From 428f264e4236430e9fb8d388079a58809ab0b3a5 Mon Sep 17 00:00:00 2001
From: dlorenc
Date: Mon, 28 Jun 2021 13:07:47 -0500
Subject: [PATCH] Update in-toto-golang to pick up the latest interface changes. (#341)

Signed-off-by: Dan Lorenc
---
 go.mod | 2 +-
 go.sum | 7 ++++---
 pkg/types/intoto/v0.0.1/entry.go | 15 +++++----------
 tests/x509.go | 9 ++++++---
 4 files changed, 16 insertions(+), 17 deletions(-)

diff --git a/go.mod b/go.mod
index 072f3d313..ce766d450 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 github.com/google/go-cmp v0.5.6
 github.com/google/rpmpack v0.0.0-20210107155803-d6befbf05148
 github.com/google/trillian v1.3.14-0.20210413093047-5e12fb368c8f
- github.com/in-toto/in-toto-golang v0.1.1-0.20210528150343-f7dc21abaccf
+ github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9
 github.com/jedisct1/go-minisign v0.0.0-20210106175330-e54e81d562c7
 github.com/mediocregopher/radix/v4 v4.0.0-beta.1
 github.com/mitchellh/go-homedir v1.1.0
diff --git a/go.sum b/go.sum
index aa73e306d..72d076634 100644
--- a/go.sum
+++ b/go.sum
@@ -695,8 +695,8 @@ github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:
 github.com/imdario/mergo v0.3.4/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
-github.com/in-toto/in-toto-golang v0.1.1-0.20210528150343-f7dc21abaccf h1:yysOUUcpkuGZ0BZUtL+whU22H56Hqya/p636tGceacc=
-github.com/in-toto/in-toto-golang v0.1.1-0.20210528150343-f7dc21abaccf/go.mod h1:kOcoAhaukFZpRm6D53dd2xB++q065UxKi938k81l1aM=
+github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9 h1:j7klXz5kh0ydPmHkBtJ/Al27G1/au4sH7OkGhkgRJWg=
+github.com/in-toto/in-toto-golang v0.2.1-0.20210627200632-886210ae2ab9/go.mod h1:Skbg04kmfB7IAnEIsspKPg/ny1eiFt/TgPr9SDCHusA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
@@ -1444,8 +1444,9 @@ golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210503080704-8803ae5d1324/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40 h1:JWgyZ1qgdTaF3N3oxC+MdTV7qvEEgHo3otj+HB5CM7Q=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf h1:MZ2shdL+ZM/XzY3ZGOnh4Nlpnxz5GSOhOmtHo3iPU6M=
diff --git a/pkg/types/intoto/v0.0.1/entry.go b/pkg/types/intoto/v0.0.1/entry.go
index 3ebd86bea..8e7c944c0 100644
--- a/pkg/types/intoto/v0.0.1/entry.go
+++ b/pkg/types/intoto/v0.0.1/entry.go
@@ -151,14 +151,9 @@ func (v *V001Entry) Validate() error {
 return err
 }
- ok, err := sslVerifier.Verify(&v.env)
- if err != nil {
+ if err := sslVerifier.Verify(&v.env); err != nil {
 return err
 }
- if !ok {
- return errors.New("invalid signature")
- }
-
 return nil
 }
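Review bot: In `Validate`, a nil return from `sslVerifier.Verify(&v.env)` is now the only thing that marks the envelope signature as good, and no test in this patch pins the failing case: with the separate `ok` result gone, a verifier that returns nil on a mismatch would let the entry validate. I would add a negative test that passes `Validate` an envelope whose signature does not match its payload and expects a non-nil error. A comment above the call, e.g. `// Verify reports every failure, including an invalid signature, through err; nil is the only success value.`, would record the contract the code now depends on. `Validate` starts above this hunk, so how `sslVerifier` is constructed is not visible here.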
@@ -187,14 +182,14 @@ func (v *verifier) Sign(d []byte) ([]byte, string, error) {
 return sig, "", nil
 }
-func (v *verifier) Verify(keyID string, data, sig []byte) (bool, error) {
+func (v *verifier) Verify(keyID string, data, sig []byte) error {
 af := pki.NewArtifactFactory("x509")
 s, err := af.NewSignature(bytes.NewReader(sig))
 if err != nil {
- return false, err
+ return err
 }
 if err := s.Verify(bytes.NewReader(data), v.pub); err != nil {
- return false, err
+ return err
 }
- return true, nil
+ return nil
 }
diff --git a/tests/x509.go b/tests/x509.go
index fde442f62..7586108ba 100644
--- a/tests/x509.go
+++ b/tests/x509.go
@@ -25,6 +25,7 @@ import (
 "crypto/sha256"
 "crypto/x509"
 "encoding/pem"
+ "errors"
 "io/ioutil"
 "testing"
@@ -169,9 +170,11 @@ func (it *IntotoSigner) Sign(data []byte) ([]byte, string, error) { return sig, "", nil } -func (it *IntotoSigner) Verify(_ string, data, sig []byte) (bool, error) { +func (it *IntotoSigner) Verify(_ string, data, sig []byte) error { h := sha256.Sum256(data) - ok := ecdsa.VerifyASN1(&it.priv.PublicKey, h[:], sig) - return ok, nil + if ok { + return nil + } + return errors.New("invalid signature") }
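Review bot: `verifier.Verify` in pkg/types/intoto/v0.0.1/entry.go never reads its `keyID` argument: the body shown checks `sig` over `data` against `v.pub` only, so the key identifier carried with the signature is not bound to the key that verified it. If that is intended, make it explicit the way `IntotoSigner.Verify` in tests/x509.go does, `func (v *verifier) Verify(_ string, data, sig []byte) error {`, and add a doc comment such as `// Verify checks sig over data against v.pub; the key ID is ignored.` Both error returns also pass the underlying error through without context, so a caller cannot tell a malformed signature from a failed verification; wrapping each with a short description of the step would help triage.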