

Clarify error when KMS provider fails to load
Before:

    $ KEY_REF=gcpkms://projects/test/locations/global/keyRings/test/cryptoKeys/mykey/cryptoKeyVersions/1
    $ cosign verify-blob --key $KEY_REF --signature /dev/null /dev/null
    Error: verifying blob [/dev/null]: loading public key: loading URL: unrecognized scheme: gcpkms://
    main.go:62: error during command execution: verifying blob [/dev/null]: loading public key: loading URL: unrecognized scheme: gcpkms://

After:

    $ KEY_REF=gcpkms://projects/test/locations/global/keyRings/test/cryptoKeys/mykey/cryptoKeyVersions/1
    $ cosign verify-blob --key $KEY_REF --signature /dev/null /dev/null
    Error: verifying blob [/dev/null]: loading public key: new gcp kms client: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
    main.go:62: error during command execution: verifying blob [/dev/null]: loading public key: new gcp kms client: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

Addresses #2094; I'm not sure if this fixes it, but it'll give us more
information.

Signed-off-by: Zachary Newman <z@znewman.net>
znewman01 committed Sep 3, 2022
1 parent 1ca09f2 commit cee72e1
Showing 3 changed files with 47 additions and 2 deletions.
10 changes: 9 additions & 1 deletion pkg/blob/load.go
Expand Up @@ -23,6 +23,14 @@ import (
"strings"
)

type UnrecognizedSchemeError struct {
Scheme string
}

func (e *UnrecognizedSchemeError) Error() string {
return fmt.Sprintf("loading URL: unrecognized scheme: %s", e.Scheme)
}

func LoadFileOrURL(fileRef string) ([]byte, error) {
var raw []byte
var err error
Expand Down Expand Up @@ -51,7 +59,7 @@ func LoadFileOrURL(fileRef string) ([]byte, error) {
}
raw = []byte(value)
default:
return nil, fmt.Errorf("loading URL: unrecognized scheme: %s", scheme)
return nil, &UnrecognizedSchemeError{Scheme: scheme}
}
} else {
raw, err = os.ReadFile(filepath.Clean(fileRef))
Expand Down
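Review bot: `UnrecognizedSchemeError` at the top of the first hunk is a new exported type with no doc comment, and callers need to know it is returned as a pointer (see the `&UnrecognizedSchemeError{...}` return in the second hunk) for `errors.As` to match it. I'd add `// UnrecognizedSchemeError is returned by LoadFileOrURL when fileRef carries a URL scheme it does not know how to load; match it with errors.As against a *UnrecognizedSchemeError.` above the type. The Error string echoes the caller-supplied scheme verbatim, which is fine for a CLI message but worth remembering if it is ever surfaced elsewhere. LoadFileOrURL's body continues past the end of the second hunk.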
12 changes: 11 additions & 1 deletion pkg/signature/keys.go
Expand Up @@ -43,9 +43,19 @@ func LoadPublicKey(ctx context.Context, keyRef string) (verifier signature.Verif
// verifier using the provided hash algorithm
func VerifierForKeyRef(ctx context.Context, keyRef string, hashAlgorithm crypto.Hash) (verifier signature.Verifier, err error) {
// The key could be plaintext, in a file, at a URL, or in KMS.
if kmsKey, err := kms.Get(ctx, keyRef, hashAlgorithm); err == nil {
var perr *kms.ProviderNotFoundError
kmsKey, err := kms.Get(ctx, keyRef, hashAlgorithm)
switch {
case err == nil:
// KMS specified
return kmsKey, nil
case errors.As(err, &perr):
// We can ignore ProviderNotFoundError; that just means the keyRef
// didn't match any of the KMS schemes.
default:
// But other errors indicate something more insidious; pass those
// through.
return nil, err
}

raw, err := blob.LoadFileOrURL(keyRef)
Expand Down
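Review bot: The `case errors.As(err, &perr)` branch in VerifierForKeyRef only fires if kms.Get reports an unknown scheme as a `*kms.ProviderNotFoundError`; if the sigstore package returns that error by value, the branch never matches, every plain file-path or URL keyRef drops into `default`, and key loading fails for everything — the new test covers two KMS schemes but not that fallback, so confirm an existing test loads a file-path keyRef through this function. This is a deliberate behaviour change (a credential or provider failure is now returned instead of silently degrading to treating the ref as a file path), and the function's doc comment should say so: `// A KMS error other than "no provider for this scheme" is returned as-is; the file/URL fallback is taken only when keyRef matches no registered KMS provider.` The function's body continues past the end of the hunk.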
27 changes: 27 additions & 0 deletions pkg/signature/keys_test.go
Expand Up @@ -16,10 +16,15 @@ package signature

import (
"context"
"crypto"
"errors"
"os"
"testing"

"github.com/sigstore/cosign/pkg/blob"
"github.com/sigstore/cosign/pkg/cosign"
sigsignature "github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/kms"
)

func generateKeyFile(t *testing.T, tmpDir string, pf cosign.PassFunc) (privFile, pubFile string) {
Expand Down Expand Up @@ -134,6 +139,28 @@ func TestSignerVerifierFromEnvVar(t *testing.T) {
}
}

func TestVerifierForKeyRefError(t *testing.T) {
kms.AddProvider("errorkms://", func(ctx context.Context, _ string, hf crypto.Hash, _ ...sigsignature.RPCOption) (kms.SignerVerifier, error) {
return nil, errors.New("bad")
})
var uerr *blob.UnrecognizedSchemeError

ctx := context.Background()
_, err := PublicKeyFromKeyRef(ctx, "errorkms://bad")
if err == nil {
t.Fatalf("PublicKeyFromKeyRef didn't return any error")
} else if errors.As(err, &uerr) {
t.Fatalf("PublicKeyFromKeyRef returned UnrecognizedSchemeError: %v", err)
}

_, err = PublicKeyFromKeyRef(ctx, "badscheme://bad")
if err == nil {
t.Fatalf("PublicKeyFromKeyRef didn't return any error")
} else if !errors.As(err, &uerr) {
t.Fatalf("PublicKeyFromKeyRef didn't return UnrecognizedSchemeError: %v", err)
}
}

func pass(s string) cosign.PassFunc {
return func(_ bool) ([]byte, error) {
return []byte(s), nil
Expand Down
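Review bot: TestVerifierForKeyRefError checks that the `errorkms://` error is not an UnrecognizedSchemeError but never checks that the provider's own error is what comes back, so a regression that swapped it for some other wrapped error would still pass. Declare the sentinel once, `errBad := errors.New("bad")`, return it from the fake provider, and assert `errors.Is(err, errBad)` in the first branch. `kms.AddProvider` also appears to register into package-level state that is never removed, so the fake provider stays registered for every other test in the binary; if the kms package offers no unregister hook, a comment saying so is worth leaving next to the call. The test exercises PublicKeyFromKeyRef rather than VerifierForKeyRef directly, so the name is slightly misleading unless the former is a thin wrapper.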
