aboutsummaryrefslogtreecommitdiff
path: root/cmd/sigsum/bundle/bundle.go
blob: d0ce207a48e34e1c1f30efb4059568a1a3e67710 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
package bundle

import (
	"bytes"
	"context"
	"fmt"
	"io/ioutil"
	"time"

	"git.sigsum.org/sigsum-go/pkg/requests"
	"git.sigsum.org/sigsum-go/pkg/types"
	"git.sigsum.org/sigsum-tools-go/internal/util"
	"git.sigsum.org/sigsum-tools-go/pkg/client"
	"git.sigsum.org/sigsum-tools-go/pkg/policy"
	"git.sigsum.org/sigsum-tools-go/pkg/signatures"
	"git.sigsum.org/sigsum-tools-go/pkg/signatures/minisign"
	"git.sigsum.org/sigsum-tools-go/pkg/signatures/signify"
	"git.sigsum.org/sigsum-tools-go/pkg/signatures/ssh"
)

func Main(args []string, policy policy.Policy, optType, optKey, optDomainHint string) error {
	if len(args) == 0 {
		return fmt.Errorf("bundle: need at least one input file")
	}
	b, err := ioutil.ReadFile(optKey)
	if err != nil {
		return fmt.Errorf("bundle: read key %q: %v", optKey, err)
	}
	parser, err := signatureParser(optType)
	if err != nil {
		return fmt.Errorf("bundle: %v", err)
	}
	pub, err := parser.PublicKey(bytes.NewBuffer(b))
	if err != nil {
		return fmt.Errorf("bundle: %v", err)
	}
	// TODO: check that domain hint is valid for public key

	var reqs []requests.Leaf
	for _, path := range args {
		preimage, err := util.FileHash(path)
		if err != nil {
			return fmt.Errorf("bundle: %v", err)
		}

		sigPath := path + parser.SignatureSuffix()
		b, err := ioutil.ReadFile(sigPath)
		if err != nil {
			return fmt.Errorf("bundle: failed reading file %q: %v", sigPath, err)
		}
		sig, err := parser.Signature(bytes.NewBuffer(b))
		if err != nil {
			return fmt.Errorf("bundle: %v", err)
		}

		req := requests.Leaf{
			ShardHint:       policy.ShardHint(),
			Preimage:        *preimage,
			Signature:       *sig,
			VerificationKey: *pub,
			DomainHint:      optDomainHint,
		}

		sd := types.Statement{
			ShardHint: req.ShardHint,
			Checksum:  *types.HashFn(req.Preimage[:]),
		}
		if !sd.Verify(&req.VerificationKey, &req.Signature) {
			return fmt.Errorf("bundle: invalid signature for file %q", path)
		}
		reqs = append(reqs, req)
	}

	sc := client.NewSubmitClient(policy)
	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Minute)
	defer cancel()
	bundles, err := sc.AddLeaves(ctx, reqs)
	if err != nil {
		return fmt.Errorf("bundle: %v", err)
	}

	// TODO: verify bundles
	// TODO: write to files
	fmt.Printf("got %d bundles\n", len(bundles))
	return nil
}

func signatureParser(optType string) (signatures.Parser, error) {
	switch optType {
	case "signify":
		return &signify.Parser{}, nil
	case "minisign":
		return &minisign.Parser{}, nil
	case "ssh":
		return &ssh.Parser{}, nil
	}
	return nil, fmt.Errorf("invalid key type %q", optType)
}