Skip to content

Commit

Permalink
Simplify HasCertificate interface method (#209)
Browse files Browse the repository at this point in the history
Return one value instead of two, since the same information can be
gleaned from the one value. Rename the method to be semantically
consistent with the new signature.

Signed-off-by: Colleen Murphy <[email protected]>
  • Loading branch information
cmurphy authored Jun 13, 2024
1 parent 7eeb1cb commit 4d5b65e
Show file tree
Hide file tree
Showing 7 changed files with 18 additions and 18 deletions.
8 changes: 4 additions & 4 deletions pkg/bundle/verification_content.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,8 +48,8 @@ func (c *Certificate) ValidAtTime(t time.Time, _ root.TrustedMaterial) bool {
return !(c.Certificate.NotAfter.Before(t) || c.Certificate.NotBefore.After(t))
}

func (c *Certificate) HasCertificate() (x509.Certificate, bool) {
return *c.Certificate, true
func (c *Certificate) GetCertificate() *x509.Certificate {
return c.Certificate
}

func (c *Certificate) HasPublicKey() (verify.PublicKeyProvider, bool) {
Expand Down Expand Up @@ -79,8 +79,8 @@ func (pk *PublicKey) ValidAtTime(t time.Time, tm root.TrustedMaterial) bool {
return verifier.ValidAtTime(t)
}

func (pk *PublicKey) HasCertificate() (x509.Certificate, bool) {
return x509.Certificate{}, false
func (pk *PublicKey) GetCertificate() *x509.Certificate {
return nil
}

func (pk *PublicKey) HasPublicKey() (verify.PublicKeyProvider, bool) {
Expand Down
12 changes: 6 additions & 6 deletions pkg/fulcio/certificate/summarize_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,13 +30,13 @@ func TestSummarizeCertificateWithActionsBundle(t *testing.T) {
t.Fatalf("failed to get verification content: %v", err)
}

leaf, ok := vc.HasCertificate()
leaf := vc.GetCertificate()

if !ok {
if leaf == nil {
t.Fatalf("expected verification content to be a certificate chain")
}

cs, err := certificate.SummarizeCertificate(&leaf)
cs, err := certificate.SummarizeCertificate(leaf)
if err != nil {
t.Fatalf("failed to summarize: %v", err)
}
Expand Down Expand Up @@ -79,13 +79,13 @@ func TestSummarizeCertificateWithOauthBundle(t *testing.T) {
t.Fatalf("failed to get verification content: %v", err)
}

leaf, ok := vc.HasCertificate()
leaf := vc.GetCertificate()

if !ok {
if leaf == nil {
t.Fatalf("expected verification content to be a certificate chain")
}

cs, err := certificate.SummarizeCertificate(&leaf)
cs, err := certificate.SummarizeCertificate(leaf)
if err != nil {
t.Fatalf("failed to summarize: %v", err)
}
Expand Down
2 changes: 1 addition & 1 deletion pkg/verify/certificate.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ import (
"github.com/sigstore/sigstore-go/pkg/root"
)

func VerifyLeafCertificate(observerTimestamp time.Time, leafCert x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive
func VerifyLeafCertificate(observerTimestamp time.Time, leafCert *x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive
for _, ca := range trustedMaterial.FulcioCertificateAuthorities() {
if !ca.ValidityPeriodStart.IsZero() && observerTimestamp.Before(ca.ValidityPeriodStart) {
continue
Expand Down
2 changes: 1 addition & 1 deletion pkg/verify/certificate_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ func TestVerifyValidityPeriod(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := verify.VerifyLeafCertificate(tt.observerTimestamp, *leaf, virtualSigstore); (err != nil) != tt.wantErr {
if err := verify.VerifyLeafCertificate(tt.observerTimestamp, leaf, virtualSigstore); (err != nil) != tt.wantErr {
t.Errorf("VerifyLeafCertificate() error = %v, wantErr %v", err, tt.wantErr)
}
})
Expand Down
2 changes: 1 addition & 1 deletion pkg/verify/interface.go
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ type SignedEntity interface {
type VerificationContent interface {
CompareKey(any, root.TrustedMaterial) bool
ValidAtTime(time.Time, root.TrustedMaterial) bool
HasCertificate() (x509.Certificate, bool)
GetCertificate() *x509.Certificate
HasPublicKey() (PublicKeyProvider, bool)
}

Expand Down
2 changes: 1 addition & 1 deletion pkg/verify/signature.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,7 +89,7 @@ func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verification
}

func getSignatureVerifier(verificationContent VerificationContent, tm root.TrustedMaterial) (signature.Verifier, error) {
if leafCert, ok := verificationContent.HasCertificate(); ok {
if leafCert := verificationContent.GetCertificate(); leafCert != nil {
// TODO: Inspect certificate's SignatureAlgorithm to determine hash function
return signature.LoadVerifier(leafCert.PublicKey, crypto.SHA256)
} else if pk, ok := verificationContent.HasPublicKey(); ok {
Expand Down
8 changes: 4 additions & 4 deletions pkg/verify/signed_entity.go
Original file line number Diff line number Diff line change
Expand Up @@ -494,7 +494,7 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V

// If the bundle was signed with a long-lived key, and does not have a Fulcio certificate,
// then skip the certificate verification steps
if leafCert, ok := verificationContent.HasCertificate(); ok {
if leafCert := verificationContent.GetCertificate(); leafCert != nil {
signedWithCertificate = true

// From spec:
Expand All @@ -514,13 +514,13 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V
// > Unless performing online verification (see §Alternative Workflows), the Verifier MUST extract the SignedCertificateTimestamp embedded in the leaf certificate, and verify it as in RFC 9162 §8.1.3, using the verification key from the Certificate Transparency Log.

if v.config.weExpectSCTs {
err = VerifySignedCertificateTimestamp(&leafCert, v.config.ctlogEntriesThreshold, v.trustedMaterial)
err = VerifySignedCertificateTimestamp(leafCert, v.config.ctlogEntriesThreshold, v.trustedMaterial)
if err != nil {
return nil, fmt.Errorf("failed to verify signed certificate timestamp: %w", err)
}
}

certSummary, err = certificate.SummarizeCertificate(&leafCert)
certSummary, err = certificate.SummarizeCertificate(leafCert)
if err != nil {
return nil, fmt.Errorf("failed to summarize certificate: %w", err)
}
Expand Down Expand Up @@ -685,7 +685,7 @@ func (v *SignedEntityVerifier) VerifyObserverTimestamps(entity SignedEntity, log
return nil, err
}

if leafCert, ok := verificationContent.HasCertificate(); ok {
if leafCert := verificationContent.GetCertificate(); leafCert != nil {
verifiedTimestamps = append(verifiedTimestamps, TimestampVerificationResult{Type: "LeafCert.NotBefore", URI: "", Timestamp: leafCert.NotBefore})
} else {
// no cert? use current time
Expand Down

0 comments on commit 4d5b65e

Please sign in to comment.