

fixing ca path flag to be used and allowing timestamp server to be
specified for policy check

Signed-off-by: chaosinthecrd <[email protected]>
ChaosInTheCRD committed Jan 11, 2024
1 parent abce18b commit 6d85e84
Showing 2 changed files with 65 additions and 20 deletions.
66 changes: 55 additions & 11 deletions cmd/verify.go
Expand Up @@ -17,6 +17,7 @@ package cmd
import (
"context"
"crypto"
"crypto/x509"
"encoding/json"
"errors"
"fmt"
Expand All @@ -28,6 +29,7 @@ import (
"github.com/in-toto/go-witness/dsse"
"github.com/in-toto/go-witness/log"
"github.com/in-toto/go-witness/source"
"github.com/in-toto/go-witness/timestamp"
"github.com/in-toto/witness/options"
"github.com/spf13/cobra"
)
Expand Down Expand Up @@ -56,23 +58,58 @@ const (
// todo: this logic should be broken out and moved to pkg/
// we need to abstract where keys are coming from, etc
func runVerify(ctx context.Context, vo options.VerifyOptions) error {
if vo.KeyPath == "" && len(vo.CAPaths) == 0 {
return fmt.Errorf("must suply public key or ca paths")
if vo.KeyPath == "" && len(vo.PolicyCAPaths) == 0 {
return fmt.Errorf("must supply public key or ca paths")
}

var verifier cryptoutil.Verifier
var verifiers []cryptoutil.Verifier
if vo.KeyPath != "" {
keyFile, err := os.Open(vo.KeyPath)
if err != nil {
return fmt.Errorf("failed to open key file: %w", err)
}
defer keyFile.Close()

verifier, err = cryptoutil.NewVerifierFromReader(keyFile)
v, err := cryptoutil.NewVerifierFromReader(keyFile)
if err != nil {
return fmt.Errorf("failed to create verifier: %w", err)
}

verifiers = append(verifiers, v)
}

var policyRoots []*x509.Certificate
if len(vo.PolicyCAPaths) > 0 {
for _, caPath := range vo.PolicyCAPaths {
caFile, err := os.ReadFile(caPath)
if err != nil {
return fmt.Errorf("failed to read CA certificate file: %w", err)
}

cert, err := cryptoutil.TryParseCertificate(caFile)
if err != nil {
return fmt.Errorf("failed to parse Timestamp Server CA certificate: %w", err)
}

policyRoots = append(policyRoots, cert)
}
}

ptsv := make([]dsse.TimestampVerifier, 0)
if len(vo.PolicyTimestampServers) > 0 {
for _, server := range vo.PolicyTimestampServers {
f, err := os.ReadFile(server)
if err != nil {
return fmt.Errorf("failed to open Timestamp Server CA certificate file: %w", err)
}

cert, err := cryptoutil.TryParseCertificate(f)
if err != nil {
return fmt.Errorf("failed to parse Timestamp Server CA certificate: %w", err)
}

ptsv = append(ptsv, timestamp.NewVerifier(timestamp.VerifyWithCerts([]*x509.Certificate{cert})))
}
}

inFile, err := os.Open(vo.PolicyFilePath)
Expand Down Expand Up @@ -121,26 +158,33 @@ func runVerify(ctx context.Context, vo options.VerifyOptions) error {
verifiedEvidence, err := witness.Verify(
ctx,
policyEnvelope,
[]cryptoutil.Verifier{verifier},
verifiers,
witness.VerifyWithSubjectDigests(subjects),
witness.VerifyWithCollectionSource(collectionSource),
witness.VerifyWithPolicyTimestampServers(ptsv),

)

if err != nil {
return fmt.Errorf("failed to verify policy: %w", err)

}

log.Info("Verification succeeded")
log.Info("Evidence:")
log.Infof("Evidence:")
num := 0
for _, stepEvidence := range verifiedEvidence {
for step, stepEvidence := range verifiedEvidence {
for _, e := range stepEvidence {
log.Info(fmt.Sprintf("%d: %s", num, e.Reference))
log.Info(fmt.Sprintf("step %d: %s", num, step))
log.Info(fmt.Sprintf("reference: %s", e.Reference))
for _, v := range e.Verifiers {
k, err := v.KeyID()
if err != nil {
return fmt.Errorf("failed to get verifier key id: %w", err)
}
log.Info(fmt.Sprintf("Verified Key IDs: %s", k))
}
num++
}
}

return nil

}
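Review bot: The error at `return fmt.Errorf("failed to parse Timestamp Server CA certificate: %w", err)` inside the PolicyCAPaths loop names the wrong input — that loop parses the policy CA certificates, so a failure there would point the operator at the timestamp flag; use `return fmt.Errorf("failed to parse policy CA certificate: %w", err)` and keep the timestamp wording only in the PolicyTimestampServers loop. The `if len(vo.PolicyCAPaths) > 0` and `if len(vo.PolicyTimestampServers) > 0` guards around the two `for` loops are redundant, since ranging over an empty slice is already a no-op. The new `witness.VerifyWithPolicyTimestampServers` and `witness.VerifyWithPolicyCACerts` options are not defined in this commit and no go.mod change is listed, so the build presumably depends on a go-witness version that exports them. `log.Infof("Evidence:")` has no format arguments; the original `log.Info("Evidence:")` was already the right call. runVerify continues past the end of the first hunk and starts before the last one.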
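--- a/options/verify.go
+++ b/options/verify.go
@@ -17,13 +17,14 @@ package options
 import "github.com/spf13/cobra"
 
 type VerifyOptions struct {
-ArchivistaOptions ArchivistaOptions
-KeyPath string
-AttestationFilePaths []string
-PolicyFilePath string
-ArtifactFilePath string
-AdditionalSubjects []string
-CAPaths []string
+ArchivistaOptions ArchivistaOptions
+KeyPath string
+AttestationFilePaths []string
+PolicyFilePath string
+ArtifactFilePath string
+AdditionalSubjects []string
+PolicyCAPaths []string
+PolicyTimestampServers []string
 }
 
 func (vo *VerifyOptions) AddFlags(cmd *cobra.Command) {
@@ -33,6 +34,6 @@ func (vo *VerifyOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVarP(&vo.PolicyFilePath, "policy", "p", "", "Path to the policy to verify")
 cmd.Flags().StringVarP(&vo.ArtifactFilePath, "artifactfile", "f", "", "Path to the artifact to verify")
 cmd.Flags().StringSliceVarP(&vo.AdditionalSubjects, "subjects", "s", []string{}, "Additional subjects to lookup attestations")
-cmd.Flags().StringSliceVarP(&vo.CAPaths, "policy-ca", "", []string{}, "Paths to CA certificates to use for verifying the policy")
-
+cmd.Flags().StringSliceVarP(&vo.PolicyCAPaths, "policy-ca", "", []string{}, "Paths to CA certificates to use for verifying the policy")
+cmd.Flags().StringSliceVarP(&vo.PolicyTimestampServers, "policy-timestamp-servers", "", []string{}, "Paths to the CA certificates for Timestamp Authority Servers to use when verifying policy")
 }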
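Review bot: The new `PolicyTimestampServers` field and `--policy-timestamp-servers` flag hold paths to CA certificate files, not server addresses, which the name alone does not convey; a doc comment on the struct field, `// PolicyTimestampServers lists paths to CA certificate files for the timestamp authorities trusted when verifying the policy.`, would make that explicit, and `// PolicyCAPaths lists paths to CA certificates used to verify the policy.` would document its sibling. Renaming the exported `CAPaths` field to `PolicyCAPaths` keeps the `--policy-ca` flag name, so CLI users are unaffected, but any Go code that builds `options.VerifyOptions` by field name breaks; that is worth a line in the commit message. AddFlags starts before the second hunk.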

