Skip to content

Commit

Permalink
bug: fix verification fail when policy contains multiple pubkeys
Browse files Browse the repository at this point in the history 
The DSSE code failed early if a verifier failed to successfully verify
an envelope. This caused the policy verification code to incorrectly
report that the policy failed verification.

Signed-off-by: Mikhail Swift <mikhail@testifysec.com>
  • Loading branch information
@mikhailswift @colek42
mikhailswift authored and colek42 committed Aug 1, 2022
1 parent 90b2da9 commit d7c6718
Show file tree
Hide file tree
Showing 13 changed files with 654 additions and 511 deletions.
1 change: 1 addition & 0 deletions .github/workflows/golangci-lint.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,4 @@ jobs:
uses: golangci/golangci-lint-action@v2
with:
version: latest
args: --timeout=3m
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ jobs:
test:
strategy:
matrix:
go-version: [ 1.17.x ]
go-version: [ 1.18.x ]
os: [ ubuntu-latest ]
runs-on: ${{ matrix.os }}
steps:
Expand Down Expand Up @@ -47,7 +47,7 @@ jobs:
- name: Set up Go
uses: actions/setup-go@v2
with:
go-version: 1.17
go-version: 1.18
- uses: actions/cache@v2
with:
path: |
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/verify-docgen.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,5 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: '1.17.x'
go-version: '1.18.x'
- run: ./docgen/verify.sh
2 changes: 1 addition & 1 deletion .github/workflows/verify-licence.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ jobs:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: '1.17.x'
go-version: '1.18.x'
- name: Install addlicense
run: go install github.com/google/addlicense@latest
- name: Check license headers
Expand Down
221 changes: 130 additions & 91 deletions go.mod
View file

Large diffs are not rendered by default.

799 changes: 392 additions & 407 deletions go.sum
View file

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions test/.gitignore
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
*.attestation.json
policy-signed.json
testapp
testapp.tar.tgz
5 changes: 5 additions & 0 deletions test/failkey.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIEBmgB/Xwk5lvG9MZxMvKDrFlyMhjlzpfd27y0Hp7WgzoAoGCCqGSM49
AwEHoUQDQgAEnE5sMbtWZ7uxSSwVu231xRfaDkLyGRBqCdVRnF+U92EaN3Eu08f4
jTNk8G5nZm/0bEvjswy4MvlYeS9Gzmg26A==
-----END EC PRIVATE KEY-----
32 changes: 32 additions & 0 deletions test/policy.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,12 +28,44 @@
"publickeyid": "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647"
}
]
},
"package": {
"name": "package",
"attestations": [
{
"type": "https://witness.dev/attestations/material/v0.1",
"regopolicies": []
},
{
"type": "https://witness.dev/attestations/command-run/v0.1",
"regopolicies": [
{
"name": "expected command",
"module": "cGFja2FnZSBjb21tYW5kcnVuLmNtZAoKZGVueVttc2ddIHsKCWlucHV0LmNtZCAhPSBbInRhciIsICJjemYiLCAiLi90ZXN0YXBwLnRhci50Z3oiLCAiLi90ZXN0YXBwIl0KCW1zZyA6PSAidW5leHBlY3RlZCBjbWQiCn0K"
}
]
},
{
"type": "https://witness.dev/attestations/product/v0.1",
"regopolicies": []
}
],
"functionaries": [
{
"type": "publickey",
"publickeyid": "5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3"
}
]
}
},
"publickeys": {
"ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647": {
"keyid": "ae2dcc989ea9c109a36e8eba5c4bc16d8fafcfe8e1a614164670d50aedacd647",
"key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUNvd0JRWURLMlZ3QXlFQWYyOW9QUDhVZ2hCeUc4NTJ1QmRPeHJKS0tuN01NNWhUYlA5ZXNnT1ovazA9Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo="
},
"5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3": {
"keyid": "5e8c57df8ae58fe9a29b29f9993e2fc3b25bd75eb2754f353880bad4b9ebfdb3",
"key": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQ0lqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FnOEFNSUlDQ2dLQ0FnRUFvRTZ6TDdvMG5jY3ZLbjBJVFNEUApSWUFhTnR6ZlYzOVJaUVh1aTVpTXljTWFzU3JWR2Y3bEhKTFR2YWZrQWNMU3huY3RTdWdad3prMlo4a2FjK0FkCksxV2cwemtBd2VocjJzVVZ1cWY5d0ZQTUdueWVJUXJQTnhtY1hGbnp5WjZ3ZTRxQnBVQmhrdGZacWI5bm05cUUKVDA4SmJvUkdVdlpHamx3ckloZmJYR2RTYnA2cG1XQUVqNUdWOUd0bGswTWg4YmFrNUxid3hyZUYzVXZhUE1sSwpWVWdsNDVFYVYxWVpRWjI3NmFVSStpWitnMnh1QjlyTGd5a04vUlZMSUh5VDAyS0xBYXo5K0xONkVhaEQzWHFICkptUlVJZmsyQ0VlZTBiUHJIL0c2Z21HRVoxQ1dLL3dMQ2hsMkVpOU5MYnUvMjIzZSt0TVpmc1MvU0RrR1hlQ3UKR3BTUzgrK3VyYkpFZnkyZEpsUitiOGlCMzV0bldSOVhNUTRzV0MwanBIQW53Rm1ZOXNQTTMweEl2QnJ6TElRdwpHK1FDTXBhRFlDMGhXakJzb09WT0xpbnJCSDFXSGVmTEdWdWRmQ2Y4d1pXNzUrRnpPRHRhMG5lWERYWVRCU2FFCmVDb2NGUStLTTJsaDhlTjFIb1pjTkZ2TzhhTCttWkNQSTFXOTUwMTlzeVFmTWgrekhLeDNZV3VnZjNvbjAycHQKSGV6TlZjQTYrVkQ2WnJpNGVpZEkranBjamdOek16bnRzSWQ4RFpUdWVPRXVHdUZFY1MrTlFnNnhtRzQzVHRtNgpwVmwzakFidEVBbEwzeUpPaTF4b1M1Zm12bFNPTlVEbmhYckxLNkpXTnh6YU04RlBFVndzbXRLcXdoaS84Tk4rCmpCTXpqREtaQmdqOXFuekJXSHdONWxjQ0F3RUFBUT09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo="
}
}
}
23 changes: 17 additions & 6 deletions test/test.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,14 +18,25 @@ set -e
DIR="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
. "$DIR/common.sh"

if ! checkprograms make ; then
if ! checkprograms make tar ; then
exit 1
fi



make -C ../ build
rm -f ./test-attestation.demo ./testapp ./policy-signed.json
../bin/witness -c test.yaml run -- go build -o=testapp .
../bin/witness -c test.yaml sign -f policy.json
rm -f ./policy-signed.json ./build.attestation.json ./package.attestation.json ./fail.attestation.json ./testapp ./testapp.tar.tgz
../bin/witness -c test.yaml -l debug sign -f policy.json

# successful test
../bin/witness -c test.yaml run -o build.attestation.json -- go build -o=testapp .
../bin/witness -c test.yaml run -s package -k ./testkey2.pem -o package.attestation.json -- tar czf ./testapp.tar.tgz ./testapp
../bin/witness -c test.yaml verify

# make sure we fail if we run with a key not in the policy
../bin/witness -c test.yaml run -k failkey.pem -o ./fail.attestation.json -- go build -o=testapp .
../bin/witness -c test.yaml run -s package -k ./testkey2.pem -o package.attestation.json -- tar czf ./testapp.tar.tgz ./testapp
set +e
../bin/witness -c test.yaml verify -a ./fail.attestation.json -a ./package.attestation.json
if [ $? -eq 0 ]; then
echo "expected verify to fail"
exit 1
fi
6 changes: 3 additions & 3 deletions test/test.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,15 +14,15 @@

run:
key: testkey.pem
outfile: test-attestation.json
step: build
trace: true
sign:
key: testkey.pem
outfile: policy-signed.json
verify:
attestations:
- "test-attestation.json"
- "build.attestation.json"
- "package.attestation.json"
policy: policy-signed.json
publickey: testpub.pem
artifactfile: testapp
artifactfile: testapp
52 changes: 52 additions & 0 deletions test/testkey2.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCgTrMvujSdxy8q
fQhNIM9FgBo23N9Xf1FlBe6LmIzJwxqxKtUZ/uUcktO9p+QBwtLGdy1K6BnDOTZn
yRpz4B0rVaDTOQDB6GvaxRW6p/3AU8wafJ4hCs83GZxcWfPJnrB7ioGlQGGS19mp
v2eb2oRPTwluhEZS9kaOXCsiF9tcZ1JunqmZYASPkZX0a2WTQyHxtqTktvDGt4Xd
S9o8yUpVSCXjkRpXVhlBnbvppQj6Jn6DbG4H2suDKQ39FUsgfJPTYosBrP34s3oR
qEPdeocmZFQh+TYIR57Rs+sf8bqCYYRnUJYr/AsKGXYSL00tu7/bbd760xl+xL9I
OQZd4K4alJLz766tskR/LZ0mVH5vyIHfm2dZH1cxDixYLSOkcCfAWZj2w8zfTEi8
GvMshDAb5AIyloNgLSFaMGyg5U4uKesEfVYd58sZW518J/zBlbvn4XM4O1rSd5cN
dhMFJoR4KhwVD4ozaWHx43Uehlw0W87xov6ZkI8jVb3nTX2zJB8yH7McrHdha6B/
eifTam0d7M1VwDr5UPpmuLh6J0j6OlyOA3MzOe2wh3wNlO544S4a4URxL41CDrGY
bjdO2bqlWXeMBu0QCUvfIk6LXGhLl+a+VI41QOeFessrolY3HNozwU8RXCya0qrC
GL/w036MEzOMMpkGCP2qfMFYfA3mVwIDAQABAoICAEzb3sqDxuVc0g7XeqrsD6R9
WlQyirx7NQ2wDeKNJfc4XWxTIm//x15vQSjdvZJgk8kG68bNyEhS/nQ9NbsX2TRl
LiIHYwcVRdzSgGwJTj6vjpymYfRqp9X9p/uZPyrMNEZPLoCKAR4z8k6SD/1oA+a4
eMetkMAHBuYLZ7zFXm2LtjiGRr9cC2PAQ/q3oTA9UCGBVca4tXE5HWvwCbb6NXL1
EAFvGQeFpr9Qfn9zmn3BBghB7PFEJC4C+Yt9cZMmV4PSa95GUFA00NJ1b/BY5kJw
eOv+/bpziEB3uEQNFESdt6sHNrDo+2wAsBzg4+qI6WAt6eotWzxt3V4lxRkud5pR
AtRZNcMfm2bpu0TrHEDGppT5XhlEhAK5kx1a6xf0ThgtnDFqqhv9F+dUgfAlPA6C
dCWgPxSjzJZbdON/i9qydA4+DMytYUomiyq5gvgRpvG9ElQOxjOIuPgzi4oQ19aE
BIgbfOi6UyMKpTkqGnLOsAHLu6uC0QL1KlF+2UhOqr+WvsT6MjBFY7dLowlmfiO4
djojZWjQ1EmBdj+fvYTgccI+jJtHv5FAbWcBQvDeMqDj4tRklCXdp0Y8WB7X1XPO
Zs68ty+84bE+YxCDkasdYQz2zeTdu7joT53ccbcFEDPwAmLDtfHT074NZwaGxx6/
CJxilvBoyuFjnYu1dRqVAoIBAQC7I0JaZtNIOAvxOxHQWkHdYp4KsYLL/azfWmOY
3IuAtQPeUxbnyb/wCN8y2sN1qV1E25NYKDfv3SfPDKya/RC6HpfbLn/2Ysa+DzHV
svkBu0NilSS0ykTXyfmY93Cq7AAzUeyL0rZOQ136EwwK6bjhfBItAODrVJf2vHkm
nI9v7UU/4cfqSgF/N9rR7xul5zxcXXgyBqJL0GUzKZ+nCALgyriIuPB96De0gIzE
Oufdv4V4r1Sg+HbHIFFEvRQhQgiSCdAXA3RnDXeOjrgXoNi+x5cKd83lpjS+twmu
XCNEDdzPrw5uL/45wlWZgU1WrRn0MQit5ZLpHbs7znQu0SyjAoIBAQDbS/kZhcDp
BROhZEdYETJ2Go/wQtdZ6PjJQu0evtCPSyLxuSy1ulZjubj3MKniIEUmTQYNDh8W
OhB6qXi/2trpXswDSlrq+boj7CDrZxaxft6PqJN4Ra9umHNoJbsKcVizMgCoZ2MK
dZeG2P7hmd33F8GdjO+2ip8zPoeQ48L5wptYLLacnez5BmKpRRS/k8ZKU29G4O4q
rWxMS/vkiqlbL5BY32v+VmQNfKJZH8cV+J1ACzl+J+0nTZdZybiPVUSyIGtYEGKl
ojQqx/5lLvZl3mqZcoP9M76yxz/VLOijuIu4YjZH/Pc+8eqYc6ZHlSOtg+OmkQ1H
BztGrUdbPWa9AoIBABOV5hzmBBjb3MwbfYrL13bfGmFOIL1OyGf74s6dzm/jAguj
sJMDt3Xcx9dfs/M9jYhmXq5sTyZohAEUd4AlGjoQd5416KiVv+0mU/XkrFD1E2Fe
8J+HR9s5xUiwJPeOiZrVaSddHz1jqZNBqRH/Uh0vSguxutiGWv00zo0u94gkUgoU
jELGChARfXJZTxB2+gdEtQ6vSQ8cOWs4YQAvQ3XZYaTVjj3vLt1SUuk6rQe1QrfV
ycqrFmtSw46pJ1EvwwvdwQyXjPg4HZoq77NxXx3gb7tlvIPbeEu5hmbcN8iolsKZ
tK3tkfLjlufg84ItzbiT5S+mBlEljnH88oXv2HcCggEBAI8r+7a5B2hawyU0Vgve
Nma7EsxWp0hw/LRReIQBKiLTeD3+mn0O6cX0BBmGcPNMBDlsQg4V8R/OyuF6cXY4
iYGhPWrMia0tW2SGjjuCM2Owo9eAxL7aKB35dCdDsuivdayQcbOAxD2Y5lPIqida
EHt4zBRzZjF0MVoAcfubZ7kuX8NiddqslIFEtPc0PcaR0PzHmjfZNEUysijh1tOv
37/Dvub2/wevGWVgwJGVWKI0jV25tlBx+rgVRUH+m/sgPVhaKBr3n5/p1Us1BRbE
YWPCoTALfra5qMAJq9gemMgC/V1k6XF4a2dyA6qCnsXPTdrD58Xgn52G0CFlkde0
r7UCggEBALSUVChkZ0KM7xtwQ5j/TvR+ZEhrUWtaWT2ZlG056/lzjMawehfscUTd
wcBC7aWc9/5ZpnR7LJeWOfnSqJXzZrA+tnP8fYKWl1V9nrQNqkZnZh/LSqd4PO3u
slA/SPrydy8E6wCiM4pbfbunjyImJl4GlZDd5FwlQ1TRqH7rLNx0sZFlhCAmFfgI
PFfd/VbzC+NWFim95pL0MWQm3yM18PNOUJYc6z2FqUwuTuA2zgJFTdw0RF03l26p
GX3zl02Bb5O5CS6/koUCTeosCRsohB1jL5oP1Ysyyf19jYZnb1OL+eNvS6rASMy0
b9S+7aQPafqPQZwZUS5DsPwakYRRY3k=
-----END PRIVATE KEY-----
14 changes: 14 additions & 0 deletions test/testpub2.pem
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoE6zL7o0nccvKn0ITSDP
RYAaNtzfV39RZQXui5iMycMasSrVGf7lHJLTvafkAcLSxnctSugZwzk2Z8kac+Ad
K1Wg0zkAwehr2sUVuqf9wFPMGnyeIQrPNxmcXFnzyZ6we4qBpUBhktfZqb9nm9qE
T08JboRGUvZGjlwrIhfbXGdSbp6pmWAEj5GV9Gtlk0Mh8bak5LbwxreF3UvaPMlK
VUgl45EaV1YZQZ276aUI+iZ+g2xuB9rLgykN/RVLIHyT02KLAaz9+LN6EahD3XqH
JmRUIfk2CEee0bPrH/G6gmGEZ1CWK/wLChl2Ei9NLbu/223e+tMZfsS/SDkGXeCu
GpSS8++urbJEfy2dJlR+b8iB35tnWR9XMQ4sWC0jpHAnwFmY9sPM30xIvBrzLIQw
G+QCMpaDYC0hWjBsoOVOLinrBH1WHefLGVudfCf8wZW75+FzODta0neXDXYTBSaE
eCocFQ+KM2lh8eN1HoZcNFvO8aL+mZCPI1W95019syQfMh+zHKx3YWugf3on02pt
HezNVcA6+VD6Zri4eidI+jpcjgNzMzntsId8DZTueOEuGuFEcS+NQg6xmG43Ttm6
pVl3jAbtEAlL3yJOi1xoS5fmvlSONUDnhXrLK6JWNxzaM8FPEVwsmtKqwhi/8NN+
jBMzjDKZBgj9qnzBWHwN5lcCAwEAAQ==
-----END PUBLIC KEY-----

0 comments on commit d7c6718

Please sign in to comment.