
Commit a75fe3f

committed
Sign the generated BOMs
Signed-off-by: Prabhu Subramanian <[email protected]>
1 parent 9e5e0a0 commit a75fe3f


2 files changed

+27
-22
lines changed


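--- a/bin/cdxgen.js
+++ b/bin/cdxgen.js
@@ -1,10 +1,9 @@
 #!/usr/bin/env node
-
+import { Buffer } from "node:buffer";
 import crypto from "node:crypto";
 import fs from "node:fs";
 import { basename, dirname, join, resolve } from "node:path";
 import process from "node:process";
-import { URL } from "node:url";
 import { findUpSync } from "find-up";
 import globalAgent from "global-agent";
 import { load as _load } from "js-yaml";
@@ -781,6 +780,13 @@ const checkPermissions = (filePath, options) => {
 return true;
 };
 
+const needsBomSigning = ({ generateKeyAndSign }) =>
+generateKeyAndSign ||
+(process.env.SBOM_SIGN_ALGORITHM &&
+process.env.SBOM_SIGN_ALGORITHM !== "none" &&
+process.env.SBOM_SIGN_PRIVATE_KEY &&
+safeExistsSync(process.env.SBOM_SIGN_PRIVATE_KEY));
+
 /**
 * Method to start the bom creation process
 */
@@ -838,14 +844,7 @@ const checkPermissions = (filePath, options) => {
 thoughtLog(`Let's save the file to "${jsonFile}".`);
 }
 }
-if (
-jsonPayload &&
-(options.generateKeyAndSign ||
-(process.env.SBOM_SIGN_ALGORITHM &&
-process.env.SBOM_SIGN_ALGORITHM !== "none" &&
-process.env.SBOM_SIGN_PRIVATE_KEY &&
-safeExistsSync(process.env.SBOM_SIGN_PRIVATE_KEY)))
-) {
+if (jsonPayload && needsBomSigning(options)) {
 let alg = process.env.SBOM_SIGN_ALGORITHM || "RS512";
 if (alg.includes("none")) {
 alg = "RS512";
@@ -857,6 +856,7 @@ const checkPermissions = (filePath, options) => {
 const jdirName = dirname(jsonFile);
 publicKeyFile = join(jdirName, "public.key");
 const privateKeyFile = join(jdirName, "private.key");
+const privateKeyB64File = join(jdirName, "private.key.base64");
 const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
 modulusLength: 4096,
 publicKeyEncoding: {
@@ -870,10 +870,15 @@ const checkPermissions = (filePath, options) => {
 });
 fs.writeFileSync(publicKeyFile, publicKey);
 fs.writeFileSync(privateKeyFile, privateKey);
+fs.writeFileSync(
+privateKeyB64File,
+Buffer.from(privateKey, "utf8").toString("base64"),
+);
 console.log(
 "Created public/private key pairs for testing purposes",
 publicKeyFile,
 privateKeyFile,
+privateKeyB64File,
 );
 privateKeyToUse = privateKey;
 jwkPublicKey = crypto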
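Review bot: The new `private.key.base64` write in the last hunk stores a second, unprotected copy of the freshly generated private key (base64 is an encoding, not encryption) and, like the existing `private.key` write, passes no `mode`, so both files land next to the BOM with whatever the process umask allows; pass a restrictive mode on both, `fs.writeFileSync(privateKeyFile, privateKey, { mode: 0o600 });` and the same `{ mode: 0o600 }` as the third argument of the base64 write. Nothing in the hunk says what consumes the base64 copy, so a short comment above that write naming its consumer would spare the next reader from guessing, and would make it clearer that it is the same secret as `private.key`. The extracted `needsBomSigning` helper in the second hunk also lacks a doc comment; something like `/** Signing is requested via the generateKeyAndSign option or a usable SBOM_SIGN_ALGORITHM/SBOM_SIGN_PRIVATE_KEY pair. */` would document the contract that the old inline condition left implicit. The enclosing function starts and ends outside these hunks.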

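--- a/contrib/bom-signer/public.key
+++ b/contrib/bom-signer/public.key
@@ -1,14 +1,14 @@
 -----BEGIN PUBLIC KEY-----
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtcQyHqd3UHoZixi/cRTs
-bdrsBpf31aGlcsRF6hfnFRSw2JvSI//JzAngheVymIbq+KNHI31t7oR6oOHqORap
-FlIgRhR03ftNMzi0+VpRR8ztWha5eU7+7eDV3QsRVePninVr3MxzOczprEdqcOuO
-CAlflRjw67FoRLMZCJBRbRNbw95GBhBdsHCfbPSMA+5xhiPywYOc3Z1D+k8s3dBh
-42kjCNBl3RwCNsocW1eTcEIFV+sZfVxT3kOwZ+EN9BfU6mcBW8eFMLtTzmT9wdpY
-r6CEE+eaCpbi7X/rD674WdDa5QaOUO/Bu/mnuRlQ7tAP9/jAVOidVvkLWMXuIpMB
-w/YEDgGa6qeVikrQmZdkMF3vaLmnXcRtgfUd7PmTp3K9yjEajP6CtNbfIigz4yWD
-KGp6nYalW1Bl3w+qKNmGWCVqjE6RlktxaZYJlXuA0l9RWL/YMtTxOvf+s+4GQru0
-T3RMZfpSS2V1dRBwllEaDI5lupmqUpuX2wHAFRKAKAXh4DAcg+sR5UXzXOxzfuxf
-Rt0AtbaoWFALUR6BpwJW1fcaBCYAakNe6aZgdWCa7lldI6fepyEq5wiyjE+7W5xm
-r+irUPeENIDvz4Tf8GWJ8CELT7VkZaY4SntcXhi+HF4Yk+n+ziESj/ZO+7r3A9mF
-H6fu+s5F5YkZESJ3FGkKt1MCAwEAAQ==
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkPc49A6w2obDpm29JKc8
+r3iWn8eyujTF9bBwe2Y265GRvEENvdU1/7r2w2pU3xFF7AXOZZPWO3FBxLZZ5ZLr
+8SCdLjI7XibkA1qxPgH+nE2p8HB3V4SROyOhl37jedvLyUr9oWMGn+cdj8p9D4mW
+om7j+sjH+r25juNrAkT0FeDna0nNS27pTqlE8KSAn+xOt01IMBC3JZYvJyf/8Mpe
+CJgrnTDUjeRF4cDJEOHTgZVP9NRy9h5YFz6FCJXbEIJxfS8YifnubIIKaJv/KikS
+LoDTmb5w3hf8laD0dkBSWxD2DI/sMs+Ck+aQcU9W+9aJpAzsO5N8+1O9l6UsYlOG
+68xBdWRbLGdN3uWy2BNanpmIMbYp6SFFzeXveELNIxgseVAV8EjndbtfQ6kGYJYP
+i5aRVQmuHCCNgxDMjqi0unh6k5baavq/kTqklA6qjdbXRF5Uwzs+qc/+UAm6TuO1
+TsjoINNMwYx+PYF2Y/6poZSMYjH7PkxON1ZYABvWXGcL+oWj8k+w+hc8EbnKup2w
+sm9T+6nrQWvjeib6omHdpBj8Fu+Q2/LbEb/ZDIFiGgffKaJZwnido+GXMyPzZpCY
+m2YS72WlOd0Sn5m28Bz1DNrLkIBUeyfEtEnoqw7XpxWWV58KZGZFP1vlMu4qeNMV
+lpS+IhgUFSX2HY/mr8rsAbsCAwEAAQ==
 -----END PUBLIC KEY-----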
