-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Start adding more verification with VerificationOpts struct #153
Conversation
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
cmd/timestamp-cli/app/verify.go
Outdated
cmd.Flags().String("nonce", "", "optional nonce passed with the request") | ||
cmd.Flags().Var(NewFlagValue(oidFlag, ""), "oid", "optional oid passed with the request") | ||
cmd.Flags().String("subject", "", "expected leaf certificate subject") | ||
cmd.Flags().Var(NewFlagValue(fileFlag, ""), "tsa-cert", "path to TSA cert") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: we could omit adding --tsa-
as prefix to the flag.
Q: Is this an intermediate or root cert ?
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
cmd/timestamp-cli/app/verify.go
Outdated
@@ -85,6 +97,62 @@ func runVerify() (interface{}, error) { | |||
return nil, err | |||
} | |||
|
|||
opts, err := verification.NewVerificationOpts(ts, artifact, pemBytes) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@haydentherapper currently all verification is handled in a single function VerifyTimestampResponse
exported from the verification
package. Here I add new verification functions separately. Do you have thoughts on whether all new verification functions should be called from VerifyTimestampResponse
or if they should be called directly from here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it'd be best to have a single exported verification function that performs all other verifications. If you think there's value in exporting the sub-verification functions, maybe we put them under an internal package?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Happy to use a single exported function, I'll make that change.
Signed-off-by: Meredith Lancaster <[email protected]>
pkg/verification/verify.go
Outdated
func NewVerifyOpts() (VerifyOpts, error) { | ||
opts := VerifyOpts{} | ||
|
||
oidFlagVal := viper.GetString("oid") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I might have misunderstood, but we should keep flags out of the core library and just in the client. If you want to have this function that handles things like parsing OIDs, it should take in values that are already read in from the flags. Also, personally I prefer to not have files read from disk as part of the library, so I think this should also be handled in the client and the chain passed into the function.
So I'd say either:
- Move NewVerifyOpts to the client application with all flag parsing there
- Move NewVerifyOpts to the client app, but provide some helper utilities for constructing OIDs and splitting PEM chains into cert pools
- Keep NewVerifyOpts here, but have it take in all values (OID as a string, PEM chain as a string), and read in flags in the client app
Does that seem reasonable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree about keeping the flag parsing in the app
CLI package. Just moved that over.
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
cmd/timestamp-cli/app/verify.go
Outdated
@@ -43,6 +47,10 @@ func addVerifyFlags(cmd *cobra.Command) { | |||
cmd.MarkFlagRequired("timestamp") //nolint:errcheck | |||
cmd.Flags().Var(NewFlagValue(fileFlag, ""), "cert-chain", "path to certificate chain PEM file") | |||
cmd.MarkFlagRequired("cert-chain") //nolint:errcheck | |||
cmd.Flags().String("nonce", "", "optional nonce passed with the request") | |||
cmd.Flags().Var(NewFlagValue(oidFlag, ""), "oid", "optional oid passed with the request") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this refer to the hash algorithm OID ? If so, we might want to explain it in the description.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If so, we could rename this flag to hash-algorithm-oid
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, this refers to the TSA policy OID. I'll update the description to "optional TSA policy OID passed with the request".
cmd/timestamp-cli/app/verify.go
Outdated
if err != nil { | ||
return verification.VerifyOpts{}, fmt.Errorf("failed to parse root and intermediate certs from cert-chain flag: %w", err) | ||
} | ||
if roots != nil && intermediates != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion: The code looks good. I just share a suggestion here, feel free to adjust it.
To avoid all these != nil if statements for all the VerifyOpts fields, you could create functions for verifyOpts as such:
(v *VerifyOpts) OID(...)
where you set the OID if passed.
(v *VerifyOpts) Nonce(...)
where you set the Nonce if passed.
...
So you move all that logic inside these functions and only check for errors here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the VerifyOpts
fields will be initialized to their respective zero values when the struct instance is created, we could just set the fields to the values returned by the getter functions like getCerts
and remove the if statements altogether, since the getters will return zero values if no valid flag value is found. But I'm happy to add methods if you prefer.
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
…icate flag Signed-off-by: Meredith Lancaster <[email protected]>
@haydentherapper there are changes to the |
cmd/timestamp-cli/app/verify.go
Outdated
if err != nil { | ||
return verification.VerifyOpts{}, fmt.Errorf("failed to parse root and intermediate certs from certificate-chain flag: %w", err) | ||
} | ||
if roots != nil && intermediates != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be fine to unconditionally set the options. Also if there's only a root provided and no intermediates, will this conditional be skipped?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes it will be skipped, I'll remove that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, just a few nits
Co-authored-by: Hayden B <[email protected]> Signed-off-by: Meredith Lancaster <[email protected]>
Co-authored-by: Hayden B <[email protected]> Signed-off-by: Meredith Lancaster <[email protected]>
Co-authored-by: Hayden B <[email protected]> Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
…thority into verify-opts-struct
@malancas what do you think if we first merged this PR, rather than wait for the other? Then we'll get the pkcs7 changes merged, update the timestamp repo fork too, and then update verification to pass the intermediates/roots? We won't cut a new release til we get the CA cert verification in |
Signed-off-by: Meredith Lancaster <[email protected]>
@haydentherapper that sounds good. I just want to call out the skipped test We can change the verifySignature function upstream along with the other changes discussed or I can change the code here and make sure the test passes. Let me know what you think. |
@malancas Hm, yea, that's unfortunate. What do you think about updating the verifier to reject timestamps that do not include a certificate? We can leave all the other code in place, just add a TODO to remove the rejection once we update the pkcs7 library. |
Another idea, can you populate |
Looking over the code, the signature is verified against |
@haydentherapper populating |
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome!!
Summary
Part of #121. This PR starts adding additional verification using a VerificationOpts struct. More verification will be added in follow ups after some upstream changes to the timestamp package.
This PR adds the following verifications:
Release Note
Documentation