refactor: consolidate verification funcs for GHA (#348)

* consolidate verification funcs Signed-off-by: Asra Ali <asraa@google.com>
slsa-framework · Nov 2, 2022 · ef0f1a7 · ef0f1a7
1 parent 26f422b
commit ef0f1a7
Show file tree

Hide file tree

Showing 6 changed files with 157 additions and 215 deletions.
diff --git a/.github/workflows/pre-submit.cli.yml b/.github/workflows/pre-submit.cli.yml
@@ -46,4 +46,4 @@ jobs:
           go build -mod=vendor -o service ./cli/experimental/service/
 
           # Tests
-          go test -mod=vendor -v ./...
+          go test -mod=vendor -v -timeout=20m  ./...
diff --git a/cli/slsa-verifier/main_test.go b/cli/slsa-verifier/main_test.go
@@ -401,7 +401,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 			name:      "rekor upload bypassed",
 			artifact:  "binary-linux-amd64-no-tlog-upload",
 			source:    "github.com/slsa-framework/example-package",
-			err:       serrors.ErrorNoValidRekorEntries,
+			err:       serrors.ErrorRekorSearch,
 			noversion: true,
 		},
 		{
@@ -415,7 +415,7 @@ func Test_runVerifyGHAArtifactPath(t *testing.T) {
 			name:      "malicious: invalid signature expired certificate",
 			artifact:  "binary-linux-amd64-expired-cert",
 			source:    "github.com/slsa-framework/example-package",
-			err:       serrors.ErrorNoValidRekorEntries,
+			err:       serrors.ErrorRekorSearch,
 			noversion: true,
 		},
 		// Annotated tags.

diff --git a/verifiers/internal/gha/provenance.go b/verifiers/internal/gha/provenance.go
@@ -14,11 +14,24 @@ import (
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
 	dsselib "github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/rekor/pkg/generated/client"
+	"github.com/sigstore/rekor/pkg/generated/models"
 
+	"github.com/slsa-framework/slsa-github-generator/signing/envelope"
 	serrors "github.com/slsa-framework/slsa-verifier/errors"
 	"github.com/slsa-framework/slsa-verifier/options"
 )
 
+// SignedAttestation contains a signed DSSE envelope
+// and its associated signing certificate.
+type SignedAttestation struct {
+	// The signed DSSE envelope
+	Envelope *dsselib.Envelope
+	// The signing certificate
+	SigningCert *x509.Certificate
+	// The associated verified Rekor entry
+	RekorEntry *models.LogEntryAnon
+}
+
 func EnvelopeFromBytes(payload []byte) (env *dsselib.Envelope, err error) {
 	env = &dsselib.Envelope{}
 	err = json.Unmarshal(payload, env)
@@ -150,32 +163,26 @@ func verifySha256Digest(prov *intoto.ProvenanceStatement, expectedHash string) e
 
 // VerifyProvenanceSignature returns the verified DSSE envelope containing the provenance
 // and the signing certificate given the provenance and artifact hash.
-func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor, provenance []byte, artifactHash string) (*dsselib.Envelope, *x509.Certificate, error) {
-	// Get Rekor entries corresponding to provenance
-	env, cert, err := GetRekorEntriesWithCert(rClient, provenance)
-	if err == nil {
-		return env, cert, nil
+func VerifyProvenanceSignature(ctx context.Context, rClient *client.Rekor,
+	provenance []byte, artifactHash string) (
+	*SignedAttestation, error) {
+	// There are two cases, either we have an embedded certificate, or we need
+	// to use the Redis index for searching by artifact SHA.
+	if hasCertInEnvelope(provenance) {
+		// Get Rekor entries corresponding to provenance
+		return GetValidSignedAttestationWithCert(rClient, provenance)
 	}
 
 	// Fallback on using the redis search index to get matching UUIDs.
-	fmt.Fprintf(os.Stderr, "Getting rekor entry error %s, trying Redis search index to find entries by subject digest\n", err)
-	uuids, err := GetRekorEntries(rClient, artifactHash)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	env, err = EnvelopeFromBytes(provenance)
-	if err != nil {
-		return nil, nil, err
-	}
+	fmt.Fprintf(os.Stderr, "No certificate provided, trying Redis search index to find entries by subject digest\n")
 
 	// Verify the provenance and return the signing certificate.
-	cert, err = FindSigningCertificate(ctx, uuids, *env, rClient)
+	signedAttestation, err := SearchValidSignedAttestation(ctx, artifactHash, provenance, rClient)
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
 
-	return env, cert, nil
+	return signedAttestation, nil
 }
 
 func VerifyProvenance(env *dsselib.Envelope, provenanceOpts *options.ProvenanceOpts) error {
@@ -556,3 +563,10 @@ func getBranch(prov *intoto.ProvenanceStatement) (string, error) {
 			"unknown ref type", refType)
 	}
 }
+
+// hasCertInEnvelope checks if a valid x509 certificate is present in the
+// envelope.
+func hasCertInEnvelope(provenance []byte) bool {
+	certPem, err := envelope.GetCertFromEnvelope(provenance)
+	return err == nil && len(certPem) > 0
+}