Skip to content

Commit

Permalink
Ensure that output is canonicalized
Browse files Browse the repository at this point in the history
  • Loading branch information
znewman01 committed Apr 17, 2022
1 parent 4f2830e commit 2ef1544
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 4 deletions.
14 changes: 10 additions & 4 deletions repo.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (
"strings"
"time"

"github.com/secure-systems-lab/go-securesystemslib/cjson"
"github.com/theupdateframework/go-tuf/data"
"github.com/theupdateframework/go-tuf/internal/roles"
"github.com/theupdateframework/go-tuf/internal/signer"
Expand Down Expand Up @@ -508,12 +509,12 @@ func (r *Repo) setTopLevelMeta(roleFilename string, meta interface{}) error {
return r.local.SetMeta(roleFilename, b)
}

// SignPayload signs the payload in signed to sign the keys associated with role.
// SignPayload signs the given payload using the key(s) associated with role.
//
// It returns the total number of keys used for signing, 0 (along with
// ErrInsufficientKeys) if no keys were found, or -1 (along with an error) in
// error cases.
func (r *Repo) SignPayload(role string, signed *data.Signed) (int, error) {
func (r *Repo) SignPayload(role string, payload *data.Signed) (int, error) {
if !roles.IsTopLevelRole(role) {
return -1, ErrInvalidRole{role, "only signing top-level metadata supported"}
}
Expand All @@ -526,7 +527,7 @@ func (r *Repo) SignPayload(role string, signed *data.Signed) (int, error) {
return 0, ErrInsufficientKeys{role}
}
for _, k := range keys {
if err = sign.Sign(signed, k); err != nil {
if err = sign.Sign(payload, k); err != nil {
return -1, err
}
}
Expand Down Expand Up @@ -1080,5 +1081,10 @@ func (r *Repo) Payload(roleFilename string) ([]byte, error) {
return nil, err
}

return s.Signed, nil
p, err := cjson.EncodeCanonical(s.Signed)
if err != nil {
return nil, err
}

return p, nil
}
9 changes: 9 additions & 0 deletions repo_test.go
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package tuf

import (
"bytes"
"crypto"
"crypto/rand"
"encoding/hex"
Expand Down Expand Up @@ -1894,6 +1895,14 @@ func (rs *RepoSuite) TestOfflineFlow(c *C) {
payload, err := r.Payload("root.json")
c.Assert(err, IsNil)

root, err := r.SignedMeta("root.json")
c.Assert(err, IsNil)
rootCanonical, err := cjson.EncodeCanonical(root.Signed)
c.Assert(err, IsNil)
if !bytes.Equal(payload, rootCanonical) {
c.Fatalf("Payload(): not canonical.\n%s\n%s", string(payload), string(rootCanonical))
}

// Sign the payload
signed := data.Signed{Signed: payload}
_, err = r.SignPayload("badrole", &signed)
Expand Down

0 comments on commit 2ef1544

Please sign in to comment.