From 2ef1cc2f260abd791cb388987b83f92dbde860e3 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Mon, 13 Dec 2021 13:53:02 +0100
Subject: [PATCH] sign: test if in-toto tools verify our signatures

Signed-off-by: Pieter Lexis
---
 cmd/slsa-provenance/cli/sign_test.go | 47 ++++++++++++++++++++++++++++
 go.mod | 2 ++
 go.sum | 4 +++
 3 files changed, 53 insertions(+)

diff --git a/cmd/slsa-provenance/cli/sign_test.go b/cmd/slsa-provenance/cli/sign_test.go
index 0070db70..8c463dd7 100644
--- a/cmd/slsa-provenance/cli/sign_test.go
+++ b/cmd/slsa-provenance/cli/sign_test.go
@@ -3,9 +3,11 @@ package cli_test
 import (
 	"bytes"
 	"crypto/ed25519"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"io/ioutil"
 	"os"
@@ -13,6 +15,8 @@ import (
 	"runtime"
 	"testing"
 
+	"github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/in-toto/in-toto-golang/pkg/ssl"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	"github.com/stretchr/testify/assert"
@@ -74,6 +78,18 @@ const (
 `
 )
 
+type MyVerifier struct {
+	K in_toto.Key
+}
+
+func (v MyVerifier) Verify(_ string, data, sig []byte) error {
+	s := in_toto.Signature{
+		KeyID: "",
+		Sig: hex.EncodeToString(sig),
+	}
+	return in_toto.VerifySignature(v.K, s, data)
+}
+
 func TestSignCliOptions(t *testing.T) {
 	_, filename, _, _ := runtime.Caller(0)
 	rootDir := path.Join(path.Dir(filename), "../../..")
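Review bot: `MyVerifier.Verify` discards its keyid argument and hard-codes `KeyID: ""` on the in_toto.Signature, so the adapter accepts any signature in the envelope that verifies under `K` no matter which key ID the envelope claims; that is acceptable for an interoperability test, but it should be stated, and the exported type carries no doc comment. Suggested comment above the type: `// MyVerifier adapts an in_toto.Key to the verifier interface expected by ssl.NewEnvelopeVerifier. The DSSE keyid is ignored; the raw signature is hex-encoded and checked directly against K.` If the key ID is meant to be part of what the test checks, the argument can be compared with `v.K.KeyID` before calling `in_toto.VerifySignature`. Whether VerifySignature itself consults the signature's KeyID cannot be told from the hunk.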
@@ -273,6 +289,37 @@ func TestSignSignature(t *testing.T) {
 
 		assert.EqualValues(expected, prov)
 	})
+
+	t.Run("Test if in-toto tools like our signature", func(t *testing.T) {
+		var pubkey []byte
+		pubkey, err = x509.MarshalPKIXPublicKey(privkey.Public())
+		assert.NoError(err)
+
+		block := &pem.Block{
+			Type: "PUBLIC KEY",
+			Bytes: pubkey,
+		}
+
+		pubKeyFile := path.Join(rootDir, "bin/public.key")
+		err = ioutil.WriteFile(pubKeyFile, pem.EncodeToMemory(block), 0644)
+		assert.NoError(err)
+		defer os.Remove(pubKeyFile)
+
+		var env ssl.Envelope
+		err = json.Unmarshal(message, &env)
+		assert.NoError(err)
+
+		var k in_toto.Key
+		k.LoadKeyDefaults(pubKeyFile)
+
+		v := MyVerifier{
+			K: k,
+		}
+
+		ev := ssl.NewEnvelopeVerifier(v)
+
+		assert.NoError(ev.Verify(&env))
+	})
 }
 
 func BenchmarkSign(b *testing.B) {
diff --git a/go.mod b/go.mod
index 75ab14e0..f8ba6312 100644
--- a/go.mod
+++ b/go.mod
@@ -13,6 +13,7 @@ require (
 require (
 	github.com/google/go-containerregistry v0.6.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.1.0 // indirect
+	github.com/shibumi/go-pathspec v1.2.0 // indirect
 	github.com/theupdateframework/go-tuf v0.0.0-20210722233521-90e262754396 // indirect
 	golang.org/x/sys v0.0.0-20211205182925-97ca703d548d // indirect
 	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b // indirect
@@ -23,6 +24,7 @@ require (
 	github.com/docker/go v1.5.1-1
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/in-toto/in-toto-golang v0.3.3
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 69fa11d7..66a0b4de 100644
--- a/go.sum
+++ b/go.sum
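Review bot: The error returned by `k.LoadKeyDefaults(pubKeyFile)` is dropped, so a PEM that fails to load leaves `k` zero-valued and the test fails later inside `ev.Verify` with a message that points at the signature rather than the key; `assert.NoError(k.LoadKeyDefaults(pubKeyFile))` reports it where it happens (this assumes LoadKeyDefaults returns an error, as the other in-toto-golang key loaders do; check its signature). The public key is also written into the repository's `bin/` directory and only removed by a deferred `os.Remove`, which leaves the file behind when the process is killed and collides with parallel runs; `pubKeyFile := path.Join(t.TempDir(), "public.key")` keeps it out of the tree and makes the `defer os.Remove(pubKeyFile)` unnecessary. `err`, `privkey`, `message` and `rootDir` are defined in the enclosing TestSignSignature, which starts before the hunk.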
@@ -535,6 +535,8 @@ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
+github.com/in-toto/in-toto-golang v0.3.3 h1:tkkEBU5i09UEeWKnrp6Rq4fXKAfpVXYMLRO5mDfnb3I=
+github.com/in-toto/in-toto-golang v0.3.3/go.mod h1:dbXecHGZSqRubmm5TXtvDSZT5JyaKD7ebVTiC2aMLWY=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=
@@ -747,6 +749,8 @@ github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvW
 github.com/secure-systems-lab/go-securesystemslib v0.1.0 h1:wZNQ7t1UTOQtDL/+PBPzxI52gLQGyC7qfXyJh6Lgf1Y=
 github.com/secure-systems-lab/go-securesystemslib v0.1.0/go.mod h1:eIjBmIP8LD2MLBL/DkQWayLiz006Q4p+hCu79rvWleY=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
+github.com/shibumi/go-pathspec v1.2.0 h1:KVKEDHYk7bQolRMs7nfzjT3SBOCgcXFJzccnj9bsGbA=
+github.com/shibumi/go-pathspec v1.2.0/go.mod h1:bDxCftD0fST3qXIlHoQ/fChsU4mWMVklXp1yPErQaaY=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sigstore/sigstore v1.0.1 h1:AiJAuz309uei26tRtvzV1XQorns2UogZsgs4ZQ2cYiA=
 github.com/sigstore/sigstore v1.0.1/go.mod h1:1+krIdtuf81/fLC8mHPt/7uwYiOg7W8k/PAR7lzKW3w=