fix: make client shard aware when verifying (#280)

Signed-off-by: Asra Ali <asraa@google.com> Signed-off-by: Asra Ali <asraa@google.com>
slsa-framework · Oct 2, 2022 · 49ab4e7 · 49ab4e7
1 parent 5bb13ef
commit 49ab4e7
Showing 1 changed file with 31 additions and 7 deletions.
diff --git a/verifiers/internal/gha/rekor.go b/verifiers/internal/gha/rekor.go
@@ -45,7 +45,9 @@ const (
 	defaultRekorAddr = "https://rekor.sigstore.dev"
 )
 
-func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, eproof *models.InclusionProof, pub *ecdsa.PublicKey) error {
+func verifyRootHash(ctx context.Context, rekorClient *client.Rekor,
+	treeID int64, eproof *models.InclusionProof, pub *ecdsa.PublicKey) error {
+	treeIDString := fmt.Sprintf("%d", treeID)
 	infoParams := tlog.NewGetLogInfoParamsWithContext(ctx)
 	result, err := rekorClient.Tlog.GetLogInfo(infoParams)
 	if err != nil {
@@ -58,6 +60,13 @@ func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, eproof *mode
 	if err := sth.UnmarshalText([]byte(*logInfo.SignedTreeHead)); err != nil {
 		return err
 	}
+	for _, inactiveShard := range logInfo.InactiveShards {
+		if *inactiveShard.TreeID == treeIDString {
+			if err := sth.UnmarshalText([]byte(*inactiveShard.SignedTreeHead)); err != nil {
+				return err
+			}
+		}
+	}
 
 	verifier, err := signature.LoadVerifier(pub, crypto.SHA256)
 	if err != nil {
@@ -122,22 +131,36 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, entry
 		return nil, err
 	}
 
-	var e models.LogEntryAnon
 	for k, entry := range lep.Payload {
-		if k != uuid {
+		returnUUID, err := sharding.GetUUIDFromIDString(k)
+		if err != nil {
+			return nil, err
+		}
+		// Validate that the request matches the response
+		if returnUUID != uuid {
 			return nil, errors.New("expected matching UUID")
 		}
-		e = entry
+		return verifyTlogEntry(ctx, rekorClient, k, entry)
 	}
 
-	return verifyTlogEntry(ctx, rekorClient, uuid, e)
+	return nil, serrors.ErrorRekorSearch
 }
 
-func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string, e models.LogEntryAnon) (*models.LogEntryAnon, error) {
+func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor,
+	entryUUID string, e models.LogEntryAnon) (*models.LogEntryAnon, error) {
 	if e.Verification == nil || e.Verification.InclusionProof == nil {
 		return nil, errors.New("inclusion proof not provided")
 	}
 
+	uuid, err := sharding.GetUUIDFromIDString(entryUUID)
+	if err != nil {
+		return nil, fmt.Errorf("%w: retrieving uuid from entry uuid", err)
+	}
+	treeID, err := sharding.TreeID(entryUUID)
+	if err != nil {
+		return nil, fmt.Errorf("%w: retrieving tree ID", err)
+	}
+
 	var hashes [][]byte
 	for _, h := range e.Verification.InclusionProof.Hashes {
 		hb, err := hex.DecodeString(h)
@@ -165,7 +188,8 @@ func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string
 	var entryVerError error
 	for _, pubKey := range pubs {
 		// Verify inclusion against the signed tree head
-		entryVerError = verifyRootHash(ctx, rekorClient, e.Verification.InclusionProof, pubKey.PubKey)
+		entryVerError = verifyRootHash(ctx, rekorClient, treeID,
+			e.Verification.InclusionProof, pubKey.PubKey)
 		if entryVerError == nil {
 			break
 		}