Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix validation for proposed vs committed log entries for intoto v0.0.1 #1309

Merged
merged 3 commits into from
Feb 6, 2023
Merged

fix validation for proposed vs committed log entries for intoto v0.0.1 #1309

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b89a404
fix validation for proposed vs committed log entries
bobcallaway Jan 27, 2023
65799fd
be more accepting of existing clients
bobcallaway Jan 28, 2023
4144c6d
update code comment
bobcallaway Jan 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 27 additions & 2 deletions pkg/types/intoto/v0.0.1/entry.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,7 +185,16 @@ func (v *V001Entry) Unmarshal(pe models.ProposedEntry) error {

func (v *V001Entry) Canonicalize(ctx context.Context) ([]byte, error) {
if v.keyObj == nil {
return nil, errors.New("cannot canonicalze empty key")
return nil, errors.New("cannot canonicalize empty key")
}
if v.IntotoObj.Content == nil {
return nil, errors.New("missing content")
}
if v.IntotoObj.Content.Hash == nil {
return nil, errors.New("missing envelope hash")
}
if v.IntotoObj.Content.PayloadHash == nil {
return nil, errors.New("missing payload hash")
}
pk, err := v.keyObj.CanonicalValue()
if err != nil {
Expand Down Expand Up @@ -219,10 +228,26 @@ func (v *V001Entry) validate() error {
// TODO handle multiple
pk := v.keyObj.(*x509.PublicKey)

// This also gets called in the CLI, where we won't have this data
// one of two cases must be true:
// - ProposedEntry: client gives an envelope and NOT hash/payloadhash (to be computed server-side) OR
// - CommittedEntry: NO envelope and hash/payloadHash must be present
if v.IntotoObj.Content.Envelope == "" {
if v.IntotoObj.Content.Hash == nil {
return fmt.Errorf("missing hash value for envelope")
} else if err := v.IntotoObj.Content.Hash.Validate(strfmt.Default); err != nil {
return fmt.Errorf("validation error on envelope hash: %w", err)
}
if v.IntotoObj.Content.PayloadHash == nil {
return fmt.Errorf("missing hash value for payload")
} else if err := v.IntotoObj.Content.PayloadHash.Validate(strfmt.Default); err != nil {
return fmt.Errorf("validation error on payload hash: %w", err)
}
// if there is no envelope, and hash/payloadHash are valid, then there's nothing else to do here
return nil
} else if v.IntotoObj.Content.Hash != nil || v.IntotoObj.Content.PayloadHash != nil {
bobcallaway marked this conversation as resolved.
Show resolved Hide resolved
return fmt.Errorf("hash values for payload and envelope are read-only fields")
}

vfr, err := signature.LoadVerifier(pk.CryptoPubKey(), crypto.SHA256)
if err != nil {
return err
Expand Down
68 changes: 47 additions & 21 deletions pkg/types/intoto/v0.0.1/entry_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ func TestV001Entry_Unmarshal(t *testing.T) {
wantVerifierErr: false,
},
{
name: "missing envelope",
name: "invalid key",
it: &models.IntotoV001Schema{
PublicKey: p([]byte("hello")),
},
Expand All @@ -160,27 +160,70 @@ func TestV001Entry_Unmarshal(t *testing.T) {
},
{
name: "valid intoto",
it: &models.IntotoV001Schema{
PublicKey: p(pub),
Content: &models.IntotoV001SchemaContent{
Envelope: envelope(t, key, validPayload, "application/vnd.in-toto+json"),
},
},
wantErr: false,
wantVerifierErr: false,
},
{
name: "valid intoto but hash specified by client",
it: &models.IntotoV001Schema{
PublicKey: p(pub),
Content: &models.IntotoV001SchemaContent{
Envelope: envelope(t, key, validPayload, "application/vnd.in-toto+json"),
Hash: &models.IntotoV001SchemaContentHash{
Algorithm: swag.String(models.IntotoV001SchemaContentHashAlgorithmSha256),
Value: swag.String("1a1707bb54e5fb4deddd19f07adcb4f1e022ca7879e3c8348da8d4fa496ae8e2"),
},
},
},
wantErr: false,
wantErr: true,
wantVerifierErr: false,
},
{
name: "valid dsse but invalid intoto",
name: "valid intoto but payloadhash specified by client",
it: &models.IntotoV001Schema{
PublicKey: p(pub),
Content: &models.IntotoV001SchemaContent{
Envelope: envelope(t, key, validPayload, "text"),
Envelope: envelope(t, key, validPayload, "application/vnd.in-toto+json"),
PayloadHash: &models.IntotoV001SchemaContentPayloadHash{
Algorithm: swag.String(models.IntotoV001SchemaContentPayloadHashAlgorithmSha256),
Value: swag.String("1a1707bb54e5fb4deddd19f07adcb4f1e022ca7879e3c8348da8d4fa496ae8e2"),
},
},
},
wantErr: true,
wantVerifierErr: false,
},
{
name: "valid intoto but envelope and payloadhash specified by client",
it: &models.IntotoV001Schema{
PublicKey: p(pub),
Content: &models.IntotoV001SchemaContent{
Envelope: envelope(t, key, validPayload, "application/vnd.in-toto+json"),
Hash: &models.IntotoV001SchemaContentHash{
Algorithm: swag.String(models.IntotoV001SchemaContentHashAlgorithmSha256),
Value: swag.String("1a1707bb54e5fb4deddd19f07adcb4f1e022ca7879e3c8348da8d4fa496ae8e2"),
},
PayloadHash: &models.IntotoV001SchemaContentPayloadHash{
Algorithm: swag.String(models.IntotoV001SchemaContentPayloadHashAlgorithmSha256),
Value: swag.String("1a1707bb54e5fb4deddd19f07adcb4f1e022ca7879e3c8348da8d4fa496ae8e2"),
},
},
},
wantErr: true,
wantVerifierErr: false,
},
{
name: "valid dsse but invalid intoto",
it: &models.IntotoV001Schema{
PublicKey: p(pub),
Content: &models.IntotoV001SchemaContent{
Envelope: envelope(t, key, validPayload, "text"),
},
},
wantErr: false,
Expand All @@ -192,9 +235,6 @@ func TestV001Entry_Unmarshal(t *testing.T) {
PublicKey: p([]byte(pemBytes)),
Content: &models.IntotoV001SchemaContent{
Envelope: envelope(t, priv, validPayload, "text"),
Hash: &models.IntotoV001SchemaContentHash{
Algorithm: swag.String(models.IntotoV001SchemaContentHashAlgorithmSha256),
},
},
},
additionalIndexKeys: []string{"joe@schmoe.com"},
Expand All @@ -207,9 +247,6 @@ func TestV001Entry_Unmarshal(t *testing.T) {
PublicKey: p(pub),
Content: &models.IntotoV001SchemaContent{
Envelope: string(invalid),
Hash: &models.IntotoV001SchemaContentHash{
Algorithm: swag.String(models.IntotoV001SchemaContentHashAlgorithmSha256),
},
},
},
wantErr: true,
Expand All @@ -221,9 +258,6 @@ func TestV001Entry_Unmarshal(t *testing.T) {
PublicKey: p([]byte("notavalidkey")),
Content: &models.IntotoV001SchemaContent{
Envelope: envelope(t, key, validPayload, "text"),
Hash: &models.IntotoV001SchemaContentHash{
Algorithm: swag.String(models.IntotoV001SchemaContentHashAlgorithmSha256),
},
},
},
wantErr: true,
Expand All @@ -233,11 +267,6 @@ func TestV001Entry_Unmarshal(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
v := &V001Entry{}
if tt.it.Content != nil {
h := sha256.Sum256([]byte(tt.it.Content.Envelope))
tt.it.Content.Hash.Algorithm = swag.String(models.IntotoV001SchemaContentHashAlgorithmSha256)
tt.it.Content.Hash.Value = swag.String(hex.EncodeToString(h[:]))
}

it := &models.Intoto{
Spec: tt.it,
Expand All @@ -247,9 +276,6 @@ func TestV001Entry_Unmarshal(t *testing.T) {
if err := v.Unmarshal(it); err != nil {
return err
}
if err := v.validate(); err != nil {
return err
}
if v.IntotoObj.Content.Hash == nil || v.IntotoObj.Content.Hash.Algorithm != tt.it.Content.Hash.Algorithm || v.IntotoObj.Content.Hash.Value != tt.it.Content.Hash.Value {
return errors.New("missing envelope hash in validated object")
}
Expand Down