Closed danbev closed 1 year ago
This commit adds support for looking up a public key for a specified keyid.
Closes: https://github.com/seedwing-io/seedwing-policy/issues/170
To try this feature in the playground (locally) the following instructions should work:

1) Start the `swio` server and specify a data directory (`-d`):

```shell
$ cargo r -p swio -- serve -d engine/test-data/
```
Access the playground using http://0.0.0.0:8080/
In the playground enter the following patterns:
```
pattern blob = *data::from<"intoto/tekton-example.blob">
pattern attesters = [ {name: "dan", spki_keyid: "SHA256:caEJWYJSxy1SVF2KObm5Rr3Yt6xIb4T2w56FHtCg8WI"} ]
pattern test-pattern = intoto::verify-envelope<attesters, blob>
```
For the data, the contents of `engine/test-data/intoto/tekton-chains-envelope.json` can be used:

```json
{"payloadType":"application/vnd.in-toto+json","payload":"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","signatures":[{"keyid":"SHA256:caEJWYJSxy1SVF2KObm5Rr3Yt6xIb4T2w56FHtCg8WI","sig":"MEQCIGCyfxAYYhLJjGfhVnwxsSPiyvWE7mHBH62qC7QyVDtnAiARSOoEKf031xP1tq0OlvPt2TNmfP/wqmUHEbxhK/4Q7g=="}]}
```
And the policy to evaluate is `test-pattern` in this case.
Evaluating the above will output the following result:

```json
[
  {
    "predicate_type": "https://slsa.dev/provenance/v0.2",
    "predicate": {
      "builder": { "id": "https://tekton.dev/chains/v2" },
      "buildType": "tekton.dev/v1beta1/TaskRun",
      "invocation": { "configSource": {}, "parameters": {} },
      "buildConfig": {
        "steps": [
          {
            "entryPoint": "#!/usr/bin/env sh\necho 'gcr.io/foo/bar' | tee /tekton/results/IMAGE_URL\necho \"danbev-tekton-chains-example\" | sha256sum | tr -d '-' | sed 's/^/sha256:/g' | tee /tekton/results/IMAGE_DIGEST",
            "arguments": null,
            "environment": {
              "container": "create-image",
              "image": "docker.io/library/busybox@sha256:b5d6fe0712636ceb7430189de28819e195e8966372edfc2d9409d79402a0dc16"
            },
            "annotations": null
          }
        ]
      },
      "metadata": {
        "buildStartedOn": "2023-03-31T11:22:28Z",
        "buildFinishedOn": "2023-03-31T11:22:33Z",
        "completeness": { "parameters": false, "environment": false, "materials": false },
        "reproducible": false
      }
    },
    "attesters_names": [ "dan" ],
    "artifact_names": [ "gcr.io/foo/bar" ]
  }
]
```
Documentation can be accessed on the local server at intoto::verify-envelope.
Landed in 1bc4661ddcb4aaab0b41bea8ab54e69cc5c37ff9.