Skip to content

Commit

Permalink
Attempt verification with ED25519 if ED25519ph is used for compatibility
Browse files Browse the repository at this point in the history 
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
  • Loading branch information
@ret2libc
ret2libc committed Jan 30, 2024
1 parent 25ea5fd commit 0bf4bce
Showing 1 changed file with 29 additions and 2 deletions.
31 changes: 29 additions & 2 deletions pkg/cosign/verify.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/ed25519"
"crypto/sha256"
"crypto/sha512"
"crypto/x509"
Expand Down Expand Up @@ -260,15 +261,41 @@ func verifyOCISignature(ctx context.Context, verifier signature.Verifier, sig pa
if err != nil {
return err
}
signature, err := base64.StdEncoding.DecodeString(b64sig)
decodedSignature, err := base64.StdEncoding.DecodeString(b64sig)
if err != nil {
return err
}
payload, err := sig.Payload()
if err != nil {
return err
}
return verifier.VerifySignature(bytes.NewReader(signature), bytes.NewReader(payload), options.WithContext(ctx))
// For compatibility reasons, if ED25519ph is used, we try both ED25519 and ED25519ph.
// Refusing to verify ED25519 signatures (used e.g. by rekord entries) would break compatibility.
// The signature algorithm to use should be uniquely determined before this point.
verificationErr := verifier.VerifySignature(bytes.NewReader(decodedSignature), bytes.NewReader(payload), options.WithContext(ctx))
if verificationErr == nil {
return nil
}

switch verifier.(type) {
case *signature.ED25519phVerifier:
publicKey, err := verifier.PublicKey()
if err != nil {
return err
}

if edPublicKey, ok := publicKey.(ed25519.PublicKey); ok {
altVerifier, err := signature.LoadED25519Verifier(edPublicKey)
if err != nil {
return err
}

fmt.Fprintf(os.Stderr, "Failed to verify signature with ED25519ph, falling back to ED25519 for backward compatibility.\n")
verificationErr = altVerifier.VerifySignature(bytes.NewReader(decodedSignature), bytes.NewReader(payload), options.WithContext(ctx))
}
}

return verificationErr
}

// ValidateAndUnpackCert creates a Verifier from a certificate. Verifies that the
Expand Down

0 comments on commit 0bf4bce

Please sign in to comment.