mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-16 21:46:40 +00:00
dont use TrustedAttestorID
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This commit is contained in:
Ramon Petgrave
@@ -1878,7 +1878,7 @@ func Test_runVerifyVSA(t *testing.T) {
|
||||
PublicKeyHashAlgo: tt.publicKeyHashAlgo,
|
||||
}
|
||||
|
||||
_, err := cmd.Exec(context.Background())
|
||||
err := cmd.Exec(context.Background())
|
||||
if diff := cmp.Diff(tt.err, err, cmpopts.EquateErrors()); diff != "" {
|
||||
t.Fatalf("unexpected error (-want +got): \n%s", diff)
|
||||
}
|
||||
|
||||
@@ -204,7 +204,7 @@ func verifyVSACmd() *cobra.Command {
|
||||
PublicKeyID: &o.PublicKeyID,
|
||||
PublicKeyHashAlgo: &o.PublicKeyHashAlgo,
|
||||
}
|
||||
if _, err := v.Exec(cmd.Context()); err != nil {
|
||||
if err := v.Exec(cmd.Context()); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err)
|
||||
os.Exit(1)
|
||||
} else {
|
||||
|
||||
@@ -24,7 +24,6 @@ import (
|
||||
serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
|
||||
"github.com/slsa-framework/slsa-verifier/v2/options"
|
||||
"github.com/slsa-framework/slsa-verifier/v2/verifiers"
|
||||
"github.com/slsa-framework/slsa-verifier/v2/verifiers/utils"
|
||||
)
|
||||
|
||||
// VerifyVSACommand contains the parameters for the verify-vsa command.
|
||||
@@ -48,7 +47,7 @@ var hashAlgos = map[string]crypto.Hash{
|
||||
}
|
||||
|
||||
// Exec executes the verifiers.VerifyVSA.
|
||||
func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID, error) {
|
||||
func (c *VerifyVSACommand) Exec(ctx context.Context) error {
|
||||
vsaOpts := &options.VSAOpts{
|
||||
ExpectedDigests: c.SubjectDigests,
|
||||
ExpectedVerifierID: c.VerifierID,
|
||||
@@ -58,19 +57,19 @@ func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID,
|
||||
pubKeyBytes, err := os.ReadFile(*c.PublicKeyPath)
|
||||
if err != nil {
|
||||
printFailed(err)
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(pubKeyBytes)
|
||||
if err != nil {
|
||||
err = fmt.Errorf("%w: %w", serrors.ErrorInvalidPublicKey, err)
|
||||
printFailed(err)
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
hashAlgo, ok := hashAlgos[*c.PublicKeyHashAlgo]
|
||||
if !ok {
|
||||
err := fmt.Errorf("%w: %s", serrors.ErrorInvalidHashAlgo, *c.PublicKeyHashAlgo)
|
||||
printFailed(err)
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
VerificationOpts := &options.VerificationOpts{
|
||||
PublicKey: pubKey,
|
||||
@@ -80,19 +79,19 @@ func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID,
|
||||
attestation, err := os.ReadFile(*c.AttestationPath)
|
||||
if err != nil {
|
||||
printFailed(err)
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
verifiedProvenance, outProducerID, err := verifiers.VerifyVSA(ctx, attestation, vsaOpts, VerificationOpts)
|
||||
verifiedProvenance, err := verifiers.VerifyVSA(ctx, attestation, vsaOpts, VerificationOpts)
|
||||
if err != nil {
|
||||
printFailed(err)
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
if c.PrintAttestation {
|
||||
fmt.Fprintf(os.Stdout, "%s\n", string(verifiedProvenance))
|
||||
}
|
||||
fmt.Fprintf(os.Stderr, "Verifying VSA: PASSED\n\n")
|
||||
// verfiers.VerifyVSA already checks if the producerID matches
|
||||
return outProducerID, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
// printFailed prints the error message to stderr.
|
||||
|
||||
@@ -15,15 +15,17 @@ import (
|
||||
)
|
||||
|
||||
// VerifyVSA verifies the VSA attestation. It returns the attestation base64-decoded from the envelope, and the trusted attester ID.
|
||||
// We don't return a TrustedBuilderID. Instead, the user can user can parse the builderID separately, perhaps with
|
||||
// https://pkg.go.dev/golang.org/x/mod/semver.
|
||||
func VerifyVSA(ctx context.Context,
|
||||
attestation []byte,
|
||||
vsaOpts *options.VSAOpts,
|
||||
verificationOpts *options.VerificationOpts,
|
||||
) ([]byte, *utils.TrustedAttesterID, error) {
|
||||
) ([]byte, error) {
|
||||
// following steps in https://slsa.dev/spec/v1.1/verification_summary#how-to-verify
|
||||
envelope, err := utils.EnvelopeFromBytes(attestation)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// 1. verify the envelope signature,
|
||||
@@ -31,7 +33,7 @@ func VerifyVSA(ctx context.Context,
|
||||
// 3. parse the VSA, verifying the predicateType.
|
||||
vsa, err := extractSignedVSA(ctx, envelope, verificationOpts)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// 2. match the subject digests,
|
||||
@@ -42,17 +44,13 @@ func VerifyVSA(ctx context.Context,
|
||||
// no other fields are checked.
|
||||
err = matchExpectedValues(vsa, vsaOpts)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
trustedAttesterID, err := utils.TrustedAttesterIDNew(vsa.Predicate.Verifier.ID, false)
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
return nil, err
|
||||
}
|
||||
vsaBytes, err := envelope.DecodeB64Payload()
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err)
|
||||
return nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err)
|
||||
}
|
||||
return vsaBytes, trustedAttesterID, nil
|
||||
return vsaBytes, nil
|
||||
}
|
||||
|
||||
// extractSignedVSA verifies the envelope signature and type and extracts the VSA from the envelope.
|
||||
|
||||
@@ -9,25 +9,6 @@ import (
|
||||
serrors "github.com/slsa-framework/slsa-verifier/v2/errors"
|
||||
)
|
||||
|
||||
// TrustedAttesterID represents an identifier that has been explicitly trusted.
|
||||
// TODO: don't embed TrustedBuilderID, use a whole new type that implements the
|
||||
// Name, Version, and String, and maybe also MatchesLoose and MatchesFull. (using semver?)
|
||||
type TrustedAttesterID struct {
|
||||
TrustedBuilderID
|
||||
}
|
||||
|
||||
// TrustedAttesterIDNew creates a new AttesterID structure.
|
||||
func TrustedAttesterIDNew(attesterID string, needVersion bool) (*TrustedAttesterID, error) {
|
||||
builderID, err := TrustedBuilderIDNew(attesterID, needVersion)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
trustedAttesterID := &TrustedAttesterID{
|
||||
TrustedBuilderID: *builderID,
|
||||
}
|
||||
return trustedAttesterID, nil
|
||||
}
|
||||
|
||||
// TrustedBuilderID represents a builder ID that has been explicitly trusted.
|
||||
type TrustedBuilderID struct {
|
||||
name, version string
|
||||
|
||||
@@ -76,11 +76,13 @@ func VerifyNpmPackage(ctx context.Context,
|
||||
provenanceOpts, builderOpts)
|
||||
}
|
||||
|
||||
// VerifyVSA verifies the VSA attestation. It returns the attestation base64-decoded from the envelope, and the trusted attester ID.
|
||||
// VerifyVSA verifies the VSA attestation. It returns the attestation base64-decoded from the envelope.
|
||||
// We don't return a TrustedBuilderID. Instead, the user can user can parse the builderID separately, perhaps with
|
||||
// https://pkg.go.dev/golang.org/x/mod/semver
|
||||
func VerifyVSA(ctx context.Context,
|
||||
attestation []byte,
|
||||
vsaOpts *options.VSAOpts,
|
||||
verificationOpts *options.VerificationOpts,
|
||||
) ([]byte, *utils.TrustedAttesterID, error) {
|
||||
) ([]byte, error) {
|
||||
return vsa.VerifyVSA(ctx, attestation, vsaOpts, verificationOpts)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user