From 25dbcf5d2230bc02a0b1129422bcf15382fb8705 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Fri, 8 Jul 2022 16:41:49 -0400
Subject: [PATCH] reuse dsse signature wrappers instead of having a copy (#912)

Signed-off-by: Bob Callaway
---
 pkg/types/intoto/v0.0.1/entry.go | 54 ++-------------------------
 pkg/types/intoto/v0.0.1/entry_test.go | 17 ++-------
 2 files changed, 8 insertions(+), 63 deletions(-)

diff --git a/pkg/types/intoto/v0.0.1/entry.go b/pkg/types/intoto/v0.0.1/entry.go
index 0e2560f5b..4c93ddb3c 100644
--- a/pkg/types/intoto/v0.0.1/entry.go
+++ b/pkg/types/intoto/v0.0.1/entry.go
@@ -43,7 +43,7 @@ import (
 "github.com/sigstore/rekor/pkg/types"
 "github.com/sigstore/rekor/pkg/types/intoto"
 "github.com/sigstore/sigstore/pkg/signature"
- "github.com/sigstore/sigstore/pkg/signature/options"
+ dsse_verifier "github.com/sigstore/sigstore/pkg/signature/dsse"
 )
 
 const (
@@ -232,26 +232,12 @@ func (v *V001Entry) validate() error {
 if err != nil {
 return err
 }
- dsseVerifier, err := dsse.NewEnvelopeSigner(&verifier{
- v: vfr,
- pub: pk,
- })
- if err != nil {
- return err
- }
-
- if v.IntotoObj.Content.Envelope == "" {
- return nil
- }
+ dsseVerifier := dsse_verifier.WrapVerifier(vfr)
 
- if err := json.Unmarshal([]byte(v.IntotoObj.Content.Envelope), &v.env); err != nil {
+ if err := dsseVerifier.VerifySignature(strings.NewReader(v.IntotoObj.Content.Envelope), nil); err != nil {
 return err
 }
-
- if _, err := dsseVerifier.Verify(&v.env); err != nil {
- return err
- }
- return nil
+ return json.Unmarshal([]byte(v.IntotoObj.Content.Envelope), &v.env)
 }
 
 // AttestationKey returns the digest of the attestation that was uploaded, to be used to lookup the attestation from storage
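Review bot: The early return on an empty `v.IntotoObj.Content.Envelope` is dropped in the `validate` hunk, so an entry with no envelope now reaches `dsseVerifier.VerifySignature` on an empty reader and presumably fails there instead of passing validation as it did before. Rejecting envelope-less entries is the safer outcome for a log entry type, but the commit message does not call out the behavior change; a comment on the `VerifySignature` line such as `// an empty or malformed envelope is rejected here rather than accepted unverified` would make the intent explicit, and a test for the empty case would pin it. The envelope is also decoded twice — once inside `VerifySignature` and again by the trailing `json.Unmarshal` into `v.env`; both use encoding/json on the same bytes so they should agree, but a comment `// VerifySignature decodes the envelope internally; decode again to retain it in v.env` would explain the second pass. The `nil` message reader relies on the DSSE wrapper ignoring its second argument, which is worth stating in the same comment. `validate` starts before this hunk.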
@@ -275,38 +261,6 @@ func (v *V001Entry) AttestationKeyValue() (string, []byte) {
 return attKey, attBytes
 }
 
-type verifier struct {
- s signature.Signer
- v signature.Verifier
- pub crypto.PublicKey
-}
-
-func (v *verifier) KeyID() (string, error) {
- return "", nil
-}
-
-func (v *verifier) Public() crypto.PublicKey {
- return v.pub
-}
-
-func (v *verifier) Sign(data []byte) (sig []byte, err error) {
- if v.s == nil {
- return nil, errors.New("nil signer")
- }
- sig, err = v.s.SignMessage(bytes.NewReader(data), options.WithCryptoSignerOpts(crypto.SHA256))
- if err != nil {
- return nil, err
- }
- return sig, nil
-}
-
-func (v *verifier) Verify(data, sig []byte) error {
- if v.v == nil {
- return errors.New("nil verifier")
- }
- return v.v.VerifySignature(bytes.NewReader(sig), bytes.NewReader(data))
-}
-
 func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.ArtifactProperties) (models.ProposedEntry, error) {
 returnVal := models.Intoto{}
 
diff --git a/pkg/types/intoto/v0.0.1/entry_test.go b/pkg/types/intoto/v0.0.1/entry_test.go
index 512d0e857..b87668088 100644
--- a/pkg/types/intoto/v0.0.1/entry_test.go
+++ b/pkg/types/intoto/v0.0.1/entry_test.go
@@ -46,6 +46,7 @@ import (
 "github.com/sigstore/rekor/pkg/generated/models"
 "github.com/sigstore/rekor/pkg/types"
 "github.com/sigstore/sigstore/pkg/signature"
+ dsse_signer "github.com/sigstore/sigstore/pkg/signature/dsse"
 "go.uber.org/goleak"
 )
 
@@ -71,23 +72,13 @@ func envelope(t *testing.T, k *ecdsa.PrivateKey, payload, payloadType string) st
 if err != nil {
 t.Fatal(err)
 }
- signer, err := in_toto.NewDSSESigner(&verifier{
- s: s,
- pub: k.Public(),
- })
- if err != nil {
- t.Fatal(err)
- }
- dsseEnv, err := signer.SignPayload([]byte(payload))
- if err != nil {
- t.Fatal(err)
- }
- b, err := json.Marshal(dsseEnv)
+ wrappedSigner := dsse_signer.WrapSigner(s, string(payloadType))
+ dsseEnv, err := wrappedSigner.SignMessage(strings.NewReader(payload))
 if err != nil {
 t.Fatal(err)
 }
- return string(b)
+ return string(dsseEnv)
 }
 
 func TestV001Entry_Unmarshal(t *testing.T) {
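Review bot: `string(payloadType)` on the `WrapSigner` line is a redundant conversion — `payloadType` is already declared as `string` in the signature visible in the hunk header — so `wrappedSigner := dsse_signer.WrapSigner(s, payloadType)` reads cleaner and is what the usual linters would flag. With `json.Marshal` removed from this helper, the test file's `json` import stays valid only if it is still used elsewhere in the file, which this hunk cannot show; worth a quick check. `envelope` starts before this hunk.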