AB#2159 Feat/cli/fetch measurements (#301)

Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2025-11-11 16:25:05 -05:00 · 2022-08-01 09:37:05 +02:00 · 2022-08-01 09:37:05 +02:00 · 050e8fdc4a
commit 050e8fdc4a
parent 7baf98f014
16 changed files with 1430 additions and 496 deletions
--- a/internal/sigstore/verify.go
+++ b/internal/sigstore/verify.go
@ -0,0 +1,38 @@
+package sigstore
+
+import (
+	"bytes"
+	"crypto"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	sigsig "github.com/sigstore/sigstore/pkg/signature"
+)
+
+// VerifySignature checks if the signature of content can be verified
+// using publicKey.
+// signature is expected to be base64 encoded.
+// publicKey is expected to be PEM encoded.
+func VerifySignature(content, signature, publicKey []byte) error {
+	sigRaw := base64.NewDecoder(base64.StdEncoding, bytes.NewReader(signature))
+
+	pubKeyRaw, err := cryptoutils.UnmarshalPEMToPublicKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("unable to parse public key: %w", err)
+	}
+	if err := cryptoutils.ValidatePubKey(pubKeyRaw); err != nil {
+		return fmt.Errorf("unable to validate public key: %w", err)
+	}
+
+	verifier, err := sigsig.LoadVerifier(pubKeyRaw, crypto.SHA256)
+	if err != nil {
+		return fmt.Errorf("unable to load verifier: %w", err)
+	}
+
+	if err := verifier.VerifySignature(sigRaw, bytes.NewReader(content)); err != nil {
+		return fmt.Errorf("unable to verify signature: %w", err)
+	}
+
+	return nil
+}
--- a/internal/sigstore/verify_test.go
+++ b/internal/sigstore/verify_test.go
@ -0,0 +1,65 @@
+package sigstore
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestVerifySignature(t *testing.T) {
+	testCases := map[string]struct {
+		content   []byte
+		signature []byte
+		publicKey []byte
+		wantErr   bool
+	}{
+		"good verification": {
+			content:   []byte("This is some content to be signed!\n"),
+			signature: []byte("MEUCIQDzMN3yaiO9sxLGAaSA9YD8rLwzvOaZKWa/bzkcjImUFAIgXLLGzClYUd1dGbuEiY3O/g/eiwQYlyxqLQalxjFmz+8="),
+			publicKey: []byte(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWUhon39eAqzEC+/GP03oY4/MQg+
+gCDlEzkuOCybCHf+q766bve799L7Y5y5oRsHY1MrUCUwYF/tL7Sg7EYMsA==
+-----END PUBLIC KEY-----`),
+		},
+		"mismatching content": {
+			content:   []byte("This is some completely different content!\n"),
+			signature: []byte("MEUCIQDzMN3yaiO9sxLGAaSA9YD8rLwzvOaZKWa/bzkcjImUFAIgXLLGzClYUd1dGbuEiY3O/g/eiwQYlyxqLQalxjFmz+8="),
+			publicKey: []byte(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAElWUhon39eAqzEC+/GP03oY4/MQg+
+gCDlEzkuOCybCHf+q766bve799L7Y5y5oRsHY1MrUCUwYF/tL7Sg7EYMsA==
+-----END PUBLIC KEY-----`),
+			wantErr: true,
+		},
+		"broken public key": {
+			content:   []byte("This is some content to be signed!\n"),
+			signature: []byte("MEUCIQDzMN3yaiO9sxLGAaSA9YD8rLwzvOaZKWa/bzkcjImUFAIgXLLGzClYUd1dGbuEiY3O/g/eiwQYlyxqLQalxjFmz+8="),
+			publicKey: []byte(`-----BEGIN PUBLIC KEY-----
+			MFkwEwYHKoZIthisIsNotAValidPublicAtAllUhon39eAqzEC+/GP03oY4/MQg+
+			gCDlEzkuOCybCHf+q766bve799L7Y5y5oRsHY1MrUCUwYF/tL7Sg7EYMsA==
+			-----END PUBLIC KEY-----`),
+			wantErr: true,
+		},
+		"valid content and sig, but mismatching public key": {
+			content:   []byte("This is some content to be signed!\n"),
+			signature: []byte("MEUCIQDzMN3yaiO9sxLGAaSA9YD8rLwzvOaZKWa/bzkcjImUFAIgXLLGzClYUd1dGbuEiY3O/g/eiwQYlyxqLQalxjFmz+8="),
+			publicKey: []byte(`-----BEGIN PUBLIC KEY-----
+		MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFARL653CK4xicoxqwr4M9A2A/3hz
+		hQaKKRsnjc2LITnxKYmQ4CYqTOAMfZ3agxpW/ndillUox4eDYcidZSXvWw==
+		-----END PUBLIC KEY-----`),
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			err := VerifySignature(tc.content, tc.signature, tc.publicKey)
+			if tc.wantErr {
+				assert.Error(err)
+				return
+			}
+			assert.NoError(err)
+		})
+	}
+}