Skip to content

Commit

Permalink
update
Browse files Browse the repository at this point in the history
  • Loading branch information
laurentsimon committed Aug 23, 2022
1 parent a353ca0 commit 523ffe3
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 27 deletions.
35 changes: 20 additions & 15 deletions verifiers/internal/gcb/keys/keys.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,9 @@ import (
var publicKeys embed.FS

type PublicKey struct {
Value []byte
Region string
value []byte
pubKey *ecdsa.PublicKey
region string
// TODO: key type and size
}

Expand All @@ -27,31 +28,35 @@ func PublicKeyNew(region string) (*PublicKey, error) {
return nil, fmt.Errorf("%w: cannot read key materials", err)
}

return &PublicKey{
Value: content,
Region: region,
}, nil
}

func (self *PublicKey) VerifySignature(digest [32]byte, sig []byte) error {
block, _ := pem.Decode(self.Value)
block, _ := pem.Decode(content)
if block == nil {
return fmt.Errorf("%w: %s", serrors.ErrorInvalidPEM, self.Value)
return nil, fmt.Errorf("%w: %s", serrors.ErrorInvalidPEM, content)
}

key, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return fmt.Errorf("x509.ParsePKIXPublicKey: %w", err)
return nil, fmt.Errorf("x509.ParsePKIXPublicKey: %w", err)
}

pubKey, ok := key.(*ecdsa.PublicKey)
if !ok {
return fmt.Errorf("%w: public key not of type ECDSA", err)
return nil, fmt.Errorf("%w: public key not of type ECDSA", err)
}

if !ecdsa.VerifyASN1(pubKey, digest[:], sig) {
return &PublicKey{
value: content,
pubKey: pubKey,
region: region,
}, nil
}

func (self *PublicKey) VerifySignature(digest [32]byte, sig []byte) error {
if self.pubKey == nil {
return fmt.Errorf("%w: key is empty", serrors.ErrorInternal)
}
if !ecdsa.VerifyASN1(self.pubKey, digest[:], sig) {
return fmt.Errorf("%w: cannot verify with public key '%v'",
serrors.ErrorInvalidSignature, string(self.Region))
serrors.ErrorInvalidSignature, string(self.region))
}

return nil
Expand Down
14 changes: 2 additions & 12 deletions verifiers/internal/gcb/provenance.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,16 +65,6 @@ func ProvenanceFromBytes(payload []byte) (*GCBProvenance, error) {
}, nil
}

func signatureAsRaw(s string) ([]byte, error) {
s = strings.ReplaceAll(s, "-", "+")
s = strings.ReplaceAll(s, "_", "/")
sig, err := base64.StdEncoding.DecodeString(s)
if err != nil {
return nil, fmt.Errorf("%w: %s", serrors.ErrorInvalidDssePayload, err.Error())
}
return sig, nil
}

func payloadFromEnvelope(env *dsselib.Envelope) ([]byte, error) {
payload, err := base64.StdEncoding.DecodeString(env.Payload)
if err != nil {
Expand Down Expand Up @@ -327,14 +317,14 @@ func (self *GCBProvenance) verifySignatures(prov *provenance) error {
}

// Decode the signature.
sig, err := signatureAsRaw(sig.Sig)
rsig, err := base64.RawURLEncoding.DecodeString(sig.Sig)
if err != nil {
errs = append(errs, err)
continue
}

// Verify the signature.
err = pubKey.VerifySignature(payloadHash, sig)
err = pubKey.VerifySignature(payloadHash, rsig)
if err != nil {
errs = append(errs, err)
continue
Expand Down

0 comments on commit 523ffe3

Please sign in to comment.