1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16 package tuf
17
18 import (
19 "crypto/ed25519"
20 "crypto/sha256"
21 "crypto/x509"
22 "encoding/hex"
23 "encoding/json"
24 "errors"
25 "fmt"
26 "io"
27 "time"
28
29 "github.com/cyberphone/json-canonicalization/go/src/webpki.org/jsoncanonicalizer"
30 "github.com/sigstore/rekor/pkg/pki/identity"
31 "github.com/sigstore/sigstore/pkg/cryptoutils"
32 sigsig "github.com/sigstore/sigstore/pkg/signature"
33 "github.com/theupdateframework/go-tuf/data"
34 "github.com/theupdateframework/go-tuf/pkg/keys"
35 "github.com/theupdateframework/go-tuf/verify"
36 )
37
38 type Signature struct {
39 signed *data.Signed
40 Role string
41 Version int
42 }
43
44 type signedMeta struct {
45 Type string `json:"_type"`
46 Expires time.Time `json:"expires"`
47 Version int `json:"version"`
48 SpecVersion string `json:"spec_version"`
49 }
50
51
52 func NewSignature(r io.Reader) (*Signature, error) {
53 b, err := io.ReadAll(r)
54 if err != nil {
55 return nil, err
56 }
57
58 s := &data.Signed{}
59 if err := json.Unmarshal(b, s); err != nil {
60 return nil, err
61 }
62
63
64 sm := &signedMeta{}
65 if err := json.Unmarshal(s.Signed, sm); err != nil {
66 return nil, err
67 }
68
69 return &Signature{
70 signed: s,
71 Role: sm.Type,
72 Version: sm.Version,
73 }, nil
74 }
75
76
77 func (s Signature) CanonicalValue() ([]byte, error) {
78 if s.signed == nil {
79 return nil, errors.New("tuf manifest has not been initialized")
80 }
81 marshalledBytes, err := json.Marshal(s.signed)
82 if err != nil {
83 return nil, fmt.Errorf("marshalling signature: %w", err)
84 }
85 return jsoncanonicalizer.Transform(marshalledBytes)
86 }
87
88
89 func (s Signature) Verify(_ io.Reader, k interface{}, _ ...sigsig.VerifyOption) error {
90 key, ok := k.(*PublicKey)
91 if !ok {
92 return fmt.Errorf("invalid public key type for: %v", k)
93 }
94
95 if key.db == nil {
96 return errors.New("tuf root has not been initialized")
97 }
98
99 return key.db.Verify(s.signed, s.Role, 0)
100 }
101
102
103 type PublicKey struct {
104
105 root *data.Signed
106 db *verify.DB
107 }
108
109
110 func NewPublicKey(r io.Reader) (*PublicKey, error) {
111 rawRoot, err := io.ReadAll(r)
112 if err != nil {
113 return nil, err
114 }
115
116
117 s := &data.Signed{}
118 if err := json.Unmarshal(rawRoot, s); err != nil {
119 return nil, err
120 }
121 root := &data.Root{}
122 if err := json.Unmarshal(s.Signed, root); err != nil {
123 return nil, err
124 }
125
126
127 db := verify.NewDB()
128 for id, k := range root.Keys {
129 if err := db.AddKey(id, k); err != nil {
130 return nil, err
131 }
132 }
133 for name, role := range root.Roles {
134 if err := db.AddRole(name, role); err != nil {
135 return nil, err
136 }
137 }
138
139
140 if err := db.Verify(s, "root", 0); err != nil {
141 return nil, err
142 }
143
144 return &PublicKey{root: s, db: db}, nil
145 }
146
147
148 func (k PublicKey) CanonicalValue() (encoded []byte, err error) {
149 if k.root == nil {
150 return nil, errors.New("tuf root has not been initialized")
151 }
152 marshalledBytes, err := json.Marshal(k.root)
153 if err != nil {
154 return nil, fmt.Errorf("marshalling tuf root: %w", err)
155 }
156 return jsoncanonicalizer.Transform(marshalledBytes)
157 }
158
159 func (k PublicKey) SpecVersion() (string, error) {
160
161 sm := &signedMeta{}
162 if err := json.Unmarshal(k.root.Signed, sm); err != nil {
163 return "", err
164 }
165 return sm.SpecVersion, nil
166 }
167
168
169 func (k PublicKey) EmailAddresses() []string {
170 return nil
171 }
172
173
174 func (k PublicKey) Subjects() []string {
175 return nil
176 }
177
178
179 func (k PublicKey) Identities() ([]identity.Identity, error) {
180 root := &data.Root{}
181 if err := json.Unmarshal(k.root.Signed, root); err != nil {
182 return nil, err
183 }
184 var ids []identity.Identity
185 for _, k := range root.Keys {
186 verifier, err := keys.GetVerifier(k)
187 if err != nil {
188 return nil, err
189 }
190 switch k.Type {
191
192 case data.KeyTypeRSASSA_PSS_SHA256:
193 fallthrough
194
195 case "ecdsa-sha2-nistp256":
196 fallthrough
197 case "ecdsa":
198
199 pub, err := x509.ParsePKIXPublicKey([]byte(verifier.Public()))
200 if err != nil {
201 return nil, err
202 }
203 pkixKey, err := cryptoutils.MarshalPublicKeyToDER(pub)
204 if err != nil {
205 return nil, err
206 }
207 digest := sha256.Sum256(pkixKey)
208 ids = append(ids, identity.Identity{
209 Crypto: pub,
210 Raw: pkixKey,
211 Fingerprint: hex.EncodeToString(digest[:]),
212 })
213 case data.KeyTypeEd25519:
214
215 pub := ed25519.PublicKey(verifier.Public())
216 pkixKey, err := cryptoutils.MarshalPublicKeyToDER(pub)
217 if err != nil {
218 return nil, err
219 }
220 digest := sha256.Sum256(pkixKey)
221 ids = append(ids, identity.Identity{
222 Crypto: pub,
223 Raw: pkixKey,
224 Fingerprint: hex.EncodeToString(digest[:]),
225 })
226 default:
227 return nil, fmt.Errorf("unsupported key type: %v", k.Type)
228 }
229 }
230 return ids, nil
231 }
232
View as plain text