feat: implement signature verification

Author: ctron

Cargo.lock

@@ -122,6 +122,7 @@ serde-cyclonedx = "0.9.1"
 serde_json = "1.0.114"
 serde_with = { version = "3.12.0", features = ["base64"] }
 serde_yml = { package = "serde_yaml_ng", version = "0.10" }
+sequoia-openpgp = { version = "2", default-features = false }
 sha2 = "0.10.8"
 spdx = "0.10.6"
 spdx-expression = "0.5.2"

Cargo.toml

@@ -71,14 +71,27 @@ mod default {
     }
 }
 
-// NOTE: This struct must be aligned with the struct in the [`paginated`] macro below.
+/// Paginated results
+///
+/// This carries the requested page, plus the total number of items matching the request.
 #[derive(Clone, Debug, PartialEq, Eq, serde::Deserialize, serde::Serialize, ToSchema)]
 #[serde(rename_all = "camelCase")]
 pub struct PaginatedResults<R> {
+    /// The page of items
     pub items: Vec<R>,
+    /// The total number of items
     pub total: u64,
 }
 
+impl<R> Default for PaginatedResults<R> {
+    fn default() -> Self {
+        Self {
+            items: vec![],
+            total: 0,
+        }
+    }
+}
+
 impl<R> PaginatedResults<R> {
     /// Create a new paginated result
     pub async fn new<C, S1, S2>(

common/src/model.rs

@@ -42,9 +42,11 @@ serde_json = { workspace = true }
 spdx = { workspace = true, features = ["text"] }
 strum = { workspace = true }
 tar = { workspace = true }
+tempfile = { workspace = true }
 thiserror = { workspace = true }
 time = { workspace = true }
 tokio = { workspace = true, features = ["full"] }
+tokio-util = { workspace = true }
 tracing = { workspace = true }
 tracing-futures = { workspace = true, features = ["futures-03"] }
 utoipa = { workspace = true, features = ["actix_extras", "uuid", "time"] }

modules/fundamental/Cargo.toml

@@ -17,6 +17,7 @@ use config::Config;
 use futures_util::TryStreamExt;
 use sea_orm::TransactionTrait;
 use std::str::FromStr;
+use tokio_util::io::StreamReader;
 use trustify_auth::{CreateAdvisory, DeleteAdvisory, ReadAdvisory, authorizer::Require};
 use trustify_common::{
     db::{Database, query::Query},
@@ -26,9 +27,10 @@ use trustify_common::{
 };
 use trustify_entity::labels::Labels;
 use trustify_module_ingestor::service::{Format, Ingest, IngestorService};
+use trustify_module_signature::model::VerificationResult;
 use trustify_module_signature::{
     model::Signature,
-    service::{DocumentType, SignatureService},
+    service::{DocumentType, SignatureService, TrustAnchorService},
 };
 use trustify_module_storage::service::StorageBackend;
 use utoipa::IntoParams;
@@ -40,18 +42,21 @@ pub fn configure(
 ) {
     let advisory_service = AdvisoryService::new(db.clone());
     let purl_service = PurlService::new();
+    let signature_service = SignatureService::new();
 
     config
         .app_data(web::Data::new(db))
         .app_data(web::Data::new(advisory_service))
         .app_data(web::Data::new(purl_service))
+        .app_data(web::Data::new(signature_service))
         .app_data(web::Data::new(Config { upload_limit }))
         .service(all)
         .service(get)
         .service(delete)
         .service(upload)
         .service(download)
         .service(list_signatures)
+        .service(verify_signatures)
         .service(label::set)
         .service(label::update);
 }
@@ -275,15 +280,91 @@ pub async fn download(
 #[get("/v2/advisory/{key}/signature")]
 pub async fn list_signatures(
     db: web::Data<Database>,
+    service: web::Data<SignatureService>,
     key: web::Path<String>,
     web::Query(paginated): web::Query<Paginated>,
     _: Require<ReadAdvisory>,
 ) -> Result<impl Responder, Error> {
     let id = Id::from_str(&key).map_err(Error::IdKey)?;
 
-    let result = SignatureService
-        .list_signatures(DocumentType::Sbom, id, paginated, db.get_ref())
+    let result = service
+        .list_signatures(DocumentType::Advisory, id, paginated, db.get_ref())
         .await?;
 
     Ok(HttpResponse::Ok().json(result))
 }
+
+/// Get signatures of an SBOM
+#[utoipa::path(
+    tag = "advisory",
+    operation_id = "verifyAdvisorySignatures",
+    params(
+        ("key" = Id, Path),
+    ),
+    responses(
+        (status = 200, description = "Signatures of an advisory", body = PaginatedResults<VerificationResult>),
+        (status = 404, description = "The document could not be found"),
+    )
+)]
+#[get("/v2/advisory/{key}/verify")]
+#[allow(clippy::too_many_arguments)]
+pub async fn verify_signatures(
+    db: web::Data<Database>,
+    signature_service: web::Data<SignatureService>,
+    trust_anchor_service: web::Data<TrustAnchorService>,
+    ingestor: web::Data<IngestorService>,
+    advisory: web::Data<AdvisoryService>,
+    key: web::Path<String>,
+    web::Query(paginated): web::Query<Paginated>,
+    _: Require<ReadAdvisory>,
+) -> Result<impl Responder, Error> {
+    let id = Id::from_str(&key).map_err(Error::IdKey)?;
+
+    // fetch signatures of the document
+    let result = signature_service
+        .list_signatures(DocumentType::Advisory, id.clone(), paginated, db.get_ref())
+        .await?;
+
+    if result.items.is_empty() {
+        // early exit, so we don't need to fetch content or trust anchors.
+        return Ok(HttpResponse::Ok().json(PaginatedResults::<VerificationResult>::default()));
+    }
+
+    // look up document by id
+    let Some(advisory) = advisory
+        .fetch_advisory(id.clone(), db.as_ref())
+        .await?
+        .and_then(|advisory| advisory.source_document)
+    else {
+        return Ok(HttpResponse::NotFound().finish());
+    };
+
+    let stream = ingestor
+        .get_ref()
+        .storage()
+        .clone()
+        .retrieve(advisory.try_into()?)
+        .await
+        .map_err(Error::Storage)?;
+
+    let Some(stream) = stream else {
+        return Ok(HttpResponse::NotFound().finish());
+    };
+
+    let content = tempfile::tempfile()?;
+    tokio::io::copy(
+        &mut StreamReader::new(
+            stream.map_err(|err| std::io::Error::new(std::io::ErrorKind::Other, err.to_string())),
+        ),
+        &mut tokio::fs::File::from_std(content.try_clone().map_err(|err| Error::Any(err.into()))?),
+    )
+    .await
+    .map_err(|err| Error::Any(err.into()))?;
+
+    let result = PaginatedResults {
+        items: trust_anchor_service.verify(result.items, content).await?,
+        total: result.total,
+    };
+
+    Ok(HttpResponse::Ok().json(result))
+}

modules/fundamental/src/advisory/endpoints/mod.rs

@@ -55,11 +55,13 @@ pub fn configure(
 ) {
     let sbom_service = SbomService::new(db.clone());
     let purl_service = PurlService::new();
+    let signature_service = SignatureService::new();
 
     config
         .app_data(web::Data::new(db))
         .app_data(web::Data::new(sbom_service))
         .app_data(web::Data::new(purl_service))
+        .app_data(web::Data::new(signature_service))
         .app_data(web::Data::new(Config { upload_limit }))
         .service(all)
         .service(all_related)
@@ -529,13 +531,14 @@ pub async fn download(
 #[get("/v2/sbom/{key}/signature")]
 pub async fn list_signatures(
     db: web::Data<Database>,
+    service: web::Data<SignatureService>,
     key: web::Path<String>,
     web::Query(paginated): web::Query<Paginated>,
     _: Require<ReadSbom>,
 ) -> Result<impl Responder, Error> {
     let id = Id::from_str(&key).map_err(Error::IdKey)?;
 
-    let result = SignatureService
+    let result = service
         .list_signatures(DocumentType::Sbom, id, paginated, db.get_ref())
         .await?;
 

modules/fundamental/src/sbom/endpoints/mod.rs

@@ -10,20 +10,21 @@ trustify-auth = { workspace = true }
 trustify-common = { workspace = true }
 trustify-entity = { workspace = true }
 
-actix-http = { workspace = true }
 actix-web = { workspace = true }
 anyhow = { workspace = true }
 json-merge-patch = { workspace = true }
 log = { workspace = true }
 sea-orm = { workspace = true }
 sea-query = { workspace = true }
+sequoia-openpgp = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde_with = { workspace = true }
 thiserror = { workspace = true }
+tokio = { workspace = true }
 tracing = { workspace = true }
-tracing-futures = { workspace = true, features = ["futures-03"] }
 utoipa = { workspace = true, features = ["actix_extras", "uuid", "time"] }
 utoipa-actix-web = { workspace = true }
+walker-common = { workspace = true }
 
 [dev-dependencies]

modules/signature/Cargo.toml

@@ -87,3 +87,10 @@ pub struct TrustAnchorData {
     #[serde_as(as = "serde_with::base64::Base64")]
     pub payload: Vec<u8>,
 }
+
+#[derive(Clone, Debug, Serialize, Deserialize, utoipa::ToSchema, Eq, PartialEq)]
+#[serde(rename_all = "camelCase")]
+pub struct VerificationResult {
+    pub signature: Signature,
+    pub trust_anchors: Vec<TrustAnchor>,
+}

modules/signature/src/model/mod.rs

@@ -1,16 +1,27 @@
-use crate::{error::Error, error::PatchError, model::TrustAnchor, model::TrustAnchorData};
+mod pgp;
+
+use crate::{
+    error::{Error, PatchError},
+    model::{Signature, TrustAnchor, TrustAnchorData, VerificationResult},
+    service::trust_anchor::pgp::Anchor,
+};
 use sea_orm::{
     ActiveModelTrait, ColumnTrait, ConnectionTrait, EntityTrait, PaginatorTrait, QueryOrder, Set,
     prelude::Uuid, query::QueryFilter,
 };
 use sea_query::{Expr, Order, SimpleExpr};
-use std::fmt::{Debug, Display};
+use sequoia_openpgp::{Cert, cert::CertParser, parse::Parse};
+use std::time::SystemTime;
+use std::{
+    fmt::{Debug, Display},
+    fs::File,
+};
 use tracing::instrument;
 use trustify_common::{
     db::{Database, DatabaseErrors, limiter::LimiterTrait},
     model::{Paginated, PaginatedResults, Revisioned},
 };
-use trustify_entity::trust_anchor;
+use trustify_entity::{signature_type::SignatureType, trust_anchor};
 
 /// A service managing trust anchors for signatures of documents.
 pub struct TrustAnchorService {
@@ -190,4 +201,71 @@ impl TrustAnchorService {
 
         Ok(result.rows_affected > 0)
     }
+
+    #[instrument(skip(self, signatures))]
+    pub async fn verify(
+        &self,
+        signatures: Vec<Signature>,
+        content: File,
+    ) -> Result<Vec<VerificationResult>, Error> {
+        let anchors = trust_anchor::Entity::find().all(&self.db).await?;
+
+        let now = SystemTime::now();
+
+        let anchors: Vec<_> = anchors
+            .into_iter()
+            .filter(|a| !a.disabled)
+            .filter_map(|anchor| match anchor.r#type {
+                SignatureType::Pgp => CertParser::from_bytes(&anchor.payload)
+                    .ok()
+                    .and_then(|certificates| certificates.collect::<Result<Vec<Cert>, _>>().ok())
+                    .map(|certificates| {
+                        (
+                            TrustAnchor::from(anchor),
+                            Anchor::Pgp {
+                                certificates,
+                                // TODO: allow specifying time for v3 signatures
+                                policy_time: now,
+                            },
+                        )
+                    }),
+            })
+            .collect();
+
+        let mut result = Vec::with_capacity(signatures.len());
+
+        for signature in signatures {
+            log::trace!("Signature: {:?}", signature);
+
+            let mut trust_anchors = vec![];
+
+            for anchor in &anchors {
+                log::trace!("  Anchor: {:?}", anchor);
+
+                match anchor
+                    .1
+                    .validate(
+                        &signature,
+                        content.try_clone().map_err(|err| Error::Any(err.into()))?,
+                    )
+                    .await
+                {
+                    Ok(()) => {
+                        // TODO: report result
+                        trust_anchors.push(anchor.0.clone());
+                    }
+                    Err(err) => {
+                        log::debug!("Failed: {err}");
+                    }
+                }
+            }
+
+            result.push(VerificationResult {
+                signature,
+                trust_anchors,
+            });
+        }
+
+        Ok(result)
+    }
 }