Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Signed-off-by: Brian DeHamer <[email protected]>
  • Loading branch information
bdehamer authored Jul 3, 2023
1 parent 5baf6a2 commit 9238682
Show file tree
Hide file tree
Showing 15 changed files with 207 additions and 224 deletions.
2 changes: 0 additions & 2 deletions DEPENDENCIES.md
Original file line number Diff line number Diff line change
Expand Up @@ -769,8 +769,6 @@ graph LR;
sigstore-->make-fetch-happen;
sigstore-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
sigstore-->sigstore-tuf["@sigstore/tuf"];
sigstore-->tuf-js;
sigstore-tuf-->make-fetch-happen;
sigstore-tuf-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
sigstore-tuf-->tuf-js;
socks-->ip;
Expand Down
12 changes: 4 additions & 8 deletions node_modules/@sigstore/tuf/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sigstore/tuf",
"version": "1.0.0",
"version": "1.0.2",
"description": "Client for the Sigstore TUF repository",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand All @@ -27,17 +27,13 @@
"provenance": true
},
"devDependencies": {
"@total-typescript/shoehorn": "^0.1.0",
"@sigstore/jest": "^0.0.0",
"@tufjs/repo-mock": "^1.1.0",
"@types/node": "^20.2.5",
"nock": "^13.2.4",
"shx": "^0.3.3",
"typescript": "^5.1.3"
"@types/make-fetch-happen": "^10.0.0"
},
"dependencies": {
"@sigstore/protobuf-specs": "^0.1.0",
"tuf-js": "^1.1.3",
"make-fetch-happen": "^11.0.1"
"tuf-js": "^1.1.7"
},
"engines": {
"node": "^14.17.0 || ^16.13.0 || >=18.0.0"
Expand Down
48 changes: 0 additions & 48 deletions node_modules/sigstore/dist/merkle/digest.js

This file was deleted.

22 changes: 0 additions & 22 deletions node_modules/sigstore/dist/merkle/index.js

This file was deleted.

78 changes: 0 additions & 78 deletions node_modules/sigstore/dist/merkle/verify.js

This file was deleted.

2 changes: 1 addition & 1 deletion node_modules/sigstore/dist/sigstore-utils.js
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,6 @@ async function createRekorEntry(dsseEnvelope, publicKey, options = {}) {
signature: sigMaterial,
tlogEntry: entry,
});
return sigstore.Bundle.toJSON(bundle);
return sigstore.bundleToJSON(bundle);
}
exports.createRekorEntry = createRekorEntry;
24 changes: 21 additions & 3 deletions node_modules/sigstore/dist/sigstore.js
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.verify = exports.attest = exports.sign = void 0;
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
/*
Copyright 2023 The Sigstore Authors.
Expand Down Expand Up @@ -57,7 +57,7 @@ async function sign(payload, options = {}) {
tlogUpload: options.tlogUpload,
});
const bundle = await signer.signBlob(payload);
return sigstore.Bundle.toJSON(bundle);
return sigstore.bundleToJSON(bundle);
}
exports.sign = sign;
async function attest(payload, payloadType, options = {}) {
Expand All @@ -75,7 +75,7 @@ async function attest(payload, payloadType, options = {}) {
tlogUpload: options.tlogUpload,
});
const bundle = await signer.signAttestation(payload, payloadType);
return sigstore.Bundle.toJSON(bundle);
return sigstore.bundleToJSON(bundle);
}
exports.attest = attest;
async function verify(bundle, payload, options = {}) {
Expand All @@ -92,6 +92,24 @@ async function verify(bundle, payload, options = {}) {
return verifier.verify(deserializedBundle, opts, payload);
}
exports.verify = verify;
async function createVerifier(options) {
const trustedRoot = await tuf.getTrustedRoot({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry ?? config.DEFAULT_RETRY,
timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
});
const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
const verifyOpts = config.artifactVerificationOptions(options);
return {
verify: (bundle) => {
const deserializedBundle = sigstore.bundleFromJSON(bundle);
return verifier.verify(deserializedBundle, verifyOpts);
},
};
}
exports.createVerifier = createVerifier;
const tufUtils = {
client: (options = {}) => {
return tuf.initTUF({
Expand Down
10 changes: 9 additions & 1 deletion node_modules/sigstore/dist/tlog/verify/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ limitations under the License.
*/
const error_1 = require("../../error");
const sigstore = __importStar(require("../../types/sigstore"));
const cert_1 = require("../../x509/cert");
const body_1 = require("./body");
const set_1 = require("./set");
// Verifies that the number of tlog entries that pass offline verification
Expand All @@ -50,7 +51,7 @@ function verifyTLogEntries(bundle, trustedRoot, options) {
throw new error_1.VerificationError('Online verification not implemented');
}
// Extract the signing cert, if available
const signingCert = sigstore.signingCertificate(bundle);
const signingCert = signingCertificate(bundle);
// Iterate over the tlog entries and verify each one
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryOffline(entry, bundle.content, trustedRoot.tlogs, signingCert));
if (verifiedEntries.length < options.threshold) {
Expand All @@ -73,3 +74,10 @@ function verifyTLogEntryOffline(entry, bundleContent, tlogs, signingCert) {
(0, set_1.verifyTLogSET)(entry, tlogs) &&
verifyTLogIntegrationTime());
}
function signingCertificate(bundle) {
if (!sigstore.isBundleWithCertificateChain(bundle)) {
return undefined;
}
const signingCert = bundle.verificationMaterial.content.x509CertificateChain.certificates[0];
return cert_1.x509Certificate.parse(signingCert.rawBytes);
}
109 changes: 109 additions & 0 deletions node_modules/sigstore/dist/tlog/verify/merkle.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyMerkleInclusion = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const crypto_1 = __importDefault(require("crypto"));
const error_1 = require("../../error");
const RFC6962_LEAF_HASH_PREFIX = Buffer.from([0x00]);
const RFC6962_NODE_HASH_PREFIX = Buffer.from([0x01]);
function verifyMerkleInclusion(entry) {
const inclusionProof = entry.inclusionProof;
if (!inclusionProof) {
throw new error_1.VerificationError('tlog entry has no inclusion proof');
}
const logIndex = BigInt(inclusionProof.logIndex);
const treeSize = BigInt(inclusionProof.treeSize);
if (logIndex < 0n || logIndex >= treeSize) {
throw new error_1.VerificationError('invalid inclusion proof index');
}
// Figure out which subset of hashes corresponds to the inner and border
// nodes
const { inner, border } = decompInclProof(logIndex, treeSize);
if (inclusionProof.hashes.length !== inner + border) {
throw new error_1.VerificationError('invalid inclusion proof length');
}
const innerHashes = inclusionProof.hashes.slice(0, inner);
const borderHashes = inclusionProof.hashes.slice(inner);
// The entry's hash is the leaf hash
const leafHash = hashLeaf(entry.canonicalizedBody);
// Chain the hashes belonging to the inner and border portions
const calculatedHash = chainBorderRight(chainInner(leafHash, innerHashes, logIndex), borderHashes);
// Calculated hash should match the root hash in the inclusion proof
return bufferEqual(calculatedHash, inclusionProof.rootHash);
}
exports.verifyMerkleInclusion = verifyMerkleInclusion;
// Breaks down inclusion proof for a leaf at the specified index in a tree of
// the specified size. The split point is where paths to the index leaf and
// the (size - 1) leaf diverge. Returns lengths of the bottom and upper proof
// parts.
function decompInclProof(index, size) {
const inner = innerProofSize(index, size);
const border = onesCount(index >> BigInt(inner));
return { inner, border };
}
// Computes a subtree hash for a node on or below the tree's right border.
// Assumes the provided proof hashes are ordered from lower to higher levels
// and seed is the initial hash of the node specified by the index.
function chainInner(seed, hashes, index) {
return hashes.reduce((acc, h, i) => {
if ((index >> BigInt(i)) & BigInt(1)) {
return hashChildren(h, acc);
}
else {
return hashChildren(acc, h);
}
}, seed);
}
// Computes a subtree hash for nodes along the tree's right border.
function chainBorderRight(seed, hashes) {
return hashes.reduce((acc, h) => hashChildren(h, acc), seed);
}
function innerProofSize(index, size) {
return (index ^ (size - BigInt(1))).toString(2).length;
}
// Counts the number of ones in the binary representation of the given number.
// https://en.wikipedia.org/wiki/Hamming_weight
function onesCount(x) {
return x.toString(2).split('1').length - 1;
}
// Hashing logic according to RFC6962.
// https://datatracker.ietf.org/doc/html/rfc6962#section-2
function hashChildren(left, right) {
const hasher = crypto_1.default.createHash('sha256');
hasher.update(RFC6962_NODE_HASH_PREFIX);
hasher.update(left);
hasher.update(right);
return hasher.digest();
}
function hashLeaf(leaf) {
const hasher = crypto_1.default.createHash('sha256');
hasher.update(RFC6962_LEAF_HASH_PREFIX);
hasher.update(leaf);
return hasher.digest();
}
function bufferEqual(a, b) {
try {
return crypto_1.default.timingSafeEqual(a, b);
}
catch {
/* istanbul ignore next */
return false;
}
}
Loading

0 comments on commit 9238682

Please sign in to comment.