Cosign | Add support for client to configure a proxy to pull signatures

Cargo.toml

@@ -109,7 +109,7 @@ elliptic-curve = { version = "0.13", features = ["arithmetic", "pem"] }
 futures = "0.3"
 futures-util = { version = "0.3", optional = true }
 lazy_static = "1.5"
-oci-distribution = { version = "0.11", default-features = false, optional = true }
+oci-distribution = { default-features = false, optional = true, package = "oci-client", git = "https://github.com/oras-project/rust-oci-client.git", rev = "8be4688" }
 olpc-cjson = { version = "0.1", optional = true }
 openidconnect = { version = "3.5", default-features = false, features = [
   "reqwest",

examples/cosign/verify/main.rs

@@ -24,15 +24,14 @@ use sigstore::errors::SigstoreVerifyConstraintsError;
 use sigstore::registry::{ClientConfig, ClientProtocol, OciReference};
 use sigstore::trust::sigstore::SigstoreTrustRoot;
 use std::time::Instant;
+use std::{collections::BTreeMap, fs};
 
 extern crate anyhow;
 use anyhow::{anyhow, Result};
 
 extern crate clap;
 use clap::Parser;
 
-use std::{collections::HashMap, fs};
-
 extern crate tracing_subscriber;
 use tracing::{info, warn};
 use tracing_subscriber::prelude::*;
@@ -199,7 +198,7 @@ async fn run_app(
     }
 
     if !cli.annotations.is_empty() {
-        let mut values: HashMap<String, String> = HashMap::new();
+        let mut values: BTreeMap<String, String> = BTreeMap::new();
         for annotation in &cli.annotations {
             let tmp: Vec<_> = annotation.splitn(2, '=').collect();
             if tmp.len() == 2 {

src/cosign/client.rs

@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-use std::collections::HashMap;
+use std::collections::BTreeMap;
 use std::ops::Add;
 
 use async_trait::async_trait;
@@ -96,7 +96,7 @@ impl CosignCapabilities for Client {
 
     async fn push_signature(
         &mut self,
-        annotations: Option<HashMap<String, String>>,
+        annotations: Option<BTreeMap<String, String>>,
         auth: &Auth,
         target_reference: &OciReference,
         signature_layers: Vec<SignatureLayer>,
@@ -108,7 +108,7 @@ impl CosignCapabilities for Client {
                     Ok(data) => {
                         let annotations = match &sl.signature {
                             Some(sig) => [(SIGSTORE_SIGNATURE_ANNOTATION.into(), sig.clone())].into(),
-                            None => HashMap::new(),
+                            None => BTreeMap::new(),
                         };
                         let image_layer = oci_distribution::client::ImageLayer::new(data, SIGSTORE_OCI_MEDIA_TYPE.into(), Some(annotations));
                         Some(image_layer)

src/cosign/constraint/annotation.rs

@@ -13,7 +13,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-use std::collections::HashMap;
+use std::collections::{BTreeMap, HashMap};
 
 use serde_json::Value;
 use tracing::warn;
@@ -50,7 +50,7 @@ impl Constraint for AnnotationMarker {
                 warn!(optional = ?opt, "already has an annotation field");
                 opt.extra.clone()
             }
-            None => HashMap::new(),
+            None => BTreeMap::new(),
         };
 
         for (k, v) in &self.annotations {

src/cosign/mod.rs

@@ -36,7 +36,7 @@
 //! In case you want to mock sigstore interactions inside of your own code, you
 //! can implement the [`CosignCapabilities`] trait inside of your test suite.
 
-use std::collections::HashMap;
+use std::collections::BTreeMap;
 
 use async_trait::async_trait;
 use tracing::warn;
@@ -146,7 +146,7 @@ pub trait CosignCapabilities {
     /// - `signature_layers`: [`SignatureLayer`] objects containing signature information
     async fn push_signature(
         &mut self,
-        annotations: Option<HashMap<String, String>>,
+        annotations: Option<BTreeMap<String, String>>,
         auth: &Auth,
         target_reference: &OciReference,
         signature_layers: Vec<SignatureLayer>,
@@ -356,7 +356,7 @@ TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
         let email = "[email protected]".to_string();
         let issuer = "an issuer".to_string();
 
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
         annotations.insert("key1".into(), "value1".into());
         annotations.insert("key2".into(), "value2".into());
 
@@ -369,7 +369,7 @@ TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
             cert_signature.subject = cert_subj;
             sl.certificate_signature = Some(cert_signature);
 
-            let mut extra: HashMap<String, serde_json::Value> = annotations
+            let mut extra: BTreeMap<String, serde_json::Value> = annotations
                 .iter()
                 .map(|(k, v)| (k.clone(), json!(v)))
                 .collect();
@@ -421,7 +421,7 @@ TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
             cert_signature.subject = cert_subj;
             sl.certificate_signature = Some(cert_signature);
 
-            let mut extra: HashMap<String, serde_json::Value> = HashMap::new();
+            let mut extra: BTreeMap<String, serde_json::Value> = BTreeMap::new();
             extra.insert("something extra".into(), json!("value extra"));
 
             let mut simple_signing = sl.simple_signing;
@@ -469,7 +469,7 @@ TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
             cert_signature.subject = cert_subj;
             sl.certificate_signature = Some(cert_signature);
 
-            let mut extra: HashMap<String, serde_json::Value> = HashMap::new();
+            let mut extra: BTreeMap<String, serde_json::Value> = BTreeMap::new();
             extra.insert("something extra".into(), json!("value extra"));
 
             let mut simple_signing = sl.simple_signing;

src/cosign/payload/simple_signing.rs

@@ -21,7 +21,7 @@ use crate::registry::OciReference;
 
 use serde::{Deserialize, Serialize};
 use serde_json::Value;
-use std::{collections::HashMap, fmt};
+use std::{collections::BTreeMap, fmt};
 use tracing::{debug, error, info};
 
 /// Default type name of [`Critical`] when doing cosign signing
@@ -65,7 +65,7 @@ impl SimpleSigning {
     }
 
     /// Checks whether all the provided `annotations` are satisfied
-    pub fn satisfies_annotations(&self, annotations: &HashMap<String, String>) -> bool {
+    pub fn satisfies_annotations(&self, annotations: &BTreeMap<String, String>) -> bool {
         if annotations.is_empty() {
             debug!("no annotations have been provided -> returning true");
             return true;
@@ -128,12 +128,12 @@ pub struct Optional {
     pub timestamp: Option<i64>,
 
     #[serde(flatten)]
-    pub extra: HashMap<String, Value>,
+    pub extra: BTreeMap<String, Value>,
 }
 
 impl Optional {
     /// Checks whether all the provided `annotations` are satisfied
-    pub fn satisfies_annotations(&self, annotations: &HashMap<String, String>) -> bool {
+    pub fn satisfies_annotations(&self, annotations: &BTreeMap<String, String>) -> bool {
         if self.extra.is_empty() {
             info!(?annotations, "Annotations are not satisfied, no annotations are part of the Simple Signing object");
             return false;
@@ -221,7 +221,7 @@ mod tests {
         });
         let ss: SimpleSigning = serde_json::from_value(ss_json).unwrap();
 
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
         annotations.insert(String::from("env"), String::from("prod"));
 
         assert!(!ss.satisfies_annotations(&annotations));
@@ -241,14 +241,14 @@ mod tests {
             }
         });
         let ss: SimpleSigning = serde_json::from_value(ss_json).unwrap();
-        let annotations: HashMap<String, String> = HashMap::new();
+        let annotations: BTreeMap<String, String> = BTreeMap::new();
 
         assert!(ss.satisfies_annotations(&annotations));
     }
 
     #[test]
     fn optional_has_all_the_required_annotations() {
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
         annotations.insert(String::from("env"), String::from("prod"));
         annotations.insert(String::from("number"), String::from("1"));
         annotations.insert(String::from("bool"), String::from("true"));
@@ -265,7 +265,7 @@ mod tests {
 
     #[test]
     fn optional_does_not_satisfy_annotations_because_one_annotation_is_missing() {
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
         annotations.insert(String::from("env"), String::from("prod"));
         annotations.insert(String::from("owner"), String::from("flavio"));
 
@@ -280,7 +280,7 @@ mod tests {
 
     #[test]
     fn optional_does_not_satisfy_annotations_because_one_annotation_has_different_value() {
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
         annotations.insert(String::from("env"), String::from("prod"));
         annotations.insert(String::from("owner"), String::from("flavio"));
 
@@ -296,7 +296,7 @@ mod tests {
 
     #[test]
     fn optional_satisfies_annotations_when_no_annotation_is_provided() {
-        let annotations: HashMap<String, String> = HashMap::new();
+        let annotations: BTreeMap<String, String> = BTreeMap::new();
 
         let optional_json = json!({
             "env": "prod",

src/cosign/signature_layers.rs

@@ -17,7 +17,8 @@ use const_oid::ObjectIdentifier;
 use digest::Digest;
 use oci_distribution::client::ImageLayer;
 use serde::Serialize;
-use std::{collections::HashMap, fmt};
+use std::collections::BTreeMap;
+use std::fmt;
 use tracing::{debug, info, warn};
 use x509_cert::der::DecodePem;
 use x509_cert::ext::pkix::name::GeneralName;
@@ -289,7 +290,7 @@ impl SignatureLayer {
         })
     }
 
-    fn get_signature_from_annotations(annotations: &HashMap<String, String>) -> Result<String> {
+    fn get_signature_from_annotations(annotations: &BTreeMap<String, String>) -> Result<String> {
         let signature: String = annotations
             .get(SIGSTORE_SIGNATURE_ANNOTATION)
             .cloned()
@@ -298,7 +299,7 @@ impl SignatureLayer {
     }
 
     fn get_bundle_from_annotations(
-        annotations: &HashMap<String, String>,
+        annotations: &BTreeMap<String, String>,
         rekor_pub_key: Option<&CosignVerificationKey>,
     ) -> Result<Option<Bundle>> {
         let bundle = match annotations.get(SIGSTORE_BUNDLE_ANNOTATION) {
@@ -315,7 +316,7 @@ impl SignatureLayer {
     }
 
     fn get_certificate_signature_from_annotations(
-        annotations: &HashMap<String, String>,
+        annotations: &BTreeMap<String, String>,
         fulcio_cert_pool: Option<&CertificatePool>,
         bundle: Option<&Bundle>,
     ) -> Option<CertificateSignature> {
@@ -767,7 +768,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
 
     #[test]
     fn get_signature_from_annotations_success() {
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
         annotations.insert(SIGSTORE_SIGNATURE_ANNOTATION.into(), "foo".into());
 
         let actual = SignatureLayer::get_signature_from_annotations(&annotations);
@@ -776,7 +777,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
 
     #[test]
     fn get_signature_from_annotations_failure() {
-        let annotations: HashMap<String, String> = HashMap::new();
+        let annotations: BTreeMap<String, String> = BTreeMap::new();
 
         let actual = SignatureLayer::get_signature_from_annotations(&annotations);
         assert!(actual.is_err());
@@ -790,7 +791,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
         //
         // We care only about the only case not tested: to not
         // fail when no bundle is specified.
-        let annotations: HashMap<String, String> = HashMap::new();
+        let annotations: BTreeMap<String, String> = BTreeMap::new();
         let rekor_pub_key = get_rekor_public_key();
 
         let actual =
@@ -801,7 +802,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
 
     #[test]
     fn get_certificate_signature_from_annotations_returns_none() {
-        let annotations: HashMap<String, String> = HashMap::new();
+        let annotations: BTreeMap<String, String> = BTreeMap::new();
         let fulcio_cert_pool = get_fulcio_cert_pool();
 
         let actual = SignatureLayer::get_certificate_signature_from_annotations(
@@ -815,7 +816,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
 
     #[test]
     fn get_certificate_signature_from_annotations_fails_when_no_bundle_is_given() {
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
 
         // add a fake cert, contents are not relevant
         annotations.insert(SIGSTORE_CERT_ANNOTATION.to_string(), "a cert".to_string());
@@ -832,7 +833,7 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
 
     #[test]
     fn get_certificate_signature_from_annotations_fails_when_no_fulcio_pub_key_is_given() {
-        let mut annotations: HashMap<String, String> = HashMap::new();
+        let mut annotations: BTreeMap<String, String> = BTreeMap::new();
 
         // add a fake cert, contents are not relevant
         annotations.insert(SIGSTORE_CERT_ANNOTATION.to_string(), "a cert".to_string());

src/cosign/verification_constraint/annotation_verifier.rs

@@ -1,4 +1,4 @@
-use std::collections::HashMap;
+use std::collections::BTreeMap;
 
 use super::VerificationConstraint;
 use crate::cosign::signature_layers::SignatureLayer;
@@ -16,7 +16,7 @@ use crate::errors::Result;
 /// These will be simply be ignored by the verifier.
 #[derive(Default, Debug)]
 pub struct AnnotationVerifier {
-    pub annotations: HashMap<String, String>,
+    pub annotations: BTreeMap<String, String>,
 }
 
 impl VerificationConstraint for AnnotationVerifier {

src/lib.rs

@@ -73,7 +73,7 @@
 //! use sigstore::errors::SigstoreVerifyConstraintsError;
 //!
 //! use std::boxed::Box;
-//! use std::collections::HashMap;
+//! use std::collections::BTreeMap;
 //! use std::fs;
 //!
 //! #[tokio::main]
@@ -118,7 +118,7 @@
 //!   ).await.expect("Could not obtain signature layers");
 //!
 //!   // Define verification constraints
-//!   let mut annotations: HashMap<String, String> = HashMap::new();
+//!   let mut annotations: BTreeMap<String, String> = BTreeMap::new();
 //!   annotations.insert("env".to_string(), "prod".to_string());
 //!   let annotation_verifier = AnnotationVerifier{
 //!     annotations,

src/registry/config.rs

@@ -157,6 +157,16 @@ pub struct ClientConfig {
     /// A list of extra root certificate to trust. This can be used to connect
     /// to servers using self-signed certificates
     pub extra_root_certificates: Vec<Certificate>,
+
+    /// Set the `HTTPS PROXY` used by the client.
+    ///
+    /// This defaults to `None`.
+    pub https_proxy: Option<String>,
+
+    /// Set the `NO PROXY` used by the client.
+    ///
+    /// This defaults to `None`.
+    pub no_proxy: Option<String>,
 }
 
 impl Default for ClientConfig {
@@ -167,6 +177,8 @@ impl Default for ClientConfig {
             accept_invalid_hostnames: false,
             accept_invalid_certificates: false,
             extra_root_certificates: Vec::new(),
+            https_proxy: None,
+            no_proxy: None,
         }
     }
 }
@@ -183,6 +195,8 @@ impl From<ClientConfig> for oci_distribution::client::ClientConfig {
                 .iter()
                 .map(|c| c.into())
                 .collect(),
+            https_proxy: config.https_proxy,
+            no_proxy: config.no_proxy,
             ..Default::default()
         }
     }

src/trust/sigstore/mod.rs

@@ -306,8 +306,8 @@ mod tests {
     fn test_is_timerange_valid() {
         fn range_from(start: i64, end: i64) -> TimeRange {
             let base = chrono::Utc::now();
-            let start: SystemTime = (base + chrono::TimeDelta::seconds(start)).into();
-            let end: SystemTime = (base + chrono::TimeDelta::seconds(end)).into();
+            let start: SystemTime = (base + chrono::TimeDelta::try_seconds(start).unwrap()).into();
+            let end: SystemTime = (base + chrono::TimeDelta::try_seconds(end).unwrap()).into();
 
             TimeRange {
                 start: Some(start.into()),