
Commit cbc9c44

Refactor Verifiers to return multiple keys (#1601)
This supports DSSE and intoto types that allow for multiple keys/signatures. Signed-off-by: Hayden Blauzvern <[email protected]>
1 parent 8a30776 commit cbc9c44

35 files changed

+125
-72
lines changed

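--- a/pkg/types/alpine/alpine_test.go
+++ b/pkg/types/alpine/alpine_test.go
@@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error {
 return errors.New("error")
 }
 
-func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) {
+func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) {
 return nil, nil
 }
 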
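--- a/pkg/types/alpine/v0.0.1/entry.go
+++ b/pkg/types/alpine/v0.0.1/entry.go
@@ -351,11 +351,15 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
 return &returnVal, nil
 }
 
-func (v V001Entry) Verifier() (pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
 if v.AlpineModel.PublicKey == nil || v.AlpineModel.PublicKey.Content == nil {
 return nil, errors.New("alpine v0.0.1 entry not initialized")
 }
-return x509.NewPublicKey(bytes.NewReader(*v.AlpineModel.PublicKey.Content))
+key, err := x509.NewPublicKey(bytes.NewReader(*v.AlpineModel.PublicKey.Content))
+if err != nil {
+return nil, err
+}
+return []pki.PublicKey{key}, nil
 }
 
 func (v V001Entry) Insertable() (bool, error) {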
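Review bot: The new body of V001Entry.Verifiers is the same five-line "parse one key, wrap it in a one-element slice" sequence that this commit also adds to the cose, hashedrekord, helm, intoto v0.0.1 and jar entry.go files; a single helper in pkg/types (whose EntryImpl already references pki.PublicKey), e.g. `func SingleVerifier(key pki.PublicKey, err error) ([]pki.PublicKey, error)`, would let each of them collapse to `return types.SingleVerifier(x509.NewPublicKey(bytes.NewReader(*v.AlpineModel.PublicKey.Content)))` and keep the error handling identical across types. Verifiers is exported and has no doc comment here or in the sibling implementations; a line such as `// Verifiers returns the public key the alpine entry's signature verifies against, as a one-element slice.` would satisfy the usual Go convention. The parse error is returned unwrapped, as before; if fmt is already imported in this file, `fmt.Errorf("parsing alpine public key: %w", err)` would tell callers which entry type failed.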
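--- a/pkg/types/alpine/v0.0.1/entry_test.go
+++ b/pkg/types/alpine/v0.0.1/entry_test.go
@@ -179,19 +179,19 @@ func TestCrossFieldValidation(t *testing.T) {
 }
 }
 
-verifier, err := v.Verifier()
+verifiers, err := v.Verifiers()
 if tc.expectedVerifierSuccess {
 if err != nil {
 t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err)
 } else {
-pub, _ := verifier.CanonicalValue()
+pub, _ := verifiers[0].CanonicalValue()
 if !reflect.DeepEqual(pub, keyBytes) {
 t.Errorf("%v: verifier and public keys do not match: %v, %v", tc.caseDesc, string(pub), string(keyBytes))
 }
 }
 } else {
 if err == nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err)
 }
 }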
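--- a/pkg/types/cose/cose_test.go
+++ b/pkg/types/cose/cose_test.go
@@ -44,7 +44,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error {
 return errors.New("error")
 }
 
-func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) {
+func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) {
 return nil, nil
 }
 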
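--- a/pkg/types/cose/v0.0.1/entry.go
+++ b/pkg/types/cose/v0.0.1/entry.go
@@ -348,11 +348,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
 return &returnVal, nil
 }
 
-func (v V001Entry) Verifier() (pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
 if v.CoseObj.PublicKey == nil {
 return nil, errors.New("cose v0.0.1 entry not initialized")
 }
-return x509.NewPublicKey(bytes.NewReader(*v.CoseObj.PublicKey))
+key, err := x509.NewPublicKey(bytes.NewReader(*v.CoseObj.PublicKey))
+if err != nil {
+return nil, err
+}
+return []pki.PublicKey{key}, nil
 }
 
 func (v V001Entry) Insertable() (bool, error) {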
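--- a/pkg/types/cose/v0.0.1/entry_test.go
+++ b/pkg/types/cose/v0.0.1/entry_test.go
@@ -278,10 +278,10 @@ func TestV001Entry_Unmarshal(t *testing.T) {
 }
 }
 
-verifier, err := v.Verifier()
+verifiers, err := v.Verifiers()
 if !tt.wantVerifierErr {
 if err != nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: unexpected error for %v, got %v", tt.name, string(s), err)
 }
 
@@ -305,12 +305,12 @@ func TestV001Entry_Unmarshal(t *testing.T) {
 }
 }
 
-pubV, _ := verifier.CanonicalValue()
+pubV, _ := verifiers[0].CanonicalValue()
 if !reflect.DeepEqual(pubV, pub) && !reflect.DeepEqual(pubV, pemBytes) {
 t.Errorf("verifier and public keys do not match: %v, %v", string(pubV), string(pub))
 }
 } else if err == nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: expected error for %v, got %v", tt.name, string(s), err)
 }
 })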
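Review bot: `verifiers[0].CanonicalValue()` in the first hunk (new line 284) runs inside the `err != nil` branch, and V001Entry.Verifiers in pkg/types/cose/v0.0.1/entry.go returns a nil slice whenever it returns an error, so this index panics with an out-of-range error before the t.Errorf on the next line can report the unexpected error. The old code had the same flaw (a method call on a nil interface), but since the line is being rewritten it is worth fixing: drop the lookup and report as the alpine and hashedrekord tests do, `t.Errorf("%v: unexpected error, got %v", tt.name, err)`. The `verifiers[0]` uses in the second hunk sit under `err == nil` and are fine, given that the implementation never returns an empty slice without an error. TestV001Entry_Unmarshal begins and ends outside these hunks.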
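--- a/pkg/types/dsse/dsse_test.go
+++ b/pkg/types/dsse/dsse_test.go
@@ -44,7 +44,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error {
 return errors.New("error")
 }
 
-func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) {
+func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) {
 return nil, nil
 }
 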
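--- a/pkg/types/dsse/v0.0.1/entry.go
+++ b/pkg/types/dsse/v0.0.1/entry.go
@@ -403,13 +403,20 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
 return verifierBySig, nil
 }
 
-func (v V001Entry) Verifier() (pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
 if len(v.DSSEObj.Signatures) == 0 {
 return nil, errors.New("dsse v0.0.1 entry not initialized")
 }
 
-//TODO: return multiple pki.PublicKeys; sigstore/rekor issue #1278
-return x509.NewPublicKey(bytes.NewReader(*v.DSSEObj.Signatures[0].Verifier))
+var keys []pki.PublicKey
+for _, s := range v.DSSEObj.Signatures {
+key, err := x509.NewPublicKey(bytes.NewReader(*s.Verifier))
+if err != nil {
+return nil, err
+}
+keys = append(keys, key)
+}
+return keys, nil
 }
 
 func (v V001Entry) Insertable() (bool, error) {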
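Review bot: The new loop dereferences `*s.Verifier` for every signature without checking the pointer, so an entry whose Verifier field is nil on any signature now panics inside Verifiers instead of returning an error; the removed code only dereferenced Signatures[0], so the exposure has widened to every element. If the model's Unmarshal or validation does not already reject a nil Verifier (I cannot tell from this hunk), guard it with `if s.Verifier == nil { return nil, errors.New("dsse v0.0.1 entry: signature has no verifier") }` as the first statement of the loop body; the same applies to `*s.PublicKey` in the loop added to pkg/types/intoto/v0.0.2/entry.go. Pre-sizing with `keys := make([]pki.PublicKey, 0, len(v.DSSEObj.Signatures))` avoids repeated growth since the count is known. An exported doc comment, `// Verifiers returns one public key per signature on the DSSE envelope, in signature order.`, is missing here and on the intoto v0.0.2 method.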
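--- a/pkg/types/entries.go
+++ b/pkg/types/entries.go
@@ -37,7 +37,7 @@ type EntryImpl interface {
 Canonicalize(ctx context.Context) ([]byte, error) // marshal the canonical entry to be put into the tlog
 Unmarshal(e models.ProposedEntry) error // unmarshal the abstract entry into the specific struct for this versioned type
 CreateFromArtifactProperties(context.Context, ArtifactProperties) (models.ProposedEntry, error)
-Verifier() (pki.PublicKey, error)
+Verifiers() ([]pki.PublicKey, error)
 Insertable() (bool, error) // denotes whether the entry that was unmarshalled has the writeOnly fields required to validate and insert into the log
 }
 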
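Review bot: The new `Verifiers()` line in EntryImpl carries no trailing comment while Canonicalize, Unmarshal and Insertable around it do, and its contract is exactly what every caller that writes `verifiers[0]` depends on. Suggest `Verifiers() ([]pki.PublicKey, error) // the public key(s) the entry's signature(s) verify against, one per signature in signature order; implementations return an error rather than an empty slice when no key is present`, which matches what the alpine, cose, dsse, hashedrekord, helm, intoto and jar implementations in this commit actually do. The UnmarshalFailsTester doubles in the *_test.go files return `nil, nil` and so do not honour that contract; acceptable for a stub, but worth knowing if the comment is read as normative. The EntryImpl declaration starts before this hunk.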
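--- a/pkg/types/hashedrekord/hashedrekord_test.go
+++ b/pkg/types/hashedrekord/hashedrekord_test.go
@@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error {
 return errors.New("error")
 }
 
-func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) {
+func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) {
 return nil, nil
 }
 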
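--- a/pkg/types/hashedrekord/v0.0.1/entry.go
+++ b/pkg/types/hashedrekord/v0.0.1/entry.go
@@ -246,11 +246,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
 return &returnVal, nil
 }
 
-func (v V001Entry) Verifier() (pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
 if v.HashedRekordObj.Signature == nil || v.HashedRekordObj.Signature.PublicKey == nil || v.HashedRekordObj.Signature.PublicKey.Content == nil {
 return nil, errors.New("hashedrekord v0.0.1 entry not initialized")
 }
-return x509.NewPublicKey(bytes.NewReader(v.HashedRekordObj.Signature.PublicKey.Content))
+key, err := x509.NewPublicKey(bytes.NewReader(v.HashedRekordObj.Signature.PublicKey.Content))
+if err != nil {
+return nil, err
+}
+return []pki.PublicKey{key}, nil
 }
 
 func (v V001Entry) Insertable() (bool, error) {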
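--- a/pkg/types/hashedrekord/v0.0.1/entry_test.go
+++ b/pkg/types/hashedrekord/v0.0.1/entry_test.go
@@ -315,20 +315,20 @@ func TestCrossFieldValidation(t *testing.T) {
 }
 }
 
-verifier, err := v.Verifier()
+verifiers, err := v.Verifiers()
 if tc.expectedVerifierSuccess {
 if err != nil {
 t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err)
 } else {
-pub, _ := verifier.CanonicalValue()
+pub, _ := verifiers[0].CanonicalValue()
 // invalidKeyBytes is a valid ed25519 key
 if !reflect.DeepEqual(pub, keyBytes) && !reflect.DeepEqual(pub, invalidKeyBytes) {
 t.Errorf("verifier and public keys do not match: %v, %v", string(pub), string(keyBytes))
 }
 }
 } else {
 if err == nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err)
 }
 }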
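--- a/pkg/types/helm/helm_test.go
+++ b/pkg/types/helm/helm_test.go
@@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error {
 return errors.New("error")
 }
 
-func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) {
+func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) {
 return nil, nil
 }
 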
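--- a/pkg/types/helm/v0.0.1/entry.go
+++ b/pkg/types/helm/v0.0.1/entry.go
@@ -349,11 +349,15 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types
 return &returnVal, nil
 }
 
-func (v V001Entry) Verifier() (pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
 if v.HelmObj.PublicKey == nil || v.HelmObj.PublicKey.Content == nil {
 return nil, errors.New("helm v0.0.1 entry not initialized")
 }
-return pgp.NewPublicKey(bytes.NewReader(*v.HelmObj.PublicKey.Content))
+key, err := pgp.NewPublicKey(bytes.NewReader(*v.HelmObj.PublicKey.Content))
+if err != nil {
+return nil, err
+}
+return []pki.PublicKey{key}, nil
 }
 
 func (v V001Entry) Insertable() (bool, error) {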
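--- a/pkg/types/helm/v0.0.1/entry_test.go
+++ b/pkg/types/helm/v0.0.1/entry_test.go
@@ -211,20 +211,20 @@ func TestCrossFieldValidation(t *testing.T) {
 }
 }
 
-verifier, err := v.Verifier()
+verifiers, err := v.Verifiers()
 if tc.expectedVerifierSuccess {
 if err != nil {
 t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err)
 } else {
 // TODO: Improve this test once CanonicalValue returns same result as input for PGP keys
-_, err := verifier.CanonicalValue()
+_, err := verifiers[0].CanonicalValue()
 if err != nil {
 t.Errorf("%v: unexpected error getting canonical value, got %v", tc.caseDesc, err)
 }
 }
 } else {
 if err == nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err)
 }
 }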
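--- a/pkg/types/intoto/intoto_test.go
+++ b/pkg/types/intoto/intoto_test.go
@@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error {
 return errors.New("error")
 }
 
-func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) {
+func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) {
 return nil, nil
 }
 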
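--- a/pkg/types/intoto/v0.0.1/entry.go
+++ b/pkg/types/intoto/v0.0.1/entry.go
@@ -353,11 +353,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
 return &returnVal, nil
 }
 
-func (v V001Entry) Verifier() (pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
 if v.IntotoObj.PublicKey == nil {
 return nil, errors.New("intoto v0.0.1 entry not initialized")
 }
-return x509.NewPublicKey(bytes.NewReader(*v.IntotoObj.PublicKey))
+key, err := x509.NewPublicKey(bytes.NewReader(*v.IntotoObj.PublicKey))
+if err != nil {
+return nil, err
+}
+return []pki.PublicKey{key}, nil
 }
 
 func (v V001Entry) Insertable() (bool, error) {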
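--- a/pkg/types/intoto/v0.0.1/entry_test.go
+++ b/pkg/types/intoto/v0.0.1/entry_test.go
@@ -336,19 +336,19 @@ func TestV001Entry_Unmarshal(t *testing.T) {
 t.Errorf("index keys from hydrated object do not match those generated from canonicalized (and re-hydrated) object: %v %v", got, canonicalIndexKeys)
 }
 
-verifier, err := v.Verifier()
+verifiers, err := v.Verifiers()
 if !tt.wantVerifierErr {
 if err != nil {
 t.Errorf("%v: unexpected error, got %v", tt.name, err)
 } else {
-pubV, _ := verifier.CanonicalValue()
+pubV, _ := verifiers[0].CanonicalValue()
 if !reflect.DeepEqual(pubV, pub) && !reflect.DeepEqual(pubV, pemBytes) {
 t.Errorf("verifier and public keys do not match: %v, %v", string(pubV), string(pub))
 }
 }
 } else {
 if err == nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: expected error for %v, got %v", tt.name, string(s), err)
 }
 }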
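--- a/pkg/types/intoto/v0.0.2/entry.go
+++ b/pkg/types/intoto/v0.0.2/entry.go
@@ -457,7 +457,7 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
 return verifierBySig, nil
 }
 
-func (v V002Entry) Verifier() (pki.PublicKey, error) {
+func (v V002Entry) Verifiers() ([]pki.PublicKey, error) {
 if v.IntotoObj.Content == nil || v.IntotoObj.Content.Envelope == nil {
 return nil, errors.New("intoto v0.0.2 entry not initialized")
 }
@@ -467,7 +467,15 @@ func (v V002Entry) Verifier() (pki.PublicKey, error) {
 return nil, errors.New("no signatures found on intoto entry")
 }
 
-return x509.NewPublicKey(bytes.NewReader(*v.IntotoObj.Content.Envelope.Signatures[0].PublicKey))
+var keys []pki.PublicKey
+for _, s := range v.IntotoObj.Content.Envelope.Signatures {
+key, err := x509.NewPublicKey(bytes.NewReader(*s.PublicKey))
+if err != nil {
+return nil, err
+}
+keys = append(keys, key)
+}
+return keys, nil
 }
 
 func (v V002Entry) Insertable() (bool, error) {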
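--- a/pkg/types/intoto/v0.0.2/entry_test.go
+++ b/pkg/types/intoto/v0.0.2/entry_test.go
@@ -377,19 +377,19 @@ func TestV002Entry_Unmarshal(t *testing.T) {
 t.Errorf("index keys from hydrated object do not match those generated from canonicalized (and re-hydrated) object: %v %v", got, canonicalIndexKeys)
 }
 
-verifier, err := v.Verifier()
+verifiers, err := v.Verifiers()
 if !tt.wantVerifierErr {
 if err != nil {
 t.Errorf("%v: unexpected error, got %v", tt.name, err)
 } else {
-pubV, _ := verifier.CanonicalValue()
+pubV, _ := verifiers[0].CanonicalValue()
 if !reflect.DeepEqual(pubV, pub) && !reflect.DeepEqual(pubV, pemBytes) {
 t.Errorf("verifier and public keys do not match: %v, %v", string(pubV), string(pub))
 }
 }
 } else {
 if err == nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: expected error for %v, got %v", tt.name, string(s), err)
 }
 }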
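Review bot: The updated assertions still look only at `verifiers[0]`, so nothing in this test exercises the multi-key behaviour V002Entry.Verifiers now has (one key per envelope signature); a fixture with a single signature passes identically whether the loop returns one key or all of them. Adding `if len(verifiers) != len(v.IntotoObj.Content.Envelope.Signatures) { t.Errorf("%v: expected %d verifiers, got %d", tt.name, len(v.IntotoObj.Content.Envelope.Signatures), len(verifiers)) }` in the success branch would pin that, assuming `v` here is the V002Entry whose Verifiers was just called (its declaration is outside the hunk). The single-key tests touched by this commit (alpine, cose, hashedrekord, helm, intoto v0.0.1, jar) would likewise benefit from a `len(verifiers) != 1` check so the one-element contract that makes `verifiers[0]` safe is explicit rather than assumed. TestV002Entry_Unmarshal begins and ends outside this hunk.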
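--- a/pkg/types/jar/jar_test.go
+++ b/pkg/types/jar/jar_test.go
@@ -42,7 +42,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error {
 return errors.New("error")
 }
 
-func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) {
+func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) {
 return nil, nil
 }
 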
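--- a/pkg/types/jar/v0.0.1/entry.go
+++ b/pkg/types/jar/v0.0.1/entry.go
@@ -338,11 +338,15 @@ func (v *V001Entry) CreateFromArtifactProperties(ctx context.Context, props type
 return &returnVal, nil
 }
 
-func (v V001Entry) Verifier() (pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
 if v.JARModel.Signature == nil || v.JARModel.Signature.PublicKey == nil || v.JARModel.Signature.PublicKey.Content == nil {
 return nil, errors.New("jar v0.0.1 entry not initialized")
 }
-return x509.NewPublicKey(bytes.NewReader(*v.JARModel.Signature.PublicKey.Content))
+key, err := x509.NewPublicKey(bytes.NewReader(*v.JARModel.Signature.PublicKey.Content))
+if err != nil {
+return nil, err
+}
+return []pki.PublicKey{key}, nil
 }
 
 func (v V001Entry) Insertable() (bool, error) {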
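--- a/pkg/types/jar/v0.0.1/entry_test.go
+++ b/pkg/types/jar/v0.0.1/entry_test.go
@@ -142,19 +142,19 @@ Hr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ==
 }
 }
 
-verifier, err := v.Verifier()
+verifiers, err := v.Verifiers()
 if tc.expectedVerifierSuccess {
 if err != nil {
 t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err)
 } else {
-pub, _ := verifier.CanonicalValue()
+pub, _ := verifiers[0].CanonicalValue()
 if !reflect.DeepEqual(pub, []byte(certificate)) {
 t.Errorf("verifier and public keys do not match: %v, %v", string(pub), certificate)
 }
 }
 } else {
 if err == nil {
-s, _ := verifier.CanonicalValue()
+s, _ := verifiers[0].CanonicalValue()
 t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err)
 }
 }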