


     1  //
     2  // Copyright 2021 The Sigstore Authors.
     3  //
     4  // Licensed under the Apache License, Version 2.0 (the "License");
     5  // you may not use this file except in compliance with the License.
     6  // You may obtain a copy of the License at
     7  //
     8  //     http://www.apache.org/licenses/LICENSE-2.0
     9  //
    10  // Unless required by applicable law or agreed to in writing, software
    11  // distributed under the License is distributed on an "AS IS" BASIS,
    12  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  // See the License for the specific language governing permissions and
    14  // limitations under the License.
    15  
    16  package ssh
    17  
import (
	"fmt"
	"io"

	"golang.org/x/crypto/ssh"
)
    23  
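// Verify checks that armoredSignature is a valid SSH signature over the
// contents of message, made by the key in publicKey.
//
// message is read to EOF; armoredSignature is the armored SSH signature
// accepted by Decode; publicKey is a single key in OpenSSH
// authorized_keys format. A nil return means the signature verified.
// Any decoding, key-parsing, hashing or verification failure is
// returned as an error wrapping the underlying cause.
func Verify(message io.Reader, armoredSignature []byte, publicKey []byte) error {
	decodedSignature, err := Decode(armoredSignature)
	if err != nil {
		return fmt.Errorf("decoding ssh signature: %w", err)
	}

	desiredPk, _, _, _, err := ssh.ParseAuthorizedKey(publicKey)
	if err != nil {
		return fmt.Errorf("parsing ssh public key: %w", err)
	}

	// The hash algorithm is named by the signature, i.e. by untrusted input.
	// Look it up explicitly: indexing a missing key yields a nil func, and
	// calling it would panic instead of returning an error.
	newHash, ok := supportedHashAlgorithms[decodedSignature.hashAlg]
	if !ok || newHash == nil {
		return fmt.Errorf("unsupported hash algorithm %v", decodedSignature.hashAlg)
	}

	// Hash the message so we can verify it against the signature.
	h := newHash()
	if _, err := io.Copy(h, message); err != nil {
		return fmt.Errorf("hashing message: %w", err)
	}
	hm := h.Sum(nil)

	// The blob the key verifies is the magic header followed by the
	// SSH-marshaled MessageWrapper carrying the "file" namespace, the
	// signature's hash algorithm and the message digest.
	toVerify := MessageWrapper{
		Namespace:     "file",
		HashAlgorithm: decodedSignature.hashAlg,
		Hash:          string(hm),
	}
	signedMessage := ssh.Marshal(toVerify)
	signedMessage = append([]byte(magicHeader), signedMessage...)
	return desiredPk.Verify(signedMessage, decodedSignature.signature)
}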
    51  
