     1  // Copyright 2021 Google LLC. All Rights Reserved.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  // Package verifier is designed to verify the signatures produced by a witness.
    16  package verifier
    17  
    18  import (
    19  	"crypto"
    20  	"errors"
    21  	"fmt"
    22  
    23  	ct "github.com/google/certificate-transparency-go"
    24  	"github.com/google/certificate-transparency-go/internal/witness/api"
    25  	"github.com/google/certificate-transparency-go/tls"
    26  )
    27  
    28  // WitnessVerifier consists of a CT signature verifier.
// WitnessVerifier consists of a CT signature verifier.
//
// SigVerifier wraps the witness' public key and is what VerifySignature uses
// to check a cosignature. The field is exported, so callers may build the
// struct directly; NewWitnessVerifier is the usual way to construct one from a
// crypto.PublicKey. A zero-value WitnessVerifier (nil SigVerifier) is not
// usable.
type WitnessVerifier struct {
	SigVerifier *ct.SignatureVerifier
}
    32  
    33  // NewWitnessVerifier creates a witness signature verifier from a public key.
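// NewWitnessVerifier creates a witness signature verifier from a public key.
//
// pk is the witness' public key. It is handed to ct.NewSignatureVerifier, so
// only the key types that verifier supports are accepted. On failure the
// returned error wraps the underlying one (via %w) so callers can inspect it
// with errors.Is / errors.As rather than matching on message text.
func NewWitnessVerifier(pk crypto.PublicKey) (*WitnessVerifier, error) {
	sv, err := ct.NewSignatureVerifier(pk)
	if err != nil {
		return nil, fmt.Errorf("failed to create signature verifier: %w", err)
	}
	return &WitnessVerifier{SigVerifier: sv}, nil
}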
    41  
    42  // VerifySignature finds and verifies this witness' signature on a cosigned STH.
    43  // This may mean that there are other witness signatures that remain unverified,
    44  // so future implementations may want to take in multiple signature verifiers
    45  // like in the Note package (https://pkg.go.dev/golang.org/x/mod/sumdb/note).
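// VerifySignature finds and verifies this witness' signature on a cosigned STH.
//
// The witness cosignature is checked against the TLS encoding of the embedded
// SignedTreeHead (sth.SignedTreeHead), so a signature over any other
// serialisation of the tree head will not verify. Each entry in
// sth.WitnessSigs is tried in turn against this verifier's key and the first
// one that verifies is accepted; signatures that do not verify (including
// those made by other witnesses, or malformed ones) are skipped rather than
// causing rejection. Consequently a nil return proves only that THIS witness
// cosigned the STH — other witness signatures remain unverified, so future
// implementations may want to take in multiple signature verifiers like in
// the Note package (https://pkg.go.dev/golang.org/x/mod/sumdb/note).
//
// Errors are returned when the verifier is unconfigured, when no witness
// signature is present, when the STH cannot be marshaled, or when none of the
// signatures verify; in the last case the error wraps the failure from the
// final signature tried so the cause is not lost.
func (wv WitnessVerifier) VerifySignature(sth api.CosignedSTH) error {
	// A zero-value WitnessVerifier would otherwise nil-dereference below.
	if wv.SigVerifier == nil {
		return errors.New("witness verifier has no signature verifier configured")
	}
	if len(sth.WitnessSigs) == 0 {
		return errors.New("no witness signature present in the STH")
	}
	sigData, err := tls.Marshal(sth.SignedTreeHead)
	if err != nil {
		return fmt.Errorf("failed to marshal internal STH: %w", err)
	}
	var lastErr error
	for i, sig := range sth.WitnessSigs {
		// If we find a signature that verifies then we're okay.
		err := wv.SigVerifier.VerifySignature(sigData, tls.DigitallySigned(sig))
		if err == nil {
			return nil
		}
		lastErr = fmt.Errorf("signature %d: %w", i, err)
	}
	return fmt.Errorf("failed to verify any signature for this witness (%d tried): %w", len(sth.WitnessSigs), lastErr)
}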
    62  
