Multiple changes

* Consolidate Signer and Verifier interfaces in signerverifier.go
* Move verification tests to verify_test.go
* Rename interceptSigner

Signed-off-by: Aditya Sirish <[email protected]>

Author: adityasaky

dsse/envelope.go

@@ -37,6 +37,16 @@ type Signature struct {
 	Sig   string `json:"sig"`
 }
 
+/*
+PAE implementes the DSSE Pre-Authentic Encoding
+https://github.com/secure-systems-lab/dsse/blob/master/protocol.md#signature-definition
+*/
+func PAE(payloadType string, payload []byte) []byte {
+	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s",
+		len(payloadType), payloadType,
+		len(payload), payload))
+}
+
 /*
 Both standard and url encoding are allowed:
 https://github.com/secure-systems-lab/dsse/blob/master/envelope.md

dsse/sign.go

@@ -8,46 +8,11 @@ import (
 	"context"
 	"encoding/base64"
 	"errors"
-	"fmt"
 )
 
-// ErrUnknownKey indicates that the implementation does not recognize the
-// key.
-var ErrUnknownKey = errors.New("unknown key")
-
-// ErrNoSignature indicates that an envelope did not contain any signatures.
-var ErrNoSignature = errors.New("no signature found")
-
 // ErrNoSigners indicates that no signer was provided.
 var ErrNoSigners = errors.New("no signers provided")
 
-/*
-PAE implementes the DSSE Pre-Authentic Encoding
-https://github.com/secure-systems-lab/dsse/blob/master/protocol.md#signature-definition
-*/
-func PAE(payloadType string, payload []byte) []byte {
-	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s",
-		len(payloadType), payloadType,
-		len(payload), payload))
-}
-
-/*
-Signer defines the interface for an abstract signing algorithm.
-The Signer interface is used to inject signature algorithm implementations
-into the EnevelopeSigner. This decoupling allows for any signing algorithm
-and key management system can be used.
-The full message is provided as the parameter. If the signature algorithm
-depends on hashing of the message prior to signature calculation, the
-implementor of this interface must perform such hashing.
-The function must return raw bytes representing the calculated signature
-using the current algorithm, and the key used (if applicable).
-For an example see EcdsaSigner in sign_test.go.
-*/
-type Signer interface {
-	Sign(ctx context.Context, data []byte) ([]byte, error)
-	KeyID() (string, error)
-}
-
 // EnvelopeSigner creates signed Envelopes.
 type EnvelopeSigner struct {
 	providers []SignerVerifier

dsse/sign_test.go

@@ -378,312 +378,3 @@ func TestDecodeB64Payload(t *testing.T) {
 		assert.Nil(t, got, "wrong data")
 	})
 }
-
-func TestVerifyOneProvider(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var ns nilSignerVerifier
-	signer, err := NewEnvelopeSigner(ns)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(ns)
-	assert.Nil(t, err, "unexpected error")
-	acceptedKeys, err := verifier.Verify(context.TODO(), env)
-	assert.Nil(t, err, "unexpected error")
-	assert.Len(t, acceptedKeys, 1, "unexpected keys")
-	assert.Equal(t, acceptedKeys[0].KeyID, "nil", "unexpected keyid")
-}
-
-func TestVerifyMultipleProvider(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var ns nilSignerVerifier
-	var null nullSignerVerifier
-	signer, err := NewEnvelopeSigner(ns, null)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(ns, null)
-	assert.Nil(t, err, "unexpected error")
-	acceptedKeys, err := verifier.Verify(context.TODO(), env)
-	assert.Nil(t, err, "unexpected error")
-	assert.Len(t, acceptedKeys, 2, "unexpected keys")
-}
-
-func TestVerifyMultipleProviderThreshold(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var ns nilSignerVerifier
-	var null nullSignerVerifier
-	signer, err := NewMultiEnvelopeSigner(2, ns, null)
-	assert.Nil(t, err)
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewMultiEnvelopeVerifier(2, ns, null)
-	assert.Nil(t, err, "unexpected error")
-	acceptedKeys, err := verifier.Verify(context.TODO(), env)
-	assert.Nil(t, err, "unexpected error")
-	assert.Len(t, acceptedKeys, 2, "unexpected keys")
-}
-
-func TestVerifyMultipleProviderThresholdErr(t *testing.T) {
-	var ns nilSignerVerifier
-	var null nullSignerVerifier
-	_, err := NewMultiEnvelopeVerifier(3, ns, null)
-	assert.Equal(t, errThreshold, err, "wrong error")
-	_, err = NewMultiEnvelopeVerifier(0, ns, null)
-	assert.Equal(t, errThreshold, err, "wrong error")
-}
-
-func TestVerifyErr(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var errsv errSignerVerifier
-	signer, err := NewEnvelopeSigner(errsv)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(errsv)
-	assert.Nil(t, err, "unexpected error")
-	_, err = verifier.Verify(context.TODO(), env)
-	assert.Equal(t, errVerify, err, "wrong error")
-}
-
-func TestBadVerifier(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var badv badverifier
-	signer, err := NewEnvelopeSigner(badv)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(badv)
-	assert.Nil(t, err, "unexpected error")
-	_, err = verifier.Verify(context.TODO(), env)
-	assert.NotNil(t, err, "expected error")
-}
-
-func TestVerifyNoSig(t *testing.T) {
-	var badv badverifier
-	verifier, err := NewEnvelopeVerifier(badv)
-	assert.Nil(t, err, "unexpected error")
-
-	env := &Envelope{}
-
-	_, err = verifier.Verify(context.TODO(), env)
-	assert.Equal(t, ErrNoSignature, err, "wrong error")
-}
-
-func TestVerifyBadBase64(t *testing.T) {
-	var badv badverifier
-	verifier, err := NewEnvelopeVerifier(badv)
-	assert.Nil(t, err, "unexpected error")
-
-	t.Run("Payload", func(t *testing.T) {
-		env := &Envelope{
-			Payload: "Not base 64",
-			Signatures: []Signature{
-				{},
-			},
-		}
-
-		_, err := verifier.Verify(context.TODO(), env)
-		assert.IsType(t, base64.CorruptInputError(0), err, "wrong error")
-	})
-
-	t.Run("Signature", func(t *testing.T) {
-		env := &Envelope{
-			Payload: "cGF5bG9hZAo=",
-			Signatures: []Signature{
-				{
-					Sig: "not base 64",
-				},
-			},
-		}
-
-		_, err := verifier.Verify(context.TODO(), env)
-		assert.IsType(t, base64.CorruptInputError(0), err, "wrong error")
-	})
-}
-
-func TestVerifyNoMatch(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-
-	var ns nilSignerVerifier
-	var null nullSignerVerifier
-	verifier, err := NewEnvelopeVerifier(ns, null)
-	assert.Nil(t, err, "unexpected error")
-
-	env := &Envelope{
-		PayloadType: payloadType,
-		Payload:     "cGF5bG9hZAo=",
-		Signatures: []Signature{
-			{
-				KeyID: "not found",
-				Sig:   "cGF5bG9hZAo=",
-			},
-		},
-	}
-
-	_, err = verifier.Verify(context.TODO(), env)
-	assert.NotNil(t, err, "expected error")
-}
-
-type interceptSigner struct {
-	keyID        string
-	verifyRes    bool
-	verifyCalled bool
-}
-
-func (i *interceptSigner) Sign(ctx context.Context, data []byte) ([]byte, error) {
-	return data, nil
-}
-
-func (i *interceptSigner) Verify(ctx context.Context, data, sig []byte) error {
-	i.verifyCalled = true
-
-	if i.verifyRes {
-		return nil
-	}
-	return errVerify
-}
-
-func (i *interceptSigner) KeyID() (string, error) {
-	return i.keyID, nil
-}
-
-func (i *interceptSigner) Public() crypto.PublicKey {
-	return "intercept-public"
-}
-
-func TestVerifyOneFail(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var s1 = &interceptSigner{
-		keyID:     "i1",
-		verifyRes: true,
-	}
-	var s2 = &interceptSigner{
-		keyID:     "i2",
-		verifyRes: false,
-	}
-	signer, err := NewEnvelopeSigner(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-	acceptedKeys, err := verifier.Verify(context.TODO(), env)
-	assert.Nil(t, err, "expected error")
-	assert.True(t, s1.verifyCalled, "verify not called")
-	assert.True(t, s2.verifyCalled, "verify not called")
-	assert.Len(t, acceptedKeys, 1, "unexpected keys")
-	assert.Equal(t, acceptedKeys[0].KeyID, "i1", "unexpected keyid")
-}
-
-func TestVerifySameKeyID(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var s1 = &interceptSigner{
-		keyID:     "i1",
-		verifyRes: true,
-	}
-	var s2 = &interceptSigner{
-		keyID:     "i1",
-		verifyRes: true,
-	}
-	signer, err := NewEnvelopeSigner(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-	acceptedKeys, err := verifier.Verify(context.TODO(), env)
-	assert.Nil(t, err, "expected error")
-	assert.True(t, s1.verifyCalled, "verify not called")
-	assert.True(t, s2.verifyCalled, "verify not called")
-	assert.Len(t, acceptedKeys, 1, "unexpected keys")
-	assert.Equal(t, acceptedKeys[0].KeyID, "i1", "unexpected keyid")
-}
-
-func TestVerifyEmptyKeyID(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-
-	var s1 = &interceptSigner{
-		keyID:     "",
-		verifyRes: true,
-	}
-
-	var s2 = &interceptSigner{
-		keyID:     "",
-		verifyRes: true,
-	}
-
-	signer, err := NewEnvelopeSigner(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-	acceptedKeys, err := verifier.Verify(context.TODO(), env)
-	assert.Nil(t, err, "expected error")
-	// assert.True(t, s1.verifyCalled, "verify not called")
-	// assert.True(t, s2.verifyCalled, "verify not called")
-	assert.Len(t, acceptedKeys, 1, "unexpected keys")
-	assert.Equal(t, acceptedKeys[0].KeyID, "", "unexpected keyid")
-}
-
-func TestVerifyPublicKeyID(t *testing.T) {
-	var payloadType = "http://example.com/HelloWorld"
-	var payload = "hello world"
-	var keyID = "SHA256:f4AuBLdH4Lj/dIuwAUXXebzoI9B/cJ4iSQ3/qByIl4M"
-	// var keyID = "test key 123"
-
-	var s1 = &ecdsaSignerVerifier{
-		keyID: "",
-		key:   newEcdsaKey(),
-	}
-
-	var s2 = &ecdsaSignerVerifier{
-		keyID: "",
-		key:   newEcdsaKey(),
-	}
-	// a := s1.Public()
-
-	signer, err := NewEnvelopeSigner(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-
-	env, err := signer.SignPayload(context.TODO(), payloadType, []byte(payload))
-	assert.Nil(t, err, "sign failed")
-
-	verifier, err := NewEnvelopeVerifier(s1, s2)
-	assert.Nil(t, err, "unexpected error")
-	acceptedKeys, err := verifier.Verify(context.TODO(), env)
-	assert.Nil(t, err, "expected error")
-	assert.Len(t, acceptedKeys, 1, "unexpected keys")
-	assert.Equal(t, acceptedKeys[0].KeyID, keyID, "unexpected keyid")
-}