From 842a81a9e23add03550b9b2ea218b2769da77fe9 Mon Sep 17 00:00:00 2001
From: priyawadhwa
Date: Wed, 1 Sep 2021 20:07:11 -0400
Subject: [PATCH] Embed CT log public key (#607)
This way, we don't have to depend on users running `init` and we can error out if SCT verification fails.
Signed-off-by: Priya Wadhwa
---
 cmd/cosign/cli/fulcio/ctfe.pub | 4 ++++
 cmd/cosign/cli/fulcio/fulcio.go | 16 ++++++----------
 2 files changed, 10 insertions(+), 10 deletions(-)
 create mode 100644 cmd/cosign/cli/fulcio/ctfe.pub
diff --git a/cmd/cosign/cli/fulcio/ctfe.pub b/cmd/cosign/cli/fulcio/ctfe.pub
new file mode 100644
index 00000000000..75df6bbb9bc
--- /dev/null
+++ b/cmd/cosign/cli/fulcio/ctfe.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3Pyu
+dDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==
+-----END PUBLIC KEY-----
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index 455a4936d33..978c44ec417 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -69,7 +69,9 @@ type Resp struct {
 //go:embed fulcio.pem
 var rootPem string
-var ctPublicKeyStr = `ctfe.pub`
+// This is the CT log public key
+//go:embed ctfe.pub
+var ctPublicKey string
 var fulcioTargetStr = `fulcio.crt.pem`
 var (
@@ -146,10 +148,9 @@ func getCertForOauthID(priv *ecdsa.PrivateKey, scp signingCertProvider, connecto
 	// verify the sct
 	if err := VerifySCT(fr); err != nil {
-		fmt.Printf("Unable to verify SCT: %v\n", err)
-	} else {
-		fmt.Println("Successfully verified SCT...")
+		return Resp{}, errors.Wrap(err, "verifying SCT")
 	}
+	fmt.Println("Successfully verified SCT...")
 	return fr, nil
 }
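Review bot: The new comment `// This is the CT log public key` above `//go:embed ctfe.pub` says neither which log the key belongs to nor where ctfe.pub was obtained and how it was checked against the copy previously fetched as a TUF target, and because the key is now compiled in it can only be rotated by shipping a new cosign release. A comment along the lines of `// ctPublicKey is the PEM-encoded public key of the CT log that Fulcio-issued certificates are logged to. It is compiled in, so a CT log key rotation requires a new release; record the source and fingerprint of ctfe.pub here when updating it.` would give the next maintainer what they need. Two lines below, `fulcioTargetStr` still names a TUF target while the root (`rootPem`) and the CT key are both embedded, so this client's trust material now comes from two different sources; presumably intentional, but worth stating in the same comment. The `var (` block that follows continues outside the hunk.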
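Review bot: The success line moved below the new early return, `fmt.Println("Successfully verified SCT...")`, writes to stdout while the failure path now surfaces as a returned error that the caller presumably reports on stderr; if this CLI ever emits the certificate or signature on stdout, a progress message there corrupts that output, so `fmt.Fprintln(os.Stderr, "Successfully verified SCT...")` is the safer form. The call site uses `VerifySCT` whereas the last hunk defines `verifySCT`; presumably an exported package-level variable aliases it as a test seam, and now that SCT verification is a hard failure it is worth confirming that nothing outside tests can reassign that variable to a no-op and silently skip the check. getCertForOauthID starts and ends outside this hunk.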
@@ -158,12 +159,7 @@ func getCertForOauthID(priv *ecdsa.PrivateKey, scp signingCertProvider, connecto
 // the certificate issued by Fulcio was also added to the public CT log within
 // some defined time period
 func verifySCT(fr Resp) error {
-	buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}}
-	if err := tuf.GetTarget(context.TODO(), ctPublicKeyStr, &buf); err != nil {
-		fmt.Println("Unable to verify SCT, try running `cosign init`...")
-		return err
-	}
-	pubKey, err := cosign.PemToECDSAKey(buf.Bytes())
+	pubKey, err := cosign.PemToECDSAKey([]byte(ctPublicKey))
 	if err != nil {
 		return err
 	}
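Review bot: The `return err` right after the new `cosign.PemToECDSAKey([]byte(ctPublicKey))` call returns the parse error bare, so a caller cannot tell "the compiled-in CT key is malformed" (a build/packaging defect) apart from a genuine SCT verification failure, which matters now that the caller treats any error from this function as fatal; wrapping it as `return errors.Wrap(err, "parsing embedded CT log public key")` keeps the two cases distinguishable in the message. Since the key is a compile-time constant, a parse failure here can only come from a bad ctfe.pub in the release itself, so a unit test that parses `ctPublicKey` would catch a corrupted embed before it reaches users. The doc comment above the function still describes only the SCT check; one added sentence noting that the CT log key is compiled in and that rotating it requires a new release would replace the hint the removed `cosign init` message used to give. verifySCT continues past the end of this hunk.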