fix: 10263 don't explode for bad option values
Also expand the test coverage to fully cover verification modes.

Positive and negative cases for `--leaf`, `--entryid` and `--event-json-file`

Negative *tamper* case for `--event-json-file`

AB#10263
Robin Bryce committed Dec 12, 2024
1 parent d74bbe0 commit 9116430
Showing 5 changed files with 547 additions and 37 deletions.
46 changes: 31 additions & 15 deletions datatrails_scitt_samples/scripts/verify_receipt.py
Expand Up @@ -4,6 +4,8 @@
import sys
import json

from requests import HTTPError

from pycose.messages import Sign1Message

from datatrails_scitt_samples.cose_receipt_verification import verify_receipt_mmriver
Expand Down Expand Up @@ -50,7 +52,7 @@ def verify_transparent_statement(
return verify_receipt_mmriver(receipt_bytes, leaf)


def main():
def main(args=None) -> bool:
"""Verifies a counter signed receipt signature"""

parser = argparse.ArgumentParser(
Expand Down Expand Up @@ -91,7 +93,7 @@ def main():
default="transparent-statement.cbor",
)

args = parser.parse_args()
args = parser.parse_args(args or sys.argv[1:])

# Note: the context is only used if --entryid is
# used to obtain the leaf hash directly from datatrails
Expand All @@ -101,25 +103,36 @@ def main():
ctx = ServiceContext.from_env("verify-receipt", **cfg_overrides)

if not (args.leaf or args.event_json_file or args.entryid):
print("either --leaf or --event-json-file is required", file=sys.stderr)
sys.exit(1)
ctx.error("either --leaf or --event-json-file is required")
return False

leaf = None
if args.leaf:
leaf = bytes.fromhex(args.leaf)
try:
leaf = bytes.fromhex(args.leaf)
except ValueError:
ctx.error("failed to parse leaf hash")
return False

elif args.event_json_file:
event = json.loads(open_event_json(args.event_json_file))
try:
event = json.loads(open_event_json(args.event_json_file))
except ValueError:
ctx.error("failed to parse event json")
return False
leaf = v3leaf_hash(event)
print(leaf.hex())
elif args.entryid:
identity = entryid_to_identity(args.entryid)
event = get_event(ctx, identity, True)
try:
event = get_event(ctx, identity, True)
except HTTPError as e:
ctx.error("failed to obtain event: %s", e)
return False
leaf = v3leaf_hash(event)
print(leaf.hex())

if leaf is None:
print("failed to obtain leaf hash", file=sys.stderr)
sys.exit(1)
ctx.error("failed to obtain leaf hash")
return False

if args.receipt_file:
with open(args.receipt_file, "rb") as file:
Expand All @@ -132,10 +145,13 @@ def main():
verified = verify_transparent_statement(transparent_statement, leaf)

if verified:
print("signature verification succeeded")
else:
print("signature verification failed")
print("verification succeeded")
return True
print("verification failed")
return False


if __name__ == "__main__":
main()
if not main():
sys.exit(1)
sys.exit(0)
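Review bot: In the `--entryid` branch, `entryid_to_identity(args.entryid)` is called before the new `try`, and only `HTTPError` is caught around `get_event`, so a malformed entry id, a connection failure or a timeout would presumably still raise out of `main` instead of returning `False`. The same appears to hold for `--event-json-file`, where `except ValueError` covers a JSON parse error but not an `OSError` from a missing or unreadable file, and for the `open(args.receipt_file, "rb")` call further down, whose handling lies outside the visible hunks. Run as a script, an uncaught exception still exits non-zero, so the verifier fails closed, but callers of `main(args)` (the new tests, or any wrapper) get a traceback rather than the documented boolean. I would move `identity = entryid_to_identity(args.entryid)` inside the `try` and widen the handler to `except (ValueError, RequestException) as e:` (with `from requests import RequestException`), after confirming which exception `entryid_to_identity` raises on bad input.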
1 change: 0 additions & 1 deletion tests/test_register_signed_statement.py
Expand Up @@ -48,7 +48,6 @@ def test_create_and_register_statement(self):
# create a signed statement
create_hashed_signed_statement(
[
"--use-draft-04-labels", # TEMPORARY: Until backend support catches up
"--signing-key-file",
"my-signing-key.pem",
"--payload-file",
