package internal
import (
"fmt"
"github.com/open-policy-agent/opa/bundle"
)
// AwsKmsVerifier demonstrates a custom bundle verification implementation.
//
// It carries no state of its own: the KMS key used for verification is chosen
// per call from the key ID found in the bundle's signature (see
// VerifyBundleSignature). It is presumably registered with OPA's bundle
// verifier registry by a caller outside this file — confirm there.
type AwsKmsVerifier struct{}
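// VerifyBundleSignature implements bundle.Verifier for the AWS KMS backed
// verification flow, for the purpose of creating custom bundle verification.
//
// The signatures config (.signatures.json) must carry exactly one signature.
// That signature is parsed, the KMS key named by its key ID is asked to
// verify the signed message, and on success the per-file entries the
// signature lists are returned so the bundle reader can compare them against
// the bundle contents.
//
// Returns a non-nil error (and a nil map) when the signature count is not
// exactly one, when the signature cannot be parsed, when the KMS verifier
// cannot be built, or when verification fails.
//
// NOTE(review): bvc is accepted but never consulted. The key ID that selects
// the KMS key is taken from the signature itself, i.e. from the untrusted
// bundle, and nothing here compares it (or the signature's scope) against the
// configured bvc.KeyID / bvc.Scope. Unless NewKmsSignerVerifier restricts which
// keys may be used, a bundle signed with any key the caller can verify against
// would be accepted — confirm, and if needed match bundleSignature.KeyID()
// against bvc.KeyID before calling Verify.
func (v *AwsKmsVerifier) VerifyBundleSignature(sc bundle.SignaturesConfig, bvc *bundle.VerificationConfig) (map[string]bundle.FileInfo, error) {
	switch n := len(sc.Signatures); {
	case n == 0:
		return nil, fmt.Errorf(".signatures.json: missing signature (expected exactly one)")
	case n > 1:
		return nil, fmt.Errorf(".signatures.json: multiple signatures not supported (expected exactly one)")
	}

	// Exactly one signature is present after the checks above.
	bundleSignature, err := NewBundleSignature().Parse(sc.Signatures[0])
	if err != nil {
		return nil, fmt.Errorf(".signatures.json: parsing signature: %w", err)
	}

	verifier, err := NewKmsSignerVerifier(bundleSignature.KeyID())
	if err != nil {
		return nil, fmt.Errorf("creating KMS verifier for key %q: %w", bundleSignature.KeyID(), err)
	}

	// Verify the signed payload before trusting any of the file entries it carries.
	if err := verifier.Verify(GetAlgorithmSpec(bundleSignature.Algorithm()), bundleSignature.SignedMessage, bundleSignature.Signature); err != nil {
		return nil, fmt.Errorf("verifying bundle signature with key %q: %w", bundleSignature.KeyID(), err)
	}

	// Copy the file entries out so the caller owns an independent map.
	files := make(map[string]bundle.FileInfo)
	for key, value := range bundleSignature.FilesAsMap() {
		files[key] = value
	}
	return files, nil
}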