mirror of
https://github.com/edgelesssys/constellation.git
synced 2024-12-25 15:39:37 -05:00
050e8fdc4a
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
39 lines
1.1 KiB
Go
39 lines
1.1 KiB
Go
package sigstore
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto"
|
|
"encoding/base64"
|
|
"fmt"
|
|
|
|
"github.com/sigstore/sigstore/pkg/cryptoutils"
|
|
sigsig "github.com/sigstore/sigstore/pkg/signature"
|
|
)
|
|
|
|
// VerifySignature checks if the signature of content can be verified
|
|
// using publicKey.
|
|
// signature is expected to be base64 encoded.
|
|
// publicKey is expected to be PEM encoded.
|
|
func VerifySignature(content, signature, publicKey []byte) error {
|
|
sigRaw := base64.NewDecoder(base64.StdEncoding, bytes.NewReader(signature))
|
|
|
|
pubKeyRaw, err := cryptoutils.UnmarshalPEMToPublicKey(publicKey)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to parse public key: %w", err)
|
|
}
|
|
if err := cryptoutils.ValidatePubKey(pubKeyRaw); err != nil {
|
|
return fmt.Errorf("unable to validate public key: %w", err)
|
|
}
|
|
|
|
verifier, err := sigsig.LoadVerifier(pubKeyRaw, crypto.SHA256)
|
|
if err != nil {
|
|
return fmt.Errorf("unable to load verifier: %w", err)
|
|
}
|
|
|
|
if err := verifier.VerifySignature(sigRaw, bytes.NewReader(content)); err != nil {
|
|
return fmt.Errorf("unable to verify signature: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|