go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/client/cmd/cloudkms/verify.go

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/client/cmd/cloudkms/verify.go (about)

     1  // Copyright 2020 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package main
    16  
    17  import (
    18  	"context"
    19  	"crypto/ecdsa"
    20  	"crypto/sha256"
    21  	"crypto/x509"
    22  	"encoding/asn1"
    23  	"encoding/pem"
    24  	"fmt"
    25  	"io"
    26  	"math/big"
    27  	"os"
    28  
    29  	"github.com/maruel/subcommands"
    30  
    31  	cloudkms "cloud.google.com/go/kms/apiv1"
    32  	"cloud.google.com/go/kms/apiv1/kmspb"
    33  
    34  	"go.chromium.org/luci/auth"
    35  	"go.chromium.org/luci/common/logging"
    36  )
    37  
    38  func doVerify(ctx context.Context, client *cloudkms.KeyManagementClient, input *os.File, inputSig []byte, keyPath string) error {
    39  	// Verify Elliptic Curve signature.
    40  	var parsedSig struct{ R, S *big.Int }
    41  	if _, err := asn1.Unmarshal(inputSig, &parsedSig); err != nil {
    42  		return fmt.Errorf("asn1.Unmarshal: %v", err)
    43  	}
    44  
    45  	resp, err := client.GetPublicKey(ctx, &kmspb.GetPublicKeyRequest{Name: keyPath})
    46  	if err != nil {
    47  		logging.Errorf(ctx, "Error while making request")
    48  		return err
    49  	}
    50  
    51  	// Parse the key.
    52  	block, _ := pem.Decode([]byte(resp.Pem))
    53  	abstractKey, err := x509.ParsePKIXPublicKey(block.Bytes)
    54  	if err != nil {
    55  		return fmt.Errorf("x509.ParsePKIXPublicKey: %v", err)
    56  	}
    57  	ecKey, ok := abstractKey.(*ecdsa.PublicKey)
    58  	if !ok {
    59  		return fmt.Errorf("key '%s' is not EC", keyPath)
    60  	}
    61  
    62  	hash := sha256.New()
    63  	if _, err := io.Copy(hash, input); err != nil {
    64  		logging.Errorf(ctx, "Error while hashing input")
    65  		return err
    66  	}
    67  	digest := hash.Sum(nil)
    68  	if !ecdsa.Verify(ecKey, digest, parsedSig.R, parsedSig.S) {
    69  		return fmt.Errorf("ecdsa.Verify failed on key: %s", keyPath)
    70  	}
    71  
    72  	return nil
    73  }
    74  
    75  func cmdVerify(authOpts auth.Options) *subcommands.Command {
    76  	return &subcommands.Command{
    77  		UsageLine: "verify <options> <key_path>",
    78  		ShortDesc: "verify a signature that was previously created using a key in Cloud KMS",
    79  		LongDesc: `Verify a signature that was previously created with a key stored in Cloud KMS.
    80  
    81  At this time, this tool assumes that all signatures are on SHA-256 digests and
    82  all keys are EC_SIGN_P256_SHA256.
    83  
    84  <key_path> refers to the path to the public crypto key. e.g.
    85  
    86  projects/<project>/locations/<location>/keyRings/<keyRing>/cryptoKeys/<cryptoKey>/cryptoKeyVersions/<version>
    87  
    88  Exit code will be 0 if verification successful`,
    89  		CommandRun: func() subcommands.CommandRun {
    90  			c := verifyRun{doVerify: doVerify}
    91  			c.Init(authOpts)
    92  			return &c
    93  		},
    94  	}
    95  }