implement VerifyEd25519Signature func

in-toto · Jun 23, 2020 · 4969540 · 4969540
1 parent 14a8de0
commit 4969540
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/in_toto/keylib.go b/in_toto/keylib.go
@@ -8,6 +8,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"golang.org/x/crypto/ed25519"
 	"io/ioutil"
@@ -219,3 +220,23 @@ func GenerateEd25519Signature(signable []byte, key Key) (Signature, error) {
 
 	return signature, nil
 }
+
+/*
+VerifyEd25519Signature uses the passed Key to verify the passed Signature over the
+passed data. It returns an error if the key is not a valid ed25519 public key or
+if the signature is not valid for the data.
+*/
+func VerifyEd25519Signature(key Key, sig Signature, data []byte) error {
+	pubHex, err := hex.DecodeString(key.KeyVal.Public)
+	if err != nil {
+		return err
+	}
+	sigHex, err := hex.DecodeString(sig.Sig)
+	if err != nil {
+		return err
+	}
+	if ok := ed25519.Verify(pubHex, data, sigHex); !ok {
+		return errors.New("invalid ed25519 signature")
+	}
+	return nil
+}
diff --git a/in_toto/keylib_test.go b/in_toto/keylib_test.go
@@ -204,10 +204,16 @@ func TestGenerateEd25519Signature(t *testing.T) {
 
 	signature, err := GenerateEd25519Signature([]uint8("ohmywhatatest"), key)
 	if err != nil {
-		t.Errorf("GenerateEd25519Signature shouldn't have returned error (%s)",
+		t.Errorf("GenerateEd25519Signature shouldn't have returned an error (%s)",
 			err)
 	}
 
+	// validate signature
+	err = VerifyEd25519Signature(key, signature, []uint8("ohmywhatatest"))
+	if err != nil {
+		t.Errorf("VerifyEd25519Signature shouldn't have returned an error (%s)", err)
+	}
+
 	if signature.KeyId != key.KeyId {
 		t.Errorf("GenerateEd25519Signature should've returned matching keyids!")
 	}