Improve measurements verification with Rekor (#206)

Fetched measurements are now verified using Rekor in addition to a signature check. Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2025-05-02 06:16:08 -04:00 · 2022-10-11 13:57:52 +02:00 · 2022-10-11 13:57:52 +02:00 · 57b8efd1ec
commit 57b8efd1ec
parent 1c29638421
18 changed files with 1320 additions and 322 deletions
--- a/cli/internal/cmd/verifier.go
+++ b/cli/internal/cmd/verifier.go
@ -0,0 +1,42 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package cmd
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+
+	"github.com/edgelesssys/constellation/v2/internal/constants"
+)
+
+type rekorVerifier interface {
+	SearchByHash(context.Context, string) ([]string, error)
+	VerifyEntry(context.Context, string, string) error
+}
+
+func verifyWithRekor(ctx context.Context, verifier rekorVerifier, hash string) error {
+	uuids, err := verifier.SearchByHash(ctx, hash)
+	if err != nil {
+		return fmt.Errorf("searching Rekor for hash: %w", err)
+	}
+
+	if len(uuids) == 0 {
+		return fmt.Errorf("no matching entries in Rekor")
+	}
+
+	// We expect the first entry in Rekor to be our original entry.
+	// SHA256 should ensure there is no entry with the same hash.
+	// Any subsequent hashes are treated as potential attacks and are ignored.
+	// Attacks on Rekor will be monitored from other backend services.
+	artifactUUID := uuids[0]
+
+	return verifier.VerifyEntry(
+		ctx, artifactUUID,
+		base64.StdEncoding.EncodeToString([]byte(constants.CosignPublicKey)),
+	)
+}