Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Find all valid entries in verify-blob #1673

Merged
merged 2 commits into from
Mar 28, 2022
Merged

Find all valid entries in verify-blob #1673

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
09063aa
Find all valid entries in verify-blob
priyawadhwa Mar 28, 2022
68a9901
Code review comments
priyawadhwa Mar 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/workflows/github-oidc.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,3 +49,8 @@ jobs:
set -e
# Build and publish an image.
make sign-keyless-container

- name: Build and sign a blob
run: |
set -e
make sign-blob-experimental
2 changes: 2 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,5 @@

bin*
dist/

test/verify-experimental*
67 changes: 49 additions & 18 deletions cmd/cosign/cli/verify/verify_blob.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ import (
sigs "github.com/sigstore/cosign/pkg/signature"

ctypes "github.com/sigstore/cosign/pkg/types"
"github.com/sigstore/rekor/pkg/generated/client"
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/types"
hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord/v0.0.1"
Expand Down Expand Up @@ -161,44 +162,74 @@ func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail, cer
if len(uuids) == 0 {
return errors.New("could not find a tlog entry for provided blob")
}
return verifySigByUUID(ctx, ko, rClient, certEmail, certOidcIssuer, sig, b64sig, uuids, blobBytes)
}

// Use the DSSE verifier if the payload is a DSSE with the In-Toto format.
if isIntotoDSSE(blobBytes) {
verifier = dsse.WrapVerifier(verifier)
}

// verify the signature
if err := verifier.VerifySignature(bytes.NewReader([]byte(sig)), bytes.NewReader(blobBytes)); err != nil {
return err
}

// verify the rekor entry
if err := verifyRekorEntry(ctx, ko, verifier, cert, b64sig, blobBytes); err != nil {
return err
}

fmt.Fprintln(os.Stderr, "Verified OK")
return nil
}

tlogEntry, err := cosign.GetTlogEntry(ctx, rClient, uuids[0])
func verifySigByUUID(ctx context.Context, ko sign.KeyOpts, rClient *client.Rekor, certEmail, certOidcIssuer, sig, b64sig string, uuids []string, blobBytes []byte) error {
var validSigExists bool
for _, u := range uuids {
tlogEntry, err := cosign.GetTlogEntry(ctx, rClient, u)
if err != nil {
return err
continue
}

certs, err := extractCerts(tlogEntry)
if err != nil {
return err
continue
}

co := &cosign.CheckOpts{
RootCerts: fulcio.GetRoots(),
CertEmail: certEmail,
CertOidcIssuer: certOidcIssuer,
}
cert = certs[0]
verifier, err = cosign.ValidateAndUnpackCert(cert, co)
cert := certs[0]
verifier, err := cosign.ValidateAndUnpackCert(cert, co)
if err != nil {
return err
continue
}
// Use the DSSE verifier if the payload is a DSSE with the In-Toto format.
if isIntotoDSSE(blobBytes) {
verifier = dsse.WrapVerifier(verifier)
}
// verify the signature
if err := verifier.VerifySignature(bytes.NewReader([]byte(sig)), bytes.NewReader(blobBytes)); err != nil {
continue
}
}

// Use the DSSE verifier if the payload is a DSSE with the In-Toto format.
if isIntotoDSSE(blobBytes) {
verifier = dsse.WrapVerifier(verifier)
// verify the rekor entry
if err := verifyRekorEntry(ctx, ko, verifier, cert, b64sig, blobBytes); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI inside this we make another extraneous call to Rekor to get the TLOG entry UUID (

cosign/cmd/cosign/cli/verify/verify_blob.go

Line 326 in e2017af

e, err := cosign.GetTlogEntry(ctx, rekorClient, uuid)
) and perform tlog verification (check inclusion proof etc) inside this. I had this refactored/separated out #1662 so I'll rebase and make it even more clean here!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @asraa !

continue
}
validSigExists = true
}
if !validSigExists {
fmt.Fprintln(os.Stderr, `WARNING: No valid entries were found in rekor to verify this blob.

// verify the signature
if err := verifier.VerifySignature(bytes.NewReader([]byte(sig)), bytes.NewReader(blobBytes)); err != nil {
return err
}
Transparency log support for blobs is experimental, and occasionally an entry isn't found even if one exists.

// verify the rekor entry
if err := verifyRekorEntry(ctx, ko, verifier, cert, b64sig, blobBytes); err != nil {
return err
We recommend requesting the certificate/signature from the original signer of this blob and manually verifying with cosign verify-blob --cert [cert] --signature [signature].`)
return fmt.Errorf("could not find a valid tlog entry for provided blob, found %d invalid entries", len(uuids))
}

fmt.Fprintln(os.Stderr, "Verified OK")
return nil
}
Expand Down
4 changes: 4 additions & 0 deletions test/ci.mk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,3 +31,7 @@ sign-keyless-sget:

.PHONY: sign-keyless-container
sign-keyless-container: ko sign-keyless-cosign sign-keyless-cosigned sign-keyless-sget

.PHONY: sign-blob-experimental
sign-blob-experimental:
./sign_blob_test.sh
75 changes: 75 additions & 0 deletions test/sign_blob_test.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
#!/usr/bin/env bash
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This test checks that verify-blob will iterate over all entries and check for at least one valid entry before erroring out
# This is to prevent verify-blob from only checking the most recent entry, which could result
# in a "denial of service" type attack if someone signs a piece of software
# with their own certificate which doesn't chain up to Sigstore

set -ex

export COSIGN_EXPERIMENTAL=1

echo "Creating a unique blob"
BLOB=verify-experimental-blob
date > $BLOB

echo "Sign the blob with cosign first and upload to rekor"
SIG=$(cosign sign-blob $BLOB)

echo "Verifying ..."
cosign verify-blob -signature $SIG $BLOB

# Now, sign the blob with a self-signed certificate and upload to rekor
SIG_FILE=verify-experimental-signature
openssl dgst -sha256 -sign testdata/test_blob_private_key -out $SIG_FILE $BLOB
openssl dgst -sha256 -verify testdata/test_blob_public_key -signature $SIG_FILE $BLOB

SHA256HASH=$(sha256sum $BLOB | cut -f1 -d' ')

SIGNATURE=$(cat $SIG_FILE | base64)
echo "Signature: $SIGNATURE"

CERT=$(cat testdata/test_blob_cert.pem | base64)
echo "Cert: $CERT"

JSON_BODY_FILE=verify-experimental-blob-http-body.json
cat <<EOF > $JSON_BODY_FILE
{
"apiVersion": "0.0.1",
"spec": {
"data": {
"hash": {
"algorithm": "sha256",
"value": "$SHA256HASH"
}
},
"signature": {
"content": "$SIGNATURE",
"publicKey": {
"content": "$CERT"
}
}
},
"kind": "hashedrekord"
}
EOF

curl -X POST https://rekor.sigstore.dev/api/v1/log/entries -H 'Content-Type: application/json' -d @$JSON_BODY_FILE

# Verifying should still work
echo "Verifying ..."
cosign verify-blob --signature $SIG $BLOB
13 changes: 13 additions & 0 deletions test/testdata/test_blob_cert.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
-----BEGIN CERTIFICATE-----
MIIB9jCCAZwCCQDmJAPXiurv9jAKBggqhkjOPQQDAjCBgjELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEQMA4GA1UECgwHQ29tcGFueTENMAsG
A1UECwwEVW5pdDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUub3JnMR4wHAYJKoZIhvcN
AQkBFg9lbWFpbEBlbWFpbC5jb20wHhcNMjIwMzI4MTgwNDIwWhcNMjIwNDI3MTgw
NDIwWjCBgjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEQ
MA4GA1UECgwHQ29tcGFueTENMAsGA1UECwwEVW5pdDEYMBYGA1UEAwwPd3d3LmV4
YW1wbGUub3JnMR4wHAYJKoZIhvcNAQkBFg9lbWFpbEBlbWFpbC5jb20wWTATBgcq
hkjOPQIBBggqhkjOPQMBBwNCAAR1Q4hB1jtagrdsVxygtDa/rli00U7n/1I/NSw8
yoMRQ+MOAjRhg3gtcV0tha34L6150qJirQHbfocsao8X6wFmMAoGCCqGSM49BAMC
A0gAMEUCIQDkZ4ZmFOK2Ze+znScge1JidTRzxNxCLbrdfc5yEJia2QIgCEjIY6Zo
QUwiyuC3ll5a9GDc4swfguZq9kOFX9bD0XQ=
-----END CERTIFICATE-----
8 changes: 8 additions & 0 deletions test/testdata/test_blob_private_key
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIMJRdxVQ7AH6z1BlE9ucEMSAQhY431IFHe0oVCH7Iw49oAoGCCqGSM49
AwEHoUQDQgAEdUOIQdY7WoK3bFccoLQ2v65YtNFO5/9SPzUsPMqDEUPjDgI0YYN4
LXFdLYWt+C+tedKiYq0B236HLGqPF+sBZg==
-----END EC PRIVATE KEY-----
4 changes: 4 additions & 0 deletions test/testdata/test_blob_public_key
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEdUOIQdY7WoK3bFccoLQ2v65YtNFO
5/9SPzUsPMqDEUPjDgI0YYN4LXFdLYWt+C+tedKiYq0B236HLGqPF+sBZg==
-----END PUBLIC KEY-----