github.com/transparency-dev/armored-witness-boot@v0.1.0/crypto/crypto.go (about) 1 // Copyright 2022 The Armored Witness Boot authors. All Rights Reserved. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 //go:build linkramsize 16 17 // crypto contains cryptographic verification support for the bootloader. 18 package crypto 19 20 import ( 21 "encoding/json" 22 "fmt" 23 "log" 24 25 "github.com/transparency-dev/armored-witness-boot/config" 26 abc "github.com/usbarmory/armory-boot/config" 27 ) 28 29 // Verify authenticates the armored-witness-boot configuration hash signatures. 30 func VerifyConfig(c config.Config, buf []byte, pubKeysJSON string, quorum int) (err error) { 31 var pubKeys []string 32 if err = json.Unmarshal([]byte(pubKeysJSON), &pubKeys); err != nil { 33 return 34 } 35 36 if len(pubKeys) < quorum { 37 return fmt.Errorf("invalid configuration, at least %d authentication keys are required", quorum) 38 } 39 40 if len(c.Signatures) < quorum { 41 return fmt.Errorf("invalid configuration, at least %d authentication signatures are required", quorum) 42 } 43 44 n := 0 45 46 for i, pubKey := range pubKeys { 47 log.Printf("armored-witness-boot: authenticating kernel (%s)", pubKey) 48 49 if err = abc.Verify(buf, c.Signatures[i], pubKey); err != nil { 50 log.Printf("armored-witness-boot: %s, %v", pubKey, err) 51 continue 52 } 53 54 n += 1 55 } 56 57 if n < quorum { 58 return fmt.Errorf("invalid configuration, at least %d valid signatures are required", quorum) 59 } 60 61 return 62 }