reuse dsse signature wrappers instead of having a copy (#912)
Signed-off-by: Bob Callaway <bcallaway@google.com>
bobcallaway authored Jul 8, 2022
1 parent fb4ed40 commit 25dbcf5
Showing 2 changed files with 8 additions and 63 deletions.
54 changes: 4 additions & 50 deletions pkg/types/intoto/v0.0.1/entry.go
Expand Up @@ -43,7 +43,7 @@ import (
"github.com/sigstore/rekor/pkg/types"
"github.com/sigstore/rekor/pkg/types/intoto"
"github.com/sigstore/sigstore/pkg/signature"
"github.com/sigstore/sigstore/pkg/signature/options"
dsse_verifier "github.com/sigstore/sigstore/pkg/signature/dsse"
)

const (
Expand Down Expand Up @@ -232,26 +232,12 @@ func (v *V001Entry) validate() error {
if err != nil {
return err
}
dsseVerifier, err := dsse.NewEnvelopeSigner(&verifier{
v: vfr,
pub: pk,
})
if err != nil {
return err
}

if v.IntotoObj.Content.Envelope == "" {
return nil
}
dsseVerifier := dsse_verifier.WrapVerifier(vfr)

if err := json.Unmarshal([]byte(v.IntotoObj.Content.Envelope), &v.env); err != nil {
if err := dsseVerifier.VerifySignature(strings.NewReader(v.IntotoObj.Content.Envelope), nil); err != nil {
return err
}

if _, err := dsseVerifier.Verify(&v.env); err != nil {
return err
}
return nil
return json.Unmarshal([]byte(v.IntotoObj.Content.Envelope), &v.env)
}

// AttestationKey returns the digest of the attestation that was uploaded, to be used to lookup the attestation from storage
Expand All @@ -275,38 +261,6 @@ func (v *V001Entry) AttestationKeyValue() (string, []byte) {
return attKey, attBytes
}

type verifier struct {
s signature.Signer
v signature.Verifier
pub crypto.PublicKey
}

func (v *verifier) KeyID() (string, error) {
return "", nil
}

func (v *verifier) Public() crypto.PublicKey {
return v.pub
}

func (v *verifier) Sign(data []byte) (sig []byte, err error) {
if v.s == nil {
return nil, errors.New("nil signer")
}
sig, err = v.s.SignMessage(bytes.NewReader(data), options.WithCryptoSignerOpts(crypto.SHA256))
if err != nil {
return nil, err
}
return sig, nil
}

func (v *verifier) Verify(data, sig []byte) error {
if v.v == nil {
return errors.New("nil verifier")
}
return v.v.VerifySignature(bytes.NewReader(sig), bytes.NewReader(data))
}

func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.ArtifactProperties) (models.ProposedEntry, error) {
returnVal := models.Intoto{}

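Review bot: The new validate() body verifies the raw envelope string and only then unmarshals that same string into v.env, which presumably means the envelope JSON is decoded twice (once inside the wrapper's VerifySignature, once by json.Unmarshal); the ordering is deliberate but nothing says so, and a comment above the VerifySignature call such as `// verify the DSSE signature over the raw envelope first so v.env is only ever populated from a verified envelope` would make the intent explicit. The import alias `dsse_verifier` uses an underscore, which Go's naming convention avoids; `dsseverifier` would be conventional, and the same applies to `dsse_signer` in entry_test.go. With the local verifier type removed, the `bytes` and `errors` uses in this file may be gone as well; only the `options` import is dropped in this hunk, so it is worth confirming the import block has no leftovers. validate() starts above the hunk.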
17 changes: 4 additions & 13 deletions pkg/types/intoto/v0.0.1/entry_test.go
Expand Up @@ -46,6 +46,7 @@ import (
"github.com/sigstore/rekor/pkg/generated/models"
"github.com/sigstore/rekor/pkg/types"
"github.com/sigstore/sigstore/pkg/signature"
dsse_signer "github.com/sigstore/sigstore/pkg/signature/dsse"
"go.uber.org/goleak"
)

Expand All @@ -71,23 +72,13 @@ func envelope(t *testing.T, k *ecdsa.PrivateKey, payload, payloadType string) st
if err != nil {
t.Fatal(err)
}
signer, err := in_toto.NewDSSESigner(&verifier{
s: s,
pub: k.Public(),
})
if err != nil {
t.Fatal(err)
}
dsseEnv, err := signer.SignPayload([]byte(payload))
if err != nil {
t.Fatal(err)
}
b, err := json.Marshal(dsseEnv)
wrappedSigner := dsse_signer.WrapSigner(s, string(payloadType))
dsseEnv, err := wrappedSigner.SignMessage(strings.NewReader(payload))
if err != nil {
t.Fatal(err)
}

return string(b)
return string(dsseEnv)
}

func TestV001Entry_Unmarshal(t *testing.T) {
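Review bot: `string(payloadType)` on the WrapSigner line is a no-op conversion, since payloadType is already declared as a string in envelope()'s signature; `wrappedSigner := dsse_signer.WrapSigner(s, payloadType)` reads cleaner. The alias `dsse_signer` also uses an underscore, which Go naming convention avoids; `dssesigner` would be conventional. envelope() starts above the hunk.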
