added public key check for SCTs

Signed-off-by: Horiodino <[email protected]>

added public key check for SCTs

Signed-off-by: Horiodino <[email protected]>

Author: Horiodino

examples/sigstore-go-verification/main.go

@@ -186,7 +186,7 @@ func run() error {
 		return errors.New("no trusted material provided")
 	}
 
-	sev, err := verify.NewSignedEntityVerifier(trustedMaterial, verifierConfig...)
+	sev, err := verify.NewSignedEntityVerifier(trustedMaterial, b, verifierConfig...)
 	if err != nil {
 		return err
 	}

pkg/sign/signer.go

@@ -139,12 +139,12 @@ func Bundle(content Content, keypair Keypair, opts BundleOptions) (*protobundle.
 	}
 
 	if opts.TrustedRoot != nil && len(verifierOptions) > 0 {
-		sev, err := verify.NewSignedEntityVerifier(opts.TrustedRoot, verifierOptions...)
+		protobundle, err := verifyBundle.NewBundle(bundle)
 		if err != nil {
 			return nil, err
 		}
 
-		protobundle, err := verifyBundle.NewBundle(bundle)
+		sev, err := verify.NewSignedEntityVerifier(opts.TrustedRoot, protobundle, verifierOptions...)
 		if err != nil {
 			return nil, err
 		}

pkg/verify/fuzz_test.go

@@ -123,7 +123,7 @@ func FuzzSignedEntityVerifier(f *testing.F) {
 		if err != nil {
 			t.Skip()
 		}
-		v, err := verify.NewSignedEntityVerifier(trustedRoot,
+		v, err := verify.NewSignedEntityVerifier(trustedRoot, entity,
 			verify.WithTransparencyLog(1),
 			verify.WithObserverTimestamps(1))
 		if err != nil {

pkg/verify/signature_test.go

@@ -72,7 +72,7 @@ func TestEnvelopeSubject(t *testing.T) {
 	entity, err := virtualSigstore.Attest("[email protected]", "issuer", statement)
 	assert.NoError(t, err)
 
-	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
+	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, entity, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
 	assert.NoError(t, err)
 
 	_, err = verifier.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -101,7 +101,7 @@ func TestSignatureVerifierMessageSignature(t *testing.T) {
 	entity, err := virtualSigstore.Sign("[email protected]", "issuer", []byte(artifact))
 	assert.NoError(t, err)
 
-	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, entity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
 
 	result, err := verifier.Verify(entity, verify.NewPolicy(verify.WithArtifact(bytes.NewBufferString(artifact)), verify.WithoutIdentitiesUnsafe()))
@@ -137,7 +137,7 @@ func TestTooManySubjects(t *testing.T) {
 	tooManySubjectsEntity, err := virtualSigstore.Attest("[email protected]", "issuer", tooManySubjectsStatementBytes)
 	assert.NoError(t, err)
 
-	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, tooManySubjectsEntity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
 
 	artifact := "Hi, I am an artifact!" //nolint:goconst
@@ -167,7 +167,7 @@ func TestTooManyDigests(t *testing.T) {
 	tooManySubjectsEntity, err := virtualSigstore.Attest("[email protected]", "issuer", tooManySubjectsStatementBytes)
 	assert.NoError(t, err)
 
-	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	verifier, err := verify.NewSignedEntityVerifier(virtualSigstore, tooManySubjectsEntity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
 
 	artifact := "Hi, I am an artifact!" //nolint:goconst

pkg/verify/signed_entity.go

@@ -83,7 +83,7 @@ type VerifierOption func(*VerifierConfig) error
 // VerifierConfig's set of options should match the properties of a given
 // Sigstore deployment, i.e. whether to expect SCTs, Tlog entries, or signed
 // timestamps.
-func NewSignedEntityVerifier(trustedMaterial root.TrustedMaterial, options ...VerifierOption) (*SignedEntityVerifier, error) {
+func NewSignedEntityVerifier(trustedMaterial root.TrustedMaterial, entity SignedEntity, options ...VerifierOption) (*SignedEntityVerifier, error) {
 	var err error
 	c := VerifierConfig{}
 
@@ -104,6 +104,18 @@ func NewSignedEntityVerifier(trustedMaterial root.TrustedMaterial, options ...Ve
 		config:          c,
 	}
 
+	// Early check: If SCTs are required, ensure the bundle is certificate-signed not public key-signed
+	if v.config.requireSCTs {
+		verificationContent, err := entity.VerificationContent()
+		if err != nil {
+			return nil, fmt.Errorf("failed to fetch verification content: %w", err)
+		}
+
+		if verificationContent.PublicKey() != nil {
+			return nil, errors.New("SCTs required but bundle is signed with a public key, which cannot contain SCTs")
+		}
+	}
+
 	return v, nil
 }
 

pkg/verify/signed_entity_test.go

@@ -34,43 +34,43 @@ func TestSignedEntityVerifierInitialization(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 
 	// can't create a verifier without specifying either tlog or tsa
-	_, err := verify.NewSignedEntityVerifier(tr)
+	_, err := verify.NewSignedEntityVerifier(tr, nil)
 	assert.NotNil(t, err)
 
 	// can create a verifier with both of them
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
 	assert.Nil(t, err)
 
 	// unless we are really sure we want a verifier without either tlog or tsa
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithCurrentTime())
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithCurrentTime())
 	assert.Nil(t, err)
 
 	// can configure the verifiers with thresholds
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(2), verify.WithSignedTimestamps(10))
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(2), verify.WithSignedTimestamps(10))
 
 	assert.Nil(t, err)
 
 	// can't configure them with < 1 thresholds
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(0), verify.WithSignedTimestamps(-10))
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(0), verify.WithSignedTimestamps(-10))
 	assert.Error(t, err)
 }
 
 func TestSignedEntityVerifierInitRequiresTimestamp(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 
-	_, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1))
+	_, err := verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(1))
 	assert.Error(t, err)
 	if !strings.Contains(err.Error(), "you must specify at least one of") {
 		t.Errorf("expected error missing timestamp verifier, got: %v", err)
 	}
 
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
 	assert.NoError(t, err)
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
 	assert.NoError(t, err)
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
-	_, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithCurrentTime())
+	_, err = verify.NewSignedEntityVerifier(tr, nil, verify.WithTransparencyLog(1), verify.WithCurrentTime())
 	assert.NoError(t, err)
 }
 
@@ -83,7 +83,7 @@ func TestEntitySignedByPublicGoodWithTlogVerifiesSuccessfully(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -99,7 +99,7 @@ func TestEntitySignedByPublicGoodWithTlogVerifiesSuccessfully(t *testing.T) {
 	assert.Equal(t, "https://rekor.sigstore.dev", res.VerifiedTimestamps[0].URI)
 
 	// verifies with integrated timestamp threshold too
-	v, err = verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
+	v, err = verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
 	assert.NoError(t, err)
 	res, err = v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
 	assert.NoError(t, err)
@@ -110,7 +110,7 @@ func TestEntitySignedByPublicGoodWithoutTimestampsVerifiesSuccessfully(t *testin
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -122,7 +122,7 @@ func TestEntitySignedByPublicGoodWithHighTlogThresholdFails(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(2), verify.WithObserverTimestamps(1))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(2), verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -137,7 +137,7 @@ func TestEntitySignedByPublicGoodWithoutVerifyingLogEntryFails(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithObserverTimestamps(1))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -148,7 +148,7 @@ func TestEntitySignedByPublicGoodWithoutVerifyingLogEntryFails(t *testing.T) {
 	}
 
 	// also fails trying to use integrated timestamps without verifying the log
-	v, err = verify.NewSignedEntityVerifier(tr, verify.WithIntegratedTimestamps(1))
+	v, err = verify.NewSignedEntityVerifier(tr, entity, verify.WithIntegratedTimestamps(1))
 	assert.NoError(t, err)
 	res, err = v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
 	assert.Error(t, err)
@@ -162,7 +162,7 @@ func TestEntitySignedByPublicGoodWithHighLogTimestampThresholdFails(t *testing.T
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(2))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(2))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -177,7 +177,7 @@ func TestEntitySignedByPublicGoodExpectingTSAFails(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithSignedTimestamps(1))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -192,7 +192,7 @@ func TestEntitySignedByPublicGoodWithHighObserverTimestampThresholdFails(t *test
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(2))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(2))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -207,7 +207,7 @@ func TestEntityWithOthernameSan(t *testing.T) {
 	tr := data.TrustedRoot(t, "scaffolding.json")
 	entity := data.Bundle(t, "othername.sigstore.json")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
 	assert.NoError(t, err)
 
 	digest, err := hex.DecodeString("bc103b4a84971ef6459b294a2b98568a2bfb72cded09d4acd1e16366a401f95b")
@@ -235,7 +235,7 @@ func TestVerifyPolicyOptionErors(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	verifier, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	verifier, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.Nil(t, err)
 
 	goodCertID, err := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", "", verify.SigstoreSanRegex)
@@ -332,7 +332,7 @@ func TestEntitySignedByPublicGoodWithCertificateIdentityVerifiesSuccessfully(t *
 	goodCI, _ := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", "", verify.SigstoreSanRegex)
 	badCI, _ := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", "BadSANValue", "")
 
-	verifier, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	verifier, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 
 	assert.Nil(t, err)
 
@@ -380,7 +380,7 @@ func TestThatAllTheJSONKeysStartWithALowerCase(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "[email protected]")
 
-	verifier, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	verifier, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.Nil(t, err)
 
 	res, err := verifier.Verify(entity, SkipArtifactAndIdentitiesPolicy)
@@ -417,7 +417,7 @@ func TestSigstoreBundle2Sig(t *testing.T) {
 	tr := data.TrustedRoot(t, "public-good.json")
 	entity := data.Bundle(t, "dsse-2sigs.sigstore.json")
 
-	v, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
+	v, err := verify.NewSignedEntityVerifier(tr, entity, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.NoError(t, err)
 
 	res, err := v.Verify(entity, SkipArtifactAndIdentitiesPolicy)

test/conformance/main.go

@@ -247,7 +247,7 @@ func main() {
 			verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
 		}
 
-		sev, err := verify.NewSignedEntityVerifier(tr, verifierConfig...)
+		sev, err := verify.NewSignedEntityVerifier(tr, b, verifierConfig...)
 		if err != nil {
 			log.Fatal(err)
 		}