From 58652e30f986e5b06de362dc65c20fddcd5c2570 Mon Sep 17 00:00:00 2001
From: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>
Date: Sun, 3 Oct 2021 15:37:51 -0400
Subject: [PATCH] Multiple fixes: (#442)

1. Switch DSSE provider to go-securesystemslib
2. Update in-toto and use newly renamed SLSA provenance predicate

Signed-off-by: Aditya Sirish <aditya@saky.in>
---
 go.mod                                |  3 ++-
 go.sum                                |  8 ++++++--
 pkg/types/intoto/v0.0.1/entry.go      |  8 ++++----
 pkg/types/intoto/v0.0.1/entry_test.go | 12 ++++++------
 tests/e2e_test.go                     |  7 ++++---
 tests/x509.go                         |  5 +++--
 6 files changed, 25 insertions(+), 18 deletions(-)

diff --git a/go.mod b/go.mod
index 0d6938d..5791c27 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/google/go-cmp v0.5.6
 	github.com/google/rpmpack v0.0.0-20210518075352-dc539ef4f2ea
 	github.com/google/trillian v1.3.14-0.20210713114448-df474653733c
-	github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9
+	github.com/in-toto/in-toto-golang v0.3.2
 	github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
@@ -38,6 +38,7 @@ require (
 	github.com/prometheus/procfs v0.7.1 // indirect
 	github.com/rs/cors v1.8.0
 	github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74
+	github.com/secure-systems-lab/go-securesystemslib v0.1.0
 	github.com/sigstore/sigstore v0.0.0-20210729211320-56a91f560f44
 	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
diff --git a/go.sum b/go.sum
index d2398c4..4b3755f 100644
--- a/go.sum
+++ b/go.sum
@@ -782,8 +782,9 @@ github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:
 github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9 h1:j7klXz5kh0ydPmHkBtJ/Al27G1/au4sH7OkGhkgRJWg=
 github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9/go.mod h1:Skbg04kmfB7IAnEIsspKPg/ny1eiFt/TgPr9SDCHusA=
+github.com/in-toto/in-toto-golang v0.3.2 h1:8qaEsqLzRpdV+XPA1nFCWI2hrE9x+og7QwXhyfOxhVA=
+github.com/in-toto/in-toto-golang v0.3.2/go.mod h1:xhKHGL6hqxBTdADHOnoxyhY5AiKuXfTtN+8SUs7LHTE=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
@@ -1087,6 +1088,8 @@ github.com/sassoftware/relic v0.0.0-20210427151427-dfb082b79b74/go.mod h1:YlB8wF
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sclevine/spec v1.2.0/go.mod h1:W4J29eT/Kzv7/b9IWLB055Z+qvVC9vt0Arko24q7p+U=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
+github.com/secure-systems-lab/go-securesystemslib v0.1.0 h1:wZNQ7t1UTOQtDL/+PBPzxI52gLQGyC7qfXyJh6Lgf1Y=
+github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
@@ -1578,8 +1581,9 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e h1:XMgFehsDnnLGtjvjOfqWSUzt0alpTR1RSEuznObga2c=
 golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3 h1:3Ad41xy2WCESpufXwgs7NpDSu+vjxqLt2UFqUV+20bI=
+golang.org/x/sys v0.0.0-20210909193231-528a39cd75f3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b h1:9zKuko04nR4gjZ4+DNjHqRlAJqbJETHwiNKDqTfOjfE=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
diff --git a/pkg/types/intoto/v0.0.1/entry.go b/pkg/types/intoto/v0.0.1/entry.go
index d62a2dc..6fe25d3 100644
--- a/pkg/types/intoto/v0.0.1/entry.go
+++ b/pkg/types/intoto/v0.0.1/entry.go
@@ -29,7 +29,7 @@ import (
 	"path/filepath"
 
 	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/in-toto/in-toto-golang/pkg/ssl"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/spf13/viper"
 
 	"github.com/go-openapi/strfmt"
@@ -59,7 +59,7 @@ func init() {
 type V001Entry struct {
 	IntotoObj models.IntotoV001Schema
 	keyObj    pki.PublicKey
-	env       ssl.Envelope
+	env       dsse.Envelope
 }
 
 func (v V001Entry) APIVersion() string {
@@ -179,7 +179,7 @@ func (v *V001Entry) validate() error {
 	if err != nil {
 		return err
 	}
-	sslVerifier, err := ssl.NewEnvelopeSigner(&verifier{v: vfr})
+	dsseVerifier, err := dsse.NewEnvelopeSigner(&verifier{v: vfr})
 	if err != nil {
 		return err
 	}
@@ -192,7 +192,7 @@ func (v *V001Entry) validate() error {
 		return err
 	}
 
-	if err := sslVerifier.Verify(&v.env); err != nil {
+	if err := dsseVerifier.Verify(&v.env); err != nil {
 		return err
 	}
 	return nil
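Review bot: `dsseVerifier.Verify(&v.env)` is the only signature check performed on the envelope, and how many of `v.env.Signatures` must validate against `keyObj` for it to pass is left to the library's default acceptance policy rather than stated at the call site; a comment such as `// Verify accepts the envelope per dsse's acceptance policy — TODO confirm against go-securesystemslib v0.1.0 whether one matching signature suffices` would make the policy explicit for anyone reading the rename as a no-op. The earlier hunk in this file builds the verifier with `dsse.NewEnvelopeSigner(&verifier{v: vfr})` and returns its error bare; wrapping it as `return fmt.Errorf("creating dsse verifier: %w", err)` (if fmt is already imported here) would let callers distinguish verifier construction failures from signature verification failures. validate() starts and ends outside the hunk.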
diff --git a/pkg/types/intoto/v0.0.1/entry_test.go b/pkg/types/intoto/v0.0.1/entry_test.go
index 1744d9e..8b695ff 100644
--- a/pkg/types/intoto/v0.0.1/entry_test.go
+++ b/pkg/types/intoto/v0.0.1/entry_test.go
@@ -32,7 +32,7 @@ import (
 
 	"github.com/go-openapi/strfmt"
 	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/in-toto/in-toto-golang/pkg/ssl"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"go.uber.org/goleak"
@@ -64,11 +64,11 @@ func envelope(t *testing.T, k *ecdsa.PrivateKey, payload, payloadType string) st
 	if err != nil {
 		t.Fatal(err)
 	}
-	sslEnv, err := signer.SignPayload([]byte(payload))
+	dsseEnv, err := signer.SignPayload([]byte(payload))
 	if err != nil {
 		t.Fatal(err)
 	}
-	b, err := json.Marshal(sslEnv)
+	b, err := json.Marshal(dsseEnv)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -90,9 +90,9 @@ func TestV001Entry_Unmarshal(t *testing.T) {
 		Type:  "PUBLIC KEY",
 	})
 
-	invalid, err := json.Marshal(ssl.Envelope{
+	invalid, err := json.Marshal(dsse.Envelope{
 		Payload: "hello",
-		Signatures: []ssl.Signature{
+		Signatures: []dsse.Signature{
 			{
 				Sig: string(strfmt.Base64("foobar")),
 			},
@@ -228,7 +228,7 @@ func TestV001Entry_IndexKeys(t *testing.T) {
 			}
 			payload := base64.StdEncoding.EncodeToString(b)
 			v := V001Entry{
-				env: ssl.Envelope{
+				env: dsse.Envelope{
 					Payload:     payload,
 					PayloadType: in_toto.PayloadType,
 				},
diff --git a/tests/e2e_test.go b/tests/e2e_test.go
index bb7dc67..4a2344b 100644
--- a/tests/e2e_test.go
+++ b/tests/e2e_test.go
@@ -13,6 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build e2e
 // +build e2e
 
 package e2e
@@ -46,7 +47,7 @@ import (
 	"github.com/go-openapi/swag"
 	"github.com/google/go-cmp/cmp"
 	"github.com/in-toto/in-toto-golang/in_toto"
-	"github.com/in-toto/in-toto-golang/pkg/ssl"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/rekor/pkg/client"
 	genclient "github.com/sigstore/rekor/pkg/generated/client"
 	"github.com/sigstore/rekor/pkg/generated/client/entries"
@@ -347,7 +348,7 @@ func TestIntoto(t *testing.T) {
 	it := in_toto.ProvenanceStatement{
 		StatementHeader: in_toto.StatementHeader{
 			Type:          in_toto.StatementInTotoV01,
-			PredicateType: in_toto.PredicateProvenanceV01,
+			PredicateType: in_toto.PredicateSLSAProvenanceV01,
 			Subject: []in_toto.Subject{
 				{
 					Name: "foobar",
@@ -374,7 +375,7 @@ func TestIntoto(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	signer, err := ssl.NewEnvelopeSigner(&IntotoSigner{
+	signer, err := dsse.NewEnvelopeSigner(&IntotoSigner{
 		priv: priv.(*ecdsa.PrivateKey),
 	})
 	if err != nil {
diff --git a/tests/x509.go b/tests/x509.go
index 7586108..2b7a13e 100644
--- a/tests/x509.go
+++ b/tests/x509.go
@@ -13,6 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+//go:build e2e
 // +build e2e
 
 package e2e
@@ -29,7 +30,7 @@ import (
 	"io/ioutil"
 	"testing"
 
-	"github.com/in-toto/in-toto-golang/pkg/ssl"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
 
 // Generated with:
@@ -159,7 +160,7 @@ type IntotoSigner struct {
 	priv *ecdsa.PrivateKey
 }
 
-var _ ssl.SignVerifier = &IntotoSigner{}
+var _ dsse.SignVerifier = &IntotoSigner{}
 
 func (it *IntotoSigner) Sign(data []byte) ([]byte, string, error) {
 	h := sha256.Sum256(data)
-- 
GitLab