sigstore · haydentherapper · Jun 13, 2024 · Jun 12, 2024
@@ -48,8 +48,8 @@ func (c *Certificate) ValidAtTime(t time.Time, _ root.TrustedMaterial) bool {
 	return !(c.Certificate.NotAfter.Before(t) || c.Certificate.NotBefore.After(t))
 }
 
-func (c *Certificate) HasCertificate() (x509.Certificate, bool) {
-	return *c.Certificate, true
+func (c *Certificate) GetCertificate() *x509.Certificate {
+	return c.Certificate
 }
 
 func (c *Certificate) HasPublicKey() (verify.PublicKeyProvider, bool) {
@@ -79,8 +79,8 @@ func (pk *PublicKey) ValidAtTime(t time.Time, tm root.TrustedMaterial) bool {
 	return verifier.ValidAtTime(t)
 }
 
-func (pk *PublicKey) HasCertificate() (x509.Certificate, bool) {
-	return x509.Certificate{}, false
+func (pk *PublicKey) GetCertificate() *x509.Certificate {
+	return nil
 }
 
 func (pk *PublicKey) HasPublicKey() (verify.PublicKeyProvider, bool) {

@@ -30,13 +30,13 @@ func TestSummarizeCertificateWithActionsBundle(t *testing.T) {
 		t.Fatalf("failed to get verification content: %v", err)
 	}
 
-	leaf, ok := vc.HasCertificate()
+	leaf := vc.GetCertificate()
 
-	if !ok {
+	if leaf == nil {
 		t.Fatalf("expected verification content to be a certificate chain")
 	}
 
-	cs, err := certificate.SummarizeCertificate(&leaf)
+	cs, err := certificate.SummarizeCertificate(leaf)
 	if err != nil {
 		t.Fatalf("failed to summarize: %v", err)
 	}
@@ -79,13 +79,13 @@ func TestSummarizeCertificateWithOauthBundle(t *testing.T) {
 		t.Fatalf("failed to get verification content: %v", err)
 	}
 
-	leaf, ok := vc.HasCertificate()
+	leaf := vc.GetCertificate()
 
-	if !ok {
+	if leaf == nil {
 		t.Fatalf("expected verification content to be a certificate chain")
 	}
 
-	cs, err := certificate.SummarizeCertificate(&leaf)
+	cs, err := certificate.SummarizeCertificate(leaf)
 	if err != nil {
 		t.Fatalf("failed to summarize: %v", err)
 	}

@@ -22,7 +22,7 @@ import (
 	"github.com/sigstore/sigstore-go/pkg/root"
 )
 
-func VerifyLeafCertificate(observerTimestamp time.Time, leafCert x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive
+func VerifyLeafCertificate(observerTimestamp time.Time, leafCert *x509.Certificate, trustedMaterial root.TrustedMaterial) error { // nolint: revive
 	for _, ca := range trustedMaterial.FulcioCertificateAuthorities() {
 		if !ca.ValidityPeriodStart.IsZero() && observerTimestamp.Before(ca.ValidityPeriodStart) {
 			continue

@@ -53,7 +53,7 @@ func TestVerifyValidityPeriod(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := verify.VerifyLeafCertificate(tt.observerTimestamp, *leaf, virtualSigstore); (err != nil) != tt.wantErr {
+			if err := verify.VerifyLeafCertificate(tt.observerTimestamp, leaf, virtualSigstore); (err != nil) != tt.wantErr {
 				t.Errorf("VerifyLeafCertificate() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})

@@ -64,7 +64,7 @@ type SignedEntity interface {
 type VerificationContent interface {
 	CompareKey(any, root.TrustedMaterial) bool
 	ValidAtTime(time.Time, root.TrustedMaterial) bool
-	HasCertificate() (x509.Certificate, bool)
+	GetCertificate() *x509.Certificate
 	HasPublicKey() (PublicKeyProvider, bool)
 }
 

@@ -89,7 +89,7 @@ func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verification
 }
 
 func getSignatureVerifier(verificationContent VerificationContent, tm root.TrustedMaterial) (signature.Verifier, error) {
-	if leafCert, ok := verificationContent.HasCertificate(); ok {
+	if leafCert := verificationContent.GetCertificate(); leafCert != nil {
 		// TODO: Inspect certificate's SignatureAlgorithm to determine hash function
 		return signature.LoadVerifier(leafCert.PublicKey, crypto.SHA256)
 	} else if pk, ok := verificationContent.HasPublicKey(); ok {

@@ -494,7 +494,7 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V
 
 	// If the bundle was signed with a long-lived key, and does not have a Fulcio certificate,
 	// then skip the certificate verification steps
-	if leafCert, ok := verificationContent.HasCertificate(); ok {
+	if leafCert := verificationContent.GetCertificate(); leafCert != nil {
 		signedWithCertificate = true
 
 		// From spec:
@@ -514,13 +514,13 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V
 		// > Unless performing online verification (see §Alternative Workflows), the Verifier MUST extract the  SignedCertificateTimestamp embedded in the leaf certificate, and verify it as in RFC 9162 §8.1.3, using the verification key from the Certificate Transparency Log.
 
 		if v.config.weExpectSCTs {
-			err = VerifySignedCertificateTimestamp(&leafCert, v.config.ctlogEntriesThreshold, v.trustedMaterial)
+			err = VerifySignedCertificateTimestamp(leafCert, v.config.ctlogEntriesThreshold, v.trustedMaterial)
 			if err != nil {
 				return nil, fmt.Errorf("failed to verify signed certificate timestamp: %w", err)
 			}
 		}
 
-		certSummary, err = certificate.SummarizeCertificate(&leafCert)
+		certSummary, err = certificate.SummarizeCertificate(leafCert)
 		if err != nil {
 			return nil, fmt.Errorf("failed to summarize certificate: %w", err)
 		}
@@ -685,7 +685,7 @@ func (v *SignedEntityVerifier) VerifyObserverTimestamps(entity SignedEntity, log
 			return nil, err
 		}
 
-		if leafCert, ok := verificationContent.HasCertificate(); ok {
+		if leafCert := verificationContent.GetCertificate(); leafCert != nil {
 			verifiedTimestamps = append(verifiedTimestamps, TimestampVerificationResult{Type: "LeafCert.NotBefore", URI: "", Timestamp: leafCert.NotBefore})
 		} else {
 			// no cert? use current time