From d33cbc3170134a43a2cbfe65f510965658544fa4 Mon Sep 17 00:00:00 2001 From: Ramon Petgrave Date: Tue, 25 Jun 2024 23:41:57 +0000 Subject: [PATCH] dont use TrustedAttestorID Signed-off-by: Ramon Petgrave --- cli/slsa-verifier/main_regression_test.go | 2 +- cli/slsa-verifier/verify.go | 2 +- cli/slsa-verifier/verify/verify_vsa.go | 17 ++++++++--------- verifiers/internal/vsa/verifier.go | 18 ++++++++---------- verifiers/utils/builder.go | 19 ------------------- verifiers/verifier.go | 6 ++++-- 6 files changed, 22 insertions(+), 42 deletions(-) diff --git a/cli/slsa-verifier/main_regression_test.go b/cli/slsa-verifier/main_regression_test.go index 514651f..5e935eb 100644 --- a/cli/slsa-verifier/main_regression_test.go +++ b/cli/slsa-verifier/main_regression_test.go @@ -1878,7 +1878,7 @@ func Test_runVerifyVSA(t *testing.T) { PublicKeyHashAlgo: tt.publicKeyHashAlgo, } - _, err := cmd.Exec(context.Background()) + err := cmd.Exec(context.Background()) if diff := cmp.Diff(tt.err, err, cmpopts.EquateErrors()); diff != "" { t.Fatalf("unexpected error (-want +got): \n%s", diff) } diff --git a/cli/slsa-verifier/verify.go b/cli/slsa-verifier/verify.go index 3ae48bb..79879e1 100644 --- a/cli/slsa-verifier/verify.go +++ b/cli/slsa-verifier/verify.go @@ -204,7 +204,7 @@ func verifyVSACmd() *cobra.Command { PublicKeyID: &o.PublicKeyID, PublicKeyHashAlgo: &o.PublicKeyHashAlgo, } - if _, err := v.Exec(cmd.Context()); err != nil { + if err := v.Exec(cmd.Context()); err != nil { fmt.Fprintf(os.Stderr, "%s: %v\n", FAILURE, err) os.Exit(1) } else { diff --git a/cli/slsa-verifier/verify/verify_vsa.go b/cli/slsa-verifier/verify/verify_vsa.go index 8bc3c7e..e5a11e8 100644 --- a/cli/slsa-verifier/verify/verify_vsa.go +++ b/cli/slsa-verifier/verify/verify_vsa.go @@ -24,7 +24,6 @@ import ( serrors "github.com/slsa-framework/slsa-verifier/v2/errors" "github.com/slsa-framework/slsa-verifier/v2/options" "github.com/slsa-framework/slsa-verifier/v2/verifiers" - "github.com/slsa-framework/slsa-verifier/v2/verifiers/utils" ) // VerifyVSACommand contains the parameters for the verify-vsa command. @@ -48,7 +47,7 @@ var hashAlgos = map[string]crypto.Hash{ } // Exec executes the verifiers.VerifyVSA. -func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID, error) { +func (c *VerifyVSACommand) Exec(ctx context.Context) error { vsaOpts := &options.VSAOpts{ ExpectedDigests: c.SubjectDigests, ExpectedVerifierID: c.VerifierID, @@ -58,19 +57,19 @@ func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID, pubKeyBytes, err := os.ReadFile(*c.PublicKeyPath) if err != nil { printFailed(err) - return nil, err + return err } pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(pubKeyBytes) if err != nil { err = fmt.Errorf("%w: %w", serrors.ErrorInvalidPublicKey, err) printFailed(err) - return nil, err + return err } hashAlgo, ok := hashAlgos[*c.PublicKeyHashAlgo] if !ok { err := fmt.Errorf("%w: %s", serrors.ErrorInvalidHashAlgo, *c.PublicKeyHashAlgo) printFailed(err) - return nil, err + return err } VerificationOpts := &options.VerificationOpts{ PublicKey: pubKey, @@ -80,19 +79,19 @@ func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID, attestation, err := os.ReadFile(*c.AttestationPath) if err != nil { printFailed(err) - return nil, err + return err } - verifiedProvenance, outProducerID, err := verifiers.VerifyVSA(ctx, attestation, vsaOpts, VerificationOpts) + verifiedProvenance, err := verifiers.VerifyVSA(ctx, attestation, vsaOpts, VerificationOpts) if err != nil { printFailed(err) - return nil, err + return err } if c.PrintAttestation { fmt.Fprintf(os.Stdout, "%s\n", string(verifiedProvenance)) } fmt.Fprintf(os.Stderr, "Verifying VSA: PASSED\n\n") // verfiers.VerifyVSA already checks if the producerID matches - return outProducerID, nil + return nil } // printFailed prints the error message to stderr. diff --git a/verifiers/internal/vsa/verifier.go b/verifiers/internal/vsa/verifier.go index 9103d15..f58f18a 100644 --- a/verifiers/internal/vsa/verifier.go +++ b/verifiers/internal/vsa/verifier.go @@ -15,15 +15,17 @@ import ( ) // VerifyVSA verifies the VSA attestation. It returns the attestation base64-decoded from the envelope, and the trusted attester ID. +// We don't return a TrustedBuilderID. Instead, the user can user can parse the builderID separately, perhaps with +// https://pkg.go.dev/golang.org/x/mod/semver. func VerifyVSA(ctx context.Context, attestation []byte, vsaOpts *options.VSAOpts, verificationOpts *options.VerificationOpts, -) ([]byte, *utils.TrustedAttesterID, error) { +) ([]byte, error) { // following steps in https://slsa.dev/spec/v1.1/verification_summary#how-to-verify envelope, err := utils.EnvelopeFromBytes(attestation) if err != nil { - return nil, nil, err + return nil, err } // 1. verify the envelope signature, @@ -31,7 +33,7 @@ func VerifyVSA(ctx context.Context, // 3. parse the VSA, verifying the predicateType. vsa, err := extractSignedVSA(ctx, envelope, verificationOpts) if err != nil { - return nil, nil, err + return nil, err } // 2. match the subject digests, @@ -42,17 +44,13 @@ func VerifyVSA(ctx context.Context, // no other fields are checked. err = matchExpectedValues(vsa, vsaOpts) if err != nil { - return nil, nil, err - } - trustedAttesterID, err := utils.TrustedAttesterIDNew(vsa.Predicate.Verifier.ID, false) - if err != nil { - return nil, nil, err + return nil, err } vsaBytes, err := envelope.DecodeB64Payload() if err != nil { - return nil, nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err) + return nil, fmt.Errorf("%w: %w", serrors.ErrorInvalidDssePayload, err) } - return vsaBytes, trustedAttesterID, nil + return vsaBytes, nil } // extractSignedVSA verifies the envelope signature and type and extracts the VSA from the envelope. diff --git a/verifiers/utils/builder.go b/verifiers/utils/builder.go index 22f9713..9978d05 100644 --- a/verifiers/utils/builder.go +++ b/verifiers/utils/builder.go @@ -9,25 +9,6 @@ import ( serrors "github.com/slsa-framework/slsa-verifier/v2/errors" ) -// TrustedAttesterID represents an identifier that has been explicitly trusted. -// TODO: don't embed TrustedBuilderID, use a whole new type that implements the -// Name, Version, and String, and maybe also MatchesLoose and MatchesFull. (using semver?) -type TrustedAttesterID struct { - TrustedBuilderID -} - -// TrustedAttesterIDNew creates a new AttesterID structure. -func TrustedAttesterIDNew(attesterID string, needVersion bool) (*TrustedAttesterID, error) { - builderID, err := TrustedBuilderIDNew(attesterID, needVersion) - if err != nil { - return nil, err - } - trustedAttesterID := &TrustedAttesterID{ - TrustedBuilderID: *builderID, - } - return trustedAttesterID, nil -} - // TrustedBuilderID represents a builder ID that has been explicitly trusted. type TrustedBuilderID struct { name, version string diff --git a/verifiers/verifier.go b/verifiers/verifier.go index f3dcb86..c978d20 100644 --- a/verifiers/verifier.go +++ b/verifiers/verifier.go @@ -76,11 +76,13 @@ func VerifyNpmPackage(ctx context.Context, provenanceOpts, builderOpts) } -// VerifyVSA verifies the VSA attestation. It returns the attestation base64-decoded from the envelope, and the trusted attester ID. +// VerifyVSA verifies the VSA attestation. It returns the attestation base64-decoded from the envelope. +// We don't return a TrustedBuilderID. Instead, the user can user can parse the builderID separately, perhaps with +// https://pkg.go.dev/golang.org/x/mod/semver func VerifyVSA(ctx context.Context, attestation []byte, vsaOpts *options.VSAOpts, verificationOpts *options.VerificationOpts, -) ([]byte, *utils.TrustedAttesterID, error) { +) ([]byte, error) { return vsa.VerifyVSA(ctx, attestation, vsaOpts, verificationOpts) }