Move manifest package to schema1

As we begin our march towards multi-arch, we must prepare for the reality of multiple manifest schemas. This is the beginning of a set of changes to facilitate this. We are both moving this package into its target position where it may live peacefully next to other manfiest versions. Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-08-20 21:24:30 -07:00 · 2015-08-20 21:24:30 -07:00 · 6712e602b0
commit 6712e602b0
parent 8c3fc2619c
22 changed files with 120 additions and 106 deletions
--- a/manifest/schema1/manifest.go
+++ b/manifest/schema1/manifest.go
@ -0,0 +1,125 @@
+package schema1
+
+import (
+	"encoding/json"
+
+	"github.com/docker/distribution/digest"
+	"github.com/docker/distribution/manifest"
+	"github.com/docker/libtrust"
+)
+
+// TODO(stevvooe): When we rev the manifest format, the contents of this
+// package should be moved to manifest/v1.
+
+const (
+	// ManifestMediaType specifies the mediaType for the current version. Note
+	// that for schema version 1, the the media is optionally
+	// "application/json".
+	ManifestMediaType = "application/vnd.docker.distribution.manifest.v1+json"
+)
+
+var (
+	// SchemaVersion provides a pre-initialized version structure for this
+	// packages version of the manifest.
+	SchemaVersion = manifest.Versioned{
+		SchemaVersion: 1,
+	}
+)
+
+// Manifest provides the base accessible fields for working with V2 image
+// format in the registry.
+type Manifest struct {
+	manifest.Versioned
+
+	// Name is the name of the image's repository
+	Name string `json:"name"`
+
+	// Tag is the tag of the image specified by this manifest
+	Tag string `json:"tag"`
+
+	// Architecture is the host architecture on which this image is intended to
+	// run
+	Architecture string `json:"architecture"`
+
+	// FSLayers is a list of filesystem layer blobSums contained in this image
+	FSLayers []FSLayer `json:"fsLayers"`
+
+	// History is a list of unstructured historical data for v1 compatibility
+	History []History `json:"history"`
+}
+
+// SignedManifest provides an envelope for a signed image manifest, including
+// the format sensitive raw bytes. It contains fields to
+type SignedManifest struct {
+	Manifest
+
+	// Raw is the byte representation of the ImageManifest, used for signature
+	// verification. The value of Raw must be used directly during
+	// serialization, or the signature check will fail. The manifest byte
+	// representation cannot change or it will have to be re-signed.
+	Raw []byte `json:"-"`
+}
+
+// UnmarshalJSON populates a new ImageManifest struct from JSON data.
+func (sm *SignedManifest) UnmarshalJSON(b []byte) error {
+	var manifest Manifest
+	if err := json.Unmarshal(b, &manifest); err != nil {
+		return err
+	}
+
+	sm.Manifest = manifest
+	sm.Raw = make([]byte, len(b), len(b))
+	copy(sm.Raw, b)
+
+	return nil
+}
+
+// Payload returns the raw, signed content of the signed manifest. The
+// contents can be used to calculate the content identifier.
+func (sm *SignedManifest) Payload() ([]byte, error) {
+	jsig, err := libtrust.ParsePrettySignature(sm.Raw, "signatures")
+	if err != nil {
+		return nil, err
+	}
+
+	// Resolve the payload in the manifest.
+	return jsig.Payload()
+}
+
+// Signatures returns the signatures as provided by
+// (*libtrust.JSONSignature).Signatures. The byte slices are opaque jws
+// signatures.
+func (sm *SignedManifest) Signatures() ([][]byte, error) {
+	jsig, err := libtrust.ParsePrettySignature(sm.Raw, "signatures")
+	if err != nil {
+		return nil, err
+	}
+
+	// Resolve the payload in the manifest.
+	return jsig.Signatures()
+}
+
+// MarshalJSON returns the contents of raw. If Raw is nil, marshals the inner
+// contents. Applications requiring a marshaled signed manifest should simply
+// use Raw directly, since the the content produced by json.Marshal will be
+// compacted and will fail signature checks.
+func (sm *SignedManifest) MarshalJSON() ([]byte, error) {
+	if len(sm.Raw) > 0 {
+		return sm.Raw, nil
+	}
+
+	// If the raw data is not available, just dump the inner content.
+	return json.Marshal(&sm.Manifest)
+}
+
+// FSLayer is a container struct for BlobSums defined in an image manifest
+type FSLayer struct {
+	// BlobSum is the tarsum of the referenced filesystem image layer
+	BlobSum digest.Digest `json:"blobSum"`
+}
+
+// History stores unstructured v1 compatibility information
+type History struct {
+	// V1Compatibility is the raw v1 compatibility information
+	V1Compatibility string `json:"v1Compatibility"`
+}
--- a/manifest/schema1/manifest_test.go
+++ b/manifest/schema1/manifest_test.go
@ -0,0 +1,108 @@
+package schema1
+
+import (
+	"bytes"
+	"encoding/json"
+	"reflect"
+	"testing"
+
+	"github.com/docker/libtrust"
+)
+
+type testEnv struct {
+	name, tag string
+	manifest  *Manifest
+	signed    *SignedManifest
+	pk        libtrust.PrivateKey
+}
+
+func TestManifestMarshaling(t *testing.T) {
+	env := genEnv(t)
+
+	// Check that the Raw field is the same as json.MarshalIndent with these
+	// parameters.
+	p, err := json.MarshalIndent(env.signed, "", "   ")
+	if err != nil {
+		t.Fatalf("error marshaling manifest: %v", err)
+	}
+
+	if !bytes.Equal(p, env.signed.Raw) {
+		t.Fatalf("manifest bytes not equal: %q != %q", string(env.signed.Raw), string(p))
+	}
+}
+
+func TestManifestUnmarshaling(t *testing.T) {
+	env := genEnv(t)
+
+	var signed SignedManifest
+	if err := json.Unmarshal(env.signed.Raw, &signed); err != nil {
+		t.Fatalf("error unmarshaling signed manifest: %v", err)
+	}
+
+	if !reflect.DeepEqual(&signed, env.signed) {
+		t.Fatalf("manifests are different after unmarshaling: %v != %v", signed, env.signed)
+	}
+}
+
+func TestManifestVerification(t *testing.T) {
+	env := genEnv(t)
+
+	publicKeys, err := Verify(env.signed)
+	if err != nil {
+		t.Fatalf("error verifying manifest: %v", err)
+	}
+
+	if len(publicKeys) == 0 {
+		t.Fatalf("no public keys found in signature")
+	}
+
+	var found bool
+	publicKey := env.pk.PublicKey()
+	// ensure that one of the extracted public keys matches the private key.
+	for _, candidate := range publicKeys {
+		if candidate.KeyID() == publicKey.KeyID() {
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		t.Fatalf("expected public key, %v, not found in verified keys: %v", publicKey, publicKeys)
+	}
+}
+
+func genEnv(t *testing.T) *testEnv {
+	pk, err := libtrust.GenerateECP256PrivateKey()
+	if err != nil {
+		t.Fatalf("error generating test key: %v", err)
+	}
+
+	name, tag := "foo/bar", "test"
+
+	m := Manifest{
+		Versioned: SchemaVersion,
+		Name:      name,
+		Tag:       tag,
+		FSLayers: []FSLayer{
+			{
+				BlobSum: "asdf",
+			},
+			{
+				BlobSum: "qwer",
+			},
+		},
+	}
+
+	sm, err := Sign(&m, pk)
+	if err != nil {
+		t.Fatalf("error signing manifest: %v", err)
+	}
+
+	return &testEnv{
+		name:     name,
+		tag:      tag,
+		manifest: &m,
+		signed:   sm,
+		pk:       pk,
+	}
+}
--- a/manifest/schema1/sign.go
+++ b/manifest/schema1/sign.go
@ -0,0 +1,66 @@
+package schema1
+
+import (
+	"crypto/x509"
+	"encoding/json"
+
+	"github.com/docker/libtrust"
+)
+
+// Sign signs the manifest with the provided private key, returning a
+// SignedManifest. This typically won't be used within the registry, except
+// for testing.
+func Sign(m *Manifest, pk libtrust.PrivateKey) (*SignedManifest, error) {
+	p, err := json.MarshalIndent(m, "", "   ")
+	if err != nil {
+		return nil, err
+	}
+
+	js, err := libtrust.NewJSONSignature(p)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := js.Sign(pk); err != nil {
+		return nil, err
+	}
+
+	pretty, err := js.PrettySignature("signatures")
+	if err != nil {
+		return nil, err
+	}
+
+	return &SignedManifest{
+		Manifest: *m,
+		Raw:      pretty,
+	}, nil
+}
+
+// SignWithChain signs the manifest with the given private key and x509 chain.
+// The public key of the first element in the chain must be the public key
+// corresponding with the sign key.
+func SignWithChain(m *Manifest, key libtrust.PrivateKey, chain []*x509.Certificate) (*SignedManifest, error) {
+	p, err := json.MarshalIndent(m, "", "   ")
+	if err != nil {
+		return nil, err
+	}
+
+	js, err := libtrust.NewJSONSignature(p)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := js.SignWithChain(key, chain); err != nil {
+		return nil, err
+	}
+
+	pretty, err := js.PrettySignature("signatures")
+	if err != nil {
+		return nil, err
+	}
+
+	return &SignedManifest{
+		Manifest: *m,
+		Raw:      pretty,
+	}, nil
+}
--- a/manifest/schema1/verify.go
+++ b/manifest/schema1/verify.go
@ -0,0 +1,32 @@
+package schema1
+
+import (
+	"crypto/x509"
+
+	"github.com/Sirupsen/logrus"
+	"github.com/docker/libtrust"
+)
+
+// Verify verifies the signature of the signed manifest returning the public
+// keys used during signing.
+func Verify(sm *SignedManifest) ([]libtrust.PublicKey, error) {
+	js, err := libtrust.ParsePrettySignature(sm.Raw, "signatures")
+	if err != nil {
+		logrus.WithField("err", err).Debugf("(*SignedManifest).Verify")
+		return nil, err
+	}
+
+	return js.Verify()
+}
+
+// VerifyChains verifies the signature of the signed manifest against the
+// certificate pool returning the list of verified chains. Signatures without
+// an x509 chain are not checked.
+func VerifyChains(sm *SignedManifest, ca *x509.CertPool) ([][]*x509.Certificate, error) {
+	js, err := libtrust.ParsePrettySignature(sm.Raw, "signatures")
+	if err != nil {
+		return nil, err
+	}
+
+	return js.VerifyChains(ca)
+}