Add support for Ed25519ph Signer/Verifier

pkg/signature/ed25519ph.go

@@ -0,0 +1,201 @@
+//
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package signature
+
+import (
+	"crypto"
+	"crypto/ed25519"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/sigstore/sigstore/pkg/signature/options"
+)
+
+var ed25519phSupportedHashFuncs = []crypto.Hash{
+	crypto.SHA512,
+}
+
+// ED25519phSigner is a signature.Signer that uses the Ed25519 public-key signature system with pre-hashing
+type ED25519phSigner struct {
+	priv ed25519.PrivateKey
+}
+
+// LoadED25519phSigner calculates signatures using the specified private key.
+func LoadED25519phSigner(priv ed25519.PrivateKey) (*ED25519phSigner, error) {
+	if priv == nil {
+		return nil, errors.New("invalid ED25519 private key specified")
+	}
+
+	return &ED25519phSigner{
+		priv: priv,
+	}, nil
+}
+
+// SignMessage signs the provided message. If the message is provided,
+// this method will compute the digest according to the hash function specified
+// when the ED25519phSigner was created.
+//
+// This function recognizes the following Options listed in order of preference:
+//
+// - WithDigest()
+//
+// All other options are ignored if specified.
+func (e ED25519phSigner) SignMessage(message io.Reader, opts ...SignOption) ([]byte, error) {
+	digest, _, err := ComputeDigestForSigning(message, crypto.SHA512, ed25519phSupportedHashFuncs, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return e.priv.Sign(nil, digest, crypto.SHA512)
+}
+
+// Public returns the public key that can be used to verify signatures created by
+// this signer.
+func (e ED25519phSigner) Public() crypto.PublicKey {
+	if e.priv == nil {
+		return nil
+	}
+
+	return e.priv.Public()
+}
+
+// PublicKey returns the public key that can be used to verify signatures created by
+// this signer. As this value is held in memory, all options provided in arguments
+// to this method are ignored.
+func (e ED25519phSigner) PublicKey(_ ...PublicKeyOption) (crypto.PublicKey, error) {
+	return e.Public(), nil
+}
+
+// Sign computes the signature for the specified message; the first and third arguments to this
+// function are ignored as they are not used by the ED25519ph algorithm.
+func (e ED25519phSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
+	return e.SignMessage(nil, options.WithDigest(digest))
+}
+
+// ED25519phVerifier is a signature.Verifier that uses the Ed25519 public-key signature system
+type ED25519phVerifier struct {
+	publicKey ed25519.PublicKey
+}
+
+// LoadED25519phVerifier returns a Verifier that verifies signatures using the
+// specified ED25519 public key.
+func LoadED25519phVerifier(pub ed25519.PublicKey) (*ED25519phVerifier, error) {
+	if pub == nil {
+		return nil, errors.New("invalid ED25519 public key specified")
+	}
+
+	return &ED25519phVerifier{
+		publicKey: pub,
+	}, nil
+}
+
+// PublicKey returns the public key that is used to verify signatures by
+// this verifier. As this value is held in memory, all options provided in arguments
+// to this method are ignored.
+func (e *ED25519phVerifier) PublicKey(_ ...PublicKeyOption) (crypto.PublicKey, error) {
+	return e.publicKey, nil
+}
+
+// VerifySignature verifies the signature for the given message. Unless provided
+// in an option, the digest of the message will be computed using the hash function specified
+// when the ED25519phVerifier was created.
+//
+// This function returns nil if the verification succeeded, and an error message otherwise.
+//
+// This function recognizes the following Options listed in order of preference:
+//
+// - WithDigest()
+//
+// All other options are ignored if specified.
+func (e *ED25519phVerifier) VerifySignature(signature, message io.Reader, opts ...VerifyOption) error {
+	if signature == nil {
+		return errors.New("nil signature passed to VerifySignature")
+	}
+
+	digest, _, err := ComputeDigestForVerifying(message, crypto.SHA512, ed25519phSupportedHashFuncs, opts...)
+	if err != nil {
+		return err
+	}
+
+	sigBytes, err := io.ReadAll(signature)
+	if err != nil {
+		return fmt.Errorf("reading signature: %w", err)
+	}
+
+	if err := ed25519.VerifyWithOptions(e.publicKey, digest, sigBytes, &ed25519.Options{Hash: crypto.SHA512}); err != nil {
+		return fmt.Errorf("failed to verify signature: %w", err)
+	}
+	return nil
+}
+
+// ED25519phSignerVerifier is a signature.SignerVerifier that uses the Ed25519 public-key signature system
+type ED25519phSignerVerifier struct {
+	*ED25519phSigner
+	*ED25519phVerifier
+}
+
+// LoadED25519phSignerVerifier creates a combined signer and verifier. This is
+// a convenience object that simply wraps an instance of ED25519phSigner and ED25519phVerifier.
+func LoadED25519phSignerVerifier(priv ed25519.PrivateKey) (*ED25519phSignerVerifier, error) {
+	signer, err := LoadED25519phSigner(priv)
+	if err != nil {
+		return nil, fmt.Errorf("initializing signer: %w", err)
+	}
+	pub, ok := priv.Public().(ed25519.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("given key is not ed25519.PublicKey")
+	}
+	verifier, err := LoadED25519phVerifier(pub)
+	if err != nil {
+		return nil, fmt.Errorf("initializing verifier: %w", err)
+	}
+
+	return &ED25519phSignerVerifier{
+		ED25519phSigner:   signer,
+		ED25519phVerifier: verifier,
+	}, nil
+}
+
+// NewDefaultED25519phSignerVerifier creates a combined signer and verifier using ED25519.
+// This creates a new ED25519 key using crypto/rand as an entropy source.
+func NewDefaultED25519phSignerVerifier() (*ED25519phSignerVerifier, ed25519.PrivateKey, error) {
+	return NewED25519phSignerVerifier(rand.Reader)
+}
+
+// NewED25519phSignerVerifier creates a combined signer and verifier using ED25519.
+// This creates a new ED25519 key using the specified entropy source.
+func NewED25519phSignerVerifier(rand io.Reader) (*ED25519phSignerVerifier, ed25519.PrivateKey, error) {
+	_, priv, err := ed25519.GenerateKey(rand)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	sv, err := LoadED25519phSignerVerifier(priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return sv, priv, nil
+}
+
+// PublicKey returns the public key that is used to verify signatures by
+// this verifier. As this value is held in memory, all options provided in arguments
+// to this method are ignored.
+func (e ED25519phSignerVerifier) PublicKey(_ ...PublicKeyOption) (crypto.PublicKey, error) {
+	return e.publicKey, nil
+}

pkg/signature/ed25519ph_test.go

@@ -0,0 +1,88 @@
+//
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package signature
+
+import (
+	"crypto"
+	"crypto/ed25519"
+	"encoding/base64"
+	"testing"
+
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+)
+
+// Generated with:
+// openssl genpkey -algorithm ed25519 -outform PEM -out -
+const ed25519phPriv = `-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIFP9CZb6J1DiOLfdIkPfy1bwBOCjEG6KR/cIdhw90J1H
+-----END PRIVATE KEY-----`
+
+// Extracted from above with:
+// openssl ec -in ec_private.pem -pubout
+const ed25519phPub = `-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEA9wy4umF4RHQ8UQXo8fzEQNBWE4GsBMkCzQPAfHvkf/s=
+-----END PUBLIC KEY-----`
+
+func TestED25519phSignerVerifier(t *testing.T) {
+	privateKey, err := cryptoutils.UnmarshalPEMToPrivateKey([]byte(ed25519phPriv), cryptoutils.SkipPassword)
+	if err != nil {
+		t.Fatalf("unexpected error unmarshalling public key: %v", err)
+	}
+	edPriv, ok := privateKey.(ed25519.PrivateKey)
+	if !ok {
+		t.Fatalf("expected ed25519.PrivateKey")
+	}
+
+	sv, err := LoadED25519phSignerVerifier(edPriv)
+	if err != nil {
+		t.Fatalf("unexpected error creating signer/verifier: %v", err)
+	}
+
+	message := []byte("sign me")
+	sig, _ := base64.StdEncoding.DecodeString("9D4pA8jutZnbqKy4fFRl+kDsVUCO50qrOD1lxmsiUFk6NX+7OXUK5BCMkE2KYPRDxjkDFBzbDZEQhaFdDV5tDg==")
+	testingSigner(t, sv, "ed25519ph", crypto.SHA512, message)
+	testingVerifier(t, sv, "ed25519ph", crypto.SHA512, sig, message)
+	pub, err := sv.PublicKey()
+	if err != nil {
+		t.Fatalf("unexpected error from PublicKey(): %v", err)
+	}
+	assertPublicKeyIsx509Marshalable(t, pub)
+}
+
+func TestED25519phVerifier(t *testing.T) {
+	publicKey, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(ed25519phPub))
+	if err != nil {
+		t.Fatalf("unexpected error unmarshalling public key: %v", err)
+	}
+	edPub, ok := publicKey.(ed25519.PublicKey)
+	if !ok {
+		t.Fatalf("public key is not ed25519")
+	}
+
+	v, err := LoadED25519phVerifier(edPub)
+	if err != nil {
+		t.Fatalf("unexpected error creating verifier: %v", err)
+	}
+
+	message := []byte("sign me")
+	sig, _ := base64.StdEncoding.DecodeString("9D4pA8jutZnbqKy4fFRl+kDsVUCO50qrOD1lxmsiUFk6NX+7OXUK5BCMkE2KYPRDxjkDFBzbDZEQhaFdDV5tDg==")
+	testingVerifier(t, v, "ed25519ph", crypto.SHA512, sig, message)
+	pub, err := v.PublicKey()
+	if err != nil {
+		t.Fatalf("unexpected error from PublicKey(): %v", err)
+	}
+	assertPublicKeyIsx509Marshalable(t, pub)
+}

pkg/signature/options.go

@@ -18,6 +18,7 @@ package signature
 import (
 	"context"
 	"crypto"
+	"crypto/rsa"
 	"io"
 
 	"github.com/sigstore/sigstore/pkg/signature/options"
@@ -55,3 +56,10 @@ type VerifyOption interface {
 	RPCOption
 	MessageOption
 }
+
+// LoadOption specifies options to be used when creating a Signer/Verifier
+type LoadOption interface {
+	ApplyHash(*crypto.Hash)
+	ApplyED25519ph(*bool)
+	ApplyRSAPSS(**rsa.PSSOptions)
+}

pkg/signature/options/loadoptions.go

@@ -0,0 +1,76 @@
+//
+// Copyright 2024 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package options
+
+import (
+	"crypto"
+	"crypto/rsa"
+)
+
+// RequestHash implements the functional option pattern for setting a Hash
+// function when loading a signer or verifier
+type RequestHash struct {
+	NoOpOptionImpl
+	hashFunc crypto.Hash
+}
+
+// ApplyHash sets the hash as requested by the functional option
+func (r RequestHash) ApplyHash(hash *crypto.Hash) {
+	*hash = r.hashFunc
+}
+
+// WithHash specifies that the given hash function should be used when loading a signer or verifier
+func WithHash(hash crypto.Hash) RequestHash {
+	return RequestHash{hashFunc: hash}
+}
+
+// RequestED25519ph implements the functional option pattern for specifying
+// ED25519ph (pre-hashed) should be used when loading a signer or verifier and a
+// ED25519 key is
+type RequestED25519ph struct {
+	NoOpOptionImpl
+	useED25519ph bool
+}
+
+// ApplyED25519ph sets the ED25519ph flag as requested by the functional option
+func (r RequestED25519ph) ApplyED25519ph(useED25519ph *bool) {
+	*useED25519ph = r.useED25519ph
+}
+
+// WithED25519ph specifies that the ED25519ph algorithm should be used when a ED25519 key is used
+func WithED25519ph() RequestED25519ph {
+	return RequestED25519ph{useED25519ph: true}
+}
+
+// RequestPSSOptions implements the functional option pattern for specifying RSA
+// PSS should be used when loading a signer or verifier and a RSA key is
+// detected
+type RequestPSSOptions struct {
+	NoOpOptionImpl
+	opts *rsa.PSSOptions
+}
+
+// ApplyRSAPSS sets the RSAPSS options as requested by the functional option
+func (r RequestPSSOptions) ApplyRSAPSS(opts **rsa.PSSOptions) {
+	*opts = r.opts
+}
+
+// WithRSAPSS specifies that the RSAPSS algorithm should be used when a RSA key is used
+// Note that the RSA PSSOptions contains an hash algorithm, which will override
+// the hash function specified with WithHash.
+func WithRSAPSS(opts *rsa.PSSOptions) RequestPSSOptions {
+	return RequestPSSOptions{opts: opts}
+}