forked from in-toto/in-toto-golang
-
Notifications
You must be signed in to change notification settings - Fork 5
/
verify.go
101 lines (85 loc) · 3.1 KB
/
verify.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
package cmd
import (
"fmt"
"io/ioutil"
"os"
intoto "github.com/boxboat/in-toto-golang/in_toto"
"github.com/spf13/cobra"
)
var layoutPath string
var pubKeyPaths []string
var linkDir string
var intermediatePaths []string
var verifyCmd = &cobra.Command{
Use: "verify",
Short: "Verify that the software supply chain of the delivered product",
Long: `in-toto-verify is the main verification tool of the suite, and
it is used to verify that the software supply chain of the delivered
product was carried out as defined in the passed in-toto supply chain
layout. Evidence for supply chain steps must be available in the form
of link metadata files named ‘<step name>.<functionary keyid prefix>.link’.`,
Run: func(cmd *cobra.Command, args []string) {
var layoutMb intoto.Metablock
if err := layoutMb.Load(layoutPath); err != nil {
fmt.Println(err.Error())
}
//Load Keys
layoutKeys := make(map[string]intoto.Key, len(pubKeyPaths))
for _, pubKeyPath := range pubKeyPaths {
var pubKey intoto.Key
if err := pubKey.LoadKey(pubKeyPath, "rsassa-pss-sha256", []string{"sha256", "sha512"}); err != nil {
fmt.Println("Invalid Key Error:", err.Error())
os.Exit(1)
}
layoutKeys[pubKey.KeyID] = pubKey
}
intermediatePems := make([][]byte, 0, len(intermediatePaths))
for _, intermediate := range intermediatePaths {
f, err := os.Open(intermediate)
if err != nil {
fmt.Println(fmt.Sprintf("failed to open %v: %v", intermediate, err))
os.Exit(1)
}
pemBytes, err := ioutil.ReadAll(f)
if err != nil {
fmt.Println(fmt.Sprintf("failed to read %v: %v", intermediate, err))
os.Exit(1)
}
intermediatePems = append(intermediatePems, pemBytes)
if err := f.Close(); err != nil {
fmt.Println(fmt.Sprintf("failed to read %v: %v", intermediate, err))
os.Exit(1)
}
}
//Verify
_, err := intoto.InTotoVerify(layoutMb, layoutKeys, linkDir, "", make(map[string]string), intermediatePems)
if err != nil {
fmt.Println("Inspection Failed Error", err.Error())
os.Exit(1)
}
},
}
func init() {
rootCmd.AddCommand(verifyCmd)
verifyCmd.Flags().StringVarP(&layoutPath,
"layout", "l", "",
`Path to root layout specifying the software supply chain to be verified`)
verifyCmd.Flags().StringSliceVarP(&pubKeyPaths,
"layout-keys", "k", []string{},
`Path(s) to PEM formatted public key(s), used to verify the passed
root layout's signature(s). Passing at least one key using
'--layout-keys' is required. For each passed key the layout
must carry a valid signature.`)
verifyCmd.Flags().StringVarP(&linkDir,
"link-dir", "d", "",
`Path to directory where link metadata files for steps defined in
the root layout should be loaded from. If not passed links are
loaded from the current working directory.`)
verifyCmd.Flags().StringSliceVarP(&intermediatePaths,
"intermediate-certs", "i", []string{},
`Path(s) to PEM formatted certificates, used as intermediaetes to verify
the chain of trust to the layout's trusted root. These will be used in
addition to any intermediates in the layout.`)
verifyCmd.MarkFlagRequired("layout")
verifyCmd.MarkFlagRequired("layout-keys")
}