From 89ea82a8ab52cfcaa2a3358e3e2aab38af48c924 Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Tue, 3 Jan 2023 10:31:21 -0600
Subject: [PATCH] fix: add enhanced error messages for failing verification with TUF targets
Signed-off-by: Asra Ali
---
 pkg/cosign/tlog.go | 2 +-
 pkg/cosign/verify.go | 2 +-
 pkg/cosign/verify_sct.go | 26 +++++++++++++++++---------
 3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
index 201999feaa6..aebc10f3df3 100644
--- a/pkg/cosign/tlog.go
+++ b/pkg/cosign/tlog.go
@@ -453,7 +453,7 @@ func VerifyTLogEntryOffline(e *models.LogEntryAnon, rekorPubKeys *TrustedTranspa
 pubKey, ok := rekorPubKeys.Keys[payload.LogID]
 if !ok {
- return errors.New("rekor log public key not found for payload")
+ return errors.New("rekor log public key not found for payload. Check your TUF root (see cosign initialize) or set a custom key with env var SIGSTORE_REKOR_PUBLIC_KEY")
 }
 err = VerifySET(payload, []byte(e.Verification.SignedEntryTimestamp), pubKey.PubKey.(*ecdsa.PublicKey))
 if err != nil {
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 116c8a8a6ef..de6dd766c83 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -1263,7 +1263,7 @@ func TrustedCert(cert *x509.Certificate, roots *x509.CertPool, intermediates *x5
 },
 })
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("cert verification failed: %w. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE", err)
 }
 return chains, nil
 }
diff --git a/pkg/cosign/verify_sct.go b/pkg/cosign/verify_sct.go
index 111de2745d0..eaf9e9cc49f 100644
--- a/pkg/cosign/verify_sct.go
+++ b/pkg/cosign/verify_sct.go
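Review bot: The added `return errors.New(...)` line in tlog.go still does not report which log ID was looked up, so an operator comparing the failure against their TUF targets has to recover `payload.LogID` some other way even though the lookup key is right there on the line above. Including it makes a trust-root mismatch diagnosable from the error alone: `return fmt.Errorf("rekor log public key not found for log ID %q. Check your TUF root (see cosign initialize) or set a custom key with env var SIGSTORE_REKOR_PUBLIC_KEY", payload.LogID)`; confirm `fmt` is already imported in tlog.go, which this hunk does not show. The same applies to the ctfe lookup added in verify_sct.go, where `keyID` is available for the message. VerifyTLogEntryOffline starts and ends outside the hunk.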
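Review bot: The new `fmt.Errorf` line in verify.go attaches the "set a custom root with env var SIGSTORE_ROOT_FILE" hint to every failure returned by the x509 verification above it, but that call can also fail for reasons a different root would not fix (for example a validity or usage problem reported as x509.CertificateInvalidError), so the hint can send an operator to re-initialize their trust root when the certificate itself is the problem. Scoping the hint to x509.UnknownAuthorityError via errors.As keeps the advice accurate and leaves the underlying error wrapped in both cases; this needs `errors` imported in verify.go, which the hunk does not show. Placing the wrapped error at the end of the message rather than mid-sentence is also the more conventional shape, but that is secondary. TrustedCert starts outside the hunk.
```go
	if err != nil {
		var unknownAuthority x509.UnknownAuthorityError
		if errors.As(err, &unknownAuthority) {
			return nil, fmt.Errorf("cert verification failed: %w. Check your TUF root (see cosign initialize) or set a custom root with env var SIGSTORE_ROOT_FILE", err)
		}
		return nil, fmt.Errorf("cert verification failed: %w", err)
	}
	return chains, nil
```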
@@ -45,6 +45,16 @@ func ContainsSCT(cert []byte) (bool, error) {
 return false, nil
 }
+func getCTPublicKey(sct *ct.SignedCertificateTimestamp,
+ pubKeys *TrustedTransparencyLogPubKeys) (*TransparencyLogPubKey, error) {
+ keyID := hex.EncodeToString(sct.LogID.KeyID[:])
+ pubKeyMetadata, ok := pubKeys.Keys[keyID]
+ if !ok {
+ return nil, errors.New("ctfe public key not found for payload. Check your TUF root (see cosign initialize) or set a custom key with env var SIGSTORE_CT_LOG_PUBLIC_KEY_FILE")
+ }
+ return &pubKeyMetadata, nil
+}
+
 // VerifySCT verifies SCTs against the Fulcio CT log public key.
 //
 // The SCT is a `Signed Certificate Timestamp`, which promises that
@@ -92,12 +102,11 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte, pubKeys *T
 // check SCT embedded in certificate
 if len(embeddedSCTs) != 0 {
 for _, sct := range embeddedSCTs {
- keyID := hex.EncodeToString(sct.LogID.KeyID[:])
- pubKeyMetadata, ok := pubKeys.Keys[keyID]
- if !ok {
- return errors.New("ctfe public key not found for embedded SCT")
+ pubKeyMetadata, err := getCTPublicKey(sct, pubKeys)
+ if err != nil {
+ return err
 }
- err := ctutil.VerifySCT(pubKeyMetadata.PubKey, []*ctx509.Certificate{cert, certChain[0]}, sct, true)
+ err = ctutil.VerifySCT(pubKeyMetadata.PubKey, []*ctx509.Certificate{cert, certChain[0]}, sct, true)
 if err != nil {
 return fmt.Errorf("error verifying embedded SCT")
 }
@@ -117,10 +126,9 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte, pubKeys *T
 if err != nil {
 return err
 }
- keyID := hex.EncodeToString(sct.LogID.KeyID[:])
- pubKeyMetadata, ok := pubKeys.Keys[keyID]
- if !ok {
- return errors.New("ctfe public key not found")
+ pubKeyMetadata, err := getCTPublicKey(sct, pubKeys)
+ if err != nil {
+ return err
 }
 err = ctutil.VerifySCT(pubKeyMetadata.PubKey, []*ctx509.Certificate{cert}, sct, false)
 if err != nil {
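Review bot: The new `getCTPublicKey` in the first hunk computes `keyID` and then throws it away when the lookup fails, so the error an operator sees no longer distinguishes "my TUF root lacks this log" from "this SCT names a log I have never trusted" — the old embedded-SCT message at least said which path failed, and the new shared message says neither. Since `fmt` is already used in this file (`fmt.Errorf("error verifying embedded SCT")` in the second hunk), the lookup failure can carry the ID: `return nil, fmt.Errorf("ctfe public key not found for log ID %q. Check your TUF root (see cosign initialize) or set a custom key with env var SIGSTORE_CT_LOG_PUBLIC_KEY_FILE", keyID)`. The function also has no doc comment; `// getCTPublicKey returns the trusted CT log public key whose ID matches sct.LogID, or an error naming the remediation if pubKeys has no entry for it.` is enough. The two call sites in the later hunks need no further change; VerifySCT starts and ends outside them.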