Merge pull request #668 from mjibson/jws-verify
Verify signed manifests
This commit is contained in:
commit
d24e69df2d
1 changed files with 10 additions and 2 deletions
@ -8,7 +8,7 @@ import json
|
||||||
|
|
||||||
from flask import make_response, request, url_for
|
from flask import make_response, request, url_for
|
||||||
from collections import namedtuple, OrderedDict
|
from collections import namedtuple, OrderedDict
|
||||||
from jwkest.jws import SIGNER_ALGS
|
from jwkest.jws import SIGNER_ALGS, keyrep
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
|
|
||||||
from app import storage, docker_v2_signing_key
|
from app import storage, docker_v2_signing_key
|
||||||
|
@ -69,7 +69,15 @@ class SignedManifest(object):
|
||||||
self._validate()
|
self._validate()
|
||||||
|
|
||||||
def _validate(self):
|
def _validate(self):
|
||||||
pass
|
for signature in self._signatures:
|
||||||
|
bytes_to_verify = '{0}.{1}'.format(signature['protected'], jwt.utils.base64url_encode(self.payload))
|
||||||
|
signer = SIGNER_ALGS[signature['header']['alg']]
|
||||||
|
key = keyrep(signature['header']['jwk'])
|
||||||
|
gk = key.get_key()
|
||||||
|
sig = jwt.utils.base64url_decode(signature['signature'].encode('utf-8'))
|
||||||
|
verified = signer.verify(bytes_to_verify, sig, gk)
|
||||||
|
if not verified:
|
||||||
|
raise ValueError('manifest file failed signature verification')
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def signatures(self):
|
def signatures(self):
|
||||||
|
|
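Review bot: An empty `_signatures` list passes the new `_validate` unchanged — the `for` body never runs and nothing is raised, so a manifest carrying no signatures at all is accepted as verified; a guard before the loop, `if not self._signatures: raise ValueError('manifest file has no signatures')`, closes that. The verifying key is taken from the signature's own unprotected header (`keyrep(signature['header']['jwk'])`), so a passing check establishes integrity under a key the manifest itself supplied, not that the signer is trusted; unless a caller outside this hunk compares `gk` against a trusted key (the module imports `docker_v2_signing_key`, but that comparison is not visible here), a comment on the method should state that trust in the key is established elsewhere. `alg` is likewise read from the untrusted header, so a missing or unsupported value (and, if `SIGNER_ALGS` maps `'none'` to `None` as jwkest's table does, a `none` signature) surfaces as a KeyError or AttributeError rather than the ValueError callers presumably catch, which deserves an explicit `except (KeyError, AttributeError): raise ValueError(...)` or an allow-list of accepted algorithms. The enclosing `SignedManifest` class continues outside the hunk.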