Skip to content

Commit

Permalink
Adding support for using timestamp authority and CA certificates for …
Browse files Browse the repository at this point in the history
…verifying policy (#124)

* fixing a couple of things
* renamed fields and added intermediates for verify
---------
Signed-off-by: chaosinthecrd <[email protected]>
  • Loading branch information
ChaosInTheCRD authored Jan 17, 2024
1 parent 43a586f commit 0b28c0f
Show file tree
Hide file tree
Showing 4 changed files with 30 additions and 9 deletions.
4 changes: 2 additions & 2 deletions dsse/dsse.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,11 +32,11 @@ func (e ErrNoMatchingSigs) Error() string {

type ErrThresholdNotMet struct {
Theshold int
Acutal int
Actual int
}

func (e ErrThresholdNotMet) Error() string {
return fmt.Sprintf("envelope did not meet verifier threshold. expected %v valid verifiers but got %v", e.Theshold, e.Acutal)
return fmt.Sprintf("envelope did not meet verifier threshold. expected %v valid verifiers but got %v", e.Theshold, e.Actual)
}

type ErrInvalidThreshold int
Expand Down
2 changes: 1 addition & 1 deletion dsse/dsse_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -217,7 +217,7 @@ func TestThreshold(t *testing.T) {
assert.ElementsMatch(t, approvedVerifiers, expectedVerifiers)

approvedVerifiers, err = env.Verify(VerifyWithVerifiers(verifiers...), VerifyWithThreshold(10))
require.ErrorIs(t, err, ErrThresholdNotMet{Acutal: 5, Theshold: 10})
require.ErrorIs(t, err, ErrThresholdNotMet{Actual: 5, Theshold: 10})
assert.ElementsMatch(t, approvedVerifiers, expectedVerifiers)

_, err = env.Verify(VerifyWithVerifiers(verifiers...), VerifyWithThreshold(-10))
Expand Down
8 changes: 7 additions & 1 deletion dsse/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"time"

"github.com/in-toto/go-witness/cryptoutil"
"github.com/in-toto/go-witness/log"
)

type TimestampVerifier interface {
Expand Down Expand Up @@ -115,6 +116,8 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
if verifier, err := verifyX509Time(cert, sigIntermediates, options.roots, pae, sig.Signature, time.Now()); err == nil {
matchingSigFound = true
passedVerifiers = append(passedVerifiers, PassedVerifier{Verifier: verifier})
} else {
log.Debugf("failed to verify with timestamp verifier: %w", err)
}
} else {
var passedVerifier cryptoutil.Verifier
Expand All @@ -130,7 +133,10 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
if verifier, err := verifyX509Time(cert, sigIntermediates, options.roots, pae, sig.Signature, timestamp); err == nil {
passedVerifier = verifier
passedTimestampVerifiers = append(passedTimestampVerifiers, timestampVerifier)
} else {
log.Debugf("failed to verify with timestamp verifier: %w", err)
}

}
}

Expand Down Expand Up @@ -159,7 +165,7 @@ func (e Envelope) Verify(opts ...VerificationOption) ([]PassedVerifier, error) {
}

if len(passedVerifiers) < options.threshold {
return passedVerifiers, ErrThresholdNotMet{Theshold: options.threshold, Acutal: len(passedVerifiers)}
return passedVerifiers, ErrThresholdNotMet{Theshold: options.threshold, Actual: len(passedVerifiers)}
}

return passedVerifiers, nil
Expand Down
25 changes: 20 additions & 5 deletions verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,10 +40,13 @@ func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelo
}

type verifyOptions struct {
policyEnvelope dsse.Envelope
policyVerifiers []cryptoutil.Verifier
collectionSource source.Sourcer
subjectDigests []string
policyTimestampAuthorities []dsse.TimestampVerifier
policyCARoots []*x509.Certificate
policyCAIntermediates []*x509.Certificate
policyEnvelope dsse.Envelope
policyVerifiers []cryptoutil.Verifier
collectionSource source.Sourcer
subjectDigests []string
}

type VerifyOption func(*verifyOptions)
Expand All @@ -64,6 +67,18 @@ func VerifyWithCollectionSource(source source.Sourcer) VerifyOption {
}
}

func VerifyWithPolicyTimestampAuthorities(authorities []dsse.TimestampVerifier) VerifyOption {
return func(vo *verifyOptions) {
vo.policyTimestampAuthorities = authorities
}
}

func VerifyWithPolicyCARoots(roots []*x509.Certificate) VerifyOption {
return func(vo *verifyOptions) {
vo.policyCARoots = roots
}
}

// Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned
// if verifiation is successful.
func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (map[string][]source.VerifiedCollection, error) {
Expand All @@ -76,7 +91,7 @@ func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers [
opt(&vo)
}

if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...)); err != nil {
if _, err := vo.policyEnvelope.Verify(dsse.VerifyWithVerifiers(vo.policyVerifiers...), dsse.VerifyWithTimestampVerifiers(vo.policyTimestampAuthorities...), dsse.VerifyWithRoots(vo.policyCARoots...), dsse.VerifyWithIntermediates(vo.policyCAIntermediates...)); err != nil {
return nil, fmt.Errorf("could not verify policy: %w", err)
}

Expand Down

0 comments on commit 0b28c0f

Please sign in to comment.