Improve measurements verification with Rekor (#206)

Fetched measurements are now verified using Rekor in addition to a signature check. Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2025-05-02 06:16:08 -04:00 · 2022-10-11 13:57:52 +02:00 · 2022-10-11 13:57:52 +02:00 · 57b8efd1ec
commit 57b8efd1ec
parent 1c29638421
18 changed files with 1320 additions and 322 deletions
--- a/internal/sigstore/rekor_test.go
+++ b/internal/sigstore/rekor_test.go
@ -0,0 +1,110 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package sigstore
+
+import (
+	"testing"
+
+	"github.com/sigstore/rekor/pkg/generated/models"
+	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestIsEntrySignedBy(t *testing.T) {
+	testCases := map[string]struct {
+		entry       *hashedrekord.V001Entry
+		key         string
+		wantSuccess bool
+	}{
+		"valid key": {
+			entry: &hashedrekord.V001Entry{
+				HashedRekordObj: models.HashedrekordV001Schema{
+					Signature: &models.HashedrekordV001SchemaSignature{
+						PublicKey: &models.HashedrekordV001SchemaSignaturePublicKey{
+							Content: []byte("my key"),
+						},
+					},
+				},
+			},
+			key:         "bXkga2V5", // "my key" in base64
+			wantSuccess: true,
+		},
+		"nil rekord": {
+			entry:       nil,
+			wantSuccess: false,
+		},
+		"nil signature": {
+			entry: &hashedrekord.V001Entry{
+				HashedRekordObj: models.HashedrekordV001Schema{
+					Signature: nil,
+				},
+			},
+			wantSuccess: false,
+		},
+		"nil pub key": {
+			entry: &hashedrekord.V001Entry{
+				HashedRekordObj: models.HashedrekordV001Schema{
+					Signature: &models.HashedrekordV001SchemaSignature{
+						PublicKey: nil,
+					},
+				},
+			},
+			wantSuccess: false,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			assert.Equal(tc.wantSuccess, isEntrySignedBy(tc.entry, tc.key))
+		})
+	}
+}
+
+func TestNewRekor(t *testing.T) {
+	assert := assert.New(t)
+	rekor, err := NewRekor()
+	assert.NoError(err)
+	assert.NotNil(rekor)
+}
+
+func TestHashedRekordFromEntry(t *testing.T) {
+	testCases := map[string]struct {
+		jsonEntry string
+		wantError bool
+	}{
+		"invalid base64": {
+			jsonEntry: "{\"body\":\"abc!\"}",
+			wantError: true,
+		},
+		"valid base64, but invalid json": {
+			jsonEntry: "{\"body\":\"aGVsbG8K\"}", // base64(hello)
+			wantError: true,
+		},
+		"valid v001Entry": {
+			jsonEntry: "{\"body\":\"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI0MGUxMzdiOWI5YjgyMDRkNjcyNjQyZmQxZTE4MWM2ZDVjY2I1MGNmYzVjYzdmY2JiMDZhOGMyYzc4ZjQ0YWZmIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJUUNTRVIzbUdqK2o1UHIya09YVGxDSUhRQzNnVDMwSTdxa0xyOUF3dDZlVVVRSWdjTFVLUklsWTUwVU44Skd3VmVOZ2tCWnlZRDhITXh3Qy9MRlJXb01uMTgwPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGWmpoR01XaHdiWGRGSzFsRFJsaDZha2QwWVZGamNrdzJXRnBXVkFwS2JVVmxOV2xUVEhaSE1WTjVVVk5CWlhjM1YyUk5TMFkyYnpsME9HVXlWRVoxUTJ0NmJFOW9hR3gzY3pKUFNGZGlhVVphYmtaWFEwWjNQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=\"}", // base64("hello")
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			require := require.New(t)
+			var entry models.LogEntryAnon
+			err := entry.UnmarshalBinary([]byte(tc.jsonEntry))
+			require.NoError(err)
+
+			_, err = hashedRekordFromEntry(entry)
+			if tc.wantError {
+				assert.Error(err)
+				return
+			}
+			assert.NoError(err)
+		})
+	}
+}