diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go index 4d6045da..57292bd8 100644 --- a/cmd/conformance/main.go +++ b/cmd/conformance/main.go @@ -308,7 +308,7 @@ func main() { log.Fatal(err) } - bun, err := bundle.NewProtobufBundle(&pb) + bun, err := bundle.NewBundle(&pb) if err != nil { log.Fatal(err) } diff --git a/docs/verification.md b/docs/verification.md index 3533c1e6..b0b16c45 100644 --- a/docs/verification.md +++ b/docs/verification.md @@ -32,7 +32,7 @@ The verifier allows you to use the Sigstore Public Good TUF root or your own cus This library includes a few abstractions to support different use cases, testing, and extensibility: -- `SignedEntity` - an interface type respresenting a signed message or attestation, with a signature and metadata, implemented by `ProtobufBundle`, a type which wraps the `Bundle` type from `protobuf-specs`. +- `SignedEntity` - an interface type respresenting a signed message or attestation, with a signature and metadata, implemented by `Bundle`, a type which wraps the `Bundle` type from `protobuf-specs`. - `TrustedMaterial` - an interface type representing a trusted set of keys or certificates for verifying certificates, timestamps, and artifact transparency logs, implemented by `TrustedRoot` ## Verifier diff --git a/examples/oci-image-verification/main.go b/examples/oci-image-verification/main.go index 8c36b7be..356d765c 100644 --- a/examples/oci-image-verification/main.go +++ b/examples/oci-image-verification/main.go @@ -98,7 +98,7 @@ func main() { } func run() error { - var b *bundle.ProtobufBundle + var b *bundle.Bundle var err error if *ociImage != "" { @@ -246,8 +246,8 @@ func trustedPublicKeyMaterial(pk crypto.PublicKey) *root.TrustedPublicKeyMateria }) } -// bundleFromOCIImage returns a ProtobufBundle based on OCI image reference. -func bundleFromOCIImage(imageRef string) (*bundle.ProtobufBundle, *string, error) { +// bundleFromOCIImage returns a Bundle based on OCI image reference. +func bundleFromOCIImage(imageRef string) (*bundle.Bundle, *string, error) { // 1. Get the simple signing layer simpleSigning, err := simpleSigningLayerFromOCIImage(imageRef) if err != nil { @@ -273,7 +273,7 @@ func bundleFromOCIImage(imageRef string) (*bundle.ProtobufBundle, *string, error VerificationMaterial: verificationMaterial, Content: msgSignature, } - bun, err := bundle.NewProtobufBundle(&pb) + bun, err := bundle.NewBundle(&pb) if err != nil { return nil, nil, fmt.Errorf("error creating bundle: %w", err) } diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go index 5fcf949f..fbf53e6c 100644 --- a/pkg/bundle/bundle.go +++ b/pkg/bundle/bundle.go @@ -48,14 +48,14 @@ func ErrValidationError(err error) error { return fmt.Errorf("%w: %w", ErrValidation, err) } -type ProtobufBundle struct { +type Bundle struct { *protobundle.Bundle hasInclusionPromise bool hasInclusionProof bool } -func NewProtobufBundle(pbundle *protobundle.Bundle) (*ProtobufBundle, error) { - bundle := &ProtobufBundle{ +func NewBundle(pbundle *protobundle.Bundle) (*Bundle, error) { + bundle := &Bundle{ Bundle: pbundle, hasInclusionPromise: false, hasInclusionProof: false, @@ -69,7 +69,7 @@ func NewProtobufBundle(pbundle *protobundle.Bundle) (*ProtobufBundle, error) { return bundle, nil } -func (b *ProtobufBundle) validate() error { +func (b *Bundle) validate() error { bundleVersion, err := getBundleVersion(b.Bundle.MediaType) if err != nil { return fmt.Errorf("error getting bundle version: %w", err) @@ -194,8 +194,8 @@ func validateBundle(b *protobundle.Bundle) error { return nil } -func LoadJSONFromPath(path string) (*ProtobufBundle, error) { - var bundle ProtobufBundle +func LoadJSONFromPath(path string) (*Bundle, error) { + var bundle Bundle bundle.Bundle = new(protobundle.Bundle) contents, err := os.ReadFile(path) @@ -211,11 +211,11 @@ func LoadJSONFromPath(path string) (*ProtobufBundle, error) { return &bundle, nil } -func (b *ProtobufBundle) MarshalJSON() ([]byte, error) { +func (b *Bundle) MarshalJSON() ([]byte, error) { return protojson.Marshal(b.Bundle) } -func (b *ProtobufBundle) UnmarshalJSON(data []byte) error { +func (b *Bundle) UnmarshalJSON(data []byte) error { b.Bundle = new(protobundle.Bundle) err := protojson.Unmarshal(data, b.Bundle) if err != nil { @@ -230,7 +230,7 @@ func (b *ProtobufBundle) UnmarshalJSON(data []byte) error { return nil } -func (b *ProtobufBundle) VerificationContent() (verify.VerificationContent, error) { +func (b *Bundle) VerificationContent() (verify.VerificationContent, error) { if b.VerificationMaterial == nil { return nil, ErrMissingVerificationMaterial } @@ -269,15 +269,15 @@ func (b *ProtobufBundle) VerificationContent() (verify.VerificationContent, erro } } -func (b *ProtobufBundle) HasInclusionPromise() bool { +func (b *Bundle) HasInclusionPromise() bool { return b.hasInclusionPromise } -func (b *ProtobufBundle) HasInclusionProof() bool { +func (b *Bundle) HasInclusionProof() bool { return b.hasInclusionProof } -func (b *ProtobufBundle) TlogEntries() ([]*tlog.Entry, error) { +func (b *Bundle) TlogEntries() ([]*tlog.Entry, error) { if b.VerificationMaterial == nil { return nil, nil } @@ -301,7 +301,7 @@ func (b *ProtobufBundle) TlogEntries() ([]*tlog.Entry, error) { return tlogEntries, nil } -func (b *ProtobufBundle) SignatureContent() (verify.SignatureContent, error) { +func (b *Bundle) SignatureContent() (verify.SignatureContent, error) { switch content := b.Bundle.Content.(type) { //nolint:gocritic case *protobundle.Bundle_DsseEnvelope: envelope, err := parseEnvelope(content.DsseEnvelope) @@ -319,7 +319,7 @@ func (b *ProtobufBundle) SignatureContent() (verify.SignatureContent, error) { return nil, ErrMissingVerificationMaterial } -func (b *ProtobufBundle) Envelope() (*Envelope, error) { +func (b *Bundle) Envelope() (*Envelope, error) { switch content := b.Bundle.Content.(type) { //nolint:gocritic case *protobundle.Bundle_DsseEnvelope: envelope, err := parseEnvelope(content.DsseEnvelope) @@ -331,7 +331,7 @@ func (b *ProtobufBundle) Envelope() (*Envelope, error) { return nil, ErrMissingVerificationMaterial } -func (b *ProtobufBundle) Timestamps() ([][]byte, error) { +func (b *Bundle) Timestamps() ([][]byte, error) { if b.VerificationMaterial == nil { return nil, ErrMissingVerificationMaterial } @@ -350,7 +350,7 @@ func (b *ProtobufBundle) Timestamps() ([][]byte, error) { } // MinVersion returns true if the bundle version is greater than or equal to the expected version. -func (b *ProtobufBundle) MinVersion(expectVersion string) bool { +func (b *Bundle) MinVersion(expectVersion string) bool { version, err := getBundleVersion(b.Bundle.MediaType) if err != nil { return false diff --git a/pkg/bundle/bundle_test.go b/pkg/bundle/bundle_test.go index 9fddc318..0e3630bc 100644 --- a/pkg/bundle/bundle_test.go +++ b/pkg/bundle/bundle_test.go @@ -129,7 +129,7 @@ func TestMinVersion(t *testing.T) { tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() - b := &ProtobufBundle{Bundle: &protobundle.Bundle{ + b := &Bundle{Bundle: &protobundle.Bundle{ MediaType: tc.mediaType, }} ret := b.MinVersion(tc.expectedVersion) @@ -192,12 +192,12 @@ func Test_validate(t *testing.T) { require.NoError(t, err) tests := []struct { name string - pb ProtobufBundle + pb Bundle wantErr bool }{ { name: "invalid media type", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "", }, @@ -206,7 +206,7 @@ func Test_validate(t *testing.T) { }, { name: "version too low", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle.v0.0.1+json", }, @@ -215,7 +215,7 @@ func Test_validate(t *testing.T) { }, { name: "version too high", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.4", }, @@ -224,7 +224,7 @@ func Test_validate(t *testing.T) { }, { name: "no verification material", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1", }, @@ -233,7 +233,7 @@ func Test_validate(t *testing.T) { }, { name: "v0.1 with no inclusion promise", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1", VerificationMaterial: &protobundle.VerificationMaterial{ @@ -258,7 +258,7 @@ func Test_validate(t *testing.T) { }, { name: "v0.1 with inclusion promise", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.1", VerificationMaterial: &protobundle.VerificationMaterial{ @@ -289,7 +289,7 @@ func Test_validate(t *testing.T) { }, { name: "v0.2 with no inclusion proof", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.2", VerificationMaterial: &protobundle.VerificationMaterial{ @@ -318,7 +318,7 @@ func Test_validate(t *testing.T) { }, { name: "v0.2 with inclusion proof", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.2", VerificationMaterial: &protobundle.VerificationMaterial{ @@ -351,7 +351,7 @@ func Test_validate(t *testing.T) { }, { name: "v0.3 with x.509 certificate chain", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", VerificationMaterial: &protobundle.VerificationMaterial{ @@ -385,7 +385,7 @@ func Test_validate(t *testing.T) { }, { name: "v0.3 without x.509 certificate chain", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", VerificationMaterial: &protobundle.VerificationMaterial{ @@ -446,21 +446,21 @@ func TestVerificationContent(t *testing.T) { require.NoError(t, err) tests := []struct { name string - pb ProtobufBundle + pb Bundle wantCertificate bool wantPublicKey bool wantErr bool }{ { name: "no verification material", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{}, }, wantErr: true, }, { name: "certificate chain with zero certs", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_X509CertificateChain{ @@ -473,7 +473,7 @@ func TestVerificationContent(t *testing.T) { }, { name: "certificate chain with self-signed cert", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_X509CertificateChain{ @@ -492,7 +492,7 @@ func TestVerificationContent(t *testing.T) { }, { name: "certificate chain", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_X509CertificateChain{ @@ -514,7 +514,7 @@ func TestVerificationContent(t *testing.T) { }, { name: "certificate chain with invalid cert", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_X509CertificateChain{ @@ -533,7 +533,7 @@ func TestVerificationContent(t *testing.T) { }, { name: "certificate", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_Certificate{ @@ -548,7 +548,7 @@ func TestVerificationContent(t *testing.T) { }, { name: "invalid certificate", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_Certificate{ @@ -563,7 +563,7 @@ func TestVerificationContent(t *testing.T) { }, { name: "public key", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ Content: &protobundle.VerificationMaterial_PublicKey{ @@ -601,13 +601,13 @@ func TestSignatureContent(t *testing.T) { t.Parallel() tests := []struct { name string - pb ProtobufBundle + pb Bundle wantEnvelope bool wantSignature bool }{ { name: "dsse envelope", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ Content: &protobundle.Bundle_DsseEnvelope{}, }, @@ -616,7 +616,7 @@ func TestSignatureContent(t *testing.T) { }, { name: "message signature", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ Content: &protobundle.Bundle_MessageSignature{ MessageSignature: &protocommon.MessageSignature{ @@ -649,12 +649,12 @@ func TestEnvelope(t *testing.T) { t.Parallel() tests := []struct { name string - pb ProtobufBundle + pb Bundle wantErr bool }{ { name: "dsse envelope", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ Content: &protobundle.Bundle_DsseEnvelope{}, }, @@ -662,7 +662,7 @@ func TestEnvelope(t *testing.T) { }, { name: "message signature", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ Content: &protobundle.Bundle_MessageSignature{ MessageSignature: &protocommon.MessageSignature{ @@ -691,18 +691,18 @@ func TestTimestamps(t *testing.T) { t.Parallel() tests := []struct { name string - pb ProtobufBundle + pb Bundle wantTimestamps [][]byte wantErr bool }{ { name: "missing verification material", - pb: ProtobufBundle{Bundle: &protobundle.Bundle{}}, + pb: Bundle{Bundle: &protobundle.Bundle{}}, wantErr: true, }, { name: "empty timestamp data", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{}, }, @@ -711,7 +711,7 @@ func TestTimestamps(t *testing.T) { }, { name: "one timestamp", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ TimestampVerificationData: &protobundle.TimestampVerificationData{ @@ -730,7 +730,7 @@ func TestTimestamps(t *testing.T) { }, { name: "multiple timestamps", - pb: ProtobufBundle{ + pb: Bundle{ Bundle: &protobundle.Bundle{ VerificationMaterial: &protobundle.VerificationMaterial{ TimestampVerificationData: &protobundle.TimestampVerificationData{ @@ -769,13 +769,13 @@ func TestTimestamps(t *testing.T) { func Test_BundleValidation(t *testing.T) { tests := []struct { name string - bundle *ProtobufBundle + bundle *Bundle errMsg string wantErr bool }{ { name: "Empty verification material", - bundle: &ProtobufBundle{ + bundle: &Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", VerificationMaterial: &protobundle.VerificationMaterial{ @@ -789,7 +789,7 @@ func Test_BundleValidation(t *testing.T) { }, { name: "No bundle content", - bundle: &ProtobufBundle{ + bundle: &Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", Content: nil, @@ -800,7 +800,7 @@ func Test_BundleValidation(t *testing.T) { }, { name: "Nil verification material", - bundle: &ProtobufBundle{ + bundle: &Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", Content: &protobundle.Bundle_MessageSignature{}, @@ -812,7 +812,7 @@ func Test_BundleValidation(t *testing.T) { }, { name: "Valid protobuf bundle", - bundle: &ProtobufBundle{ + bundle: &Bundle{ Bundle: &protobundle.Bundle{ MediaType: "application/vnd.dev.sigstore.bundle+json;version=0.3", Content: &protobundle.Bundle_DsseEnvelope{}, diff --git a/pkg/sign/signer.go b/pkg/sign/signer.go index dfca1226..8252f498 100644 --- a/pkg/sign/signer.go +++ b/pkg/sign/signer.go @@ -144,7 +144,7 @@ func Bundle(content Content, keypair Keypair, opts BundleOptions) (*protobundle. return nil, err } - protobundle, err := verifyBundle.NewProtobufBundle(bundle) + protobundle, err := verifyBundle.NewBundle(bundle) if err != nil { return nil, err } diff --git a/pkg/testing/data/data.go b/pkg/testing/data/data.go index 1bf9ff29..e163e2cd 100644 --- a/pkg/testing/data/data.go +++ b/pkg/testing/data/data.go @@ -49,15 +49,15 @@ var SigstoreJS200ProvenanceBundleRaw []byte //go:embed othernameBundle.json var OthernameBundleRaw []byte -// TestBundle creates *bundle.ProtobufBundle from a raw byte stream +// TestBundle creates *bundle.Bundle from a raw byte stream // containing a JSON encoded protobuf bundle. -func TestBundle(t *testing.T, raw []byte) *bundle.ProtobufBundle { +func TestBundle(t *testing.T, raw []byte) *bundle.Bundle { var b protobundle.Bundle err := protojson.Unmarshal(raw, &b) if err != nil { t.Fatal(err) } - bun, err := bundle.NewProtobufBundle(&b) + bun, err := bundle.NewBundle(&b) if err != nil { t.Fatal(err) } @@ -65,24 +65,24 @@ func TestBundle(t *testing.T, raw []byte) *bundle.ProtobufBundle { } // SigstoreBundle returns a test *sigstore.Bundle. -func SigstoreBundle(t *testing.T) *bundle.ProtobufBundle { +func SigstoreBundle(t *testing.T) *bundle.Bundle { return TestBundle(t, SigstoreBundleRaw) } // SigstoreBundle2Sig returns a test *sigstore.Bundle with two signatures. -func SigstoreBundle2Sig(t *testing.T) *bundle.ProtobufBundle { +func SigstoreBundle2Sig(t *testing.T) *bundle.Bundle { return TestBundle(t, SigstoreBundle2SigRaw) } // SigstoreJS200ProvenanceBundle returns a test *sigstore.Bundle that // contains a complete sigstore-js build provenance. -func SigstoreJS200ProvenanceBundle(t *testing.T) *bundle.ProtobufBundle { +func SigstoreJS200ProvenanceBundle(t *testing.T) *bundle.Bundle { return TestBundle(t, SigstoreJS200ProvenanceBundleRaw) } // OthernameBundle returns a test *sigstore.Bundle that contains verification // content for an artifact signed with an Othername identity. -func OthernameBundle(t *testing.T) *bundle.ProtobufBundle { +func OthernameBundle(t *testing.T) *bundle.Bundle { return TestBundle(t, OthernameBundleRaw) }