Skip to content

Commit

Permalink
Merge pull request #7 from scribe-security/feature/multi_sign
Browse files Browse the repository at this point in the history
Feature/multi sign
  • Loading branch information
adityasaky authored Dec 7, 2021
2 parents 994000d + 1509a8f commit 9e1a44e
Show file tree
Hide file tree
Showing 6 changed files with 405 additions and 111 deletions.
34 changes: 27 additions & 7 deletions dsse/sign.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,8 @@ using the current algorithm, and the key used (if applicable).
For an example see EcdsaSigner in sign_test.go.
*/
type Signer interface {
Sign(data []byte) ([]byte, string, error)
Sign(data []byte) ([]byte, error)
KeyID() (string, error)
}

// SignVerifer provides both the signing and verification interface.
Expand All @@ -79,14 +80,25 @@ type SignVerifier interface {
// EnvelopeSigner creates signed Envelopes.
type EnvelopeSigner struct {
providers []SignVerifier
ev EnvelopeVerifier
ev *envelopeVerifier
}

/*
NewEnvelopeSigner creates an EnvelopeSigner that uses 1+ Signer
algorithms to sign the data.
Creates a verifier with threshold=1, at least one of the providers must validate signitures successfully.
*/
func NewEnvelopeSigner(p ...SignVerifier) (*EnvelopeSigner, error) {
return NewMultiEnvelopeSigner(1, p...)
}

/*
NewMultiEnvelopeSigner creates an EnvelopeSigner that uses 1+ Signer
algorithms to sign the data.
Creates a verifier with threshold.
threashold indicates the amount of providers that must validate the envelope.
*/
func NewMultiEnvelopeSigner(threshold int, p ...SignVerifier) (*EnvelopeSigner, error) {
var providers []SignVerifier

for _, sv := range p {
Expand All @@ -104,11 +116,14 @@ func NewEnvelopeSigner(p ...SignVerifier) (*EnvelopeSigner, error) {
evps = append(evps, p.(Verifier))
}

ev, err := NewMultiEnvelopeVerifier(threshold, evps...)
if err != nil {
return nil, err
}

return &EnvelopeSigner{
providers: providers,
ev: EnvelopeVerifier{
providers: evps,
},
ev: ev,
}, nil
}

Expand All @@ -127,10 +142,14 @@ func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelop
paeEnc := PAE(payloadType, body)

for _, signer := range es.providers {
sig, keyID, err := signer.Sign(paeEnc)
sig, err := signer.Sign(paeEnc)
if err != nil {
return nil, err
}
keyID, err := signer.KeyID()
if err != nil {
keyID = ""
}

e.Signatures = append(e.Signatures, Signature{
KeyID: keyID,
Expand All @@ -145,8 +164,9 @@ func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelop
Verify decodes the payload and verifies the signature.
Any domain specific validation such as parsing the decoded body and
validating the payload type is left out to the caller.
Verify returns a list of accepted keys each including a keyid, public and signiture of the accepted provider keys.
*/
func (es *EnvelopeSigner) Verify(e *Envelope) error {
func (es *EnvelopeSigner) Verify(e *Envelope) ([]AcceptedKey, error) {
return es.ev.Verify(e)
}

Expand Down
Loading

0 comments on commit 9e1a44e

Please sign in to comment.