notaryproject · binbin-li · Aug 23, 2022 · Aug 23, 2022
diff --git a/signature/internal/base/envelope.go b/signature/internal/base/envelope.go
@@ -28,10 +28,17 @@ func (e *Envelope) Sign(req *signature.SignRequest) ([]byte, error) {
 		return nil, err
 	}
 
-	e.Raw, err = e.Envelope.Sign(req)
+	raw, err := e.Envelope.Sign(req)
 	if err != nil {
 		return nil, err
 	}
+
+	// validate certificate chain
+	if _, err := e.SignerInfo(); err != nil {
+		return nil, err
+	}
+
+	e.Raw = raw
 	return e.Raw, nil
 }
 
@@ -129,17 +136,8 @@ func validateSignRequest(req *signature.SignRequest) error {
 		return &signature.MalformedSignatureError{Msg: "signer is nil"}
 	}
 
-	certs, err := req.Signer.CertificateChain()
-	if err != nil {
-		return err
-	}
-
-	keySpec, err := req.Signer.KeySpec()
-	if err != nil {
-		return err
-	}
-
-	return validateCertificateChain(certs, req.SigningTime, keySpec.SignatureAlgorithm())
+	_, err := req.Signer.KeySpec()
+	return err
 }
 
 // validateSignerInfo performs basic set of validations on SignerInfo struct.

diff --git a/signature/signer.go b/signature/signer.go
@@ -11,11 +11,8 @@ import (
 
 // Signer is used to sign bytes generated after signature envelope created.
 type Signer interface {
-	// Sign signs the digest and returns the raw signature.
-	Sign(digest []byte) ([]byte, error)
-
-	// CertificateChain returns the certificate chain.
-	CertificateChain() ([]*x509.Certificate, error)
+	// Sign signs the payload and returns the raw signature and certificates.
+	Sign(payload []byte) ([]byte, []*x509.Certificate, error)
 
 	// KeySpec returns the key specification.
 	KeySpec() (KeySpec, error)
@@ -25,6 +22,9 @@ type Signer interface {
 type LocalSigner interface {
 	Signer
 
+	// CertificateChain returns the certificate chain.
+	CertificateChain() ([]*x509.Certificate, error)
+
 	// PrivateKey returns the private key.
 	PrivateKey() crypto.PrivateKey
 }
@@ -84,22 +84,22 @@ func isKeyPair(priv crypto.PrivateKey, pub crypto.PublicKey, keySpec KeySpec) bo
 	}
 }
 
-// Sign signs the digest and returns the raw signature.
+// Sign signs the digest and returns the raw signature and certificates.
 // This implementation should never be used by built-in signers.
-func (s *signer) Sign(digest []byte) ([]byte, error) {
-	return nil, fmt.Errorf("local signer doesn't support sign with digest")
-}
-
-// CertificateChain returns the certificate chain.
-func (s *signer) CertificateChain() ([]*x509.Certificate, error) {
-	return s.certs, nil
+func (s *signer) Sign(digest []byte) ([]byte, []*x509.Certificate, error) {
+	return nil, nil, fmt.Errorf("local signer doesn't support sign with digest")
 }
 
 // KeySpec returns the key specification.
 func (s *signer) KeySpec() (KeySpec, error) {
 	return s.keySpec, nil
 }
 
+// CertificateChain returns the certificate chain.
+func (s *signer) CertificateChain() ([]*x509.Certificate, error) {
+	return s.certs, nil
+}
+
 // PrivateKey returns the private key.
 func (s *signer) PrivateKey() crypto.PrivateKey {
 	return s.key

diff --git a/signature/signer_test.go b/signature/signer_test.go
@@ -107,25 +107,15 @@ func TestNewLocalSigner(t *testing.T) {
 func TestSign(t *testing.T) {
 	signer := &signer{}
 
-	_, err := signer.Sign(make([]byte, 0))
+	raw, certs, err := signer.Sign(make([]byte, 0))
 	if err == nil {
 		t.Errorf("expect error but got nil")
 	}
-}
-
-func TestCertificateChain(t *testing.T) {
-	expectCerts := []*x509.Certificate{
-		testhelper.GetRSALeafCertificate().Cert,
-	}
-	signer := &signer{certs: expectCerts}
-
-	certs, err := signer.CertificateChain()
-
-	if err != nil {
-		t.Errorf("expect no error but got %v", err)
+	if raw != nil {
+		t.Errorf("expect nil raw signature but got %v", raw)
 	}
-	if !reflect.DeepEqual(certs, expectCerts) {
-		t.Errorf("expect certs %+v, got %+v", expectCerts, certs)
+	if certs != nil {
+		t.Errorf("expect nil certs but got %v", certs)
 	}
 }