Support notary verification certification load from directory (#141)

* adding read from path Util method * Describe your commit here * adding error msg * moving crypto.Cert read into utils method * renaming file to utils * renaming to certificateUtil which in future we can add keyvault related logic * check if crt is nil before appending Co-authored-by: huish@microsoft.com <azureuser@huishVM.fitk5ac0v4uepfxyp10tia5ysa.xx.internal.cloudapp.net>
ratify-project · Mar 16, 2022 · f33ca40 · f33ca40
1 parent 90c7bbd
commit f33ca40
Show file tree

Hide file tree

Showing 4 changed files with 182 additions and 2 deletions.
diff --git a/pkg/utils/certificateUtil_test.go b/pkg/utils/certificateUtil_test.go
@@ -0,0 +1,109 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package utils
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+func TestReadCertificatesFromPath_NestedDirectory(t *testing.T) {
+	// Setup to create nested directory structure
+	testDir := "TestDirectory"
+	nestedDir := ".nestedFolder"
+	testFile1 := testDir + string(os.PathSeparator) + "file1.txt"
+	testFile2 := testDir + string(os.PathSeparator) + nestedDir + string(os.PathSeparator) + ".file2.crt"
+	testFile3 := testDir + string(os.PathSeparator) + "file3.crt"
+	testFile4 := testDir + string(os.PathSeparator) + "file4.crt"
+
+	setupDirectoryForTesting(t, testDir)
+	setupDirectoryForTesting(t, testDir+string(os.PathSeparator)+nestedDir)
+
+	createFile(t, testFile1)
+	createCertFile(t, testFile2)
+	createCertFile(t, testFile3)
+	createCertFile(t, testFile4)
+
+	// Invoke method to test
+	files, err := GetCertificatesFromPath(testDir)
+
+	// Tear down
+	os.RemoveAll(testDir)
+
+	// Validate
+	expectedFileCount := 3
+	if len(files) != expectedFileCount || err != nil {
+		t.Fatalf("response length expected to be %v, actual %v, error %v", expectedFileCount, len(files), err)
+	}
+}
+
+func TestReadFilesFromPath_SingleFile(t *testing.T) {
+	// Setup
+	testDir := "TestDirectory"
+	testFile1 := testDir + string(os.PathSeparator) + "file1.Crt"
+
+	setupDirectoryForTesting(t, testDir)
+	createCertFile(t, testFile1)
+
+	// Invoke method to test
+	files, err := GetCertificatesFromPath(testDir)
+
+	// Teardown
+	os.RemoveAll(testDir)
+
+	// Validate
+	if len(files) != 1 || err != nil {
+		t.Fatalf("response length expected to be 1, actual %v, error %v", len(files), err)
+	}
+
+}
+
+func createFile(t *testing.T, path string) {
+	_, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		t.Fatalf("write file '%s' failed with error '%v'", path, err)
+	}
+}
+
+func createCertFile(t *testing.T, path string) {
+
+	// open cert file
+	content, err := ioutil.ReadFile("testCert1.crt")
+
+	if err != nil {
+		t.Fatalf("open cert file '%s' failed with error '%v'", path, err)
+	}
+
+	file, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+
+	if err != nil {
+		t.Fatalf("creating new file '%s' failed with error '%v'", path, err)
+
+	}
+
+	_, err = file.Write(content)
+	if err != nil {
+		t.Fatalf("write file '%s' failed with error '%v'", path, err)
+	}
+
+}
+
+func setupDirectoryForTesting(t *testing.T, path string) {
+	err := os.Mkdir(path, 0755)
+	if err != nil {
+		t.Fatalf("Creating directory '%s' failed with '%v'", path, err)
+	}
+}
diff --git a/pkg/utils/certificateUtils.go b/pkg/utils/certificateUtils.go
@@ -0,0 +1,49 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package utils
+
+import (
+	"crypto/x509"
+	"os"
+
+	"path/filepath"
+
+	"github.com/notaryproject/notation-go-lib/crypto/cryptoutil"
+)
+
+func GetCertificatesFromPath(path string) ([]*x509.Certificate, error) {
+
+	var certs []*x509.Certificate
+
+	err := filepath.Walk(path, func(file string, info os.FileInfo, err error) error {
+		if !info.IsDir() {
+			cert, certError := cryptoutil.ReadCertificateFile(file) // ReadCertificateFile returns empty if file was not a certificate
+			if certError != nil {
+				return certError
+			}
+			if cert != nil {
+				certs = append(certs, cert...)
+			}
+		}
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return certs, nil
+}
diff --git a/pkg/utils/testCert1.crt b/pkg/utils/testCert1.crt
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKDCCAhCgAwIBAgIRAKJH8DML5C8DYPTEalj/mg4wDQYJKoZIhvcNAQELBQAw
+IjEgMB4GA1UEAxMXaHVpc2h3YWJiaXQtbmV0d29ya3MuaW8wHhcNMjIwMTI3MTM0
+NjQ2WhcNMjMwMTI3MTM0NjQ2WjAiMSAwHgYDVQQDExdodWlzaHdhYmJpdC1uZXR3
+b3Jrcy5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOjyd8VQDlnz
+IQK07W2mIbFw5cLCe8rMFeAWVwMSwSeTqEY0DLVf0XRzg8Ogd1bDouM5Bl0sJIeM
+s1pOmc8sflPkWR6kn/BOpd7WWGy3iIXazb8sgVOnxlvooNuqHITdtXSGZajHgoes
+se3hqfivyrXFGXugSg40ES9KGzc+9ZEOwW1diJ4GxA8XHbubpPMWZO+qAAiIvYm7
+Iuf5sPNaeElAwuWFCvZMpxgy+R1p5VBm+NpuQONe94HhzVB3ox16yVNQNlcOcZFE
+GOBKGqX39H5GqnynxC59Kdr/SgsdwlCQdFTpbpok3w4cpawXMjN+ikt5ZASepQoT
+nFHLq4Szdy0CAwEAAaNZMFcwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
+AQUFBwMDMAwGA1UdEwEB/wQCMAAwIgYDVR0RBBswGYIXaHVpc2h3YWJiaXQtbmV0
+d29ya3MuaW8wDQYJKoZIhvcNAQELBQADggEBAJC2BHQULI/5eJQpgt1iXDzLSIOH
+TFSqQ9hZu5BpZuRAj0a7cIH0lYM1v1V7g/H4liutc3v4fF5GfK2RDBsef+TtwGkg
+DTB67Lqwmoy8lSKaQPysYej40sJSL+W5pZm0IoDP3yMz7Jg6egJtUxIt22zKe9xY
+L/085GvjKFd0A+pLuuCMbCYlHHSn2/W9gEB5Ba4lX5DqBH9YmgdRjDJB48YxaT/s
+zYCVj1a50u1wAg9Ykarhi/okuxkuHNCpVKelm8O6u+nlac8m2/0BR1UXn+EFwmA1
+hOvKCqdcvo07wYwXcF4p36f78v1BKXrrJin2Bdo9mYelOUfizE3tjs7+aYs=
+-----END CERTIFICATE-----
diff --git a/pkg/verifier/notaryv2/notaryv2.go b/pkg/verifier/notaryv2/notaryv2.go
@@ -27,12 +27,12 @@ import (
 	"github.com/deislabs/ratify/pkg/executor"
 	"github.com/deislabs/ratify/pkg/ocispecs"
 	"github.com/deislabs/ratify/pkg/referrerstore"
+	"github.com/deislabs/ratify/pkg/utils"
 	"github.com/deislabs/ratify/pkg/verifier"
 	"github.com/deislabs/ratify/pkg/verifier/config"
 	"github.com/deislabs/ratify/pkg/verifier/factory"
 
 	"github.com/notaryproject/notation-go-lib"
-	"github.com/notaryproject/notation-go-lib/crypto/cryptoutil"
 	"github.com/notaryproject/notation-go-lib/signature/jws"
 	oci "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -148,10 +148,13 @@ func (v *notaryV2Verifier) Verify(ctx context.Context,
 func getVerifierService(certPaths ...string) (*jws.Verifier, error) {
 	roots := x509.NewCertPool()
 	for _, path := range certPaths {
-		bundledCerts, err := cryptoutil.ReadCertificateFile(path)
+
+		bundledCerts, err := utils.GetCertificatesFromPath(path)
+
 		if err != nil {
 			return nil, err
 		}
+
 		for _, cert := range bundledCerts {
 			roots.AddCert(cert)
 		}