constellation/cli/internal/cmd/verifier.go
Fabian Kammel 57b8efd1ec
Improve measurements verification with Rekor (#206)
Fetched measurements are now verified using Rekor in addition to a signature check.
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
2022-10-11 13:57:52 +02:00

43 lines
1.0 KiB
Go

/*
Copyright (c) Edgeless Systems GmbH
SPDX-License-Identifier: AGPL-3.0-only
*/
package cmd
import (
"context"
"encoding/base64"
"fmt"
"github.com/edgelesssys/constellation/v2/internal/constants"
)
type rekorVerifier interface {
SearchByHash(context.Context, string) ([]string, error)
VerifyEntry(context.Context, string, string) error
}
func verifyWithRekor(ctx context.Context, verifier rekorVerifier, hash string) error {
uuids, err := verifier.SearchByHash(ctx, hash)
if err != nil {
return fmt.Errorf("searching Rekor for hash: %w", err)
}
if len(uuids) == 0 {
return fmt.Errorf("no matching entries in Rekor")
}
// We expect the first entry in Rekor to be our original entry.
// SHA256 should ensure there is no entry with the same hash.
// Any subsequent hashes are treated as potential attacks and are ignored.
// Attacks on Rekor will be monitored from other backend services.
artifactUUID := uuids[0]
return verifier.VerifyEntry(
ctx, artifactUUID,
base64.StdEncoding.EncodeToString([]byte(constants.CosignPublicKey)),
)
}