Use updated s/s
ret2libc committed Jan 12, 2024
1 parent f791e53 commit 2d93686
Showing 14 changed files with 47 additions and 33 deletions.
2 changes: 1 addition & 1 deletion cmd/rekor-cli/app/log_info.go
Expand Up @@ -181,7 +181,7 @@ func loadVerifier(rekorClient *rclient.Rekor) (signature.Verifier, error) {
return nil, err
}

return signature.LoadVerifier(pub, crypto.SHA256)
return signature.LoadVerifier(pub, crypto.SHA256, signature.LoadDefaultSV, nil)
}

func totalTreeSize(activeShard *models.LogInfo, inactiveShards []*models.InactiveShardLogInfo) int64 {
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -206,4 +206,4 @@ require (
)

// TODO: replace this
replace github.com/sigstore/sigstore => github.com/trail-of-forks/sigstore v0.0.0-20240111141334-bcd0b6e69e27
replace github.com/sigstore/sigstore => github.com/trail-of-forks/sigstore v0.0.0-20240112143627-ef70c23a75c8
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -430,8 +430,8 @@ github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qv
github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/trail-of-forks/sigstore v0.0.0-20240111141334-bcd0b6e69e27 h1:c2Ml9cPxyhUjvo+qqh+D1jlBMXe8+kRa68AlM4PqshU=
github.com/trail-of-forks/sigstore v0.0.0-20240111141334-bcd0b6e69e27/go.mod h1:l12B1gFlLIpBIVeqk/q1Lb+6YSOGNuN3xLExIjYH+qc=
github.com/trail-of-forks/sigstore v0.0.0-20240112143627-ef70c23a75c8 h1:xtAMpRyXS/lYwG1JBIFoXJcobPd9QViTLWMoNe7gQpQ=
github.com/trail-of-forks/sigstore v0.0.0-20240112143627-ef70c23a75c8/go.mod h1:l12B1gFlLIpBIVeqk/q1Lb+6YSOGNuN3xLExIjYH+qc=
github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
18 changes: 14 additions & 4 deletions pkg/pki/x509/x509.go
Expand Up @@ -38,17 +38,27 @@ import (
var EmailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1}

type Signature struct {
signature []byte
signature []byte
loadSignerVerifierType sigsig.LoadSignerVerifierType
loadVerifierOpts *sigsig.LoadVerifierOpts
}

// NewSignature creates and validates an x509 signature object
// NewSignature creates and validates an x509 signature object.
func NewSignature(r io.Reader) (*Signature, error) {
return NewSignatureWithOpts(r, sigsig.LoadDefaultSV, nil)
}

// NewSignatureWithOpts creates and validates an x509 signature object, allowing
// specific verifiers to be used
func NewSignatureWithOpts(r io.Reader, loadSignerVerifierType sigsig.LoadSignerVerifierType, loadVerifierOpts *sigsig.LoadVerifierOpts) (*Signature, error) {
b, err := io.ReadAll(r)
if err != nil {
return nil, err
}
return &Signature{
signature: b,
signature: b,
loadSignerVerifierType: loadSignerVerifierType,
loadVerifierOpts: loadVerifierOpts,
}, nil
}

Expand Down Expand Up @@ -84,7 +94,7 @@ func (s Signature) Verify(r io.Reader, k interface{}, opts ...sigsig.VerifyOptio
}
}

verifier, err := sigsig.LoadVerifier(p, crypto.SHA256)
verifier, err := sigsig.LoadVerifier(p, crypto.SHA256, s.loadSignerVerifierType, s.loadVerifierOpts)
if err != nil {
return err
}
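Review bot: `Verify` now picks its verifier from `s.loadSignerVerifierType` and `s.loadVerifierOpts`, but neither the new struct fields nor `NewSignatureWithOpts` documents what those values select or that a nil `loadVerifierOpts` is accepted. Any `Signature` value not built through one of the two constructors carries the zero `LoadSignerVerifierType`; whether that equals `sigsig.LoadDefaultSV` is not visible on this page and is worth confirming, because otherwise such a value would verify under a different algorithm selection than `NewSignature` gives. I would extend the doc comment to something like `// NewSignatureWithOpts is like NewSignature but records the verifier type and options that Verify passes to sigsig.LoadVerifier; loadVerifierOpts may be nil.` The body of `Verify` starts and ends outside the second hunk.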
10 changes: 5 additions & 5 deletions pkg/pki/x509/x509_test.go
Expand Up @@ -104,7 +104,7 @@ func signData(t *testing.T, b []byte, pkey string) []byte {
if err != nil {
t.Fatal(err)
}
signer, err := signature.LoadSigner(priv, crypto.SHA256)
signer, err := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
if err != nil {
t.Fatal(err)
}
Expand Down Expand Up @@ -320,7 +320,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {

// Generate signature to verify
data := []byte("test")
signer, err := signature.LoadSigner(leafKey, crypto.SHA256)
signer, err := signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
if err != nil {
t.Fatal(err)
}
Expand All @@ -341,7 +341,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {
leafCert, leafKey, _ = testutils.GenerateExpiredLeafCert("subject@example.com", "oidc-issuer", subCert, subKey)
pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, subCert, rootCert})
pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
signer, _ = signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
s, _ = NewSignature(bytes.NewReader(sigBytes))
err = s.Verify(bytes.NewReader(data), pub)
Expand All @@ -352,7 +352,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {
// Verify error with invalid chain
pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
signer, _ = signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
s, _ = NewSignature(bytes.NewReader(sigBytes))
err = s.Verify(bytes.NewReader(data), pub)
Expand All @@ -364,7 +364,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {
leafCert, leafKey, _ = testutils.GenerateLeafCert("subject@example.com", "oidc-issuer", nil, rootCert, rootKey)
pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
signer, _ = signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
s, _ = NewSignature(bytes.NewReader(sigBytes))
err = s.Verify(bytes.NewReader(data), pub)
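Review bot: None of the updated calls in this file exercises the new `NewSignatureWithOpts` path: every signer is loaded with `signature.LoadDefaultSV, nil` and every signature still goes through `NewSignature`. The same holds for the one hunk shown in pkg/types/hashedrekord/v0.0.1/entry_test.go, even though that entry type now verifies with `signature.LoadED25519phSV`. A table case that signs with an Ed25519 key under `LoadED25519phSV`, verifies it through `NewSignatureWithOpts`, and checks that the default `NewSignature` path rejects the same signature would pin the behaviour this commit introduces. Tests outside the visible hunks may already cover this.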
2 changes: 1 addition & 1 deletion pkg/signer/file.go
Expand Up @@ -35,7 +35,7 @@ func NewFile(keyPath, keyPass string) (*File, error) {
return nil, fmt.Errorf("file: provide a valid signer, %s is not valid: %w", keyPath, err)
}

signer, err := signature.LoadSignerVerifier(opaqueKey, crypto.SHA256)
signer, err := signature.LoadSignerVerifier(opaqueKey, crypto.SHA256, signature.LoadDefaultSV, nil)
if err != nil {
return nil, fmt.Errorf(`file: loaded private key from %s can't be used to sign: %w`, keyPath, err)
}
2 changes: 1 addition & 1 deletion pkg/types/dsse/v0.0.1/entry.go
Expand Up @@ -381,7 +381,7 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
return nil, fmt.Errorf("could not parse public key as x509: %w", err)
}

vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256)
vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256, signature.LoadDefaultSV, nil)
if err != nil {
return nil, fmt.Errorf("could not load verifier: %w", err)
}
4 changes: 3 additions & 1 deletion pkg/types/hashedrekord/v0.0.1/entry.go
Expand Up @@ -37,6 +37,7 @@ import (
"github.com/sigstore/rekor/pkg/pki/x509"
"github.com/sigstore/rekor/pkg/types"
hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/options"
)

Expand Down Expand Up @@ -145,7 +146,8 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) {
return nil, nil, types.ValidationError(errors.New("missing signature"))
}
// Hashed rekord type only works for x509 signature types
sigObj, err := x509.NewSignature(bytes.NewReader(sig.Content))
// Use ED25519ph when ED25519 public keys are provided by the client
sigObj, err := x509.NewSignatureWithOpts(bytes.NewReader(sig.Content), signature.LoadED25519phSV, nil)
if err != nil {
return nil, nil, types.ValidationError(err)
}
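Review bot: The switch to `signature.LoadED25519phSV` in validate() changes which Ed25519 variant hashedrekord accepts, but nothing in this hunk ties that choice to the digest algorithm the entry declares. Ed25519ph (RFC 8032) is defined over a SHA-512 prehash, so it is worth confirming, in the part of validate() outside this hunk, that an Ed25519 key submitted with a different digest algorithm is rejected with a clear `types.ValidationError` rather than failing later inside the verifier. If pure-Ed25519 hashedrekord entries were accepted before this change, the compatibility impact should also be stated in the commit description. The comment could carry the reason as well: `// hashedrekord carries a digest rather than the signed message, so Ed25519 keys are loaded as Ed25519ph (pre-hashed) verifiers`.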
2 changes: 1 addition & 1 deletion pkg/types/hashedrekord/v0.0.1/entry_test.go
Expand Up @@ -93,7 +93,7 @@ func TestCrossFieldValidation(t *testing.T) {
h := sha256.Sum256(dataBytes)
dataSHA := hex.EncodeToString(h[:])

signer, _ := signature.LoadSigner(key, crypto.SHA256)
signer, _ := signature.LoadSigner(key, crypto.SHA256, signature.LoadDefaultSV, nil)
sigBytes, _ := signer.SignMessage(bytes.NewReader(dataBytes))

incorrectLengthHash := sha256.Sum224(dataBytes)
2 changes: 1 addition & 1 deletion pkg/types/intoto/v0.0.1/entry.go
Expand Up @@ -249,7 +249,7 @@ func (v *V001Entry) validate() error {
return nil
}

vfr, err := signature.LoadVerifier(pk.CryptoPubKey(), crypto.SHA256)
vfr, err := signature.LoadVerifier(pk.CryptoPubKey(), crypto.SHA256, signature.LoadDefaultSV, nil)
if err != nil {
return err
}
2 changes: 1 addition & 1 deletion pkg/types/intoto/v0.0.2/entry.go
Expand Up @@ -426,7 +426,7 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
return nil, fmt.Errorf("could not parse public key as x509: %w", err)
}

vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256)
vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256, signature.LoadDefaultSV, nil)
if err != nil {
return nil, fmt.Errorf("could not load verifier: %w", err)
}
16 changes: 9 additions & 7 deletions pkg/util/checkpoint_test.go
Expand Up @@ -310,20 +310,22 @@ func TestSigningRoundtripCheckpoint(t *testing.T) {
if err != nil {
t.Fatalf("error creating signed checkpoint")
}
signer, _ := signature.LoadSigner(test.signer, crypto.SHA256)
if _, ok := test.signer.(*rsa.PrivateKey); ok {
signer, _ = signature.LoadRSAPSSSigner(test.signer.(*rsa.PrivateKey), crypto.SHA256, test.opts.(*rsa.PSSOptions))
loadSignerOpts := signature.LoadSignerOpts{}
if rsaPSSOpts, ok := test.opts.(*rsa.PSSOptions); ok {
loadSignerOpts.RSAPSSOptions = rsaPSSOpts
}
signer, _ := signature.LoadSigner(test.signer, crypto.SHA256, signature.LoadRSAPSSSV, &loadSignerOpts)

_, err = sth.Sign(test.identity, signer, options.WithCryptoSignerOpts(test.opts))
if (err != nil) != test.wantSignErr {
t.Fatalf("signing test failed: wantSignErr %v, err %v", test.wantSignErr, err)
}
if !test.wantSignErr {
verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256)
if _, ok := test.pubKey.(*rsa.PublicKey); ok {
verifier, _ = signature.LoadRSAPSSVerifier(test.pubKey.(*rsa.PublicKey), crypto.SHA256, test.opts.(*rsa.PSSOptions))
loadVerifierOpts := signature.LoadVerifierOpts{}
if rsaPSSOpts, ok := test.opts.(*rsa.PSSOptions); ok {
loadVerifierOpts.RSAPSSOptions = rsaPSSOpts
}
verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256, signature.LoadRSAPSSSV, &loadVerifierOpts)

if !sth.Verify(verifier) != test.wantVerifyErr {
t.Fatalf("verification test failed %v", sth.Verify(verifier))
Expand Down Expand Up @@ -409,7 +411,7 @@ func TestInvalidSigVerification(t *testing.T) {
Note: string(text),
Signatures: test.s,
}
verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256)
verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256, signature.LoadDefaultSV, nil)
result := sc.Verify(verifier)
if result != test.expectedResult {
t.Fatal("verification test generated unexpected result")
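Review bot: The rewritten loader calls in TestSigningRoundtripCheckpoint discard their errors (`signer, _ := signature.LoadSigner(...)` and `verifier, _ := signature.LoadVerifier(...)`), so a key that `signature.LoadRSAPSSSV` cannot load surfaces later as a nil signer or verifier rather than at the call that failed. Every table entry, RSA or not, now goes through `LoadRSAPSSSV`, and when `test.opts` is not `*rsa.PSSOptions` the options struct is passed with `RSAPSSOptions` unset. Checking the error makes a loader failure explicit: `signer, err := signature.LoadSigner(test.signer, crypto.SHA256, signature.LoadRSAPSSSV, &loadSignerOpts)` followed by `if err != nil { t.Fatalf("loading signer: %v", err) }`, and likewise for the verifier. The test function starts and ends outside the hunk.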
12 changes: 6 additions & 6 deletions pkg/witness/publish_checkpoint_test.go
Expand Up @@ -45,7 +45,7 @@ func TestPublishCheckpoint(t *testing.T) {
Help: "Checkpoint publishing by shard and code",
}, []string{"shard", "code"})
priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
signer, _ := signature.LoadSigner(priv, crypto.SHA256)
signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)

ctrl := gomock.NewController(t)
defer ctrl.Finish()
Expand Down Expand Up @@ -100,7 +100,7 @@ func TestPublishCheckpointMultiple(t *testing.T) {
Help: "Checkpoint publishing by shard and code",
}, []string{"shard", "code"})
priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
signer, _ := signature.LoadSigner(priv, crypto.SHA256)
signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)

ctrl := gomock.NewController(t)
defer ctrl.Finish()
Expand Down Expand Up @@ -165,7 +165,7 @@ func TestPublishCheckpointTrillianError(t *testing.T) {
Help: "Checkpoint publishing by shard and code",
}, []string{"shard", "code"})
priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
signer, _ := signature.LoadSigner(priv, crypto.SHA256)
signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)

ctrl := gomock.NewController(t)
defer ctrl.Finish()
Expand Down Expand Up @@ -201,7 +201,7 @@ func TestPublishCheckpointInvalidTrillianResponse(t *testing.T) {
Help: "Checkpoint publishing by shard and code",
}, []string{"shard", "code"})
priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
signer, _ := signature.LoadSigner(priv, crypto.SHA256)
signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)

ctrl := gomock.NewController(t)
defer ctrl.Finish()
Expand Down Expand Up @@ -238,7 +238,7 @@ func TestPublishCheckpointRedisFailure(t *testing.T) {
Help: "Checkpoint publishing by shard and code",
}, []string{"shard", "code"})
priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
signer, _ := signature.LoadSigner(priv, crypto.SHA256)
signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)

ctrl := gomock.NewController(t)
defer ctrl.Finish()
Expand Down Expand Up @@ -282,7 +282,7 @@ func TestPublishCheckpointRedisLatestFailure(t *testing.T) {
Help: "Checkpoint publishing by shard and code",
}, []string{"shard", "code"})
priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
signer, _ := signature.LoadSigner(priv, crypto.SHA256)
signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)

ctrl := gomock.NewController(t)
defer ctrl.Finish()
2 changes: 1 addition & 1 deletion tests/e2e_test.go
Expand Up @@ -273,7 +273,7 @@ func TestSignedEntryTimestamp(t *testing.T) {
t.Fatal(err)
}

verifier, err := signature.LoadVerifier(rekorPubKey, crypto.SHA256)
verifier, err := signature.LoadVerifier(rekorPubKey, crypto.SHA256, signature.LoadDefaultSV, nil)
if err != nil {
t.Fatal(err)
}