func VerifySignatures(s *data.Signed, role string, db *keys.DB) error {
if len(s.Signatures) == 0 {
return ErrNoSignatures
}
roleData := db.GetRole(role)
if roleData == nil {
return ErrUnknownRole
}
var decoded map[string]interface{}
if err := json.Unmarshal(s.Signed, &decoded); err != nil {
return err
}
msg, err := cjson.Marshal(decoded)
if err != nil {
return err
}
valid := make(map[string]struct{})
var sigBytes [ed25519.SignatureSize]byte
for _, sig := range s.Signatures {
if sig.Method != "ed25519" {
return ErrWrongMethod
}
if len(sig.Signature) != len(sigBytes) {
return ErrInvalid
}
if !roleData.ValidKey(sig.KeyID) {
continue
}
key := db.GetKey(sig.KeyID)
if key == nil {
continue
}
copy(sigBytes[:], sig.Signature)
if !ed25519.Verify(&key.Public, msg, &sigBytes) {
return ErrInvalid
}
valid[sig.KeyID] = struct{}{}
}
if len(valid) < roleData.Threshold {
return ErrRoleThreshold
}
return nil
}
func (v Ed25519Verifier) Verify(key []byte, msg []byte, sig []byte) error {
var sigBytes [ed25519.SignatureSize]byte
if len(sig) != len(sigBytes) {
return ErrInvalid
}
copy(sigBytes[:], sig)
var keyBytes [ed25519.PublicKeySize]byte
copy(keyBytes[:], key)
if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
return ErrInvalid
}
return nil
}