attest/signerverifier/common.go

package signerverifier

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"

	"github.com/secure-systems-lab/go-securesystemslib/dsse"
)

func LoadKeyPair(priv []byte) (dsse.SignerVerifier, error) {
	privateKey, err := parsePriv(priv)
	if err != nil {
		return nil, err
	}
	return NewECDSASignerVerifier(privateKey)
}

func parsePriv(privkeyBytes []byte) (*ecdsa.PrivateKey, error) {
	p, _ := pem.Decode(privkeyBytes)
	if p == nil {
		return nil, fmt.Errorf("privkey file does not contain any PEM data")
	}
	if p.Type != "EC PRIVATE KEY" {
		return nil, fmt.Errorf("privkey file does not contain a priavte key")
	}
	privKey, err := x509.ParseECPrivateKey(p.Bytes)
	if err != nil {
		return nil, fmt.Errorf("error failed to parse public key: %w", err)
	}

	return privKey, nil
}

func GenKeyPair() (dsse.SignerVerifier, error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return NewECDSASignerVerifier(signer)
}

// ensure it implements crypto.Signer.
var _ crypto.Signer = (*cryptoSignerWrapper)(nil)

type cryptoSignerWrapper struct {
	sv dsse.SignerVerifier
}

// Public implements crypto.Signer.
func (c *cryptoSignerWrapper) Public() crypto.PublicKey {
	return c.sv.Public()
}

// Sign implements crypto.Signer.
func (c *cryptoSignerWrapper) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) (signature []byte, err error) {
	return c.sv.Sign(context.Background(), digest)
}

func AsCryptoSigner(signer dsse.SignerVerifier) (crypto.Signer, error) {
	return &cryptoSignerWrapper{sv: signer}, nil
}
feat: add tlog and signerverifier 2024-04-19 09:08:31 -05:00			`package signerverifier`

			`import (`
			`"context"`
			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/elliptic"`
			`"crypto/rand"`
Return VSA and rich errors from verification (#38) * Start of richer results from verification * Pull out VSA code from signing * Expose attestation signing fns * Add VSA test * Notes for policy result * Require separate policy for VSA creation * Load test signing key from tests * Return rich object from policy * Add result object schema and fix tests * Ensure example test runs * Remove data.yaml files from mock policies * Don't run example - TUF policy isn't compatible * Add attestation to manifests for all subjects * Ensure adding attestation doesn't touch statements * Don't export sign function * Remove attestations from VerificationResult * Change bool to Outcome enum in result * Use outputLayout directly * Make clearer that Outcome strings are for VSA * Return multiple SLSA levels from policy * Fix unmarshalling of policy-id (#39) * Rename function * Rename policy.VerificationResult -> policy.Result * Re-add test for canonical input --------- Co-authored-by: James Carnegie <james.carnegie@docker.com> Co-authored-by: James Carnegie <kipz@users.noreply.github.com> 2024-05-22 14:49:23 +01:00			`"crypto/x509"`
			`"encoding/pem"`
feat: add tlog and signerverifier 2024-04-19 09:08:31 -05:00			`"fmt"`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`"io"`
feat: add tlog and signerverifier 2024-04-19 09:08:31 -05:00
			`"github.com/secure-systems-lab/go-securesystemslib/dsse"`
			`)`

Return VSA and rich errors from verification (#38) * Start of richer results from verification * Pull out VSA code from signing * Expose attestation signing fns * Add VSA test * Notes for policy result * Require separate policy for VSA creation * Load test signing key from tests * Return rich object from policy * Add result object schema and fix tests * Ensure example test runs * Remove data.yaml files from mock policies * Don't run example - TUF policy isn't compatible * Add attestation to manifests for all subjects * Ensure adding attestation doesn't touch statements * Don't export sign function * Remove attestations from VerificationResult * Change bool to Outcome enum in result * Use outputLayout directly * Make clearer that Outcome strings are for VSA * Return multiple SLSA levels from policy * Fix unmarshalling of policy-id (#39) * Rename function * Rename policy.VerificationResult -> policy.Result * Re-add test for canonical input --------- Co-authored-by: James Carnegie <james.carnegie@docker.com> Co-authored-by: James Carnegie <kipz@users.noreply.github.com> 2024-05-22 14:49:23 +01:00			`func LoadKeyPair(priv []byte) (dsse.SignerVerifier, error) {`
			`privateKey, err := parsePriv(priv)`
			`if err != nil {`
			`return nil, err`
			`}`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`return NewECDSASignerVerifier(privateKey)`
Return VSA and rich errors from verification (#38) * Start of richer results from verification * Pull out VSA code from signing * Expose attestation signing fns * Add VSA test * Notes for policy result * Require separate policy for VSA creation * Load test signing key from tests * Return rich object from policy * Add result object schema and fix tests * Ensure example test runs * Remove data.yaml files from mock policies * Don't run example - TUF policy isn't compatible * Add attestation to manifests for all subjects * Ensure adding attestation doesn't touch statements * Don't export sign function * Remove attestations from VerificationResult * Change bool to Outcome enum in result * Use outputLayout directly * Make clearer that Outcome strings are for VSA * Return multiple SLSA levels from policy * Fix unmarshalling of policy-id (#39) * Rename function * Rename policy.VerificationResult -> policy.Result * Re-add test for canonical input --------- Co-authored-by: James Carnegie <james.carnegie@docker.com> Co-authored-by: James Carnegie <kipz@users.noreply.github.com> 2024-05-22 14:49:23 +01:00			`}`

			`func parsePriv(privkeyBytes []byte) (*ecdsa.PrivateKey, error) {`
			`p, _ := pem.Decode(privkeyBytes)`
			`if p == nil {`
			`return nil, fmt.Errorf("privkey file does not contain any PEM data")`
			`}`
			`if p.Type != "EC PRIVATE KEY" {`
			`return nil, fmt.Errorf("privkey file does not contain a priavte key")`
			`}`
			`privKey, err := x509.ParseECPrivateKey(p.Bytes)`
			`if err != nil {`
			`return nil, fmt.Errorf("error failed to parse public key: %w", err)`
			`}`

			`return privKey, nil`
			`}`

feat: add tlog and signerverifier 2024-04-19 09:08:31 -05:00			`func GenKeyPair() (dsse.SignerVerifier, error) {`
			`signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)`
			`if err != nil {`
			`return nil, err`
			`}`
Use a Factory to create signature verifiers at policy evaluation time (#165) * Make verifiers composable * fix: remove unused code and improve signature verification logic * fix: simplify abstractions and renamed some things * fix: improve tl interface. * fix: sort out signer/verifier 2024-09-18 13:34:10 +01:00			`return NewECDSASignerVerifier(signer)`
			`}`

			`// ensure it implements crypto.Signer.`
			`var _ crypto.Signer = (*cryptoSignerWrapper)(nil)`

			`type cryptoSignerWrapper struct {`
			`sv dsse.SignerVerifier`
			`}`

			`// Public implements crypto.Signer.`
			`func (c *cryptoSignerWrapper) Public() crypto.PublicKey {`
			`return c.sv.Public()`
			`}`

			`// Sign implements crypto.Signer.`
			`func (c *cryptoSignerWrapper) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) (signature []byte, err error) {`
			`return c.sv.Sign(context.Background(), digest)`
			`}`

			`func AsCryptoSigner(signer dsse.SignerVerifier) (crypto.Signer, error) {`
			`return &cryptoSignerWrapper{sv: signer}, nil`
feat: add tlog and signerverifier 2024-04-19 09:08:31 -05:00			`}`