Added --signing-algorithm flag to verify/verify-blob commands

ret2libc · ret2libc · commit c8076cb9a35f · 2024-01-29T18:07:25.000+01:00
Signed-off-by: Riccardo Schirone &lt;riccardo.schirone@trailofbits.com&gt;
diff --git a/cmd/cosign/cli/options/verify.go b/cmd/cosign/cli/options/verify.go
@@ -16,9 +16,15 @@
 package options
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/spf13/cobra"
 
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign"
+	cosign_v2 "github.com/sigstore/cosign/v2/pkg/cosign"
+	v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	"github.com/sigstore/sigstore/pkg/signature"
 )
 
 type CommonVerifyOptions struct {
@@ -56,13 +62,14 @@ func (o *CommonVerifyOptions) AddFlags(cmd *cobra.Command) {
 
 // VerifyOptions is the top level wrapper for the `verify` command.
 type VerifyOptions struct {
-	Key          string
-	CheckClaims  bool
-	Attachment   string
-	Output       string
-	SignatureRef string
-	PayloadRef   string
-	LocalImage   bool
+	Key              string
+	SigningAlgorithm string
+	CheckClaims      bool
+	Attachment       string
+	Output           string
+	SignatureRef     string
+	PayloadRef       string
+	LocalImage       bool
 
 	CommonVerifyOptions CommonVerifyOptions
 	SecurityKey         SecurityKeyOptions
@@ -90,6 +97,11 @@ func (o *VerifyOptions) AddFlags(cmd *cobra.Command) {
 		"path to the public key file, KMS URI or Kubernetes Secret")
 	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{})
 
+	keyAlgorithmTypes := cosign_v2.GetSupportedAlgorithms()
+	keyAlgorithmHelp := fmt.Sprintf("accepted signing algorithm to use for verifying the signature (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+	defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256)
+	cmd.Flags().StringVar(&o.SigningAlgorithm, "signing-algorithm", defaultKeyFlag, keyAlgorithmHelp)
+
 	cmd.Flags().BoolVar(&o.CheckClaims, "check-claims", true,
 		"whether to check the claims found")
 
@@ -154,9 +166,10 @@ func (o *VerifyAttestationOptions) AddFlags(cmd *cobra.Command) {
 
 // VerifyBlobOptions is the top level wrapper for the `verify blob` command.
 type VerifyBlobOptions struct {
-	Key        string
-	Signature  string
-	BundlePath string
+	Key              string
+	SigningAlgorithm string
+	Signature        string
+	BundlePath       string
 
 	SecurityKey         SecurityKeyOptions
 	CertVerify          CertVerifyOptions
@@ -178,6 +191,11 @@ func (o *VerifyBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the public key file, KMS URI or Kubernetes Secret")
 
+	keyAlgorithmTypes := cosign_v2.GetSupportedAlgorithms()
+	keyAlgorithmHelp := fmt.Sprintf("accepted signing algorithm to use for verifying the signature (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+	defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256)
+	cmd.Flags().StringVar(&o.SigningAlgorithm, "signing-algorithm", defaultKeyFlag, keyAlgorithmHelp)
+
 	cmd.Flags().StringVar(&o.Signature, "signature", "",
 		"signature content or path or remote URL")
 
diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -125,6 +125,7 @@ against the transparency log.`,
 				Attachment:                   o.Attachment,
 				Annotations:                  annotations,
 				HashAlgorithm:                hashAlgorithm,
+				SigningAlgorithm:             o.SigningAlgorithm,
 				SignatureRef:                 o.SignatureRef,
 				PayloadRef:                   o.PayloadRef,
 				LocalImage:                   o.LocalImage,
@@ -315,6 +316,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 
 			ko := options.KeyOpts{
 				KeyRef:               o.Key,
+				SigningAlgorithm:     o.SigningAlgorithm,
 				Sk:                   o.SecurityKey.Use,
 				Slot:                 o.SecurityKey.Slot,
 				RekorURL:             o.Rekor.URL,
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -42,6 +42,7 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
 	"github.com/sigstore/cosign/v2/pkg/oci"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
+	pb_go_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
@@ -74,6 +75,7 @@ type VerifyCommand struct {
 	SignatureRef                 string
 	PayloadRef                   string
 	HashAlgorithm                crypto.Hash
+	SigningAlgorithm             string
 	LocalImage                   bool
 	NameOptions                  []name.Option
 	Offline                      bool
@@ -215,9 +217,23 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		}
 	}
 
-	svOpts := []signature.LoadOption{
-		signatureoptions.WithHash(crypto.SHA256),
-		signatureoptions.WithED25519ph(),
+	var svOpts []signature.LoadOption
+	signingAlgorithm, err := signature.ParseSignatureAlgorithmFlag(c.SigningAlgorithm)
+	if err != nil {
+		// Default to ECDSA_SHA2_256_NISTP256 if no algorithm is specified
+		signingAlgorithm = pb_go_v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256
+	}
+
+	algorithmDetails, err := signature.GetAlgorithmDetails(signingAlgorithm)
+	if err != nil {
+		return err
+	}
+	hashAlgorithm := algorithmDetails.GetHashType()
+	svOpts = []signature.LoadOption{
+		signatureoptions.WithHash(hashAlgorithm),
+	}
+	if algorithmDetails.GetSignatureAlgorithm() == pb_go_v1.KnownSignatureAlgorithm_ED25519_PH {
+		svOpts = append(svOpts, signatureoptions.WithED25519ph())
 	}
 
 	// Keys are optional!
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -17,7 +17,6 @@ package verify
 
 import (
 	"context"
-	"crypto"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -39,6 +38,7 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign/pkcs11key"
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
 	sigs "github.com/sigstore/cosign/v2/pkg/signature"
+	pb_go_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -172,9 +172,23 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 		}
 	}
 
-	svOpts := []signature.LoadOption{
-		signatureoptions.WithHash(crypto.SHA256),
-		signatureoptions.WithED25519ph(),
+	var svOpts []signature.LoadOption
+	signingAlgorithm, err := signature.ParseSignatureAlgorithmFlag(c.KeyOpts.SigningAlgorithm)
+	if err != nil {
+		// Default to ECDSA_SHA2_256_NISTP256 if no algorithm is specified
+		signingAlgorithm = pb_go_v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256
+	}
+
+	algorithmDetails, err := signature.GetAlgorithmDetails(signingAlgorithm)
+	if err != nil {
+		return err
+	}
+	hashAlgorithm := algorithmDetails.GetHashType()
+	svOpts = []signature.LoadOption{
+		signatureoptions.WithHash(hashAlgorithm),
+	}
+	if algorithmDetails.GetSignatureAlgorithm() == pb_go_v1.KnownSignatureAlgorithm_ED25519_PH {
+		svOpts = append(svOpts, signatureoptions.WithED25519ph())
 	}
 
 	// Keys are optional!
