From 1f123f3c1dd8e75636ee8cfa49e3e6b6f3d4cc50 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Tue, 18 Jun 2024 18:35:53 +0000
Subject: [PATCH] attempt to verify envelope
Signed-off-by: Ramon Petgrave
---
 go.mod | 3 +-
 go.sum | 4 +++
 verifiers/internal/vsa/verifier.go | 56 +++++++++++++++++++++++++++++-
 3 files changed, 61 insertions(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index 51bd2e9..67c9666 100644
--- a/go.mod
+++ b/go.mod
@@ -33,6 +33,7 @@ require (
 	github.com/go-openapi/strfmt v0.23.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/in-toto/attestation v1.1.0 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -115,7 +116,7 @@ require (
 	golang.org/x/term v0.19.0 // indirect
 	golang.org/x/text v0.14.0 // indirect
 	google.golang.org/grpc v1.62.1 // indirect
-	google.golang.org/protobuf v1.33.0
+	google.golang.org/protobuf v1.34.1
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.120.1 // indirect
diff --git a/go.sum b/go.sum
index a4ea7d5..3c9ad00 100644
--- a/go.sum
+++ b/go.sum
@@ -323,6 +323,8 @@ github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpO
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
 github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/in-toto/attestation v1.1.0 h1:oRWzfmZPDSctChD0VaQV7MJrywKOzyNrtpENQFq//2Q=
+github.com/in-toto/attestation v1.1.0/go.mod h1:DB59ytd3z7cIHgXxwpSX2SABrU6WJUKg/grpdgHVgVs=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -644,6 +646,8 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/verifiers/internal/vsa/verifier.go b/verifiers/internal/vsa/verifier.go
index b997367..d03e3cf 100644
--- a/verifiers/internal/vsa/verifier.go
+++ b/verifiers/internal/vsa/verifier.go
@@ -2,9 +2,17 @@ package vsa
 
 import (
 	"context"
+	"crypto"
 	"fmt"
 
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+	sigstoreBundle "github.com/sigstore/sigstore-go/pkg/bundle"
+	sigstoreCryptoUtils "github.com/sigstore/sigstore/pkg/cryptoutils"
+	sigstoreSignature "github.com/sigstore/sigstore/pkg/signature"
+	sigstoreDSSE "github.com/sigstore/sigstore/pkg/signature/dsse"
+	serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
 	"github.com/slsa-framework/slsa-verifier/v2/options"
+	vsa10 "github.com/slsa-framework/slsa-verifier/v2/verifiers/internal/vsa/v1.0"
 	"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
 )
 
@@ -18,9 +26,55 @@ func VerifyVSA(ctx context.Context,
 	if err != nil {
 		return nil, nil, err
 	}
-	fmt.Println(envelope)
+	sigstoreEnvelope := sigstoreBundle.Envelope{
+		Envelope: envelope,
+	}
+	sigstoreStatement, err := sigstoreEnvelope.Statement()
+	if err != nil {
+		return nil, nil, err
+	}
+	fmt.Println(sigstoreStatement)
+	vsa, err := vsa10.VSAFromStatement(sigstoreStatement)
+	if err != nil {
+		return nil, nil, err
+	}
+	fmt.Println(vsa)
+	// verify the envelope. signature
+	err = verifyEnvelopeSignature(ctx, &sigstoreEnvelope)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// TODO:
 	// verify the metadata
 	// print the attestation
 	return nil, nil, nil
 }
+
+func verifyEnvelopeSignature(ctx context.Context, sigstoreEnvelope *sigstoreBundle.Envelope) error {
+	pubKeyBytes := []byte(`-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeGa6ZCZn0q6WpaUwJrSk+PPYEsca
+3Xkk3UrxvbQtoZzTmq0zIYq+4QQl0YBedSyy+XcwAMaUWTouTrB05WhYtg==
+-----END PUBLIC KEY-----`)
+	pubKey, err := sigstoreCryptoUtils.UnmarshalPEMToPublicKey(pubKeyBytes)
+	if err != nil {
+		return fmt.Errorf("%w: %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	signatureVerifier, err := sigstoreSignature.LoadVerifier(pubKey, crypto.SHA256)
+	if err != nil {
+		return fmt.Errorf("%w: loading sigstore DSSE envolope verifier %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	envelopeVerifier, err := dsse.NewEnvelopeVerifier(&sigstoreDSSE.VerifierAdapter{
+		SignatureVerifier: signatureVerifier,
+		Pub:               pubKey,
+	})
+	if err != nil {
+		return fmt.Errorf("%w: creating verifier %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	_, err = envelopeVerifier.Verify(ctx, sigstoreEnvelope.Envelope)
+	if err != nil {
+		return fmt.Errorf("%w: verifying envelope %w", serrors.ErrorInvalidPublicKey, err)
+	}
+	return nil
+}
 
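Review bot: The DSSE signature is checked only after the untrusted payload has already been decoded by `sigstoreEnvelope.Statement()`, parsed by `vsa10.VSAFromStatement` and printed, so every parser on that path runs on unauthenticated input; the `verifyEnvelopeSignature` call should be the first thing done with the envelope, before `Statement()` (reordered below). The trusted key is a bare PEM literal inside `verifyEnvelopeSignature` with nothing recording whose key it is or how it was obtained; at minimum hoist it to a named package-level variable with a comment giving the key owner and fingerprint, and consider taking it from the caller's options so the verifier is not pinned to one undocumented key. Every failure in `verifyEnvelopeSignature` is wrapped as `serrors.ErrorInvalidPublicKey`, including a mismatch at `envelopeVerifier.Verify`, so a tampered or forged envelope is reported as a bad key; that last branch wants a signature-verification sentinel if the `errors` package provides one, and the `LoadVerifier` message has a typo (`envolope`). The `fmt.Println(sigstoreStatement)` and `fmt.Println(vsa)` lines write to stdout from library code and read as leftover debugging. VerifyVSA's signature and the envelope loading precede the hunk, and the metadata checks left as `// TODO:` are what would bind the accepted signature to the VSA's verifier identity.
```go
	sigstoreEnvelope := sigstoreBundle.Envelope{
		Envelope: envelope,
	}
	// Check the DSSE signature before decoding anything from the payload,
	// so no parser runs on an envelope that does not verify.
	if err := verifyEnvelopeSignature(ctx, &sigstoreEnvelope); err != nil {
		return nil, nil, err
	}
	sigstoreStatement, err := sigstoreEnvelope.Statement()
	if err != nil {
		return nil, nil, err
	}
	// … unchanged: VSAFromStatement, TODO metadata checks, return …
```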