attempt to verify envelope

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

go.mod

@@ -33,6 +33,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/in-toto/attestation v1.1.0 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -115,7 +116,7 @@ require (
 	golang.org/x/term v0.19.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/grpc v1.62.1 // indirect
-	google.golang.org/protobuf v1.33.0
+	google.golang.org/protobuf v1.34.1
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect

go.sum

@@ -323,6 +323,8 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/in-toto/attestation v1.1.0 h1:oRWzfmZPDSctChD0VaQV7MJrywKOzyNrtpENQFq//2Q=
+github.com/in-toto/attestation v1.1.0/go.mod h1:DB59ytd3z7cIHgXxwpSX2SABrU6WJUKg/grpdgHVgVs=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -644,6 +646,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=

verifiers/internal/vsa/verifier.go

@@ -2,9 +2,17 @@ package vsa
 
 import (
 	"context"
+	"crypto"
 	"fmt"
 
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	sigstoreBundle "github.com/sigstore/sigstore-go/pkg/bundle"
+	sigstoreCryptoUtils "github.com/sigstore/sigstore/pkg/cryptoutils"
+	sigstoreSignature "github.com/sigstore/sigstore/pkg/signature"
+	sigstoreDSSE "github.com/sigstore/sigstore/pkg/signature/dsse"
+	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 	"github.com/slsa-framework/slsa-verifier/v2/options"
+	vsa10 "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/vsa/v1.0"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 )
 
@@ -18,9 +26,55 @@ func VerifyVSA(ctx context.Context,
 	if err != nil {
 		return nil, nil, err
 	}
-	fmt.Println(envelope)
+	sigstoreEnvelope := sigstoreBundle.Envelope{
+		Envelope: envelope,
+	}
+	sigstoreStatement, err := sigstoreEnvelope.Statement()
+	if err != nil {
+		return nil, nil, err
+	}
+	fmt.Println(sigstoreStatement)
+	vsa, err := vsa10.VSAFromStatement(sigstoreStatement)
+	if err != nil {
+		return nil, nil, err
+	}
+	fmt.Println(vsa)
+
 	// verify the envelope. signature
+	err = verifyEnvelopeSignature(ctx, &sigstoreEnvelope)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// TODO:
 	// verify the metadata
 	// print the attestation
 	return nil, nil, nil
 }
+
+func verifyEnvelopeSignature(ctx context.Context, sigstoreEnvelope *sigstoreBundle.Envelope) error {
+	pubKeyBytes := []byte(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeGa6ZCZn0q6WpaUwJrSk+PPYEsca
+3Xkk3UrxvbQtoZzTmq0zIYq+4QQl0YBedSyy+XcwAMaUWTouTrB05WhYtg==
+-----END PUBLIC KEY-----`)
+	pubKey, err := sigstoreCryptoUtils.UnmarshalPEMToPublicKey(pubKeyBytes)
+	if err != nil {
+		return fmt.Errorf("%w: %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	signatureVerifier, err := sigstoreSignature.LoadVerifier(pubKey, crypto.SHA256)
+	if err != nil {
+		return fmt.Errorf("%w: loading sigstore DSSE envolope verifier %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	envelopeVerifier, err := dsse.NewEnvelopeVerifier(&sigstoreDSSE.VerifierAdapter{
+		SignatureVerifier: signatureVerifier,
+		Pub:               pubKey,
+	})
+	if err != nil {
+		return fmt.Errorf("%w: creating verifier %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	_, err = envelopeVerifier.Verify(ctx, sigstoreEnvelope.Envelope)
+	if err != nil {
+		return fmt.Errorf("%w: verifying envelope %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	return nil
+}