
Commit f85886e

authored
fix: make client shard aware when verifying (#279)
Signed-off-by: Asra Ali <[email protected]> Signed-off-by: Asra Ali <[email protected]>
1 parent fb9aeaf commit f85886e


1 file changed

+30
-7
lines changed


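--- a/pkg/rekor.go
+++ b/pkg/rekor.go
@@ -43,7 +43,9 @@ const (
 defaultRekorAddr = "https://rekor.sigstore.dev"
 )
 
-func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, eproof *models.InclusionProof, pub *ecdsa.PublicKey) error {
+func verifyRootHash(ctx context.Context, rekorClient *client.Rekor,
+treeID int64, eproof *models.InclusionProof, pub *ecdsa.PublicKey) error {
+treeIDString := fmt.Sprintf("%d", treeID)
 infoParams := tlog.NewGetLogInfoParamsWithContext(ctx)
 result, err := rekorClient.Tlog.GetLogInfo(infoParams)
 if err != nil {
@@ -56,6 +58,13 @@ func verifyRootHash(ctx context.Context, rekorClient *client.Rekor, eproof *mode
 if err := sth.UnmarshalText([]byte(*logInfo.SignedTreeHead)); err != nil {
 return err
 }
+for _, inactiveShard := range logInfo.InactiveShards {
+if *inactiveShard.TreeID == treeIDString {
+if err := sth.UnmarshalText([]byte(*inactiveShard.SignedTreeHead)); err != nil {
+return err
+}
+}
+}
 
 verifier, err := signature.LoadVerifier(pub, crypto.SHA256)
 if err != nil {
@@ -120,22 +129,35 @@ func verifyTlogEntryByUUID(ctx context.Context, rekorClient *client.Rekor, entry
 return nil, err
 }
 
-var e models.LogEntryAnon
 for k, entry := range lep.Payload {
-if k != uuid {
+returnUUID, err := sharding.GetUUIDFromIDString(k)
+if err != nil {
+return nil, err
+}
+// Validate that the request matches the response
+if returnUUID != uuid {
 return nil, errors.New("expected matching UUID")
 }
-e = entry
+return verifyTlogEntry(ctx, rekorClient, k, entry)
 }
 
-return verifyTlogEntry(ctx, rekorClient, uuid, e)
+return nil, ErrorRekorSearch
 }
 
-func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string, e models.LogEntryAnon) (*models.LogEntryAnon, error) {
+func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, entryUUID string, e models.LogEntryAnon) (*models.LogEntryAnon, error) {
 if e.Verification == nil || e.Verification.InclusionProof == nil {
 return nil, errors.New("inclusion proof not provided")
 }
 
+uuid, err := sharding.GetUUIDFromIDString(entryUUID)
+if err != nil {
+return nil, fmt.Errorf("%w: retrieving uuid from entry uuid", err)
+}
+treeID, err := sharding.TreeID(entryUUID)
+if err != nil {
+return nil, fmt.Errorf("%w: retrieving tree ID", err)
+}
+
 var hashes [][]byte
 for _, h := range e.Verification.InclusionProof.Hashes {
 hb, err := hex.DecodeString(h)
@@ -163,7 +185,8 @@ func verifyTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string
 var entryVerError error
 for _, pubKey := range pubs {
 // Verify inclusion against the signed tree head
-entryVerError = verifyRootHash(ctx, rekorClient, e.Verification.InclusionProof, pubKey.PubKey)
+entryVerError = verifyRootHash(ctx, rekorClient, treeID,
+e.Verification.InclusionProof, pubKey.PubKey)
 if entryVerError == nil {
 break
 }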
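Review bot: The new loop over `logInfo.InactiveShards` in verifyRootHash dereferences `*inactiveShard.TreeID` and `*inactiveShard.SignedTreeHead` without a nil check, so a log-info response that omits either field would panic the verifier instead of returning an error. These values come from the Rekor server and are best handled as untrusted input. The loop also keeps iterating after a match. When `treeID` matches no inactive shard, the code verifies against the active tree's signed tree head without confirming that `treeID` is the active tree; presumably the later root-hash comparison then fails, but that part of verifyRootHash is outside the hunks shown. I would guard the dereferences and stop at the first match, as sketched below, and consider an explicit error when the tree ID is neither the active tree nor a listed inactive shard.

```go
// … unchanged: GetLogInfo call and sth.UnmarshalText of the active tree head …
for _, inactiveShard := range logInfo.InactiveShards {
	// Server-supplied fields: reject a malformed shard entry instead of panicking.
	if inactiveShard.TreeID == nil || inactiveShard.SignedTreeHead == nil {
		return errors.New("inactive shard missing tree ID or signed tree head")
	}
	if *inactiveShard.TreeID != treeIDString {
		continue
	}
	if err := sth.UnmarshalText([]byte(*inactiveShard.SignedTreeHead)); err != nil {
		return err
	}
	break
}
// … unchanged: signature.LoadVerifier and the rest of verifyRootHash …
```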
