Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Leverage Rekor's Verifiers API to extract keys/certs from entries #66

Open
haydentherapper opened this issue Jan 3, 2024 · 2 comments
Open

Leverage Rekor's Verifiers API to extract keys/certs from entries #66

haydentherapper opened this issue Jan 3, 2024 · 2 comments
Labels
blocked enhancement New feature or request

Comments

@haydentherapper
Copy link
Contributor

Description

We've created a Verifiers API in the Entries interface to abstract extracting "verifiers" - eg certificates, public keys, pgp keys, etc - from a given entry. This would simplify the logic in PublicKey() and add support for additional types (though there may be more places where types are hardcoded).

Interface: https://github.com/sigstore/rekor/blob/main/pkg/types/entries.go#L40

Code:

sigstore-go/pkg/tlog/entry.go

Lines 197 to 222 in f7518a6

func (entry *Entry) PublicKey() any {
var pemString []byte
switch e := entry.rekorEntry.(type) {
case *dsse_v001.V001Entry:
pemString = []byte(*e.DSSEObj.Signatures[0].Verifier)
case *hashedrekord_v001.V001Entry:
pemString = []byte(e.HashedRekordObj.Signature.PublicKey.Content)
case *intoto_v002.V002Entry:
pemString = []byte(*e.IntotoObj.Content.Envelope.Signatures[0].PublicKey)
}
certBlock, _ := pem.Decode(pemString)
var pk any
var err error
pk, err = x509.ParseCertificate(certBlock.Bytes)
if err != nil {
pk, err = x509.ParsePKIXPublicKey(certBlock.Bytes)
if err != nil {
return nil
}
}
return pk

@haydentherapper haydentherapper added the enhancement New feature or request label Jan 3, 2024
@vishal-chdhry
Copy link
Contributor

Can you please also mention the additional types we have to add support here. As we will also have to add validation checks for those types like we do for the currently supported types

sigstore-go/pkg/tlog/entry.go

Lines 148 to 170 in 3a6a109

func ValidateEntry(entry *Entry) error {
switch e := entry.rekorEntry.(type) {
case *dsse_v001.V001Entry:
err := e.DSSEObj.Validate(strfmt.Default)
if err != nil {
return err
}
case *hashedrekord_v001.V001Entry:
err := e.HashedRekordObj.Validate(strfmt.Default)
if err != nil {
return err
}
case *intoto_v002.V002Entry:
err := e.IntotoObj.Validate(strfmt.Default)
if err != nil {
return err
}
default:
return fmt.Errorf("unsupported entry type: %T", e)
}
return nil
}

@haydentherapper
Copy link
Contributor Author

That's a good point, I would say that this issue is blocked until Rekor adds a method on the Entries interface for both Validate() and Signature() (also needed here).

I'll leave this issue open for now, but consider it blocked.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocked enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@haydentherapper @vishal-chdhry