From b4554f4d14983659ea1dd306ccc35de555aac353 Mon Sep 17 00:00:00 2001
From: Matt Jibson <matt.jibson@gmail.com>
Date: Tue, 20 Oct 2015 02:08:45 -0400
Subject: [PATCH] Verify signed manifests

fixes #394
---
 endpoints/v2/manifest.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/endpoints/v2/manifest.py b/endpoints/v2/manifest.py
index 28704d82f..917de3621 100644
--- a/endpoints/v2/manifest.py
+++ b/endpoints/v2/manifest.py
@@ -8,7 +8,7 @@ import json
 
 from flask import make_response, request, url_for
 from collections import namedtuple, OrderedDict
-from jwkest.jws import SIGNER_ALGS
+from jwkest.jws import SIGNER_ALGS, keyrep
 from datetime import datetime
 
 from app import storage, docker_v2_signing_key
@@ -69,7 +69,15 @@ class SignedManifest(object):
     self._validate()
 
   def _validate(self):
-    pass
+    for signature in self._signatures:
+      bytes_to_verify = '{0}.{1}'.format(signature['protected'], jwt.utils.base64url_encode(self.payload))
+      signer = SIGNER_ALGS[signature['header']['alg']]
+      key = keyrep(signature['header']['jwk'])
+      gk = key.get_key()
+      sig = jwt.utils.base64url_decode(signature['signature'].encode('utf-8'))
+      verified = signer.verify(bytes_to_verify, sig, gk)
+      if not verified:
+        raise ValueError('manifest file failed signature verification')
 
   @property
   def signatures(self):