1"use strict";
2Object.defineProperty(exports, "__esModule", { value: true });
3exports.verifyTLogSET = void 0;
4/*
5Copyright 2023 The Sigstore Authors.
6
7Licensed under the Apache License, Version 2.0 (the "License");
8you may not use this file except in compliance with the License.
9You may obtain a copy of the License at
10
11    http://www.apache.org/licenses/LICENSE-2.0
12
13Unless required by applicable law or agreed to in writing, software
14distributed under the License is distributed on an "AS IS" BASIS,
15WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16See the License for the specific language governing permissions and
17limitations under the License.
18*/
19const core_1 = require("@sigstore/core");
20const error_1 = require("../error");
21const trust_1 = require("../trust");
/**
 * Verifies the Signed Entry Timestamp (SET) carried by a transparency log
 * entry against the list of trusted transparency logs.
 *
 * The trusted logs are first narrowed with filterTLogAuthorities using the
 * entry's log ID and integrated time. The SET is accepted if it verifies
 * under the public key of at least one of the remaining logs.
 *
 * Success is signalled by returning normally; the function returns no value.
 * Failure is signalled by throwing, so callers must not branch on the return
 * value.
 *
 * @param entry - tlog entry; reads logId.keyId, integratedTime, logIndex,
 *   canonicalizedBody and inclusionPromise.signedEntryTimestamp.
 * @param tlogs - trusted transparency log authorities; publicKey is read from
 *   each candidate.
 * @throws {VerificationError} with code TLOG_INCLUSION_PROMISE_ERROR when no
 *   candidate log verifies the SET, including when filtering leaves no
 *   candidates at all.
 */
function verifyTLogSET(entry, tlogs) {
    // The log ID and timestamp used for selection come from the entry being
    // verified. integratedTime and logID are also part of the payload rebuilt
    // below, so the signature check covers the same values.
    const logID = entry.logId.keyId;
    // integratedTime is multiplied by 1000 before being handed to Date.
    const targetDate = new Date(Number(entry.integratedTime) * 1000);
    const candidates = (0, trust_1.filterTLogAuthorities)(tlogs, { logID, targetDate });
    // Checks the SET against a single candidate log's public key.
    const setVerifiesUnder = (tlog) => {
        // Rebuild the Rekor verification payload and canonicalize it; the
        // resulting UTF-8 bytes are what the signature is checked against.
        const canonical = core_1.json.canonicalize(toVerificationPayload(entry));
        const signedBytes = Buffer.from(canonical, 'utf8');
        // NOTE(review): inclusionPromise is dereferenced without a presence
        // check, so an entry lacking it raises a TypeError here rather than a
        // VerificationError. Presumably the caller guards this; confirm.
        const set = entry.inclusionPromise.signedEntryTimestamp;
        return core_1.crypto.verify(signedBytes, tlog.publicKey, set);
    };
    if (candidates.some(setVerifiesUnder)) {
        return;
    }
    // Fail closed: no trusted log vouched for this entry.
    throw new error_1.VerificationError({
        code: 'TLOG_INCLUSION_PROMISE_ERROR',
        message: 'inclusion promise could not be verified',
    });
}
49exports.verifyTLogSET = verifyTLogSET;
/**
 * Builds the "VerificationPayload" for one transparency log entry, i.e. the
 * object that is canonicalized and checked against the entry's SET.
 *
 * @param entry - tlog entry; reads canonicalizedBody, integratedTime,
 *   logIndex and logId.keyId.
 * @returns an object with body (base64 string), integratedTime (number),
 *   logIndex (number) and logID (hex string).
 */
function toVerificationPayload(entry) {
    const payload = {};
    // canonicalizedBody and logId.keyId are presumably Buffers, since the
    // encoding argument to toString() relies on that; confirm against the
    // entry type.
    payload.body = entry.canonicalizedBody.toString('base64');
    // Number() is exact only up to Number.MAX_SAFE_INTEGER. A larger value
    // would be rounded, and the rebuilt payload would then differ from the
    // original one, so verification would fail rather than pass.
    payload.integratedTime = Number(entry.integratedTime);
    payload.logIndex = Number(entry.logIndex);
    payload.logID = entry.logId.keyId.toString('hex');
    return payload;
}
62