From 39198445210cc5d5335e0c15af43340e360168ea Mon Sep 17 00:00:00 2001
From: Bob Callaway <bobcallaway@users.noreply.github.com>
Date: Thu, 28 Oct 2021 06:55:51 -0700
Subject: [PATCH] check that entry UUID == leafHash of returned entry (#469)

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
---
 cmd/rekor-cli/app/verify.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/cmd/rekor-cli/app/verify.go b/cmd/rekor-cli/app/verify.go
index 80e071c..2e2cff1 100644
--- a/cmd/rekor-cli/app/verify.go
+++ b/cmd/rekor-cli/app/verify.go
@@ -16,7 +16,9 @@
 package app
 
 import (
+	"bytes"
 	"context"
+	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"math/bits"
@@ -136,6 +138,7 @@ var verifyCmd = &cobra.Command{
 		logEntry := resp.Payload[0]
 
 		var o *verifyCmdOutput
+		var entryBytes []byte
 		for k, v := range logEntry {
 			o = &verifyCmdOutput{
 				RootHash:  *v.Verification.InclusionProof.RootHash,
@@ -144,6 +147,19 @@ var verifyCmd = &cobra.Command{
 				Size:      *v.Verification.InclusionProof.TreeSize,
 				Hashes:    v.Verification.InclusionProof.Hashes,
 			}
+			entryBytes, err = base64.StdEncoding.DecodeString(v.Body.(string))
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if viper.IsSet("uuid") && (viper.GetString("uuid") != o.EntryUUID) {
+			return nil, fmt.Errorf("unexpected entry returned from rekor server")
+		}
+
+		leafHash, _ := hex.DecodeString(o.EntryUUID)
+		if !bytes.Equal(rfc6962.DefaultHasher.HashLeaf(entryBytes), leafHash) {
+			return nil, fmt.Errorf("computed leaf hash did not match entry UUID")
 		}
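Review bot: The decode error from `hex.DecodeString(o.EntryUUID)` is discarded on the new `leafHash, _ :=` line, so a UUID that is not valid hex yields a truncated or empty `leafHash` and the check then fails with the misleading "computed leaf hash did not match entry UUID" message instead of naming the real cause; the same applies to the unchecked `v.Body.(string)` assertion, which panics rather than returning an error if a server ever sends a non-string body. I would check both results and return a wrapped error. If the server canonicalises UUIDs to lowercase hex while a caller passes uppercase, the new `viper.GetString("uuid") != o.EntryUUID` comparison would reject a correct entry — I cannot tell from the hunk, so `strings.EqualFold` may be worth considering there. The enclosing RunE function starts and ends outside this hunk.
```go
			body, ok := v.Body.(string)
			if !ok {
				return nil, fmt.Errorf("unexpected body type %T for entry %s", v.Body, k)
			}
			entryBytes, err = base64.StdEncoding.DecodeString(body)
			if err != nil {
				return nil, err
			}
		// … unchanged: end of loop, uuid flag check …
		leafHash, err := hex.DecodeString(o.EntryUUID)
		if err != nil {
			return nil, fmt.Errorf("decoding entry UUID %q: %w", o.EntryUUID, err)
		}
		if !bytes.Equal(rfc6962.DefaultHasher.HashLeaf(entryBytes), leafHash) {
```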
 
 		hashes := [][]byte{}
@@ -153,7 +169,6 @@ var verifyCmd = &cobra.Command{
 		}
 
 		rootHash, _ := hex.DecodeString(o.RootHash)
-		leafHash, _ := hex.DecodeString(o.EntryUUID)
 
 		v := logverifier.New(rfc6962.DefaultHasher)
 		if err := v.VerifyInclusionProof(o.Index, o.Size, hashes, rootHash, leafHash); err != nil {
-- 
GitLab