From 769a7197072b074c6be25ad7f0ed5b922a58371d Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Thu, 27 Jul 2023 23:09:38 +0000 Subject: [PATCH] Refactor Verifiers to return multiple keys This supports DSSE and intoto types that allow for multiple keys/signatures. Signed-off-by: Hayden Blauzvern --- pkg/types/alpine/alpine_test.go | 2 +- pkg/types/alpine/v0.0.1/entry.go | 8 ++++++-- pkg/types/alpine/v0.0.1/entry_test.go | 6 +++--- pkg/types/cose/cose_test.go | 2 +- pkg/types/cose/v0.0.1/entry.go | 8 ++++++-- pkg/types/cose/v0.0.1/entry_test.go | 8 ++++---- pkg/types/dsse/dsse_test.go | 2 +- pkg/types/dsse/v0.0.1/entry.go | 13 ++++++++++--- pkg/types/entries.go | 2 +- pkg/types/hashedrekord/hashedrekord_test.go | 2 +- pkg/types/hashedrekord/v0.0.1/entry.go | 8 ++++++-- pkg/types/hashedrekord/v0.0.1/entry_test.go | 6 +++--- pkg/types/helm/helm_test.go | 2 +- pkg/types/helm/v0.0.1/entry.go | 8 ++++++-- pkg/types/helm/v0.0.1/entry_test.go | 6 +++--- pkg/types/intoto/intoto_test.go | 2 +- pkg/types/intoto/v0.0.1/entry.go | 8 ++++++-- pkg/types/intoto/v0.0.1/entry_test.go | 6 +++--- pkg/types/intoto/v0.0.2/entry.go | 12 ++++++++++-- pkg/types/intoto/v0.0.2/entry_test.go | 6 +++--- pkg/types/jar/jar_test.go | 2 +- pkg/types/jar/v0.0.1/entry.go | 8 ++++++-- pkg/types/jar/v0.0.1/entry_test.go | 6 +++--- pkg/types/rekord/rekord_test.go | 2 +- pkg/types/rekord/v0.0.1/entry.go | 16 +++++++++++----- pkg/types/rekord/v0.0.1/entry_test.go | 6 +++--- pkg/types/rfc3161/rfc3161_test.go | 2 +- pkg/types/rfc3161/v0.0.1/entry.go | 4 ++-- pkg/types/rpm/rpm_test.go | 2 +- pkg/types/rpm/v0.0.1/entry.go | 8 ++++++-- pkg/types/rpm/v0.0.1/entry_test.go | 6 +++--- pkg/types/test_util.go | 2 +- pkg/types/tuf/tuf_test.go | 2 +- pkg/types/tuf/v0.0.1/entry.go | 8 ++++++-- pkg/types/tuf/v0.0.1/entry_test.go | 6 +++--- 35 files changed, 125 insertions(+), 72 deletions(-) diff --git a/pkg/types/alpine/alpine_test.go b/pkg/types/alpine/alpine_test.go index a961968ed..e0c4240ba 100644 --- a/pkg/types/alpine/alpine_test.go +++ b/pkg/types/alpine/alpine_test.go @@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/alpine/v0.0.1/entry.go b/pkg/types/alpine/v0.0.1/entry.go index 98d31dabf..cd3f20bf5 100644 --- a/pkg/types/alpine/v0.0.1/entry.go +++ b/pkg/types/alpine/v0.0.1/entry.go @@ -351,11 +351,15 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.AlpineModel.PublicKey == nil || v.AlpineModel.PublicKey.Content == nil { return nil, errors.New("alpine v0.0.1 entry not initialized") } - return x509.NewPublicKey(bytes.NewReader(*v.AlpineModel.PublicKey.Content)) + key, err := x509.NewPublicKey(bytes.NewReader(*v.AlpineModel.PublicKey.Content)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/alpine/v0.0.1/entry_test.go b/pkg/types/alpine/v0.0.1/entry_test.go index f6c6cc801..03fd600ae 100644 --- a/pkg/types/alpine/v0.0.1/entry_test.go +++ b/pkg/types/alpine/v0.0.1/entry_test.go @@ -179,19 +179,19 @@ func TestCrossFieldValidation(t *testing.T) { } } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if tc.expectedVerifierSuccess { if err != nil { t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err) } else { - pub, _ := verifier.CanonicalValue() + pub, _ := verifiers[0].CanonicalValue() if !reflect.DeepEqual(pub, keyBytes) { t.Errorf("%v: verifier and public keys do not match: %v, %v", tc.caseDesc, string(pub), string(keyBytes)) } } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err) } } diff --git a/pkg/types/cose/cose_test.go b/pkg/types/cose/cose_test.go index 080253a2a..237e2329d 100644 --- a/pkg/types/cose/cose_test.go +++ b/pkg/types/cose/cose_test.go @@ -44,7 +44,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/cose/v0.0.1/entry.go b/pkg/types/cose/v0.0.1/entry.go index b7c12a907..d5a74b422 100644 --- a/pkg/types/cose/v0.0.1/entry.go +++ b/pkg/types/cose/v0.0.1/entry.go @@ -348,11 +348,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.CoseObj.PublicKey == nil { return nil, errors.New("cose v0.0.1 entry not initialized") } - return x509.NewPublicKey(bytes.NewReader(*v.CoseObj.PublicKey)) + key, err := x509.NewPublicKey(bytes.NewReader(*v.CoseObj.PublicKey)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/cose/v0.0.1/entry_test.go b/pkg/types/cose/v0.0.1/entry_test.go index 34af5cfe4..0aed90df9 100644 --- a/pkg/types/cose/v0.0.1/entry_test.go +++ b/pkg/types/cose/v0.0.1/entry_test.go @@ -278,10 +278,10 @@ func TestV001Entry_Unmarshal(t *testing.T) { } } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if !tt.wantVerifierErr { if err != nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: unexpected error for %v, got %v", tt.name, string(s), err) } @@ -305,12 +305,12 @@ func TestV001Entry_Unmarshal(t *testing.T) { } } - pubV, _ := verifier.CanonicalValue() + pubV, _ := verifiers[0].CanonicalValue() if !reflect.DeepEqual(pubV, pub) && !reflect.DeepEqual(pubV, pemBytes) { t.Errorf("verifier and public keys do not match: %v, %v", string(pubV), string(pub)) } } else if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tt.name, string(s), err) } }) diff --git a/pkg/types/dsse/dsse_test.go b/pkg/types/dsse/dsse_test.go index c8579b41b..d81aa164a 100644 --- a/pkg/types/dsse/dsse_test.go +++ b/pkg/types/dsse/dsse_test.go @@ -44,7 +44,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/dsse/v0.0.1/entry.go b/pkg/types/dsse/v0.0.1/entry.go index 3cb2ef0d9..ba41742b9 100644 --- a/pkg/types/dsse/v0.0.1/entry.go +++ b/pkg/types/dsse/v0.0.1/entry.go @@ -403,13 +403,20 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5 return verifierBySig, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if len(v.DSSEObj.Signatures) == 0 { return nil, errors.New("dsse v0.0.1 entry not initialized") } - //TODO: return multiple pki.PublicKeys; sigstore/rekor issue #1278 - return x509.NewPublicKey(bytes.NewReader(*v.DSSEObj.Signatures[0].Verifier)) + var keys []pki.PublicKey + for _, s := range v.DSSEObj.Signatures { + key, err := x509.NewPublicKey(bytes.NewReader(*s.Verifier)) + if err != nil { + return nil, err + } + keys = append(keys, key) + } + return keys, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/entries.go b/pkg/types/entries.go index 9309b4c33..3bbf47e05 100644 --- a/pkg/types/entries.go +++ b/pkg/types/entries.go @@ -37,7 +37,7 @@ type EntryImpl interface { Canonicalize(ctx context.Context) ([]byte, error) // marshal the canonical entry to be put into the tlog Unmarshal(e models.ProposedEntry) error // unmarshal the abstract entry into the specific struct for this versioned type CreateFromArtifactProperties(context.Context, ArtifactProperties) (models.ProposedEntry, error) - Verifier() (pki.PublicKey, error) + Verifiers() ([]pki.PublicKey, error) Insertable() (bool, error) // denotes whether the entry that was unmarshalled has the writeOnly fields required to validate and insert into the log } diff --git a/pkg/types/hashedrekord/hashedrekord_test.go b/pkg/types/hashedrekord/hashedrekord_test.go index e03395400..aeb2975aa 100644 --- a/pkg/types/hashedrekord/hashedrekord_test.go +++ b/pkg/types/hashedrekord/hashedrekord_test.go @@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/hashedrekord/v0.0.1/entry.go b/pkg/types/hashedrekord/v0.0.1/entry.go index 82f54fe1a..5fdef0286 100644 --- a/pkg/types/hashedrekord/v0.0.1/entry.go +++ b/pkg/types/hashedrekord/v0.0.1/entry.go @@ -246,11 +246,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.HashedRekordObj.Signature == nil || v.HashedRekordObj.Signature.PublicKey == nil || v.HashedRekordObj.Signature.PublicKey.Content == nil { return nil, errors.New("hashedrekord v0.0.1 entry not initialized") } - return x509.NewPublicKey(bytes.NewReader(v.HashedRekordObj.Signature.PublicKey.Content)) + key, err := x509.NewPublicKey(bytes.NewReader(v.HashedRekordObj.Signature.PublicKey.Content)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/hashedrekord/v0.0.1/entry_test.go b/pkg/types/hashedrekord/v0.0.1/entry_test.go index ba9a528d1..6c9fb2f31 100644 --- a/pkg/types/hashedrekord/v0.0.1/entry_test.go +++ b/pkg/types/hashedrekord/v0.0.1/entry_test.go @@ -315,12 +315,12 @@ func TestCrossFieldValidation(t *testing.T) { } } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if tc.expectedVerifierSuccess { if err != nil { t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err) } else { - pub, _ := verifier.CanonicalValue() + pub, _ := verifiers[0].CanonicalValue() // invalidKeyBytes is a valid ed25519 key if !reflect.DeepEqual(pub, keyBytes) && !reflect.DeepEqual(pub, invalidKeyBytes) { t.Errorf("verifier and public keys do not match: %v, %v", string(pub), string(keyBytes)) @@ -328,7 +328,7 @@ func TestCrossFieldValidation(t *testing.T) { } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err) } } diff --git a/pkg/types/helm/helm_test.go b/pkg/types/helm/helm_test.go index db9d7a775..f3e17a6b7 100644 --- a/pkg/types/helm/helm_test.go +++ b/pkg/types/helm/helm_test.go @@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/helm/v0.0.1/entry.go b/pkg/types/helm/v0.0.1/entry.go index dfb05c255..9100a7d98 100644 --- a/pkg/types/helm/v0.0.1/entry.go +++ b/pkg/types/helm/v0.0.1/entry.go @@ -349,11 +349,15 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.HelmObj.PublicKey == nil || v.HelmObj.PublicKey.Content == nil { return nil, errors.New("helm v0.0.1 entry not initialized") } - return pgp.NewPublicKey(bytes.NewReader(*v.HelmObj.PublicKey.Content)) + key, err := pgp.NewPublicKey(bytes.NewReader(*v.HelmObj.PublicKey.Content)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/helm/v0.0.1/entry_test.go b/pkg/types/helm/v0.0.1/entry_test.go index 36a4cf306..d9f79eb98 100644 --- a/pkg/types/helm/v0.0.1/entry_test.go +++ b/pkg/types/helm/v0.0.1/entry_test.go @@ -211,20 +211,20 @@ func TestCrossFieldValidation(t *testing.T) { } } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if tc.expectedVerifierSuccess { if err != nil { t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err) } else { // TODO: Improve this test once CanonicalValue returns same result as input for PGP keys - _, err := verifier.CanonicalValue() + _, err := verifiers[0].CanonicalValue() if err != nil { t.Errorf("%v: unexpected error getting canonical value, got %v", tc.caseDesc, err) } } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err) } } diff --git a/pkg/types/intoto/intoto_test.go b/pkg/types/intoto/intoto_test.go index af4c90f13..782e50f9b 100644 --- a/pkg/types/intoto/intoto_test.go +++ b/pkg/types/intoto/intoto_test.go @@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/intoto/v0.0.1/entry.go b/pkg/types/intoto/v0.0.1/entry.go index 1018d4c0d..ceb7371d5 100644 --- a/pkg/types/intoto/v0.0.1/entry.go +++ b/pkg/types/intoto/v0.0.1/entry.go @@ -353,11 +353,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.IntotoObj.PublicKey == nil { return nil, errors.New("intoto v0.0.1 entry not initialized") } - return x509.NewPublicKey(bytes.NewReader(*v.IntotoObj.PublicKey)) + key, err := x509.NewPublicKey(bytes.NewReader(*v.IntotoObj.PublicKey)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/intoto/v0.0.1/entry_test.go b/pkg/types/intoto/v0.0.1/entry_test.go index 9a6b2eeb9..23eb54939 100644 --- a/pkg/types/intoto/v0.0.1/entry_test.go +++ b/pkg/types/intoto/v0.0.1/entry_test.go @@ -336,19 +336,19 @@ func TestV001Entry_Unmarshal(t *testing.T) { t.Errorf("index keys from hydrated object do not match those generated from canonicalized (and re-hydrated) object: %v %v", got, canonicalIndexKeys) } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if !tt.wantVerifierErr { if err != nil { t.Errorf("%v: unexpected error, got %v", tt.name, err) } else { - pubV, _ := verifier.CanonicalValue() + pubV, _ := verifiers[0].CanonicalValue() if !reflect.DeepEqual(pubV, pub) && !reflect.DeepEqual(pubV, pemBytes) { t.Errorf("verifier and public keys do not match: %v, %v", string(pubV), string(pub)) } } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tt.name, string(s), err) } } diff --git a/pkg/types/intoto/v0.0.2/entry.go b/pkg/types/intoto/v0.0.2/entry.go index 5231eee2c..69a9b4c14 100644 --- a/pkg/types/intoto/v0.0.2/entry.go +++ b/pkg/types/intoto/v0.0.2/entry.go @@ -457,7 +457,7 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5 return verifierBySig, nil } -func (v V002Entry) Verifier() (pki.PublicKey, error) { +func (v V002Entry) Verifiers() ([]pki.PublicKey, error) { if v.IntotoObj.Content == nil || v.IntotoObj.Content.Envelope == nil { return nil, errors.New("intoto v0.0.2 entry not initialized") } @@ -467,7 +467,15 @@ func (v V002Entry) Verifier() (pki.PublicKey, error) { return nil, errors.New("no signatures found on intoto entry") } - return x509.NewPublicKey(bytes.NewReader(*v.IntotoObj.Content.Envelope.Signatures[0].PublicKey)) + var keys []pki.PublicKey + for _, s := range v.IntotoObj.Content.Envelope.Signatures { + key, err := x509.NewPublicKey(bytes.NewReader(*s.PublicKey)) + if err != nil { + return nil, err + } + keys = append(keys, key) + } + return keys, nil } func (v V002Entry) Insertable() (bool, error) { diff --git a/pkg/types/intoto/v0.0.2/entry_test.go b/pkg/types/intoto/v0.0.2/entry_test.go index 0301468f1..cde69708e 100644 --- a/pkg/types/intoto/v0.0.2/entry_test.go +++ b/pkg/types/intoto/v0.0.2/entry_test.go @@ -377,19 +377,19 @@ func TestV002Entry_Unmarshal(t *testing.T) { t.Errorf("index keys from hydrated object do not match those generated from canonicalized (and re-hydrated) object: %v %v", got, canonicalIndexKeys) } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if !tt.wantVerifierErr { if err != nil { t.Errorf("%v: unexpected error, got %v", tt.name, err) } else { - pubV, _ := verifier.CanonicalValue() + pubV, _ := verifiers[0].CanonicalValue() if !reflect.DeepEqual(pubV, pub) && !reflect.DeepEqual(pubV, pemBytes) { t.Errorf("verifier and public keys do not match: %v, %v", string(pubV), string(pub)) } } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tt.name, string(s), err) } } diff --git a/pkg/types/jar/jar_test.go b/pkg/types/jar/jar_test.go index 4e43b747a..afadab599 100644 --- a/pkg/types/jar/jar_test.go +++ b/pkg/types/jar/jar_test.go @@ -42,7 +42,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/jar/v0.0.1/entry.go b/pkg/types/jar/v0.0.1/entry.go index 60faa25dd..01fc6aced 100644 --- a/pkg/types/jar/v0.0.1/entry.go +++ b/pkg/types/jar/v0.0.1/entry.go @@ -338,11 +338,15 @@ func (v *V001Entry) CreateFromArtifactProperties(ctx context.Context, props type return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.JARModel.Signature == nil || v.JARModel.Signature.PublicKey == nil || v.JARModel.Signature.PublicKey.Content == nil { return nil, errors.New("jar v0.0.1 entry not initialized") } - return x509.NewPublicKey(bytes.NewReader(*v.JARModel.Signature.PublicKey.Content)) + key, err := x509.NewPublicKey(bytes.NewReader(*v.JARModel.Signature.PublicKey.Content)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/jar/v0.0.1/entry_test.go b/pkg/types/jar/v0.0.1/entry_test.go index bb5b54e5c..9a096b3a2 100644 --- a/pkg/types/jar/v0.0.1/entry_test.go +++ b/pkg/types/jar/v0.0.1/entry_test.go @@ -142,19 +142,19 @@ Hr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ== } } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if tc.expectedVerifierSuccess { if err != nil { t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err) } else { - pub, _ := verifier.CanonicalValue() + pub, _ := verifiers[0].CanonicalValue() if !reflect.DeepEqual(pub, []byte(certificate)) { t.Errorf("verifier and public keys do not match: %v, %v", string(pub), certificate) } } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err) } } diff --git a/pkg/types/rekord/rekord_test.go b/pkg/types/rekord/rekord_test.go index 7d1694105..c4cd059e1 100644 --- a/pkg/types/rekord/rekord_test.go +++ b/pkg/types/rekord/rekord_test.go @@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/rekord/v0.0.1/entry.go b/pkg/types/rekord/v0.0.1/entry.go index dd124e1ad..da0af234e 100644 --- a/pkg/types/rekord/v0.0.1/entry.go +++ b/pkg/types/rekord/v0.0.1/entry.go @@ -425,23 +425,29 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.RekordObj.Signature == nil || v.RekordObj.Signature.PublicKey == nil || v.RekordObj.Signature.PublicKey.Content == nil { return nil, errors.New("rekord v0.0.1 entry not initialized") } + var key pki.PublicKey + var err error switch f := *v.RekordObj.Signature.Format; f { case "x509": - return x509.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) + key, err = x509.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) case "ssh": - return ssh.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) + key, err = ssh.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) case "pgp": - return pgp.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) + key, err = pgp.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) case "minisign": - return minisign.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) + key, err = minisign.NewPublicKey(bytes.NewReader(*v.RekordObj.Signature.PublicKey.Content)) default: return nil, fmt.Errorf("unexpected format of public key: %s", f) } + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/rekord/v0.0.1/entry_test.go b/pkg/types/rekord/v0.0.1/entry_test.go index ecca28942..e236a50f2 100644 --- a/pkg/types/rekord/v0.0.1/entry_test.go +++ b/pkg/types/rekord/v0.0.1/entry_test.go @@ -258,13 +258,13 @@ func TestCrossFieldValidation(t *testing.T) { } } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if tc.expectedVerifierSuccess { if err != nil { t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err) } else { // TODO: Improve this test once CanonicalValue returns same result as input for PGP keys - _, err := verifier.CanonicalValue() + _, err := verifiers[0].CanonicalValue() if err != nil { t.Errorf("%v: unexpected error getting canonical value, got %v", tc.caseDesc, err) } @@ -272,7 +272,7 @@ func TestCrossFieldValidation(t *testing.T) { } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err) } } diff --git a/pkg/types/rfc3161/rfc3161_test.go b/pkg/types/rfc3161/rfc3161_test.go index f9a6b3f42..556267eac 100644 --- a/pkg/types/rfc3161/rfc3161_test.go +++ b/pkg/types/rfc3161/rfc3161_test.go @@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/rfc3161/v0.0.1/entry.go b/pkg/types/rfc3161/v0.0.1/entry.go index 35a21e05f..9a6c04949 100644 --- a/pkg/types/rfc3161/v0.0.1/entry.go +++ b/pkg/types/rfc3161/v0.0.1/entry.go @@ -207,8 +207,8 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { - return nil, errors.New("Verifier() does not support rfc3161 entry type") +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { + return nil, errors.New("Verifiers() does not support rfc3161 entry type") } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/rpm/rpm_test.go b/pkg/types/rpm/rpm_test.go index d365238bd..390cf21b0 100644 --- a/pkg/types/rpm/rpm_test.go +++ b/pkg/types/rpm/rpm_test.go @@ -43,7 +43,7 @@ func (u UnmarshalFailsTester) Unmarshal(_ models.ProposedEntry) error { return errors.New("error") } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/rpm/v0.0.1/entry.go b/pkg/types/rpm/v0.0.1/entry.go index a10b60c81..fd3b91ce7 100644 --- a/pkg/types/rpm/v0.0.1/entry.go +++ b/pkg/types/rpm/v0.0.1/entry.go @@ -371,11 +371,15 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.RPMModel.PublicKey == nil || v.RPMModel.PublicKey.Content == nil { return nil, errors.New("rpm v0.0.1 entry not initialized") } - return pgp.NewPublicKey(bytes.NewReader(*v.RPMModel.PublicKey.Content)) + key, err := pgp.NewPublicKey(bytes.NewReader(*v.RPMModel.PublicKey.Content)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/rpm/v0.0.1/entry_test.go b/pkg/types/rpm/v0.0.1/entry_test.go index 941f852b2..9b1ec7bd0 100644 --- a/pkg/types/rpm/v0.0.1/entry_test.go +++ b/pkg/types/rpm/v0.0.1/entry_test.go @@ -196,20 +196,20 @@ func TestCrossFieldValidation(t *testing.T) { } } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if tc.expectVerifierSuccess { if err != nil { t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err) } else { // TODO: Improve this test once CanonicalValue returns same result as input for PGP keys - _, err := verifier.CanonicalValue() + _, err := verifiers[0].CanonicalValue() if err != nil { t.Errorf("%v: unexpected error getting canonical value, got %v", tc.caseDesc, err) } } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err) } } diff --git a/pkg/types/test_util.go b/pkg/types/test_util.go index 03b5b9c0b..529d71b79 100644 --- a/pkg/types/test_util.go +++ b/pkg/types/test_util.go @@ -31,7 +31,7 @@ func (u BaseUnmarshalTester) NewEntry() EntryImpl { return &BaseUnmarshalTester{} } -func (u BaseUnmarshalTester) Verifier() (pki.PublicKey, error) { +func (u BaseUnmarshalTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/tuf/tuf_test.go b/pkg/types/tuf/tuf_test.go index 16a9fb96f..282881955 100644 --- a/pkg/types/tuf/tuf_test.go +++ b/pkg/types/tuf/tuf_test.go @@ -39,7 +39,7 @@ func (u UnmarshalFailsTester) NewEntry() types.EntryImpl { return &UnmarshalFailsTester{} } -func (u UnmarshalFailsTester) Verifier() (pki.PublicKey, error) { +func (u UnmarshalFailsTester) Verifiers() ([]pki.PublicKey, error) { return nil, nil } diff --git a/pkg/types/tuf/v0.0.1/entry.go b/pkg/types/tuf/v0.0.1/entry.go index ec471c94b..b8413cad7 100644 --- a/pkg/types/tuf/v0.0.1/entry.go +++ b/pkg/types/tuf/v0.0.1/entry.go @@ -369,7 +369,7 @@ func (v V001Entry) CreateFromArtifactProperties(ctx context.Context, props types return &returnVal, nil } -func (v V001Entry) Verifier() (pki.PublicKey, error) { +func (v V001Entry) Verifiers() ([]pki.PublicKey, error) { if v.TufObj.Root == nil { return nil, errors.New("tuf v0.0.1 entry not initialized") } @@ -377,7 +377,11 @@ func (v V001Entry) Verifier() (pki.PublicKey, error) { if err != nil { return nil, err } - return ptuf.NewPublicKey(bytes.NewReader(keyBytes)) + key, err := ptuf.NewPublicKey(bytes.NewReader(keyBytes)) + if err != nil { + return nil, err + } + return []pki.PublicKey{key}, nil } func (v V001Entry) Insertable() (bool, error) { diff --git a/pkg/types/tuf/v0.0.1/entry_test.go b/pkg/types/tuf/v0.0.1/entry_test.go index 4193c4e52..d9d05cc94 100644 --- a/pkg/types/tuf/v0.0.1/entry_test.go +++ b/pkg/types/tuf/v0.0.1/entry_test.go @@ -228,12 +228,12 @@ func TestCrossFieldValidation(t *testing.T) { // Insertable on canonicalized content is variable so we skip testing it here } - verifier, err := v.Verifier() + verifiers, err := v.Verifiers() if tc.expectVerifierSuccess { if err != nil { t.Errorf("%v: unexpected error, got %v", tc.caseDesc, err) } else { - pub, _ := verifier.CanonicalValue() + pub, _ := verifiers[0].CanonicalValue() rootBytes := new(bytes.Buffer) if err := json.Compact(rootBytes, keyBytes); err != nil { t.Fatal(err) @@ -244,7 +244,7 @@ func TestCrossFieldValidation(t *testing.T) { } } else { if err == nil { - s, _ := verifier.CanonicalValue() + s, _ := verifiers[0].CanonicalValue() t.Errorf("%v: expected error for %v, got %v", tc.caseDesc, string(s), err) } }