Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix semantic bugs in attestation verifification. #1249

Merged
merged 1 commit into from
Dec 24, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 11 additions & 3 deletions pkg/cosign/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,7 @@ import (

"github.com/sigstore/cosign/pkg/blob"
"github.com/sigstore/cosign/pkg/oci/static"
"github.com/sigstore/cosign/pkg/types"

"github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
"github.com/google/go-containerregistry/pkg/name"
Expand Down Expand Up @@ -106,18 +107,25 @@ func verifyOCISignature(ctx context.Context, verifier signature.Verifier, sig oc
return verifier.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload), options.WithContext(ctx))
}

func verifyOCIAttestation(_ context.Context, verifier signature.Verifier, att oci.Signature) error {
// TODO(dekkagaijin): plumb through context
// For unit testing
type payloader interface {
Payload() ([]byte, error)
}

func verifyOCIAttestation(_ context.Context, verifier signature.Verifier, att payloader) error {
payload, err := att.Payload()
if err != nil {
return err
}

env := ssldsse.Envelope{}
if err := json.Unmarshal(payload, &env); err != nil {
return nil
return err
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wild

}

if env.PayloadType != types.IntotoPayloadType {
return fmt.Errorf("invalid payloadType %s on envelepe. Expected %s", env.PayloadType, types.IntotoPayloadType)
}
dssev, err := ssldsse.NewEnvelopeVerifier(&dsse.VerifierAdapter{SignatureVerifier: verifier})
if err != nil {
return err
Expand Down
91 changes: 91 additions & 0 deletions pkg/cosign/verify_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
// Copyright 2021 The Sigstore Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cosign

import (
"context"
"crypto"
"encoding/base64"
"encoding/json"
"io"
"testing"

"github.com/in-toto/in-toto-golang/in_toto"
"github.com/pkg/errors"
"github.com/secure-systems-lab/go-securesystemslib/dsse"
"github.com/sigstore/cosign/pkg/types"
"github.com/sigstore/sigstore/pkg/signature"
)

type mockVerifier struct {
shouldErr bool
}

func (m *mockVerifier) PublicKey(opts ...signature.PublicKeyOption) (crypto.PublicKey, error) {
return nil, nil
}

func (m *mockVerifier) VerifySignature(signature, message io.Reader, opts ...signature.VerifyOption) error {
if m.shouldErr {
return errors.New("failure")
}
return nil
}

var _ signature.Verifier = (*mockVerifier)(nil)

type mockAttestation struct {
payload interface{}
}

var _ payloader = (*mockAttestation)(nil)

func (m *mockAttestation) Annotations() (map[string]string, error) {
return nil, nil
}

func (m *mockAttestation) Payload() ([]byte, error) {
return json.Marshal(m.payload)
}
func Test_verifyOCIAttestation(t *testing.T) {
stmt, err := json.Marshal(in_toto.ProvenanceStatement{})
if err != nil {
t.Fatal(err)
}
valid := map[string]interface{}{
"payloadType": types.IntotoPayloadType,
"payload": stmt,
"signatures": []dsse.Signature{{Sig: base64.StdEncoding.EncodeToString([]byte("foobar"))}},
}
// Should Verify
if err := verifyOCIAttestation(context.TODO(), &mockVerifier{}, &mockAttestation{payload: valid}); err != nil {
t.Errorf("verifyOCIAttestation() error = %v", err)
}

invalid := map[string]interface{}{
"payloadType": "not valid type",
"payload": stmt,
"signatures": []dsse.Signature{{Sig: base64.StdEncoding.EncodeToString([]byte("foobar"))}},
}

// Should Not Verify
if err := verifyOCIAttestation(context.TODO(), &mockVerifier{}, &mockAttestation{payload: invalid}); err == nil {
t.Error("verifyOCIAttestation() expected invalid payload type error, got nil")
}

if err := verifyOCIAttestation(context.TODO(), &mockVerifier{shouldErr: true}, &mockAttestation{payload: valid}); err == nil {
t.Error("verifyOCIAttestation() expected invalid payload type error, got nil")
}
}