Skip to content

Commit 418c349

Browse files
committed
PR fix
Signed-off-by: houdini91 <[email protected]>
1 parent 1c078e4 commit 418c349

File tree

5 files changed

+125
-16
lines changed

5 files changed

+125
-16
lines changed

dsse/sign.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -166,7 +166,7 @@ Any domain specific validation such as parsing the decoded body and
166166
validating the payload type is left out to the caller.
167167
Verify returns a list of accepted keys each including a keyid, public and signiture of the accepted provider keys.
168168
*/
169-
func (es *envelopeSigner) Verify(e *Envelope) ([]AcceptedKeys, error) {
169+
func (es *envelopeSigner) Verify(e *Envelope) ([]AcceptedKey, error) {
170170
return es.ev.Verify(e)
171171
}
172172

dsse/sign_test.go

Lines changed: 84 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -286,7 +286,7 @@ func (es *EcdsaSigner) KeyID() (string, error) {
286286
}
287287

288288
func (es *EcdsaSigner) Public() crypto.PublicKey {
289-
return es.Public
289+
return es.key.Public()
290290
}
291291

292292
// Test against the example in the protocol specification:
@@ -564,3 +564,86 @@ func TestVerifyOneFail(t *testing.T) {
564564
assert.Len(t, acceptedKeys, 1, "unexpected keys")
565565
assert.Equal(t, acceptedKeys[0].KeyID, "i1", "unexpected keyid")
566566
}
567+
568+
func TestVerifySameKeyID(t *testing.T) {
569+
var payloadType = "http://example.com/HelloWorld"
570+
var payload = "hello world"
571+
572+
var s1 = &interceptSigner{
573+
keyID: "i1",
574+
verifyRes: true,
575+
}
576+
var s2 = &interceptSigner{
577+
keyID: "i1",
578+
verifyRes: true,
579+
}
580+
signer, err := NewEnvelopeSigner(s1, s2)
581+
assert.Nil(t, err, "unexpected error")
582+
583+
env, err := signer.SignPayload(payloadType, []byte(payload))
584+
assert.Nil(t, err, "sign failed")
585+
586+
acceptedKeys, err := signer.Verify(env)
587+
assert.Nil(t, err, "expected error")
588+
assert.True(t, s1.verifyCalled, "verify not called")
589+
assert.True(t, s2.verifyCalled, "verify not called")
590+
assert.Len(t, acceptedKeys, 1, "unexpected keys")
591+
assert.Equal(t, acceptedKeys[0].KeyID, "i1", "unexpected keyid")
592+
}
593+
594+
func TestVerifyEmptyKeyID(t *testing.T) {
595+
var payloadType = "http://example.com/HelloWorld"
596+
var payload = "hello world"
597+
598+
var s1 = &interceptSigner{
599+
keyID: "",
600+
verifyRes: true,
601+
}
602+
603+
var s2 = &interceptSigner{
604+
keyID: "",
605+
verifyRes: true,
606+
}
607+
608+
signer, err := NewEnvelopeSigner(s1, s2)
609+
assert.Nil(t, err, "unexpected error")
610+
611+
env, err := signer.SignPayload(payloadType, []byte(payload))
612+
assert.Nil(t, err, "sign failed")
613+
614+
acceptedKeys, err := signer.Verify(env)
615+
assert.Nil(t, err, "expected error")
616+
// assert.True(t, s1.verifyCalled, "verify not called")
617+
// assert.True(t, s2.verifyCalled, "verify not called")
618+
assert.Len(t, acceptedKeys, 1, "unexpected keys")
619+
assert.Equal(t, acceptedKeys[0].KeyID, "", "unexpected keyid")
620+
}
621+
622+
func TestVerifyPublicKeyID(t *testing.T) {
623+
var payloadType = "http://example.com/HelloWorld"
624+
var payload = "hello world"
625+
var keyID = "SHA256:f4AuBLdH4Lj/dIuwAUXXebzoI9B/cJ4iSQ3/qByIl4M"
626+
// var keyID = "test key 123"
627+
628+
var s1 = &EcdsaSigner{
629+
keyID: "",
630+
key: newEcdsaKey(),
631+
}
632+
633+
var s2 = &EcdsaSigner{
634+
keyID: "",
635+
key: newEcdsaKey(),
636+
}
637+
// a := s1.Public()
638+
639+
signer, err := NewEnvelopeSigner(s1, s2)
640+
assert.Nil(t, err, "unexpected error")
641+
642+
env, err := signer.SignPayload(payloadType, []byte(payload))
643+
assert.Nil(t, err, "sign failed")
644+
645+
acceptedKeys, err := signer.Verify(env)
646+
assert.Nil(t, err, "expected error")
647+
assert.Len(t, acceptedKeys, 1, "unexpected keys")
648+
assert.Equal(t, acceptedKeys[0].KeyID, keyID, "unexpected keyid")
649+
}

dsse/verify.go

Lines changed: 28 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@ import (
44
"crypto"
55
"errors"
66
"fmt"
7+
8+
"golang.org/x/crypto/ssh"
79
)
810

911
/*
@@ -23,13 +25,13 @@ type envelopeVerifier struct {
2325
threshold int
2426
}
2527

26-
type AcceptedKeys struct {
28+
type AcceptedKey struct {
2729
Public crypto.PublicKey
2830
KeyID string
2931
Sig Signature
3032
}
3133

32-
func (ev *envelopeVerifier) Verify(e *Envelope) ([]AcceptedKeys, error) {
34+
func (ev *envelopeVerifier) Verify(e *Envelope) ([]AcceptedKey, error) {
3335
if len(e.Signatures) == 0 {
3436
return nil, ErrNoSignature
3537
}
@@ -43,7 +45,7 @@ func (ev *envelopeVerifier) Verify(e *Envelope) ([]AcceptedKeys, error) {
4345
paeEnc := PAE(e.PayloadType, string(body))
4446

4547
// If *any* signature is found to be incorrect, it is skipped
46-
var acceptedKeys []AcceptedKeys
48+
var acceptedKeys []AcceptedKey
4749
usedKeyids := make(map[string]string)
4850
for _, s := range e.Signatures {
4951
sig, err := b64Decode(s.Sig)
@@ -57,27 +59,34 @@ func (ev *envelopeVerifier) Verify(e *Envelope) ([]AcceptedKeys, error) {
5759
// the loop and use the result.
5860
for _, v := range ev.providers {
5961
keyID, err := v.KeyID()
62+
63+
// Verifiers that do not provide a keyid will be generated one using public.
64+
if err != nil || keyID == "" {
65+
keyID, err = SHA256KeyID(v.Public())
66+
if err != nil {
67+
keyID = ""
68+
}
69+
}
70+
6071
if s.KeyID != "" && keyID != "" && err == nil && s.KeyID != keyID {
6172
continue
6273
}
63-
if err != nil {
64-
keyID = ""
65-
}
6674

6775
err = v.Verify(paeEnc, sig)
6876
if err != nil {
6977
continue
7078
}
7179

72-
acceptedKey := AcceptedKeys{
80+
acceptedKey := AcceptedKey{
7381
Public: v.Public(),
7482
KeyID: keyID,
7583
Sig: s,
7684
}
7785

7886
// See https://github.com/in-toto/in-toto/pull/251
79-
if val, ok := usedKeyids[keyID]; ok {
80-
fmt.Printf("Found envelope signed by different subkeys of the same main key, Only one of them is counted towards the step threshold, KeyID=%s\n", val)
87+
if _, ok := usedKeyids[keyID]; ok {
88+
fmt.Printf("Found envelope signed by different subkeys of the same main key, Only one of them is counted towards the step threshold, KeyID=%s\n", keyID)
89+
continue
8190
}
8291

8392
usedKeyids[keyID] = ""
@@ -114,3 +123,13 @@ func NewMultiEnvelopeVerifier(threshold int, p ...Verifier) (*envelopeVerifier,
114123
}
115124
return &ev, nil
116125
}
126+
127+
func SHA256KeyID(pub crypto.PublicKey) (string, error) {
128+
// Generate public key fingerprint
129+
sshpk, err := ssh.NewPublicKey(pub)
130+
if err != nil {
131+
return "", err
132+
}
133+
fingerprint := ssh.FingerprintSHA256(sshpk)
134+
return fingerprint, nil
135+
}

go.mod

Lines changed: 1 addition & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,4 @@ require (
77
github.com/stretchr/testify v1.7.0
88
)
99

10-
require (
11-
github.com/davecgh/go-spew v1.1.0 // indirect
12-
github.com/pmezard/go-difflib v1.0.0 // indirect
13-
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
14-
)
10+
require golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871

go.sum

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,17 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
77
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
88
github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
99
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
10+
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871 h1:/pEO3GD/ABYAjuakUS6xSEmmlyVS4kxBNkeA9tLJiTI=
11+
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
12+
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
13+
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
14+
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
15+
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
16+
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
17+
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
18+
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
19+
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
20+
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
1021
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
1122
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
1223
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=

0 commit comments

Comments
 (0)