adding progress so far - a bit of a mess

Signed-off-by: chaosinthecrd <[email protected]>
in-toto · Dec 18, 2023 · 5d16222 · 5d16222
1 parent cfee7c9
commit 5d16222
Show file tree

Hide file tree

Showing 12 changed files with 132 additions and 51 deletions.
diff --git a/cryptoutil/ecdsa.go b/cryptoutil/ecdsa.go
@@ -15,10 +15,10 @@
 package cryptoutil
 
 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/rand"
-	"io"
 )
 
 type ErrVerifyFailed struct{}
@@ -40,8 +40,8 @@ func (s *ECDSASigner) KeyID() (string, error) {
 	return GeneratePublicKeyID(&s.priv.PublicKey, s.hash)
 }
 
-func (s *ECDSASigner) Sign(r io.Reader) ([]byte, error) {
-	digest, err := Digest(r, s.hash)
+func (s *ECDSASigner) Sign(ctx context.Context, data []byte) ([]byte, error) {
+	digest, err := DigestBytes(data, s.hash)
 	if err != nil {
 		return nil, err
 	}
@@ -66,8 +66,8 @@ func (v *ECDSAVerifier) KeyID() (string, error) {
 	return GeneratePublicKeyID(v.pub, v.hash)
 }
 
-func (v *ECDSAVerifier) Verify(data io.Reader, sig []byte) error {
-	digest, err := Digest(data, v.hash)
+func (v *ECDSAVerifier) Verify(ctx context.Context, data []byte, sig []byte) error {
+	digest, err := DigestBytes(data, v.hash)
 	if err != nil {
 		return err
 	}
@@ -80,6 +80,10 @@ func (v *ECDSAVerifier) Verify(data io.Reader, sig []byte) error {
 	return nil
 }
 
+func (v *ECDSAVerifier) Public() crypto.PublicKey {
+	return v.pub
+}
+
 func (v *ECDSAVerifier) Bytes() ([]byte, error) {
 	return PublicPemBytes(v.pub)
 }
diff --git a/cryptoutil/ed25519.go b/cryptoutil/ed25519.go
@@ -15,10 +15,10 @@
 package cryptoutil
 
 import (
+	"context"
 	"crypto"
 	"crypto/ed25519"
 	"fmt"
-	"io"
 )
 
 type ED25519Signer struct {
@@ -33,13 +33,8 @@ func (s *ED25519Signer) KeyID() (string, error) {
 	return GeneratePublicKeyID(s.priv.Public(), crypto.SHA256)
 }
 
-func (s *ED25519Signer) Sign(r io.Reader) ([]byte, error) {
-	msg, err := io.ReadAll(r)
-	if err != nil {
-		return nil, err
-	}
-
-	return ed25519.Sign(s.priv, msg), nil
+func (s *ED25519Signer) Sign(ctx context.Context, data []byte) ([]byte, error) {
+	return ed25519.Sign(s.priv, data), nil
 }
 
 func (s *ED25519Signer) Verifier() (Verifier, error) {
@@ -64,20 +59,19 @@ func (v *ED25519Verifier) KeyID() (string, error) {
 	return GeneratePublicKeyID(v.pub, crypto.SHA256)
 }
 
-func (v *ED25519Verifier) Verify(r io.Reader, sig []byte) error {
-	msg, err := io.ReadAll(r)
-	if err != nil {
-		return err
-	}
-
-	verified := ed25519.Verify(v.pub, msg, sig)
+func (v *ED25519Verifier) Verify(ctx context.Context, payload []byte, sig []byte) error {
+	verified := ed25519.Verify(v.pub, payload, sig)
 	if !verified {
 		return ErrVerifyFailed{}
 	}
 
 	return nil
 }
 
+func (v *ED25519Verifier) Public() crypto.PublicKey {
+	return v.pub
+}
+
 func (v *ED25519Verifier) Bytes() ([]byte, error) {
 	return PublicPemBytes(v.pub)
 }
diff --git a/cryptoutil/rsa.go b/cryptoutil/rsa.go
@@ -15,10 +15,10 @@
 package cryptoutil
 
 import (
+	"context"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
-	"io"
 )
 
 type RSASigner struct {
@@ -34,8 +34,8 @@ func (s *RSASigner) KeyID() (string, error) {
 	return GeneratePublicKeyID(&s.priv.PublicKey, s.hash)
 }
 
-func (s *RSASigner) Sign(r io.Reader) ([]byte, error) {
-	digest, err := Digest(r, s.hash)
+func (s *RSASigner) Sign(ctx context.Context, data []byte) ([]byte, error) {
+	digest, err := DigestBytes(data, s.hash)
 	if err != nil {
 		return nil, err
 	}
@@ -65,8 +65,8 @@ func (v *RSAVerifier) KeyID() (string, error) {
 	return GeneratePublicKeyID(v.pub, v.hash)
 }
 
-func (v *RSAVerifier) Verify(data io.Reader, sig []byte) error {
-	digest, err := Digest(data, v.hash)
+func (v *RSAVerifier) Verify(ctx context.Context, data []byte, sig []byte) error {
+	digest, err := DigestBytes(data, v.hash)
 	if err != nil {
 		return err
 	}
@@ -79,6 +79,10 @@ func (v *RSAVerifier) Verify(data io.Reader, sig []byte) error {
 	return rsa.VerifyPSS(v.pub, v.hash, digest, sig, pssOpts)
 }
 
+func (v *RSAVerifier) Public() crypto.PublicKey {
+	return v.pub
+}
+
 func (v *RSAVerifier) Bytes() ([]byte, error) {
 	return PublicPemBytes(v.pub)
 }
diff --git a/cryptoutil/signer.go b/cryptoutil/signer.go
@@ -15,6 +15,7 @@
 package cryptoutil
 
 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -32,16 +33,23 @@ func (e ErrUnsupportedKeyType) Error() string {
 	return fmt.Sprintf("unsupported signer key type: %v", e.t)
 }
 
-type Signer interface {
-	KeyIdentifier
-	Sign(r io.Reader) ([]byte, error)
-	Verifier() (Verifier, error)
+type SignerVerifier struct {
+	Signer
+	Verifier
+}
+
+// NOTE: Signer verifier required this function and I don't know why
+func (sv SignerVerifier) KeyID() (string, error) {
+	return sv.Signer.KeyID()
 }
 
-type KeyIdentifier interface {
+type Signer interface {
 	KeyID() (string, error)
+	Sign(ctx context.Context, data []byte) ([]byte, error)
 }
 
+type KeyIdentifier interface{}
+
 type TrustBundler interface {
 	Certificate() *x509.Certificate
 	Intermediates() []*x509.Certificate

diff --git a/cryptoutil/util.go b/cryptoutil/util.go
@@ -78,9 +78,6 @@ func PublicPemBytes(pub interface{}) ([]byte, error) {
 	}
 
 	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: keyBytes})
-	if err != nil {
-		return nil, err
-	}
 
 	return pemBytes, err
 }

diff --git a/cryptoutil/verifier.go b/cryptoutil/verifier.go
@@ -15,6 +15,7 @@
 package cryptoutil
 
 import (
+	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -26,9 +27,9 @@ import (
 )
 
 type Verifier interface {
-	KeyIdentifier
-	Verify(body io.Reader, sig []byte) error
-	Bytes() ([]byte, error)
+	Verify(ctx context.Context, data, sig []byte) error
+	KeyID() (string, error)
+	Public() crypto.PublicKey
 }
 
 type VerifierOption func(*verifierOptions)

diff --git a/cryptoutil/x509.go b/cryptoutil/x509.go
@@ -15,9 +15,10 @@
 package cryptoutil
 
 import (
+	"context"
+	"crypto"
 	"crypto/x509"
 	"encoding/pem"
-	"io"
 	"time"
 )
 
@@ -48,7 +49,7 @@ func (v *X509Verifier) KeyID() (string, error) {
 	return v.verifier.KeyID()
 }
 
-func (v *X509Verifier) Verify(body io.Reader, sig []byte) error {
+func (v *X509Verifier) Verify(ctx context.Context, body []byte, sig []byte) error {
 	rootPool := certificatesToPool(v.roots)
 	intermediatePool := certificatesToPool(v.intermediates)
 	if _, err := v.cert.Verify(x509.VerifyOptions{
@@ -60,7 +61,12 @@ func (v *X509Verifier) Verify(body io.Reader, sig []byte) error {
 		return err
 	}
 
-	return v.verifier.Verify(body, sig)
+	return v.verifier.Verify(context.TODO(), body, sig)
+}
+
+// TODO: THIS NEEDS TESTED
+func (v *X509Verifier) Public() crypto.PublicKey {
+	return (crypto.PublicKey)(v.cert.PublicKey)
 }
 
 func (v *X509Verifier) BelongsToRoot(root *x509.Certificate) error {
@@ -133,12 +139,18 @@ func (s *X509Signer) KeyID() (string, error) {
 	return s.signer.KeyID()
 }
 
-func (s *X509Signer) Sign(r io.Reader) ([]byte, error) {
-	return s.signer.Sign(r)
+func (s *X509Signer) Sign(ctx context.Context, data []byte) ([]byte, error) {
+	return s.signer.Sign(ctx, data)
+}
+
+// TODO: THIS NEEDS TESTED
+func (s *X509Signer) Public() crypto.PublicKey {
+	return (crypto.PublicKey)(s.cert.PublicKey)
 }
 
 func (s *X509Signer) Verifier() (Verifier, error) {
-	verifier, err := s.signer.Verifier()
+	// Left trustedTime as time.Time{} for now, this may need to be changed
+	verifier, err := NewX509Verifier(s.cert, s.intermediates, s.roots, time.Time{})
 	if err != nil {
 		return nil, err
 	}

diff --git a/dsse/sign.go b/dsse/sign.go
@@ -47,7 +47,7 @@ func SignWithTimestampers(timestampers ...Timestamper) SignOption {
 	}
 }
 
-func Sign(bodyType string, body io.Reader, opts ...SignOption) (Envelope, error) {
+func Sign(bodyType string, body []byte, opts ...SignOption) (Envelope, error) {
 	so := &signOptions{}
 	env := Envelope{}
 	for _, opt := range opts {
@@ -58,17 +58,12 @@ func Sign(bodyType string, body io.Reader, opts ...SignOption) (Envelope, error)
 		return env, fmt.Errorf("must have at least one signer, have %v", len(so.signers))
 	}
 
-	bodyBytes, err := io.ReadAll(body)
-	if err != nil {
-		return env, err
-	}
-
 	env.PayloadType = bodyType
-	env.Payload = bodyBytes
+	env.Payload = body
 	env.Signatures = make([]Signature, 0)
-	pae := preauthEncode(bodyType, bodyBytes)
+	pae := preauthEncode(bodyType, body)
 	for _, signer := range so.signers {
-		sig, err := signer.Sign(bytes.NewReader(pae))
+		sig, err := signer.Sign(context.TODO(), pae)
 		if err != nil {
 			return env, err
 		}

diff --git a/go.mod b/go.mod
@@ -44,6 +44,7 @@ require (
 	github.com/pjbgf/sha1cd v0.2.3 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
+	github.com/secure-systems-lab/go-securesystemslib v0.7.0 // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
 	github.com/skeema/knownhosts v1.1.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect

diff --git a/go.sum b/go.sum
@@ -171,6 +171,8 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqn
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
+github.com/secure-systems-lab/go-securesystemslib v0.7.0 h1:OwvJ5jQf9LnIAS83waAjPbcMsODrTQUpJ02eNLUoxBg=
+github.com/secure-systems-lab/go-securesystemslib v0.7.0/go.mod h1:/2gYnlnHVQ6xeGtfIqFy7Do03K4cdCY0A/GlJLDKLHI=
 github.com/segmentio/ksuid v1.0.4 h1:sBo2BdShXjmcugAMwjugoGUdUV0pcxY5mW4xKRn3v4c=
 github.com/segmentio/ksuid v1.0.4/go.mod h1:/XUiZBD3kVx5SmUOl55voK5yeAbBNNIed+2O73XgrPE=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=

diff --git a/signature/envelope/dsse/dsse.go b/signature/envelope/dsse/dsse.go
@@ -0,0 +1,42 @@
+package dsse
+
+import (
+	"crypto"
+	"fmt"
+
+	"github.com/in-toto/go-witness/cryptoutil"
+	idsse "github.com/in-toto/go-witness/dsse"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+type DSSEEnvelope struct {
+	Envelope *dsse.Envelope
+}
+
+func (e *DSSEEnvelope) Sign(signer *crypto.Signer, opts ...cryptoutil.SignerOption) (interface{}, error) {
+	if e.Envelope.PayloadType == "" || e.Envelope.Payload == "" {
+		return nil, fmt.Errorf("PayloadType and Payload not populated correctly")
+	}
+
+	s, err := cryptoutil.NewSigner(signer)
+	if err != nil {
+		return nil, err
+	}
+
+	v, err := cryptoutil.NewVerifier(signer)
+	if err != nil {
+		return nil, err
+	}
+
+	sv := cryptoutil.SignerVerifier{
+		Signer:   s,
+		Verifier: v,
+	}
+
+	se, err := idsse.Sign(e.Envelope.PayloadType, []byte(e.Envelope.Payload), idsse.SignWithSigners(sv.Signer))
+	if err != nil {
+		return nil, err
+	}
+
+	return se, nil
+}
diff --git a/signature/envelope/envelope.go b/signature/envelope/envelope.go
@@ -0,0 +1,21 @@
+package envelope
+
+import (
+	"crypto"
+
+	"github.com/in-toto/go-witness/cryptoutil"
+)
+
+// Envelope provides basic functions to manipulate signatures.
+type Envelope interface {
+	// Sign generates and sign the envelope according to the sign request.
+	Sign(signer *crypto.Signer, opts ...cryptoutil.SignerOption) (interface{}, error)
+
+	// Verify verifies the envelope and returns its enclosed payload and signer
+	// info.
+	Verify(pub *crypto.PublicKey, opts ...cryptoutil.VerifierOption) (interface{}, error)
+
+	// Content returns the payload and signer information of the envelope.
+	// Content is trusted only after the successful call to `Verify()`.
+	Content() ([]byte, error)
+}