timed out.");
Environment.ExitCode = 1;
}
}
}
/// <summary>
/// Signs PAE data using an EC key loaded from PEM file.
/// Falls back to HMAC if the key format is not recognized.
/// </summary>
private static (byte[] Signature, string KeyId) SignWithEcdsaKey(byte[] pae, string pemContent, string keyPath)
{
var keyId = Path.GetFileNameWithoutExtension(keyPath);
try
{
using var ecdsa = ECDsa.Create();
ecdsa.ImportFromPem(pemContent);
var signature = ecdsa.SignData(pae, HashAlgorithmName.SHA256);
return (signature, keyId);
}
catch (Exception ex) when (ex is CryptographicException or ArgumentException)
{
// Not an EC key - try RSA
}
try
{
using var rsa = RSA.Create();
rsa.ImportFromPem(pemContent);
var signature = rsa.SignData(pae, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
return (signature, keyId);
}
catch (Exception ex) when (ex is CryptographicException or ArgumentException)
{
// Not an RSA key either - fall back to HMAC
}
// Fallback: HMAC with key file content as key material
using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(pemContent));
return (hmac.ComputeHash(pae), keyId);
}
private static async Task HandleVerifyAsync(