

incorporate code reviews
siretart committed Nov 13, 2023
1 parent 03eaf40 commit 199c207
Showing 9 changed files with 62 additions and 4 deletions.
3 changes: 3 additions & 0 deletions signature/fulcio_cert.go
@@ -1,3 +1,6 @@
//go:build !containers_image_fulcio_stub
// +build !containers_image_fulcio_stub

package signature

import (
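--- /dev/null
+++ b/signature/fulcio_cert_stub.go
@@ -0,0 +1,28 @@
+//go:build containers_image_fulcio_stub
+// +build containers_image_fulcio_stub
+
+package signature
+
+import (
+"crypto"
+"crypto/ecdsa"
+"crypto/x509"
+"errors"
+)
+
+type fulcioTrustRoot struct {
+caCertificates *x509.CertPool
+oidcIssuer string
+subjectEmail string
+}
+
+func (f *fulcioTrustRoot) validate() error {
+return errors.New("fulcio disabled at compile-time")
+}
+
+func verifyRekorFulcio(rekorPublicKey *ecdsa.PublicKey, fulcioTrustRoot *fulcioTrustRoot, untrustedRekorSET []byte,
+untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte, untrustedBase64Signature string,
+untrustedPayloadBytes []byte) (crypto.PublicKey, error) {
+return nil, errors.New("fulcio diabled at compile-time")
+
+}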
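Review bot: The error string returned by verifyRekorFulcio, `errors.New("fulcio diabled at compile-time")`, misspells "disabled"; it should read `return nil, errors.New("fulcio disabled at compile-time")`. The wording also differs from the sibling stubs in this commit, which say "fulcio disabled at compile time" and "rekor disabled at build time", and settling on one phrasing makes the stub condition easy to grep for in logs. The blank line before verifyRekorFulcio's closing brace is something gofmt would drop. Both validate and verifyRekorFulcio fail closed, which is the right default for a verifier that is compiled out; unlike the rekor stub, though, this one returns a plain errors.New rather than an invalid-signature error, so callers that classify errors by type may see the two stubs differently — worth confirming against the non-stub verifyRekorFulcio.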
3 changes: 3 additions & 0 deletions signature/fulcio_cert_test.go
@@ -1,3 +1,6 @@
//go:build !containers_image_fulcio_stub
// +build !containers_image_fulcio_stub

package signature

import (
3 changes: 3 additions & 0 deletions signature/internal/rekor_set.go
@@ -1,3 +1,6 @@
//go:build !containers_image_rekor_stub
// +build !containers_image_rekor_stub

package internal

import (
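--- /dev/null
+++ b/signature/internal/rekor_set_stub.go
@@ -0,0 +1,15 @@
+//go:build containers_image_rekor_stub
+// +build containers_image_rekor_stub
+
+package internal
+
+import (
+"crypto/ecdsa"
+"time"
+)
+
+// VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data.
+// Returns bundle upload time on success.
+func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error) {
+return time.Time{}, NewInvalidSignatureError("rekor disabled at compile-time")
+}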
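Review bot: The doc comment on VerifyRekorSET describes the real implementation ("verifies that unverifiedRekorSET is correctly signed by publicKey … Returns bundle upload time on success"), but this stub verifies nothing and never succeeds, so the comment now misdocuments the build-tagged variant. Suggested replacement: `// VerifyRekorSET is the containers_image_rekor_stub variant: it performs no verification and always rejects the SET with an invalid-signature error.` Failing closed here is the right choice, since a policy that requires Rekor cannot be satisfied without the verifier, and the comment should state that rather than promise a result the stub cannot produce.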
3 changes: 3 additions & 0 deletions signature/internal/rekor_set_test.go
@@ -1,3 +1,6 @@
//go:build !containers_image_rekor_stub
// +build !containers_image_rekor_stub

package internal

import (
3 changes: 3 additions & 0 deletions signature/policy_eval_sigstore_test.go
@@ -1,3 +1,6 @@
//go:build !containers_image_fulcio_stub
// +build !containers_image_fulcio_stub

// Policy evaluation for prCosignSigned.

package signature
Expand Up @@ -13,7 +13,7 @@ import (

func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
return func(s *internal.SigstoreSigner) error {
return fmt.Errorf("Fulcio disabled at compile time")
return fmt.Errorf("fulcio disabled at compile time")
}
}

Expand All @@ -24,7 +24,7 @@ func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string)
func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
interactiveOutput io.Writer) internal.Option {
return func(s *internal.SigstoreSigner) error {
return fmt.Errorf("Fulcio disabled at compile time")
return fmt.Errorf("fulcio disabled at compile time")
}
}

Expand All @@ -40,6 +40,6 @@ func WithFulcioAndDeviceAuthorizationGrantOIDC(fulcioURL *url.URL, oidcIssuerURL
func WithFulcioAndInteractiveOIDC(fulcioURL *url.URL, oidcIssuerURL *url.URL, oidcClientID, oidcClientSecret string,
interactiveInput io.Reader, interactiveOutput io.Writer) internal.Option {
return func(s *internal.SigstoreSigner) error {
return fmt.Errorf("Fulcio disabled at compile time")
return fmt.Errorf("fulcio disabled at compile time")
}
}
Expand Up @@ -12,6 +12,6 @@ import (

func WithRekor(rekorURL *url.URL) signerInternal.Option {
return func(s *signerInternal.SigstoreSigner) error {
return fmt.Errorf("Rekor disabled at build time")
return fmt.Errorf("rekor disabled at build time")
}
}
