Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding support for using timestamp authority and CA certificates for verifying policy #124

Merged
merged 2 commits into from
Jan 17, 2024
Merged

Adding support for using timestamp authority and CA certificates for verifying policy #124

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b84c6ad
fixing a couple of things
ChaosInTheCRD Jan 12, 2024
f4c8f12
renamed fields and added intermediates for verify
ChaosInTheCRD Jan 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions dsse/dsse.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,11 @@ func (e ErrNoMatchingSigs) Error() string {

type ErrThresholdNotMet struct {
Theshold int
Acutal int
Actual int
}

func (e ErrThresholdNotMet) Error() string {
return fmt.Sprintf("envelope did not meet verifier threshold. expected %v valid verifiers but got %v", e.Theshold, e.Acutal)
return fmt.Sprintf("envelope did not meet verifier threshold. expected %v valid verifiers but got %v", e.Theshold, e.Actual)
}

type ErrInvalidThreshold int
Expand Down
2 changes: 1 addition & 1 deletion dsse/dsse_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -217,7 +217,7 @@ func TestThreshold(t *testing.T) {
assert.ElementsMatch(t, approvedVerifiers, expectedVerifiers)

approvedVerifiers, err = env.Verify(VerifyWithVerifiers(verifiers...), VerifyWithThreshold(10))
require.ErrorIs(t, err, ErrThresholdNotMet{Acutal: 5, Theshold: 10})
require.ErrorIs(t, err, ErrThresholdNotMet{Actual: 5, Theshold: 10})
assert.ElementsMatch(t, approvedVerifiers, expectedVerifiers)

_, err = env.Verify(VerifyWithVerifiers(verifiers...), VerifyWithThreshold(-10))
Expand Down
8 changes: 7 additions & 1 deletion dsse/verify.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"time"

"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/log"
)

type TimestampVerifier interface {
Expand Down Expand Up @@ -115,6 +116,8 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
if verifier, err := verifyX509Time(cert, sigIntermediates, options.roots, pae, sig.Signature, time.Now()); err == nil {
matchingSigFound = true
passedVerifiers = append(passedVerifiers, PassedVerifier{Verifier: verifier})
} else {
log.Debugf("failed to verify with timestamp verifier: %w", err)
}
} else {
var passedVerifier cryptoutil.Verifier
Expand All @@ -130,7 +133,10 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
if verifier, err := verifyX509Time(cert, sigIntermediates, options.roots, pae, sig.Signature, timestamp); err == nil {
passedVerifier = verifier
passedTimestampVerifiers = append(passedTimestampVerifiers, timestampVerifier)
} else {
log.Debugf("failed to verify with timestamp verifier: %w", err)
}

}
}

Expand Down Expand Up @@ -159,7 +165,7 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
}

if len(passedVerifiers) < options.threshold {
return passedVerifiers, ErrThresholdNotMet{Theshold: options.threshold, Acutal: len(passedVerifiers)}
return passedVerifiers, ErrThresholdNotMet{Theshold: options.threshold, Actual: len(passedVerifiers)}
}

return passedVerifiers, nil
Expand Down
25 changes: 20 additions & 5 deletions verify.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,13 @@ func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelo
}

type verifyOptions struct {
policyEnvelope dsse.Envelope
policyVerifiers []cryptoutil.Verifier
collectionSource source.Sourcer
subjectDigests []string
policyTimestampAuthorities []dsse.TimestampVerifier
policyCARoots []*x509.Certificate
policyCAIntermediates []*x509.Certificate
policyEnvelope dsse.Envelope
policyVerifiers []cryptoutil.Verifier
collectionSource source.Sourcer
subjectDigests []string
}

type VerifyOption func(*verifyOptions)
Expand All @@ -64,6 +67,18 @@ func VerifyWithCollectionSource(source source.Sourcer) VerifyOption {
}
}

func VerifyWithPolicyTimestampAuthorities(authorities []dsse.TimestampVerifier) VerifyOption {
return func(vo *verifyOptions) {
vo.policyTimestampAuthorities = authorities
}
}

func VerifyWithPolicyCARoots(roots []*x509.Certificate) VerifyOption {
return func(vo *verifyOptions) {
vo.policyCARoots = roots
}
}

// Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned
// if verifiation is successful.
func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (map[string][]source.VerifiedCollection, error) {
Expand All @@ -76,7 +91,7 @@ func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers [
opt(&vo)
}

if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...)); err != nil {
if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...), dsse.VerifyWithTimestampVerifiers(vo.policyTimestampAuthorities...), dsse.VerifyWithRoots(vo.policyCARoots...), dsse.VerifyWithIntermediates(vo.policyCAIntermediates...)); err != nil {
return nil, fmt.Errorf("could not verify policy: %w", err)
}

Expand Down
Loading