Adds shapes and methods for signature related tasks

go.mod

@@ -1,3 +1,5 @@
 module github.com/notaryproject/notation-core-go
 
 go 1.17
+
+require github.com/golang-jwt/jwt/v4 v4.4.1 // indirect

go.sum

@@ -0,0 +1,2 @@
+github.com/golang-jwt/jwt/v4 v4.4.1 h1:pC5DB52sCeK48Wlb9oPcdhnjkz1TKt1D/P7WKJ0kUcQ=
+github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=

internal/testhelper/certificatetest.go

@@ -0,0 +1,165 @@
+package testhelper
+
+import (
+	_ "crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"math/big"
+	"time"
+)
+
+var (
+	root      CertTuple
+	leaf      CertTuple
+	ecdsaRoot ECCertTuple
+	ecdsaLeaf   ECCertTuple
+	unsupported CertTuple
+)
+
+type CertTuple struct {
+	Cert       *x509.Certificate
+	PrivateKey *rsa.PrivateKey
+}
+
+type ECCertTuple struct {
+	Cert       *x509.Certificate
+	PrivateKey *ecdsa.PrivateKey
+}
+
+func init() {
+	setupCertificates()
+}
+
+func GetRootCertificate() CertTuple {
+	return root
+}
+
+func GetLeafCertificate() CertTuple {
+	return leaf
+}
+
+func GetECRootCertificate() ECCertTuple {
+	return ecdsaRoot
+}
+
+func GetECLeafCertificate() ECCertTuple {
+	return ecdsaLeaf
+}
+
+func GetUnsupportedCertificate() CertTuple {
+	return unsupported
+}
+
+func setupCertificates() {
+	root = getCertTuple("Notation Test Root", nil)
+	leaf = getCertTuple("Notation Test Leaf Cert", &root)
+	ecdsaRoot = getECCertTuple("Notation Test Root2", nil)
+	ecdsaLeaf = getECCertTuple("Notation Test Leaf Cert", &ecdsaRoot)
+
+	k, _ := rsa.GenerateKey(rand.Reader, 1024)
+	unsupported = getCertTupleWithPK(k, "Notation Unsupported Root", nil)
+}
+
+func getCertTupleWithPK(privKey *rsa.PrivateKey, cn string, issuer *CertTuple) CertTuple {
+	var certBytes []byte
+	if issuer != nil {
+		template := &x509.Certificate{
+			SerialNumber: big.NewInt(2),
+			Subject: pkix.Name{
+				Organization: []string{"Notary"},
+				Country:      []string{"US"},
+				Province:     []string{"WA"},
+				Locality:     []string{"Seattle"},
+				CommonName:   cn,
+			},
+			NotBefore:   time.Now(),
+			NotAfter:    time.Now().AddDate(0, 0, 1),
+			KeyUsage:    x509.KeyUsageDigitalSignature,
+			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+		}
+		certBytes, _ = x509.CreateCertificate(rand.Reader, template, issuer.Cert, &privKey.PublicKey, issuer.PrivateKey)
+	} else {
+		template := &x509.Certificate{
+			SerialNumber: big.NewInt(1),
+			Subject: pkix.Name{
+				Organization: []string{"Notary"},
+				Country:      []string{"US"},
+				Province:     []string{"WA"},
+				Locality:     []string{"Seattle"},
+				CommonName:   "Notation Test Root",
+			},
+			NotBefore:             time.Now(),
+			NotAfter:              time.Now().AddDate(0, 1, 0),
+			KeyUsage:              x509.KeyUsageCertSign,
+			BasicConstraintsValid: true,
+			MaxPathLen:            1,
+			IsCA:                  true,
+		}
+		certBytes, _ = x509.CreateCertificate(rand.Reader, template, template, &privKey.PublicKey, privKey)
+	}
+
+	cert, _ := x509.ParseCertificate(certBytes)
+	return CertTuple{
+		Cert:       cert,
+		PrivateKey: privKey,
+	}
+}
+
+func getEcdsaCertTupleWithPK(privKey *ecdsa.PrivateKey, cn string, issuer *ECCertTuple) ECCertTuple {
+	var certBytes []byte
+	if issuer != nil {
+		template := &x509.Certificate{
+			SerialNumber: big.NewInt(2),
+			Subject: pkix.Name{
+				Organization: []string{"Notary"},
+				Country:      []string{"US"},
+				Province:     []string{"WA"},
+				Locality:     []string{"Seattle"},
+				CommonName:   cn,
+			},
+			NotBefore:   time.Now(),
+			NotAfter:    time.Now().AddDate(0, 0, 1),
+			KeyUsage:    x509.KeyUsageDigitalSignature,
+			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+		}
+		certBytes, _ = x509.CreateCertificate(rand.Reader, template, issuer.Cert, &privKey.PublicKey, issuer.PrivateKey)
+	} else {
+		template := &x509.Certificate{
+			SerialNumber: big.NewInt(1),
+			Subject: pkix.Name{
+				Organization: []string{"Notary"},
+				Country:      []string{"US"},
+				Province:     []string{"WA"},
+				Locality:     []string{"Seattle"},
+				CommonName:   "Notation EC Test Root",
+			},
+			NotBefore:             time.Now(),
+			NotAfter:              time.Now().AddDate(0, 1, 0),
+			KeyUsage:              x509.KeyUsageCertSign,
+			BasicConstraintsValid: true,
+			MaxPathLen:            1,
+			IsCA:                  true,
+		}
+		certBytes, _ = x509.CreateCertificate(rand.Reader, template, template, &privKey.PublicKey, privKey)
+	}
+
+	cert, _ := x509.ParseCertificate(certBytes)
+	return ECCertTuple{
+		Cert:       cert,
+		PrivateKey: privKey,
+	}
+}
+
+func getCertTuple(cn string, issuer *CertTuple) CertTuple {
+	pk, _ := rsa.GenerateKey(rand.Reader, 3072)
+	return getCertTupleWithPK(pk, cn, issuer)
+}
+
+func getECCertTuple(cn string, issuer *ECCertTuple) ECCertTuple {
+	k, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	return getEcdsaCertTupleWithPK(k, cn, issuer)
+}

signer/errors.go

@@ -0,0 +1,106 @@
+package signer
+
+import "fmt"
+
+// InvalidSignatureError is used when the Signature associated is no longer valid.
+type InvalidSignatureError struct {
+	err error
+}
+
+func (e InvalidSignatureError) Error() string {
+	return fmt.Sprintf("signature is invalid. Error: %s", e.err.Error())
+}
+
+// MalformedSignatureError is used when Signature envelope is malformed.
+type MalformedSignatureError struct {
+	msg string
+}
+
+func (e MalformedSignatureError) Error() string {
+	if len(e.msg) != 0 {
+		return e.msg
+	} else {
+		return "signature envelope format is malformed"
+	}
+}
+
+// UnsupportedSignatureFormatError is used when Signature envelope is not supported.
+type UnsupportedSignatureFormatError struct {
+	mediaType string
+}
+
+func (e UnsupportedSignatureFormatError) Error() string {
+	return fmt.Sprintf("signature envelope format with media type %q is not supported", e.mediaType)
+}
+
+// SignatureNotFoundError is used when signature envelope is not signed.
+type SignatureNotFoundError struct{}
+
+func (e SignatureNotFoundError) Error() string {
+	return "signature envelope not present."
+}
+
+// UntrustedSignatureError is used when signature is not generated using trusted certificates.
+type UntrustedSignatureError struct{}
+
+func (e UntrustedSignatureError) Error() string {
+	return "signature not generated using specified trusted certificates"
+}
+
+// UnsupportedOperationError is used when an operation is not supported.
+type UnsupportedOperationError struct {
+	operation string
+}
+
+func (e UnsupportedOperationError) Error() string {
+	return fmt.Sprintf("%q operation is not supported", e.operation)
+}
+
+// UnSupportedSigningKeyError is used when a signing key is not supported
+type UnSupportedSigningKeyError struct {
+	keyType string
+}
+
+func (e UnSupportedSigningKeyError) Error() string {
+	if len(e.keyType) != 0 {
+		return fmt.Sprintf("%q signing key is not supported", e.keyType)
+	} else {
+		return "signing key is not supported"
+	}
+}
+
+// MalformedArgumentError is used when an argument to a function is malformed.
+type MalformedArgumentError struct {
+	param string
+	err   error
+}
+
+func (e MalformedArgumentError) Error() string {
+	if e.err != nil {
+		return fmt.Sprintf("%q param is malformed. Error: %s", e.param, e.err.Error())
+	} else {
+		return fmt.Sprintf("%q param is malformed", e.param)
+	}
+}
+
+// MalformedSignRequestError is used when SignRequest is malformed.
+type MalformedSignRequestError struct {
+	msg string
+}
+
+func (e MalformedSignRequestError) Error() string {
+	if len(e.msg) != 0 {
+		return e.msg
+	} else {
+		return "SignRequest is malformed"
+	}
+}
+
+// SignatureAlgoNotSupportedError is used when signing algo is not supported.
+type SignatureAlgoNotSupportedError struct {
+	alg string
+}
+
+func (e SignatureAlgoNotSupportedError) Error() string {
+	return fmt.Sprintf("%q algorithm is not supported", e.alg)
+}