kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Add verification of image manifest digests

Browse source 
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
This commit is contained in:
Josh Hawn 2015-03-17 23:45:30 -07:00
parent d2cb3af75b
commit 9ececa14ba
4 changed files with 60 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
graph/manifest.go
View file

@ -6,8 +6,10 @@ import (
"fmt" "fmt"
log "github.com/Sirupsen/logrus" log "github.com/Sirupsen/logrus"
"github.com/docker/distribution/digest"
"github.com/docker/docker/engine" "github.com/docker/docker/engine"
"github.com/docker/docker/registry" "github.com/docker/docker/registry"
"github.com/docker/docker/utils"
"github.com/docker/libtrust" "github.com/docker/libtrust"
) )
@ -16,7 +18,7 @@ import (
// contains no signatures by a trusted key for the name in the manifest, the // contains no signatures by a trusted key for the name in the manifest, the
// image is not considered verified. The parsed manifest object and a boolean // image is not considered verified. The parsed manifest object and a boolean
// for whether the manifest is verified is returned. // for whether the manifest is verified is returned.
func (s *TagStore) loadManifest(eng *engine.Engine, manifestBytes []byte) (*registry.ManifestData, bool, error) { func (s *TagStore) loadManifest(eng *engine.Engine, manifestBytes []byte, dgst, ref string) (*registry.ManifestData, bool, error) {
sig, err := libtrust.ParsePrettySignature(manifestBytes, "signatures") sig, err := libtrust.ParsePrettySignature(manifestBytes, "signatures")
if err != nil { if err != nil {
return nil, false, fmt.Errorf("error parsing payload: %s", err) return nil, false, fmt.Errorf("error parsing payload: %s", err)
@ -32,6 +34,31 @@ func (s *TagStore) loadManifest(eng *engine.Engine, manifestBytes []byte) (*regi
return nil, false, fmt.Errorf("error retrieving payload: %s", err) return nil, false, fmt.Errorf("error retrieving payload: %s", err)
} }
var manifestDigest digest.Digest
if dgst != "" {
manifestDigest, err = digest.ParseDigest(dgst)
if err != nil {
return nil, false, fmt.Errorf("invalid manifest digest from registry: %s", err)
}
dgstVerifier, err := digest.NewDigestVerifier(manifestDigest)
if err != nil {
return nil, false, fmt.Errorf("unable to verify manifest digest from registry: %s", err)
}
dgstVerifier.Write(payload)
if !dgstVerifier.Verified() {
computedDigest, _ := digest.FromBytes(payload)
return nil, false, fmt.Errorf("unable to verify manifest digest: registry has %q, computed %q", manifestDigest, computedDigest)
}
}
if utils.DigestReference(ref) && ref != manifestDigest.String() {
return nil, false, fmt.Errorf("mismatching image manifest digest: got %q, expected %q", manifestDigest, ref)
}
var manifest registry.ManifestData var manifest registry.ManifestData
if err := json.Unmarshal(payload, &manifest); err != nil { if err := json.Unmarshal(payload, &manifest); err != nil {
return nil, false, fmt.Errorf("error unmarshalling manifest: %s", err) return nil, false, fmt.Errorf("error unmarshalling manifest: %s", err)

7
graph/pull.go
View file

@ -430,12 +430,15 @@ func (s *TagStore) pullV2Repository(eng *engine.Engine, r *registry.Session, out
func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Writer, endpoint *registry.Endpoint, repoInfo *registry.RepositoryInfo, tag string, sf *utils.StreamFormatter, parallel bool, auth *registry.RequestAuthorization) (bool, error) { func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Writer, endpoint *registry.Endpoint, repoInfo *registry.RepositoryInfo, tag string, sf *utils.StreamFormatter, parallel bool, auth *registry.RequestAuthorization) (bool, error) {
log.Debugf("Pulling tag from V2 registry: %q", tag) log.Debugf("Pulling tag from V2 registry: %q", tag)
manifestBytes, manifestDigest, err := r.GetV2ImageManifest(endpoint, repoInfo.RemoteName, tag, auth) manifestBytes, manifestDigest, err := r.GetV2ImageManifest(endpoint, repoInfo.RemoteName, tag, auth)
if err != nil { if err != nil {
return false, err return false, err
} }
manifest, verified, err := s.loadManifest(eng, manifestBytes) // loadManifest ensures that the manifest payload has the expected digest
// if the tag is a digest reference.
manifest, verified, err := s.loadManifest(eng, manifestBytes, manifestDigest, tag)
if err != nil { if err != nil {
return false, fmt.Errorf("error verifying manifest: %s", err) return false, fmt.Errorf("error verifying manifest: %s", err)
} }
@ -605,7 +608,7 @@ func (s *TagStore) pullV2Tag(eng *engine.Engine, r *registry.Session, out io.Wri
out.Write(sf.FormatStatus(utils.ImageReference(repoInfo.CanonicalName, tag), "The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.")) out.Write(sf.FormatStatus(utils.ImageReference(repoInfo.CanonicalName, tag), "The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security."))
} }
if len(manifestDigest) > 0 { if manifestDigest != "" {
out.Write(sf.FormatStatus("", "Digest: %s", manifestDigest)) out.Write(sf.FormatStatus("", "Digest: %s", manifestDigest))
} }

5
graph/push.go
View file

@ -1,7 +1,6 @@
package graph package graph
import ( import (
"bytes"
"crypto/sha256" "crypto/sha256"
"encoding/json" "encoding/json"
"errors" "errors"
@ -432,15 +431,13 @@ func (s *TagStore) pushV2Repository(r *registry.Session, localRepo Repository, o
log.Infof("Signed manifest for %s:%s using daemon's key: %s", repoInfo.LocalName, tag, s.trustKey.KeyID()) log.Infof("Signed manifest for %s:%s using daemon's key: %s", repoInfo.LocalName, tag, s.trustKey.KeyID())
// push the manifest // push the manifest
digest, err := r.PutV2ImageManifest(endpoint, repoInfo.RemoteName, tag, bytes.NewReader(signedBody), auth) digest, err := r.PutV2ImageManifest(endpoint, repoInfo.RemoteName, tag, signedBody, mBytes, auth)
if err != nil { if err != nil {
return err return err
} }
if len(digest) > 0 {
out.Write(sf.FormatStatus("", "Digest: %s", digest)) out.Write(sf.FormatStatus("", "Digest: %s", digest))
} }
}
return nil return nil
} }

30
registry/session_v2.go
View file

@ -1,6 +1,7 @@
package registry package registry
import ( import (
"bytes"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io" "io"
@ -8,6 +9,7 @@ import (
"strconv" "strconv"
log "github.com/Sirupsen/logrus" log "github.com/Sirupsen/logrus"
"github.com/docker/distribution/digest"
"github.com/docker/docker/registry/v2" "github.com/docker/docker/registry/v2"
"github.com/docker/docker/utils" "github.com/docker/docker/utils"
) )
@ -95,11 +97,12 @@ func (r *Session) GetV2ImageManifest(ep *Endpoint, imageName, tagName string, au
return nil, "", utils.NewHTTPRequestError(fmt.Sprintf("Server error: %d trying to fetch for %s:%s", res.StatusCode, imageName, tagName), res) return nil, "", utils.NewHTTPRequestError(fmt.Sprintf("Server error: %d trying to fetch for %s:%s", res.StatusCode, imageName, tagName), res)
} }
buf, err := ioutil.ReadAll(res.Body) manifestBytes, err := ioutil.ReadAll(res.Body)
if err != nil { if err != nil {
return nil, "", fmt.Errorf("Error while reading the http response: %s", err) return nil, "", fmt.Errorf("Error while reading the http response: %s", err)
} }
return buf, res.Header.Get(DockerDigestHeader), nil
return manifestBytes, res.Header.Get(DockerDigestHeader), nil
} }
// - Succeeded to head image blob (already exists) // - Succeeded to head image blob (already exists)
@ -263,7 +266,7 @@ func (r *Session) PutV2ImageBlob(ep *Endpoint, imageName, sumType, sumStr string
} }
// Finally Push the (signed) manifest of the blobs we've just pushed // Finally Push the (signed) manifest of the blobs we've just pushed
func (r *Session) PutV2ImageManifest(ep *Endpoint, imageName, tagName string, manifestRdr io.Reader, auth *RequestAuthorization) (string, error) { func (r *Session) PutV2ImageManifest(ep *Endpoint, imageName, tagName string, signedManifest, rawManifest []byte, auth *RequestAuthorization) (digest.Digest, error) {
routeURL, err := getV2Builder(ep).BuildManifestURL(imageName, tagName) routeURL, err := getV2Builder(ep).BuildManifestURL(imageName, tagName)
if err != nil { if err != nil {
return "", err return "", err
@ -271,7 +274,7 @@ func (r *Session) PutV2ImageManifest(ep *Endpoint, imageName, tagName string, ma
method := "PUT" method := "PUT"
log.Debugf("[registry] Calling %q %s", method, routeURL) log.Debugf("[registry] Calling %q %s", method, routeURL)
req, err := r.reqFactory.NewRequest(method, routeURL, manifestRdr) req, err := r.reqFactory.NewRequest(method, routeURL, bytes.NewReader(signedManifest))
if err != nil { if err != nil {
return "", err return "", err
} }
@ -297,7 +300,24 @@ func (r *Session) PutV2ImageManifest(ep *Endpoint, imageName, tagName string, ma
return "", utils.NewHTTPRequestError(fmt.Sprintf("Server error: %d trying to push %s:%s manifest", res.StatusCode, imageName, tagName), res) return "", utils.NewHTTPRequestError(fmt.Sprintf("Server error: %d trying to push %s:%s manifest", res.StatusCode, imageName, tagName), res)
} }
return res.Header.Get(DockerDigestHeader), nil hdrDigest, err := digest.ParseDigest(res.Header.Get(DockerDigestHeader))
if err != nil {
return "", fmt.Errorf("invalid manifest digest from registry: %s", err)
}
dgstVerifier, err := digest.NewDigestVerifier(hdrDigest)
if err != nil {
return "", fmt.Errorf("invalid manifest digest from registry: %s", err)
}
dgstVerifier.Write(rawManifest)
if !dgstVerifier.Verified() {
computedDigest, _ := digest.FromBytes(rawManifest)
return "", fmt.Errorf("unable to verify manifest digest: registry has %q, computed %q", hdrDigest, computedDigest)
}
return hdrDigest, nil
} }
type remoteTags struct { type remoteTags struct {