From 39198445210cc5d5335e0c15af43340e360168ea Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Thu, 28 Oct 2021 06:55:51 -0700
Subject: [PATCH] check that entry UUID == leafHash of returned entry (#469)
Signed-off-by: Bob Callaway
---
 cmd/rekor-cli/app/verify.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/cmd/rekor-cli/app/verify.go b/cmd/rekor-cli/app/verify.go
index 80e071c0a..2e2cff17d 100644
--- a/cmd/rekor-cli/app/verify.go
+++ b/cmd/rekor-cli/app/verify.go
@@ -16,7 +16,9 @@ package app
 import (
+ "bytes"
 "context"
+ "encoding/base64"
 "encoding/hex"
 "fmt"
 "math/bits"
@@ -136,6 +138,7 @@ var verifyCmd = &cobra.Command{
 logEntry := resp.Payload[0]
 var o *verifyCmdOutput
+ var entryBytes []byte
 for k, v := range logEntry {
 o = &verifyCmdOutput{
 RootHash: *v.Verification.InclusionProof.RootHash,
@@ -144,6 +147,19 @@ var verifyCmd = &cobra.Command{
 Size: *v.Verification.InclusionProof.TreeSize,
 Hashes: v.Verification.InclusionProof.Hashes,
 }
+ entryBytes, err = base64.StdEncoding.DecodeString(v.Body.(string))
+ if err != nil {
+ return nil, err
+ }
+ }
+
+ if viper.IsSet("uuid") && (viper.GetString("uuid") != o.EntryUUID) {
+ return nil, fmt.Errorf("unexpected entry returned from rekor server")
+ }
+
+ leafHash, _ := hex.DecodeString(o.EntryUUID)
+ if !bytes.Equal(rfc6962.DefaultHasher.HashLeaf(entryBytes), leafHash) {
+ return nil, fmt.Errorf("computed leaf hash did not match entry UUID")
 }
 hashes := [][]byte{}
@@ -153,7 +169,6 @@ var verifyCmd = &cobra.Command{
 }
 rootHash, _ := hex.DecodeString(o.RootHash)
- leafHash, _ := hex.DecodeString(o.EntryUUID)
 v := logverifier.New(rfc6962.DefaultHasher)
 if err := v.VerifyInclusionProof(o.Index, o.Size, hashes, rootHash, leafHash); err != nil {
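Review bot: The type assertion `v.Body.(string)` in the -144 hunk is unchecked, so a returned entry whose Body is not a string — data that comes from the server, not the user — panics the CLI instead of producing the verification failure this commit is adding; use the two-value form, `body, ok := v.Body.(string)`, and return `fmt.Errorf("unexpected body type %T in log entry", v.Body)` when `!ok` before the base64 decode. The error from `hex.DecodeString(o.EntryUUID)` is also discarded, so a malformed UUID only surfaces as a misleading "computed leaf hash did not match entry UUID"; with `leafHash, err := hex.DecodeString(o.EntryUUID)` and an `err != nil` return the two failure modes stay distinguishable. Note too that `o` and `entryBytes` are overwritten on every iteration of `for k, v := range logEntry`, so if the map ever carried more than one key only the last entry would be hashed and compared — if a single pair is an invariant, a comment such as `// logEntry is expected to hold exactly one UUID -> entry pair` would make that explicit. The enclosing RunE function starts and ends outside this hunk.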