component-store 0.3.0

Store abstraction and verification for Greentic components
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149

use sha2::{Digest as _, Sha256};
use thiserror::Error;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DigestAlgorithm {
    Sha256,
}

#[derive(Debug, Clone)]
pub struct DigestPolicy {
    algorithm: DigestAlgorithm,
    expected: Option<String>,
    required: bool,
}

impl DigestPolicy {
    pub fn sha256(expected: Option<String>, required: bool) -> Self {
        Self {
            algorithm: DigestAlgorithm::Sha256,
            expected,
            required,
        }
    }

    pub fn expected(&self) -> Option<&str> {
        self.expected.as_deref()
    }

    pub fn verify(&self, bytes: &[u8]) -> Result<VerifiedDigest, VerificationError> {
        let computed = match self.algorithm {
            DigestAlgorithm::Sha256 => {
                let digest = Sha256::digest(bytes);
                VerifiedDigest {
                    algorithm: DigestAlgorithm::Sha256,
                    value: hex::encode(digest),
                }
            }
        };

        if let Some(expected) = &self.expected {
            if !equal_digest(expected, &computed.value) {
                return Err(VerificationError::DigestMismatch {
                    expected: expected.clone(),
                    actual: computed.value,
                });
            }
        } else if self.required {
            return Err(VerificationError::DigestMissing);
        }

        Ok(computed)
    }
}

#[derive(Debug, Clone)]
pub enum SignaturePolicy {
    Disabled,
    Cosign { required: bool },
}

impl SignaturePolicy {
    pub fn cosign_required() -> Self {
        SignaturePolicy::Cosign { required: true }
    }

    pub fn cosign_optional() -> Self {
        SignaturePolicy::Cosign { required: false }
    }

    pub fn verify(&self, _bytes: &[u8]) -> Result<VerifiedSignature, VerificationError> {
        match self {
            SignaturePolicy::Disabled => Ok(VerifiedSignature::Skipped),
            SignaturePolicy::Cosign { required } => {
                if *required {
                    Err(VerificationError::SignatureNotImplemented(
                        "cosign signature verification required".into(),
                    ))
                } else {
                    Ok(VerifiedSignature::Skipped)
                }
            }
        }
    }
}

#[derive(Debug, Clone, Default)]
pub struct VerificationPolicy {
    pub digest: Option<DigestPolicy>,
    pub signature: Option<SignaturePolicy>,
}

impl VerificationPolicy {
    pub fn verify(&self, bytes: &[u8]) -> Result<VerificationReport, VerificationError> {
        let digest = match &self.digest {
            Some(policy) => Some(policy.verify(bytes)?),
            None => None,
        };
        let signature = match &self.signature {
            Some(policy) => Some(policy.verify(bytes)?),
            None => None,
        };
        Ok(VerificationReport { digest, signature })
    }
}

#[derive(Debug, Clone)]
pub struct VerificationReport {
    pub digest: Option<VerifiedDigest>,
    pub signature: Option<VerifiedSignature>,
}

#[derive(Debug, Clone)]
pub struct VerifiedDigest {
    pub algorithm: DigestAlgorithm,
    pub value: String,
}

impl VerifiedDigest {
    pub fn compute(algorithm: DigestAlgorithm, bytes: &[u8]) -> Self {
        match algorithm {
            DigestAlgorithm::Sha256 => {
                let digest = Sha256::digest(bytes);
                Self {
                    algorithm,
                    value: hex::encode(digest),
                }
            }
        }
    }
}

#[derive(Debug, Clone)]
pub enum VerifiedSignature {
    Skipped,
}

#[derive(Debug, Error)]
pub enum VerificationError {
    #[error("digest check required but no expected value provided")]
    DigestMissing,
    #[error("digest mismatch (expected {expected}, actual {actual})")]
    DigestMismatch { expected: String, actual: String },
    #[error("signature verification not implemented: {0}")]
    SignatureNotImplemented(String),
}

fn equal_digest(expected: &str, actual: &str) -> bool {
    expected.eq_ignore_ascii_case(actual)
}