sign: test if in-toto tools verify our signatures

Signed-off-by: Pieter Lexis <[email protected]>
philips-labs · Dec 16, 2021 · 2ef1cc2 · 2ef1cc2
1 parent d5630fb
commit 2ef1cc2
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 0 deletions.
diff --git a/cmd/slsa-provenance/cli/sign_test.go b/cmd/slsa-provenance/cli/sign_test.go
@@ -3,16 +3,20 @@ package cli_test
 import (
 	"bytes"
 	"crypto/ed25519"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"io/ioutil"
 	"os"
 	"path"
 	"runtime"
 	"testing"
 
+	"github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/in-toto/in-toto-golang/pkg/ssl"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	"github.com/stretchr/testify/assert"
@@ -74,6 +78,18 @@ const (
 	`
 )
 
+type MyVerifier struct {
+	K in_toto.Key
+}
+
+func (v MyVerifier) Verify(_ string, data, sig []byte) error {
+	s := in_toto.Signature{
+		KeyID: "",
+		Sig:   hex.EncodeToString(sig),
+	}
+	return in_toto.VerifySignature(v.K, s, data)
+}
+
 func TestSignCliOptions(t *testing.T) {
 	_, filename, _, _ := runtime.Caller(0)
 	rootDir := path.Join(path.Dir(filename), "../../..")
@@ -273,6 +289,37 @@ func TestSignSignature(t *testing.T) {
 
 		assert.EqualValues(expected, prov)
 	})
+
+	t.Run("Test if in-toto tools like our signature", func(t *testing.T) {
+		var pubkey []byte
+		pubkey, err = x509.MarshalPKIXPublicKey(privkey.Public())
+		assert.NoError(err)
+
+		block := &pem.Block{
+			Type:  "PUBLIC KEY",
+			Bytes: pubkey,
+		}
+
+		pubKeyFile := path.Join(rootDir, "bin/public.key")
+		err = ioutil.WriteFile(pubKeyFile, pem.EncodeToMemory(block), 0644)
+		assert.NoError(err)
+		defer os.Remove(pubKeyFile)
+
+		var env ssl.Envelope
+		err = json.Unmarshal(message, &env)
+		assert.NoError(err)
+
+		var k in_toto.Key
+		k.LoadKeyDefaults(pubKeyFile)
+
+		v := MyVerifier{
+			K: k,
+		}
+
+		ev := ssl.NewEnvelopeVerifier(v)
+
+		assert.NoError(ev.Verify(&env))
+	})
 }
 
 func BenchmarkSign(b *testing.B) {

diff --git a/go.mod b/go.mod
@@ -13,6 +13,7 @@ require (
 require (
 	github.com/google/go-containerregistry v0.6.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.1.0 // indirect
+	github.com/shibumi/go-pathspec v1.2.0 // indirect
 	github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396 // indirect
 	golang.org/x/sys v0.0.0-20211205182925-97ca703d548d // indirect
 	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
@@ -23,6 +24,7 @@ require (
 	github.com/docker/go v1.5.1-1
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/in-toto/in-toto-golang v0.3.3
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect

diff --git a/go.sum b/go.sum
@@ -535,6 +535,8 @@ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/in-toto/in-toto-golang v0.3.3 h1:tkkEBU5i09UEeWKnrp6Rq4fXKAfpVXYMLRO5mDfnb3I=
+github.com/in-toto/in-toto-golang v0.3.3/go.mod h1:dbXecHGZSqRubmm5TXtvDSZT5JyaKD7ebVTiC2aMLWY=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
@@ -747,6 +749,8 @@ github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvW
 github.com/secure-systems-lab/go-securesystemslib v0.1.0 h1:wZNQ7t1UTOQtDL/+PBPzxI52gLQGyC7qfXyJh6Lgf1Y=
 github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
+github.com/shibumi/go-pathspec v1.2.0 h1:KVKEDHYk7bQolRMs7nfzjT3SBOCgcXFJzccnj9bsGbA=
+github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sigstore/sigstore v1.0.1 h1:AiJAuz309uei26tRtvzV1XQorns2UogZsgs4ZQ2cYiA=
 github.com/sigstore/sigstore v1.0.1/go.mod h1:1+krIdtuf81/fLC8mHPt/7uwYiOg7W8k/PAR7lzKW3w=