feat: gcb v1.0 support (#691)

closes #683

This is a large PR, but there is not much new code.

The code adding support for v1.0 is under:
- verifiers/internal/gcb/slsaprovenance/v1.0/*
- verifiers/internal/gcb/slsaprovenance/provenance.go

The rest is mostly some re-factoring needed

Remaining is regression tests, tracked in
#690

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>

go.mod

@@ -171,7 +171,7 @@ require (
 	go.uber.org/multierr v1.9.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
 	golang.org/x/crypto v0.9.0 // indirect
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
+	golang.org/x/exp v0.0.0-20230321023759-10a507213a29
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/sync v0.2.0 // indirect

verifiers/internal/gcb/keys/keys.go

@@ -19,8 +19,20 @@ import (
 //go:embed materials/*
 var publicKeys embed.FS
 
-const GlobalPAEKeyID = "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/provenanceSigner/cryptoKeyVersions/1"
-const GlobalPAEPublicKeyName = "global-pae"
+const (
+	// v1.0 global keys.
+	// Run command `gcloud kms keys versions get-public-key 1 --keyring attestor --key google-hosted-worker --project verified-builder --location global`.
+	V10GlobalPAEKeyID = "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/google-hosted-worker/cryptoKeyVersions/1"
+
+	// v0.1 global keys.
+	// Run command `gcloud kms keys versions get-public-key 1 --keyring attestor --key provenanceSigner --project verified-builder --location global`.
+	V01GlobalPAEKeyID = "projects/verified-builder/locations/global/keyRings/attestor/cryptoKeys/provenanceSigner/cryptoKeyVersions/1"
+)
+
+var globalKeyNames = map[string]string{
+	V10GlobalPAEKeyID: "global-pae-google-hosted-worker_1",
+	V01GlobalPAEKeyID: "global-pae-provenanceSigner_1",
+}
 
 type PublicKey struct {
 	value  []byte
@@ -69,18 +81,31 @@ func (p *PublicKey) VerifySignature(digest [32]byte, sig []byte) error {
 	return nil
 }
 
+func (p *PublicKey) Name() string {
+	return p.region
+}
+
 type GlobalPAEKey struct {
 	publicKey *PublicKey
+	id        string
 	Verifier  *dsselib.EnvelopeVerifier
 }
 
-func NewGlobalPAEKey() (*GlobalPAEKey, error) {
-	publicKey, err := NewPublicKey(GlobalPAEPublicKeyName)
+func NewGlobalPAEKey(id string) (*GlobalPAEKey, error) {
+	name, ok := globalKeyNames[id]
+	if !ok {
+		return nil, fmt.Errorf("%w: unknown key %v", serrors.ErrorInternal, id)
+	}
+
+	publicKey, err := NewPublicKey(name)
 	if err != nil {
-		return nil, fmt.Errorf("unable to create public key for Global PAE key: %w", err)
+		return nil, fmt.Errorf("%w: unable to create public key for Global PAE key %v", err, name)
 	}
 
-	globalPaeKey := &GlobalPAEKey{publicKey: publicKey}
+	globalPaeKey := &GlobalPAEKey{
+		publicKey: publicKey,
+		id:        id,
+	}
 	envVerifier, err := dsselib.NewEnvelopeVerifier(globalPaeKey)
 	if err != nil {
 		return nil, err
@@ -104,10 +129,14 @@ func (v *GlobalPAEKey) Verify(_ context.Context, data, sig []byte) error {
 
 // KeyID implements dsse.Verifier.KeyID.
 func (v *GlobalPAEKey) KeyID() (string, error) {
-	return GlobalPAEKeyID, nil
+	return v.id, nil
 }
 
 // Public implements dsse.Verifier.Public.
 func (v *GlobalPAEKey) Public() crypto.PublicKey {
 	return v.publicKey
 }
+
+func (v *GlobalPAEKey) Name() string {
+	return v.publicKey.Name()
+}

verifiers/internal/gcb/keys/materials/global-pae-google-hosted-worker_1.key

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEg9KII7kzr/30HBluf00y9WwtMFkE
+qc3oCcFVH3QJ37IBLUv/MUApbnNHFfD75ayJ/a0F45xa+MLv5zoep+GxsA==
+-----END PUBLIC KEY-----

verifiers/internal/gcb/keys/materials/global-pae-provenanceSigner_1.key

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdMcJUyKbmarf6dydhfmAjgmK6c42
+oCCNRR1se3Bi3VO65KcGk6qyci6/bsu2s4u+dLKWrsUQomEw4v3FtVctoA==
+-----END PUBLIC KEY-----