constellation/internal/sigstore/verify.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

package sigstore

import (
	"bytes"
	"crypto"
	"encoding/base64"
	"fmt"

	"github.com/sigstore/sigstore/pkg/cryptoutils"
	sigsig "github.com/sigstore/sigstore/pkg/signature"
)

// Verifier checks if the signature of content can be verified.
type Verifier interface {
	VerifySignature(content, signature []byte) error
}

// CosignVerifier wraps a public key that can be used for verifying signatures.
type CosignVerifier struct {
	publicKey crypto.PublicKey
}

// NewCosignVerifier unmarshalls and validates the given pem encoded public key and returns a new CosignVerifier.
func NewCosignVerifier(pem []byte) (Verifier, error) {
	pubkey, err := cryptoutils.UnmarshalPEMToPublicKey(pem)
	if err != nil {
		return CosignVerifier{}, fmt.Errorf("unable to parse public key: %w", err)
	}
	if err := cryptoutils.ValidatePubKey(pubkey); err != nil {
		return CosignVerifier{}, fmt.Errorf("unable to validate public key: %w", err)
	}

	return CosignVerifier{pubkey}, nil
}

// VerifySignature checks if the signature of content can be verified
// using publicKey.
// signature is expected to be base64 encoded.
// publicKey is expected to be PEM encoded.
func (c CosignVerifier) VerifySignature(content, signature []byte) error {
	// LoadVerifier would also error if no public key is set.
	// However, this error message should be easier to debug.
	if c.publicKey == nil {
		return fmt.Errorf("no public key set")
	}

	sigRaw := base64.NewDecoder(base64.StdEncoding, bytes.NewReader(signature))

	verifier, err := sigsig.LoadVerifier(c.publicKey, crypto.SHA256)
	if err != nil {
		return fmt.Errorf("unable to load verifier: %w", err)
	}

	if err := verifier.VerifySignature(sigRaw, bytes.NewReader(content)); err != nil {
		return fmt.Errorf("unable to verify signature: %w", err)
	}

	return nil
}

// IsBase64 checks if the given byte slice is base64 encoded.
func IsBase64(signature []byte) error {
	target := make([]byte, base64.StdEncoding.DecodedLen(len(signature)))
	_, err := base64.StdEncoding.Decode(target, signature)
	return err
}
add license headers sed -i '1i/\nCopyright (c) Edgeless Systems GmbH\n\nSPDX-License-Identifier: AGPL-3.0-only\n/\n' `grep -rL --include='*.go' 'DO NOT EDIT'` gofumpt -w . 2022-09-05 07:06:08 +00:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

AB#2159 Feat/cli/fetch measurements (#301) Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-08-01 07:37:05 +00:00			`package sigstore`

			`import (`
			`"bytes"`
			`"crypto"`
			`"encoding/base64"`
			`"fmt"`

			`"github.com/sigstore/sigstore/pkg/cryptoutils"`
			`sigsig "github.com/sigstore/sigstore/pkg/signature"`
			`)`

config: enable azure snp version fetcher again + minimum age for latest version (#1899) * fetch latest version when older than 2 weeks * extend hack upload tool to pass an upload date * Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8 (#1882)" This reverts commit c7b22d314a35fa260b97bf156989328caf1c384b. * fix tests * use NewAzureSEVSNPVersionList for type guarantees * Revert "use NewAzureSEVSNPVersionList for type guarantees" This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4. * assure list is sorted * improve root.go style * daniel feedback 2023-06-09 10:48:12 +00:00			`// Verifier checks if the signature of content can be verified.`
			`type Verifier interface {`
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 14:48:13 +00:00			`VerifySignature(content, signature []byte) error`
config: enable azure snp version fetcher again + minimum age for latest version (#1899) * fetch latest version when older than 2 weeks * extend hack upload tool to pass an upload date * Revert "config: disable user-facing version Azure SEV SNP fetch for v2.8 (#1882)" This reverts commit c7b22d314a35fa260b97bf156989328caf1c384b. * fix tests * use NewAzureSEVSNPVersionList for type guarantees * Revert "use NewAzureSEVSNPVersionList for type guarantees" This reverts commit 942566453f4b4a2b6dc16f8689248abf1dc47db4. * assure list is sorted * improve root.go style * daniel feedback 2023-06-09 10:48:12 +00:00			`}`

api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 14:48:13 +00:00			`// CosignVerifier wraps a public key that can be used for verifying signatures.`
			`type CosignVerifier struct {`
			`publicKey crypto.PublicKey`
			`}`

			`// NewCosignVerifier unmarshalls and validates the given pem encoded public key and returns a new CosignVerifier.`
			`func NewCosignVerifier(pem []byte) (Verifier, error) {`
			`pubkey, err := cryptoutils.UnmarshalPEMToPublicKey(pem)`
			`if err != nil {`
			`return CosignVerifier{}, fmt.Errorf("unable to parse public key: %w", err)`
			`}`
			`if err := cryptoutils.ValidatePubKey(pubkey); err != nil {`
			`return CosignVerifier{}, fmt.Errorf("unable to validate public key: %w", err)`
			`}`

			`return CosignVerifier{pubkey}, nil`
			`}`
cli: dynamically select signature validation pubkey for release and pre-release artifacts 2023-05-26 15:49:46 +00:00
AB#2159 Feat/cli/fetch measurements (#301) Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-08-01 07:37:05 +00:00			`// VerifySignature checks if the signature of content can be verified`
			`// using publicKey.`
			`// signature is expected to be base64 encoded.`
			`// publicKey is expected to be PEM encoded.`
api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 14:48:13 +00:00			`func (c CosignVerifier) VerifySignature(content, signature []byte) error {`
			`// LoadVerifier would also error if no public key is set.`
			`// However, this error message should be easier to debug.`
			`if c.publicKey == nil {`
			`return fmt.Errorf("no public key set")`
AB#2159 Feat/cli/fetch measurements (#301) Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-08-01 07:37:05 +00:00			`}`

api: add functions to transparently handle signatures upon API interaction (#2142) 2023-08-01 14:48:13 +00:00			`sigRaw := base64.NewDecoder(base64.StdEncoding, bytes.NewReader(signature))`

			`verifier, err := sigsig.LoadVerifier(c.publicKey, crypto.SHA256)`
AB#2159 Feat/cli/fetch measurements (#301) Signed-off-by: Fabian Kammel <fk@edgeless.systems> 2022-08-01 07:37:05 +00:00			`if err != nil {`
			`return fmt.Errorf("unable to load verifier: %w", err)`
			`}`

			`if err := verifier.VerifySignature(sigRaw, bytes.NewReader(content)); err != nil {`
			`return fmt.Errorf("unable to verify signature: %w", err)`
			`}`

			`return nil`
			`}`
api: refine signature types Wrapping apiObject does not work as intended as the version field is when fetching objects from the API. Thus we need to insert the target path of the signature directly. 2023-08-25 10:40:47 +00:00
			`// IsBase64 checks if the given byte slice is base64 encoded.`
			`func IsBase64(signature []byte) error {`
			`target := make([]byte, base64.StdEncoding.DecodedLen(len(signature)))`
			`_, err := base64.StdEncoding.Decode(target, signature)`
			`return err`
			`}`