add a first draft for signing links in InTotoRun

We use the model.Sign() func for signing keys.
This commit also removes unrelated code in TestMetablockSignWithEd25519
because we **indeed** support RSA now.

This adds support for signing links in InTotoRun via a
specific key

in_toto/model.go

@@ -642,14 +642,20 @@ func (mb *Metablock) Sign(key Key) error {
 	// FIXME: we could be fancier about signature-generation using a dispatch
 	// table or something but for now let's just be explicit
 	// (also, lolnogenerics)
-	if key.KeyType == "ed25519" && key.Scheme == "ed25519" {
+	switch key.Scheme {
+	case "ed25519":
 		newSignature, err = GenerateEd25519Signature(dataCanonical, key)
 		if err != nil {
 			return err
 		}
-	} else {
-		return fmt.Errorf("This key type or signature (%s, %s) scheme is "+
-			"not supported yet!", key.KeyType, key.Scheme)
+	case "rsassa-pss-sha256":
+		newSignature, err = GenerateRSASignature(dataCanonical, key)
+		if err != nil {
+			return err
+		}
+	default:
+		return fmt.Errorf("this key type or signature (%s, %s) scheme is "+
+			"not supported yet", key.KeyType, key.Scheme)
 	}
 
 	mb.Signatures = append(mb.Signatures, newSignature)

in_toto/model_test.go

@@ -1168,16 +1168,6 @@ func TestMetablockSignWithEd25519(t *testing.T) {
 		t.Errorf("Cannot parse template file: %s", err)
 	}
 
-	if err := key.LoadRSAPublicKey("alice.pub"); err != nil {
-		t.Errorf("Cannot load public key file: %s", err)
-	}
-	err := mb.Sign(key)
-	if err == nil || !strings.Contains(err.Error(), "supported yet") {
-		t.Errorf("Metablock.Sign returned (%s), expected it to claim this "+
-			"key type/scheme is unsupported", err)
-
-	}
-
 	pubkey := `{"keytype": "ed25519", "scheme": "ed25519", "keyid": "308e3f53523b632983a988b72a2e39c85fe8fc967116043ce51fa8d92a6aef64", "keyid_hash_algorithms": ["sha256", "sha512"], "keyval": {"public": "8f93f549eb4cca8dc2142fb655ba2d0955d1824f79474f354e38d6a359e9d440", "private": ""}}`
 
 	badkey, err := ParseEd25519FromPrivateJSON(pubkey)

in_toto/runlib.go

@@ -249,7 +249,7 @@ return value is an empty Metablock and the second return value is the error.
 NOTE: Currently InTotoRun cannot be used to sign Link metadata.
 */
 func InTotoRun(name string, materialPaths []string, productPaths []string,
-	cmdArgs []string) (Metablock, error) {
+	cmdArgs []string, key Key) (Metablock, error) {
 	var linkMb Metablock
 	materials, err := RecordArtifacts(materialPaths)
 	if err != nil {
@@ -266,8 +266,7 @@ func InTotoRun(name string, materialPaths []string, productPaths []string,
 		return linkMb, err
 	}
 
-	linkMb.Signatures = []Signature{}
-	linkMb.Signed = Link{
+	link := Link{
 		Type:        "link",
 		Name:        name,
 		Materials:   materials,
@@ -277,5 +276,14 @@ func InTotoRun(name string, materialPaths []string, productPaths []string,
 		Environment: map[string]interface{}{},
 	}
 
+	linkMb.Signatures = []Signature{}
+	// we expect that key has been initialized if it has a valid KeyId
+	if key.KeyId != "" {
+		if err := linkMb.Sign(key); err != nil {
+			return linkMb, err
+		}
+	}
+	linkMb.Signed = link
+
 	return linkMb, nil
 }

in_toto/runlib_test.go

@@ -317,7 +317,7 @@ func TestInTotoRun(t *testing.T) {
 	}
 	for i := 0; i < len(parameters); i++ {
 		result, err := InTotoRun(linkName, parameters[i]["materialPaths"],
-			parameters[i]["productPaths"], parameters[i]["cmdArgs"])
+			parameters[i]["productPaths"], parameters[i]["cmdArgs"], Key{})
 		if !reflect.DeepEqual(result, expected[i]) {
 			t.Errorf("InTotoRun returned '(%s, %s)', expected '(%s, nil)'",
 				result, err, expected[i])
@@ -348,7 +348,7 @@ func TestInTotoRun(t *testing.T) {
 
 	for i := 0; i < len(parameters); i++ {
 		result, err := InTotoRun(linkName, parameters[i]["materialPaths"],
-			parameters[i]["productPaths"], parameters[i]["cmdArgs"])
+			parameters[i]["productPaths"], parameters[i]["cmdArgs"], Key{})
 		if err == nil {
 			t.Errorf("InTotoRun returned '(%s, %s)', expected '(%s, <error>)'",
 				result, err, expected[i])

in_toto/verifylib.go

@@ -39,7 +39,7 @@ func RunInspections(layout Layout) (map[string]Metablock, error) {
 	for _, inspection := range layout.Inspect {
 
 		linkMb, err := InTotoRun(inspection.Name, []string{"."}, []string{"."},
-			inspection.Run)
+			inspection.Run, Key{})
 		if err != nil {
 			return nil, err
 		}