• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1"use strict";
2Object.defineProperty(exports, "__esModule", { value: true });
3exports.Verifier = void 0;
4/*
5Copyright 2023 The Sigstore Authors.
6
7Licensed under the Apache License, Version 2.0 (the "License");
8you may not use this file except in compliance with the License.
9You may obtain a copy of the License at
10
11    http://www.apache.org/licenses/LICENSE-2.0
12
13Unless required by applicable law or agreed to in writing, software
14distributed under the License is distributed on an "AS IS" BASIS,
15WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16See the License for the specific language governing permissions and
17limitations under the License.
18*/
19const util_1 = require("util");
20const error_1 = require("./error");
21const key_1 = require("./key");
22const policy_1 = require("./policy");
23const timestamp_1 = require("./timestamp");
24const tlog_1 = require("./tlog");
25class Verifier {
26    constructor(trustMaterial, options = {}) {
27        this.trustMaterial = trustMaterial;
28        this.options = {
29            ctlogThreshold: options.ctlogThreshold ?? 1,
30            tlogThreshold: options.tlogThreshold ?? 1,
31            tsaThreshold: options.tsaThreshold ?? 0,
32        };
33    }
34    verify(entity, policy) {
35        const timestamps = this.verifyTimestamps(entity);
36        const signer = this.verifySigningKey(entity, timestamps);
37        this.verifyTLogs(entity);
38        this.verifySignature(entity, signer);
39        if (policy) {
40            this.verifyPolicy(policy, signer.identity || {});
41        }
42        return signer;
43    }
44    // Checks that all of the timestamps in the entity are valid and returns them
45    verifyTimestamps(entity) {
46        let tlogCount = 0;
47        let tsaCount = 0;
48        const timestamps = entity.timestamps.map((timestamp) => {
49            switch (timestamp.$case) {
50                case 'timestamp-authority':
51                    tsaCount++;
52                    return (0, timestamp_1.verifyTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities);
53                case 'transparency-log':
54                    tlogCount++;
55                    return (0, timestamp_1.verifyTLogTimestamp)(timestamp.tlogEntry, this.trustMaterial.tlogs);
56            }
57        });
58        // Check for duplicate timestamps
59        if (containsDupes(timestamps)) {
60            throw new error_1.VerificationError({
61                code: 'TIMESTAMP_ERROR',
62                message: 'duplicate timestamp',
63            });
64        }
65        if (tlogCount < this.options.tlogThreshold) {
66            throw new error_1.VerificationError({
67                code: 'TIMESTAMP_ERROR',
68                message: `expected ${this.options.tlogThreshold} tlog timestamps, got ${tlogCount}`,
69            });
70        }
71        if (tsaCount < this.options.tsaThreshold) {
72            throw new error_1.VerificationError({
73                code: 'TIMESTAMP_ERROR',
74                message: `expected ${this.options.tsaThreshold} tsa timestamps, got ${tsaCount}`,
75            });
76        }
77        return timestamps.map((t) => t.timestamp);
78    }
79    // Checks that the signing key is valid for all of the the supplied timestamps
80    // and returns the signer.
81    verifySigningKey({ key }, timestamps) {
82        switch (key.$case) {
83            case 'public-key': {
84                return (0, key_1.verifyPublicKey)(key.hint, timestamps, this.trustMaterial);
85            }
86            case 'certificate': {
87                const result = (0, key_1.verifyCertificate)(key.certificate, timestamps, this.trustMaterial);
88                /* istanbul ignore next - no fixture */
89                if (containsDupes(result.scts)) {
90                    throw new error_1.VerificationError({
91                        code: 'CERTIFICATE_ERROR',
92                        message: 'duplicate SCT',
93                    });
94                }
95                if (result.scts.length < this.options.ctlogThreshold) {
96                    throw new error_1.VerificationError({
97                        code: 'CERTIFICATE_ERROR',
98                        message: `expected ${this.options.ctlogThreshold} SCTs, got ${result.scts.length}`,
99                    });
100                }
101                return result.signer;
102            }
103        }
104    }
105    // Checks that the tlog entries are valid for the supplied content
106    verifyTLogs({ signature: content, tlogEntries }) {
107        tlogEntries.forEach((entry) => (0, tlog_1.verifyTLogBody)(entry, content));
108    }
109    // Checks that the signature is valid for the supplied content
110    verifySignature(entity, signer) {
111        if (!entity.signature.verifySignature(signer.key)) {
112            throw new error_1.VerificationError({
113                code: 'SIGNATURE_ERROR',
114                message: 'signature verification failed',
115            });
116        }
117    }
118    verifyPolicy(policy, identity) {
119        // Check the subject alternative name of the signer matches the policy
120        if (policy.subjectAlternativeName) {
121            (0, policy_1.verifySubjectAlternativeName)(policy.subjectAlternativeName, identity.subjectAlternativeName);
122        }
123        // Check that the extensions of the signer match the policy
124        if (policy.extensions) {
125            (0, policy_1.verifyExtensions)(policy.extensions, identity.extensions);
126        }
127    }
128}
129exports.Verifier = Verifier;
130// Checks for duplicate items in the array. Objects are compared using
131// deep equality.
132function containsDupes(arr) {
133    for (let i = 0; i < arr.length; i++) {
134        for (let j = i + 1; j < arr.length; j++) {
135            if ((0, util_1.isDeepStrictEqual)(arr[i], arr[j])) {
136                return true;
137            }
138        }
139    }
140    return false;
141}
142