Skip to content

Commit

Permalink
fix: make client shard aware when verifying (#280)
Browse files Browse the repository at this point in the history
Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Asra Ali <asraa@google.com>
  • Loading branch information
asraa authored Oct 2, 2022
1 parent 5bb13ef commit 49ab4e7
Showing 1 changed file with 31 additions and 7 deletions.
38 changes: 31 additions & 7 deletions verifiers/internal/gha/rekor.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,9 @@ const (
defaultRekorAddr = "https://rekor.sigstore.dev"
)

func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, eproof *models.InclusionProof, pub *ecdsa.PublicKey) error {
func verifyRootHash(ctx context.Context, rekorClient *client.Rekor,
treeID int64, eproof *models.InclusionProof, pub *ecdsa.PublicKey) error {
treeIDString := fmt.Sprintf("%d", treeID)
infoParams := tlog.NewGetLogInfoParamsWithContext(ctx)
result, err := rekorClient.Tlog.GetLogInfo(infoParams)
if err != nil {
Expand All @@ -58,6 +60,13 @@ func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, eproof *mode
if err := sth.UnmarshalText([]byte(*logInfo.SignedTreeHead)); err != nil {
return err
}
for _, inactiveShard := range logInfo.InactiveShards {
if *inactiveShard.TreeID == treeIDString {
if err := sth.UnmarshalText([]byte(*inactiveShard.SignedTreeHead)); err != nil {
return err
}
}
}

verifier, err := signature.LoadVerifier(pub, crypto.SHA256)
if err != nil {
Expand Down Expand Up @@ -122,22 +131,36 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, entry
return nil, err
}

var e models.LogEntryAnon
for k, entry := range lep.Payload {
if k != uuid {
returnUUID, err := sharding.GetUUIDFromIDString(k)
if err != nil {
return nil, err
}
// Validate that the request matches the response
if returnUUID != uuid {
return nil, errors.New("expected matching UUID")
}
e = entry
return verifyTlogEntry(ctx, rekorClient, k, entry)
}

return verifyTlogEntry(ctx, rekorClient, uuid, e)
return nil, serrors.ErrorRekorSearch
}

func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string, e models.LogEntryAnon) (*models.LogEntryAnon, error) {
func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor,
entryUUID string, e models.LogEntryAnon) (*models.LogEntryAnon, error) {
if e.Verification == nil || e.Verification.InclusionProof == nil {
return nil, errors.New("inclusion proof not provided")
}

uuid, err := sharding.GetUUIDFromIDString(entryUUID)
if err != nil {
return nil, fmt.Errorf("%w: retrieving uuid from entry uuid", err)
}
treeID, err := sharding.TreeID(entryUUID)
if err != nil {
return nil, fmt.Errorf("%w: retrieving tree ID", err)
}

var hashes [][]byte
for _, h := range e.Verification.InclusionProof.Hashes {
hb, err := hex.DecodeString(h)
Expand Down Expand Up @@ -165,7 +188,8 @@ func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string
var entryVerError error
for _, pubKey := range pubs {
// Verify inclusion against the signed tree head
entryVerError = verifyRootHash(ctx, rekorClient, e.Verification.InclusionProof, pubKey.PubKey)
entryVerError = verifyRootHash(ctx, rekorClient, treeID,
e.Verification.InclusionProof, pubKey.PubKey)
if entryVerError == nil {
break
}
Expand Down

0 comments on commit 49ab4e7

Please sign in to comment.