Use updated s/s

sigstore · Jan 12, 2024 · 2d93686 · 2d93686
1 parent f791e53
commit 2d93686
Show file tree

Hide file tree

Showing 14 changed files with 47 additions and 33 deletions.
diff --git a/cmd/rekor-cli/app/log_info.go b/cmd/rekor-cli/app/log_info.go
@@ -181,7 +181,7 @@ func loadVerifier(rekorClient *rclient.Rekor) (signature.Verifier, error) {
 		return nil, err
 	}
 
-	return signature.LoadVerifier(pub, crypto.SHA256)
+	return signature.LoadVerifier(pub, crypto.SHA256, signature.LoadDefaultSV, nil)
 }
 
 func totalTreeSize(activeShard *models.LogInfo, inactiveShards []*models.InactiveShardLogInfo) int64 {

diff --git a/go.mod b/go.mod
@@ -206,4 +206,4 @@ require (
 )
 
 // TODO: replace this
-replace github.com/sigstore/sigstore => github.com/trail-of-forks/sigstore v0.0.0-20240111141334-bcd0b6e69e27
+replace github.com/sigstore/sigstore => github.com/trail-of-forks/sigstore v0.0.0-20240112143627-ef70c23a75c8
diff --git a/go.sum b/go.sum
@@ -430,8 +430,8 @@ github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qv
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
-github.com/trail-of-forks/sigstore v0.0.0-20240111141334-bcd0b6e69e27 h1:c2Ml9cPxyhUjvo+qqh+D1jlBMXe8+kRa68AlM4PqshU=
-github.com/trail-of-forks/sigstore v0.0.0-20240111141334-bcd0b6e69e27/go.mod h1:l12B1gFlLIpBIVeqk/q1Lb+6YSOGNuN3xLExIjYH+qc=
+github.com/trail-of-forks/sigstore v0.0.0-20240112143627-ef70c23a75c8 h1:xtAMpRyXS/lYwG1JBIFoXJcobPd9QViTLWMoNe7gQpQ=
+github.com/trail-of-forks/sigstore v0.0.0-20240112143627-ef70c23a75c8/go.mod h1:l12B1gFlLIpBIVeqk/q1Lb+6YSOGNuN3xLExIjYH+qc=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
 github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=

diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go
@@ -38,17 +38,27 @@ import (
 var EmailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1}
 
 type Signature struct {
-	signature []byte
+	signature              []byte
+	loadSignerVerifierType sigsig.LoadSignerVerifierType
+	loadVerifierOpts       *sigsig.LoadVerifierOpts
 }
 
-// NewSignature creates and validates an x509 signature object
+// NewSignature creates and validates an x509 signature object.
 func NewSignature(r io.Reader) (*Signature, error) {
+	return NewSignatureWithOpts(r, sigsig.LoadDefaultSV, nil)
+}
+
+// NewSignatureWithOpts creates and validates an x509 signature object, allowing
+// specific verifiers to be used
+func NewSignatureWithOpts(r io.Reader, loadSignerVerifierType sigsig.LoadSignerVerifierType, loadVerifierOpts *sigsig.LoadVerifierOpts) (*Signature, error) {
 	b, err := io.ReadAll(r)
 	if err != nil {
 		return nil, err
 	}
 	return &Signature{
-		signature: b,
+		signature:              b,
+		loadSignerVerifierType: loadSignerVerifierType,
+		loadVerifierOpts:       loadVerifierOpts,
 	}, nil
 }
 
@@ -84,7 +94,7 @@ func (s Signature) Verify(r io.Reader, k interface{}, opts ...sigsig.VerifyOptio
 		}
 	}
 
-	verifier, err := sigsig.LoadVerifier(p, crypto.SHA256)
+	verifier, err := sigsig.LoadVerifier(p, crypto.SHA256, s.loadSignerVerifierType, s.loadVerifierOpts)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/pki/x509/x509_test.go b/pkg/pki/x509/x509_test.go
@@ -104,7 +104,7 @@ func signData(t *testing.T, b []byte, pkey string) []byte {
 	if err != nil {
 		t.Fatal(err)
 	}
-	signer, err := signature.LoadSigner(priv, crypto.SHA256)
+	signer, err := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -320,7 +320,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 
 	// Generate signature to verify
 	data := []byte("test")
-	signer, err := signature.LoadSigner(leafKey, crypto.SHA256)
+	signer, err := signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -341,7 +341,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 	leafCert, leafKey, _ = testutils.GenerateExpiredLeafCert("subject@example.com", "oidc-issuer", subCert, subKey)
 	pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, subCert, rootCert})
 	pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
-	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
+	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
 	sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
 	s, _ = NewSignature(bytes.NewReader(sigBytes))
 	err = s.Verify(bytes.NewReader(data), pub)
@@ -352,7 +352,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 	// Verify error with invalid chain
 	pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
 	pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
-	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
+	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
 	sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
 	s, _ = NewSignature(bytes.NewReader(sigBytes))
 	err = s.Verify(bytes.NewReader(data), pub)
@@ -364,7 +364,7 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 	leafCert, leafKey, _ = testutils.GenerateLeafCert("subject@example.com", "oidc-issuer", nil, rootCert, rootKey)
 	pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
 	pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
-	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
+	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256, signature.LoadDefaultSV, nil)
 	sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
 	s, _ = NewSignature(bytes.NewReader(sigBytes))
 	err = s.Verify(bytes.NewReader(data), pub)

diff --git a/pkg/signer/file.go b/pkg/signer/file.go
@@ -35,7 +35,7 @@ func NewFile(keyPath, keyPass string) (*File, error) {
 		return nil, fmt.Errorf("file: provide a valid signer, %s is not valid: %w", keyPath, err)
 	}
 
-	signer, err := signature.LoadSignerVerifier(opaqueKey, crypto.SHA256)
+	signer, err := signature.LoadSignerVerifier(opaqueKey, crypto.SHA256, signature.LoadDefaultSV, nil)
 	if err != nil {
 		return nil, fmt.Errorf(`file: loaded private key from %s can't be used to sign: %w`, keyPath, err)
 	}

diff --git a/pkg/types/dsse/v0.0.1/entry.go b/pkg/types/dsse/v0.0.1/entry.go
@@ -381,7 +381,7 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
 			return nil, fmt.Errorf("could not parse public key as x509: %w", err)
 		}
 
-		vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256)
+		vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256, signature.LoadDefaultSV, nil)
 		if err != nil {
 			return nil, fmt.Errorf("could not load verifier: %w", err)
 		}

diff --git a/pkg/types/hashedrekord/v0.0.1/entry.go b/pkg/types/hashedrekord/v0.0.1/entry.go
@@ -37,6 +37,7 @@ import (
 	"github.com/sigstore/rekor/pkg/pki/x509"
 	"github.com/sigstore/rekor/pkg/types"
 	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -145,7 +146,8 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) {
 		return nil, nil, types.ValidationError(errors.New("missing signature"))
 	}
 	// Hashed rekord type only works for x509 signature types
-	sigObj, err := x509.NewSignature(bytes.NewReader(sig.Content))
+	// Use ED25519ph when ED25519 public keys are provided by the client
+	sigObj, err := x509.NewSignatureWithOpts(bytes.NewReader(sig.Content), signature.LoadED25519phSV, nil)
 	if err != nil {
 		return nil, nil, types.ValidationError(err)
 	}

diff --git a/pkg/types/hashedrekord/v0.0.1/entry_test.go b/pkg/types/hashedrekord/v0.0.1/entry_test.go
@@ -93,7 +93,7 @@ func TestCrossFieldValidation(t *testing.T) {
 	h := sha256.Sum256(dataBytes)
 	dataSHA := hex.EncodeToString(h[:])
 
-	signer, _ := signature.LoadSigner(key, crypto.SHA256)
+	signer, _ := signature.LoadSigner(key, crypto.SHA256, signature.LoadDefaultSV, nil)
 	sigBytes, _ := signer.SignMessage(bytes.NewReader(dataBytes))
 
 	incorrectLengthHash := sha256.Sum224(dataBytes)

diff --git a/pkg/types/intoto/v0.0.1/entry.go b/pkg/types/intoto/v0.0.1/entry.go
@@ -249,7 +249,7 @@ func (v *V001Entry) validate() error {
 		return nil
 	}
 
-	vfr, err := signature.LoadVerifier(pk.CryptoPubKey(), crypto.SHA256)
+	vfr, err := signature.LoadVerifier(pk.CryptoPubKey(), crypto.SHA256, signature.LoadDefaultSV, nil)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/types/intoto/v0.0.2/entry.go b/pkg/types/intoto/v0.0.2/entry.go
@@ -426,7 +426,7 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
 			return nil, fmt.Errorf("could not parse public key as x509: %w", err)
 		}
 
-		vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256)
+		vfr, err := signature.LoadVerifier(key.CryptoPubKey(), crypto.SHA256, signature.LoadDefaultSV, nil)
 		if err != nil {
 			return nil, fmt.Errorf("could not load verifier: %w", err)
 		}

diff --git a/pkg/util/checkpoint_test.go b/pkg/util/checkpoint_test.go
@@ -310,20 +310,22 @@ func TestSigningRoundtripCheckpoint(t *testing.T) {
 			if err != nil {
 				t.Fatalf("error creating signed checkpoint")
 			}
-			signer, _ := signature.LoadSigner(test.signer, crypto.SHA256)
-			if _, ok := test.signer.(*rsa.PrivateKey); ok {
-				signer, _ = signature.LoadRSAPSSSigner(test.signer.(*rsa.PrivateKey), crypto.SHA256, test.opts.(*rsa.PSSOptions))
+			loadSignerOpts := signature.LoadSignerOpts{}
+			if rsaPSSOpts, ok := test.opts.(*rsa.PSSOptions); ok {
+				loadSignerOpts.RSAPSSOptions = rsaPSSOpts
 			}
+			signer, _ := signature.LoadSigner(test.signer, crypto.SHA256, signature.LoadRSAPSSSV, &loadSignerOpts)
 
 			_, err = sth.Sign(test.identity, signer, options.WithCryptoSignerOpts(test.opts))
 			if (err != nil) != test.wantSignErr {
 				t.Fatalf("signing test failed: wantSignErr %v, err %v", test.wantSignErr, err)
 			}
 			if !test.wantSignErr {
-				verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256)
-				if _, ok := test.pubKey.(*rsa.PublicKey); ok {
-					verifier, _ = signature.LoadRSAPSSVerifier(test.pubKey.(*rsa.PublicKey), crypto.SHA256, test.opts.(*rsa.PSSOptions))
+				loadVerifierOpts := signature.LoadVerifierOpts{}
+				if rsaPSSOpts, ok := test.opts.(*rsa.PSSOptions); ok {
+					loadVerifierOpts.RSAPSSOptions = rsaPSSOpts
 				}
+				verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256, signature.LoadRSAPSSSV, &loadVerifierOpts)
 
 				if !sth.Verify(verifier) != test.wantVerifyErr {
 					t.Fatalf("verification test failed %v", sth.Verify(verifier))
@@ -409,7 +411,7 @@ func TestInvalidSigVerification(t *testing.T) {
 				Note:       string(text),
 				Signatures: test.s,
 			}
-			verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256)
+			verifier, _ := signature.LoadVerifier(test.pubKey, crypto.SHA256, signature.LoadDefaultSV, nil)
 			result := sc.Verify(verifier)
 			if result != test.expectedResult {
 				t.Fatal("verification test generated unexpected result")

diff --git a/pkg/witness/publish_checkpoint_test.go b/pkg/witness/publish_checkpoint_test.go
@@ -45,7 +45,7 @@ func TestPublishCheckpoint(t *testing.T) {
 		Help: "Checkpoint publishing by shard and code",
 	}, []string{"shard", "code"})
 	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	signer, _ := signature.LoadSigner(priv, crypto.SHA256)
+	signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -100,7 +100,7 @@ func TestPublishCheckpointMultiple(t *testing.T) {
 		Help: "Checkpoint publishing by shard and code",
 	}, []string{"shard", "code"})
 	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	signer, _ := signature.LoadSigner(priv, crypto.SHA256)
+	signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -165,7 +165,7 @@ func TestPublishCheckpointTrillianError(t *testing.T) {
 		Help: "Checkpoint publishing by shard and code",
 	}, []string{"shard", "code"})
 	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	signer, _ := signature.LoadSigner(priv, crypto.SHA256)
+	signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -201,7 +201,7 @@ func TestPublishCheckpointInvalidTrillianResponse(t *testing.T) {
 		Help: "Checkpoint publishing by shard and code",
 	}, []string{"shard", "code"})
 	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	signer, _ := signature.LoadSigner(priv, crypto.SHA256)
+	signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -238,7 +238,7 @@ func TestPublishCheckpointRedisFailure(t *testing.T) {
 		Help: "Checkpoint publishing by shard and code",
 	}, []string{"shard", "code"})
 	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	signer, _ := signature.LoadSigner(priv, crypto.SHA256)
+	signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -282,7 +282,7 @@ func TestPublishCheckpointRedisLatestFailure(t *testing.T) {
 		Help: "Checkpoint publishing by shard and code",
 	}, []string{"shard", "code"})
 	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	signer, _ := signature.LoadSigner(priv, crypto.SHA256)
+	signer, _ := signature.LoadSigner(priv, crypto.SHA256, signature.LoadDefaultSV, nil)
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()

diff --git a/tests/e2e_test.go b/tests/e2e_test.go
@@ -273,7 +273,7 @@ func TestSignedEntryTimestamp(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	verifier, err := signature.LoadVerifier(rekorPubKey, crypto.SHA256)
+	verifier, err := signature.LoadVerifier(rekorPubKey, crypto.SHA256, signature.LoadDefaultSV, nil)
 	if err != nil {
 		t.Fatal(err)
 	}