Skip to content

Commit 9865ca9

Browse files
ret2libcwoodruffw
ret2libc
and
woodruffw
authored
Added support for sha384/sha512 hash algorithms in hashedrekords (#1959)
* Added support for sha384/sha512 hash algorithms in hashedrekords Includes changes provided by @bobcallaway Signed-off-by: Riccardo Schirone <[email protected]> * Added e2e test for hashedrekord type Make sure Rekor accepts SHA256 digest but not SHA1 Signed-off-by: Riccardo Schirone <[email protected]> * hashedrekord: add a SHA1 backstop test for CreateFromArtifactProperties Signed-off-by: William Woodruff <[email protected]> --------- Signed-off-by: Riccardo Schirone <[email protected]> Signed-off-by: William Woodruff <[email protected]> Co-authored-by: William Woodruff <[email protected]>
1 parent 9a17431 commit 9865ca9

File tree

8 files changed

+389
-31
lines changed

8 files changed

+389
-31
lines changed

pkg/generated/models/hashedrekord_v001_schema.go

+9-3
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

pkg/generated/restapi/embedded_spec.go

+12-6
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

pkg/types/hashedrekord/v0.0.1/e2e_test.go

+94
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,94 @@
1+
//
2+
// Copyright 2024 The Sigstore Authors.
3+
//
4+
// Licensed under the Apache License, Version 2.0 (the "License");
5+
// you may not use this file except in compliance with the License.
6+
// You may obtain a copy of the License at
7+
//
8+
// http://www.apache.org/licenses/LICENSE-2.0
9+
//
10+
// Unless required by applicable law or agreed to in writing, software
11+
// distributed under the License is distributed on an "AS IS" BASIS,
12+
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
// See the License for the specific language governing permissions and
14+
// limitations under the License.
15+
16+
//go:build e2e
17+
18+
package hashedrekord
19+
20+
import (
21+
"bytes"
22+
"context"
23+
"crypto"
24+
"crypto/ecdsa"
25+
"crypto/elliptic"
26+
"crypto/rand"
27+
"os"
28+
"testing"
29+
"time"
30+
31+
"github.com/sigstore/rekor/pkg/client"
32+
"github.com/sigstore/rekor/pkg/generated/client/entries"
33+
"github.com/sigstore/rekor/pkg/types"
34+
"github.com/sigstore/sigstore/pkg/cryptoutils"
35+
"github.com/sigstore/sigstore/pkg/signature"
36+
)
37+
38+
func rekorServer() string {
39+
if s := os.Getenv("REKOR_SERVER"); s != "" {
40+
return s
41+
}
42+
return "http://localhost:3000"
43+
}
44+
45+
// TestSHA256HashedRekordEntry tests sending a valid HashedRekord proposed entry.
46+
func TestSHA256HashedRekordEntry(t *testing.T) {
47+
privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
48+
if err != nil {
49+
t.Fatalf("error generating key: %v", err)
50+
}
51+
pubBytes, err := cryptoutils.MarshalPublicKeyToPEM(privKey.Public())
52+
if err != nil {
53+
t.Fatalf("error marshaling public key: %v", err)
54+
}
55+
56+
data := []byte("data")
57+
signer, err := signature.LoadSigner(privKey, crypto.SHA256)
58+
if err != nil {
59+
t.Fatalf("error loading verifier: %v", err)
60+
}
61+
signature, err := signer.SignMessage(bytes.NewReader(data))
62+
if err != nil {
63+
t.Fatalf("error signing message: %v", err)
64+
}
65+
66+
ap := types.ArtifactProperties{
67+
ArtifactBytes: []byte("data"),
68+
ArtifactHash: "sha256:3a6eb0790f39ac87c94f3856b2dd2c5d110e6811602261a9a923d3bb23adc8b7",
69+
PublicKeyBytes: [][]byte{pubBytes},
70+
PKIFormat: "x509",
71+
SignatureBytes: signature,
72+
}
73+
74+
ei := NewEntry()
75+
76+
entry, err := ei.CreateFromArtifactProperties(context.Background(), ap)
77+
if err != nil {
78+
t.Fatalf("error creating entry: %v", err)
79+
}
80+
81+
rc, err := client.GetRekorClient(rekorServer())
82+
if err != nil {
83+
t.Errorf("error getting client: %v", err)
84+
}
85+
86+
params := &entries.CreateLogEntryParams{}
87+
params.SetProposedEntry(entry)
88+
params.SetContext(context.Background())
89+
params.SetTimeout(5 * time.Second)
90+
91+
if _, err = rc.Entries.CreateLogEntry(params); err != nil {
92+
t.Fatalf("expected no errors when submitting hashedrekord entry with sha256 to rekor %s", err)
93+
}
94+
}

pkg/types/hashedrekord/v0.0.1/entry.go

+27-3
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@ package hashedrekord
1818
import (
1919
"bytes"
2020
"context"
21+
"crypto"
2122
"crypto/ed25519"
2223
"crypto/sha256"
2324
"encoding/hex"
@@ -38,6 +39,7 @@ import (
3839
"github.com/sigstore/rekor/pkg/pki/x509"
3940
"github.com/sigstore/rekor/pkg/types"
4041
hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord"
42+
"github.com/sigstore/rekor/pkg/util"
4143
"github.com/sigstore/sigstore/pkg/signature/options"
4244
)
4345

@@ -178,17 +180,38 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) {
178180
return nil, nil, types.ValidationError(errors.New("invalid value for hash"))
179181
}
180182

183+
var alg crypto.Hash
184+
switch swag.StringValue(hash.Algorithm) {
185+
case models.HashedrekordV001SchemaDataHashAlgorithmSha384:
186+
alg = crypto.SHA384
187+
case models.HashedrekordV001SchemaDataHashAlgorithmSha512:
188+
alg = crypto.SHA512
189+
default:
190+
alg = crypto.SHA256
191+
}
192+
181193
decoded, err := hex.DecodeString(*hash.Value)
182194
if err != nil {
183195
return nil, nil, err
184196
}
185-
if err := sigObj.Verify(nil, keyObj, options.WithDigest(decoded)); err != nil {
197+
if err := sigObj.Verify(nil, keyObj, options.WithDigest(decoded), options.WithCryptoSignerOpts(alg)); err != nil {
186198
return nil, nil, types.ValidationError(fmt.Errorf("verifying signature: %w", err))
187199
}
188200

189201
return sigObj, keyObj, nil
190202
}
191203

204+
func getDataHashAlgorithm(hashAlgorithm crypto.Hash) string {
205+
switch hashAlgorithm {
206+
case crypto.SHA384:
207+
return models.HashedrekordV001SchemaDataHashAlgorithmSha384
208+
case crypto.SHA512:
209+
return models.HashedrekordV001SchemaDataHashAlgorithmSha512
210+
default:
211+
return models.HashedrekordV001SchemaDataHashAlgorithmSha256
212+
}
213+
}
214+
192215
func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.ArtifactProperties) (models.ProposedEntry, error) {
193216
returnVal := models.Hashedrekord{}
194217
re := V001Entry{}
@@ -230,10 +253,11 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
230253
return nil, errors.New("only one public key must be provided")
231254
}
232255

256+
hashAlgorithm, hashValue := util.UnprefixSHA(props.ArtifactHash)
233257
re.HashedRekordObj.Signature.PublicKey.Content = strfmt.Base64(publicKeyBytes[0])
234258
re.HashedRekordObj.Data.Hash = &models.HashedrekordV001SchemaDataHash{
235-
Algorithm: swag.String(models.HashedrekordV001SchemaDataHashAlgorithmSha256),
236-
Value: swag.String(props.ArtifactHash),
259+
Algorithm: swag.String(getDataHashAlgorithm(hashAlgorithm)),
260+
Value: swag.String(hashValue),
237261
}
238262

239263
if _, _, err := re.validate(); err != nil {

0 commit comments

Comments
 (0)