Update verify-blob to support DSSEs (#1355)

Adds the ability to verify DSSEs from the `verify-blob` command. Fixes #1321 Signed-off-by: Rémy Greinhofer <remy.greinhofer@gmail.com>
sigstore · Jan 26, 2022 · 21e6b80 · 21e6b80
1 parent 79012c3
commit 21e6b80
Show file tree

Hide file tree

Showing 2 changed files with 71 additions and 0 deletions.
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -23,13 +23,15 @@ import (
 	_ "crypto/sha256" // for `crypto.SHA256`
 	"crypto/x509"
 	"encoding/base64"
+	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"time"
 
 	"github.com/go-openapi/runtime"
 	"github.com/pkg/errors"
+	ssldsse "github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/rekor"
@@ -39,12 +41,15 @@ import (
 	"github.com/sigstore/cosign/pkg/cosign/pivkey"
 	"github.com/sigstore/cosign/pkg/cosign/pkcs11key"
 	sigs "github.com/sigstore/cosign/pkg/signature"
+
+	ctypes "github.com/sigstore/cosign/pkg/types"
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/types"
 	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
 	rekord "github.com/sigstore/rekor/pkg/types/rekord/v0.0.1"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/sigstore/sigstore/pkg/signature/dsse"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -162,6 +167,11 @@ func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail, cer
 		}
 	}
 
+	// Use the DSSE verifier if the payload is a DSSE with the In-Toto format.
+	if isIntotoDSSE(blobBytes) {
+		verifier = dsse.WrapVerifier(verifier)
+	}
+
 	// verify the signature
 	if err := verifier.VerifySignature(bytes.NewReader([]byte(sig)), bytes.NewReader(blobBytes)); err != nil {
 		return err
@@ -348,3 +358,16 @@ func extractCerts(e *models.LogEntryAnon) ([]*x509.Certificate, error) {
 
 	return certs, err
 }
+
+// isIntotoDSSE checks whether a payload is a Dead Simple Signing Envelope with the In-Toto format.
+func isIntotoDSSE(blobBytes []byte) bool {
+	DSSEenvelope := ssldsse.Envelope{}
+	if err := json.Unmarshal(blobBytes, &DSSEenvelope); err != nil {
+		return false
+	}
+	if DSSEenvelope.PayloadType != ctypes.IntotoPayloadType {
+		return false
+	}
+
+	return true
+}
diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go
@@ -15,11 +15,13 @@
 package verify
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"io/ioutil"
 	"path/filepath"
 	"testing"
 
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/cosign/pkg/cosign"
 )
 
@@ -93,3 +95,49 @@ func TestSignaturesBundle(t *testing.T) {
 		t.Fatalf("unexpected encoded signature, expected: %s got: %s", b64sig, gotb64Sig)
 	}
 }
+
+func TestIsIntotoDSSEWithEnvelopes(t *testing.T) {
+	tts := []struct {
+		envelope     dsse.Envelope
+		isIntotoDSSE bool
+	}{
+		{
+			envelope: dsse.Envelope{
+				PayloadType: "application/vnd.in-toto+json",
+				Payload:     base64.StdEncoding.EncodeToString([]byte("This is a test")),
+				Signatures:  []dsse.Signature{},
+			},
+			isIntotoDSSE: true,
+		},
+	}
+	for _, tt := range tts {
+		envlopeBytes, _ := json.Marshal(tt.envelope)
+		got := isIntotoDSSE(envlopeBytes)
+		if got != tt.isIntotoDSSE {
+			t.Fatalf("unexpected envelope content")
+		}
+	}
+}
+
+func TestIsIntotoDSSEWithBytes(t *testing.T) {
+	tts := []struct {
+		envelope     []byte
+		isIntotoDSSE bool
+	}{
+		{
+			envelope:     []byte("This is no valid"),
+			isIntotoDSSE: false,
+		},
+		{
+			envelope:     []byte("MEUCIQDBmE1ZRFjUVic1hzukesJlmMFG1JqWWhcthnhawTeBNQIga3J9/WKsNlSZaySnl8V360bc2S8dIln2/qo186EfjHA="),
+			isIntotoDSSE: false,
+		},
+	}
+	for _, tt := range tts {
+		envlopeBytes, _ := json.Marshal(tt.envelope)
+		got := isIntotoDSSE(envlopeBytes)
+		if got != tt.isIntotoDSSE {
+			t.Fatalf("unexpected envelope content")
+		}
+	}
+}