diff --git a/pkg/bundle/verification_content.go b/pkg/bundle/verification_content.go
index 8e41e791..b775295d 100644
--- a/pkg/bundle/verification_content.go
+++ b/pkg/bundle/verification_content.go
@@ -48,8 +48,8 @@ func (c *Certificate) ValidAtTime(t time.Time, _ root.TrustedMaterial) bool {
 return !(c.Certificate.NotAfter.Before(t) || c.Certificate.NotBefore.After(t))
 }
 
-func (c *Certificate) HasCertificate() (x509.Certificate, bool) {
- return *c.Certificate, true
+func (c *Certificate) GetCertificate() *x509.Certificate {
+ return c.Certificate
 }
 
 func (c *Certificate) HasPublicKey() (verify.PublicKeyProvider, bool) {
@@ -79,8 +79,8 @@ func (pk *PublicKey) ValidAtTime(t time.Time, tm root.TrustedMaterial) bool {
 return verifier.ValidAtTime(t)
 }
 
-func (pk *PublicKey) HasCertificate() (x509.Certificate, bool) {
- return x509.Certificate{}, false
+func (pk *PublicKey) GetCertificate() *x509.Certificate {
+ return nil
 }
 
 func (pk *PublicKey) HasPublicKey() (verify.PublicKeyProvider, bool) {
diff --git a/pkg/fulcio/certificate/summarize_test.go b/pkg/fulcio/certificate/summarize_test.go
index a977086d..e8c33f4d 100644
--- a/pkg/fulcio/certificate/summarize_test.go
+++ b/pkg/fulcio/certificate/summarize_test.go
@@ -30,13 +30,13 @@ func TestSummarizeCertificateWithActionsBundle(t *testing.T) {
 t.Fatalf("failed to get verification content: %v", err)
 }
 
- leaf, ok := vc.HasCertificate()
+ leaf := vc.GetCertificate()
 
- if !ok {
+ if leaf == nil {
 t.Fatalf("expected verification content to be a certificate chain")
 }
 
- cs, err := certificate.SummarizeCertificate(&leaf)
+ cs, err := certificate.SummarizeCertificate(leaf)
 if err != nil {
 t.Fatalf("failed to summarize: %v", err)
 }
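Review bot: `GetCertificate` on `*Certificate` returns nil whenever the inner `c.Certificate` field is nil, and every caller updated in this change (`getSignatureVerifier` in signature.go, `Verify` and `VerifyObserverTimestamps` in signed_entity.go) reads nil as "not certificate-based" and silently takes the public-key / long-lived-key branch, where the old `*c.Certificate` would have panicked loudly. If a `Certificate` content with a nil inner certificate is not a legal state (the struct definition is outside the hunk, so this is inferred), the accessor should not make it indistinguishable from a `PublicKey` content; either reject that state when the content is built or document it here. The former value copy also kept callers from mutating the bundle's certificate, which the shared pointer no longer does, so a doc comment such as `// GetCertificate returns the bundle's leaf certificate, or nil if none is set; callers must treat it as read-only.` would record both points.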
@@ -79,13 +79,13 @@ func TestSummarizeCertificateWithOauthBundle(t *testing.T) {
 t.Fatalf("failed to get verification content: %v", err)
 }
 
- leaf, ok := vc.HasCertificate()
+ leaf := vc.GetCertificate()
 
- if !ok {
+ if leaf == nil {
 t.Fatalf("expected verification content to be a certificate chain")
 }
 
- cs, err := certificate.SummarizeCertificate(&leaf)
+ cs, err := certificate.SummarizeCertificate(leaf)
 if err != nil {
 t.Fatalf("failed to summarize: %v", err)
 }
diff --git a/pkg/verify/certificate.go b/pkg/verify/certificate.go
index 5ee4561e..4ce2dff2 100644
--- a/pkg/verify/certificate.go
+++ b/pkg/verify/certificate.go
@@ -22,7 +22,7 @@ import (
 "github.com/sigstore/sigstore-go/pkg/root"
 )
 
-func VerifyLeafCertificate(observerTimestamp time.Time, leafCert x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive
+func VerifyLeafCertificate(observerTimestamp time.Time, leafCert *x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive
 for _, ca := range trustedMaterial.FulcioCertificateAuthorities() {
 if !ca.ValidityPeriodStart.IsZero() && observerTimestamp.Before(ca.ValidityPeriodStart) {
 continue
diff --git a/pkg/verify/certificate_test.go b/pkg/verify/certificate_test.go
index 6603f06f..8c7df7d7 100644
--- a/pkg/verify/certificate_test.go
+++ b/pkg/verify/certificate_test.go
@@ -53,7 +53,7 @@ func TestVerifyValidityPeriod(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- if err := verify.VerifyLeafCertificate(tt.observerTimestamp, *leaf, virtualSigstore); (err != nil) != tt.wantErr {
+ if err := verify.VerifyLeafCertificate(tt.observerTimestamp, leaf, virtualSigstore); (err != nil) != tt.wantErr {
 t.Errorf("VerifyLeafCertificate() error = %v, wantErr %v", err, tt.wantErr)
 }
 })
diff --git a/pkg/verify/interface.go b/pkg/verify/interface.go
index f5a3549f..464b0d5f 100644
--- a/pkg/verify/interface.go
+++ b/pkg/verify/interface.go
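Review bot: `VerifyLeafCertificate` in certificate.go now takes `*x509.Certificate` but never checks `leafCert` for nil, so the first dereference in the body (which continues outside the hunk) would panic instead of returning an error; the previous by-value parameter could not be nil. This is an exported verification entry point, so a guard before the CA loop, `if leafCert == nil { return errors.New("leaf certificate is nil") }` (or the equivalent with whichever error package the file already imports), keeps the failure mode an error rather than a crash. The callers updated in this change all test for nil first, so the guard is defensive for external callers of the public API.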
@@ -64,7 +64,7 @@ type SignedEntity interface {
 type VerificationContent interface {
 CompareKey(any, root.TrustedMaterial) bool
 ValidAtTime(time.Time, root.TrustedMaterial) bool
- HasCertificate() (x509.Certificate, bool)
+ GetCertificate() *x509.Certificate
 HasPublicKey() (PublicKeyProvider, bool)
 }
 
diff --git a/pkg/verify/signature.go b/pkg/verify/signature.go
index da6ca341..2cadd126 100644
--- a/pkg/verify/signature.go
+++ b/pkg/verify/signature.go
@@ -89,7 +89,7 @@ func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verification
 }
 
 func getSignatureVerifier(verificationContent VerificationContent, tm root.TrustedMaterial) (signature.Verifier, error) {
- if leafCert, ok := verificationContent.HasCertificate(); ok {
+ if leafCert := verificationContent.GetCertificate(); leafCert != nil {
 // TODO: Inspect certificate's SignatureAlgorithm to determine hash function
 return signature.LoadVerifier(leafCert.PublicKey, crypto.SHA256)
 } else if pk, ok := verificationContent.HasPublicKey(); ok {
diff --git a/pkg/verify/signed_entity.go b/pkg/verify/signed_entity.go
index 08be6594..ae442fb4 100644
--- a/pkg/verify/signed_entity.go
+++ b/pkg/verify/signed_entity.go
@@ -494,7 +494,7 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V
 
 // If the bundle was signed with a long-lived key, and does not have a Fulcio certificate,
 // then skip the certificate verification steps
- if leafCert, ok := verificationContent.HasCertificate(); ok {
+ if leafCert := verificationContent.GetCertificate(); leafCert != nil {
 signedWithCertificate = true
 
 // From spec:
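Review bot: The new `GetCertificate() *x509.Certificate` method on the exported `VerificationContent` interface has no doc comment, and its contract — nil means the content is keyed by a public key rather than a certificate, which is what `Verify` uses to decide whether to skip the Fulcio certificate checks — is only discoverable from the call sites in signature.go and signed_entity.go. Add above it `// GetCertificate returns the leaf certificate for certificate-based content, or nil when the content carries only a public key.` so implementers know that returning nil routes verification down the long-lived-key path. On naming, Go style would normally drop the `Get` prefix, but `Certificate()` would collide with the `Certificate` field on the bundle implementation seen in verification_content.go, so the prefix seems justified here.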
@@ -514,13 +514,13 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V
 
 // > Unless performing online verification (see §Alternative Workflows), the Verifier MUST extract the SignedCertificateTimestamp embedded in the leaf certificate, and verify it as in RFC 9162 §8.1.3, using the verification key from the Certificate Transparency Log.
 if v.config.weExpectSCTs {
- err = VerifySignedCertificateTimestamp(&leafCert, v.config.ctlogEntriesThreshold, v.trustedMaterial)
+ err = VerifySignedCertificateTimestamp(leafCert, v.config.ctlogEntriesThreshold, v.trustedMaterial)
 if err != nil {
 return nil, fmt.Errorf("failed to verify signed certificate timestamp: %w", err)
 }
 }
 
- certSummary, err = certificate.SummarizeCertificate(&leafCert)
+ certSummary, err = certificate.SummarizeCertificate(leafCert)
 if err != nil {
 return nil, fmt.Errorf("failed to summarize certificate: %w", err)
 }
@@ -685,7 +685,7 @@ func (v *SignedEntityVerifier) VerifyObserverTimestamps(entity SignedEntity, log
 return nil, err
 }
 
- if leafCert, ok := verificationContent.HasCertificate(); ok {
+ if leafCert := verificationContent.GetCertificate(); leafCert != nil {
 verifiedTimestamps = append(verifiedTimestamps, TimestampVerificationResult{Type: "LeafCert.NotBefore", URI: "", Timestamp: leafCert.NotBefore})
 } else {
 // no cert? use current time