Refactor DeserializePublicKey to also return crypto.PublicKey

Signed-off-by: Cody Soyland <codysoyland@github.com>
github · Mar 20, 2024 · d28ef98 · d28ef98
1 parent 1042347
commit d28ef98
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 28 deletions.
diff --git a/pkg/apis/config/sigstore_keys.go b/pkg/apis/config/sigstore_keys.go
@@ -17,6 +17,7 @@ package config
 
 import (
 	"context"
+	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rsa"
@@ -141,7 +142,7 @@ func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) *pbtrustr
 // ConvertTransparencyLogInstance converts public into private
 // TransparencyLogInstance.
 func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pbtrustroot.TransparencyLogInstance {
-	pk, err := cryptoutils.UnmarshalPEMToPublicKey(source.PublicKey)
+	pbpk, pk, err := DeserializePublicKey(source.PublicKey)
 	if err != nil {
 		return nil // TODO: log error? Add return error?
 	}
@@ -153,7 +154,7 @@ func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pb
 	return &pbtrustroot.TransparencyLogInstance{
 		BaseUrl:       source.BaseURL.String(),
 		HashAlgorithm: HashStringToHashAlgorithm(source.HashAlgorithm),
-		PublicKey:     DeserializePublicKey(source.PublicKey),
+		PublicKey:     pbpk,
 		LogId: &pbcommon.LogId{
 			KeyId: []byte(logID),
 		},
@@ -207,14 +208,14 @@ func DeserializeCertChain(chain []byte) *pbcommon.X509CertificateChain {
 	return &pbcommon.X509CertificateChain{Certificates: certs}
 }
 
-func DeserializePublicKey(publicKey []byte) *pbcommon.PublicKey {
+func DeserializePublicKey(publicKey []byte) (*pbcommon.PublicKey, crypto.PublicKey, error) {
 	block, _ := pem.Decode(publicKey)
 	if block == nil {
-		return nil // TODO: log error? Add return error?
+		return nil, nil, fmt.Errorf("failed to decode public key")
 	}
 	pk, err := cryptoutils.UnmarshalPEMToPublicKey(publicKey)
 	if err != nil {
-		return nil // TODO: log error? Add return error?
+		return nil, nil, fmt.Errorf("failed to unmarshal public key: %w", err)
 	}
 	var keyDetails pbcommon.PublicKeyDetails
 	switch k := pk.(type) {
@@ -252,5 +253,5 @@ func DeserializePublicKey(publicKey []byte) *pbcommon.PublicKey {
 				Seconds: 0, // TODO: Add support for time range to v1alpha.TransparencyLogInstance
 			},
 		},
-	}
+	}, pk, nil
 }
diff --git a/pkg/reconciler/trustroot/trustroot.go b/pkg/reconciler/trustroot/trustroot.go
@@ -306,8 +306,7 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con
 }
 
 func genTransparencyLogInstance(baseURL string, pkBytes []byte) (*config.TransparencyLogInstance, error) {
-	pbpk := config.DeserializePublicKey(pkBytes) // TODO: refactor this func to also return public key and log id
-	pk, err := cryptoutils.UnmarshalPEMToPublicKey(pkBytes)
+	pbpk, pk, err := config.DeserializePublicKey(pkBytes)
 	if err != nil {
 		return nil, fmt.Errorf("unmarshaling PEM public key: %w", err)
 	}

diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go
@@ -2950,6 +2950,10 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Failed to get embedded CTLog Public keys for testing")
 	}
+	pbpk, marshalledPK, err := config.DeserializePublicKey([]byte(ctfePublicKey))
+	if err != nil {
+		t.Fatalf("Failed to deserialize CTLog public key: %v", err)
+	}
 	sk := config.SigstoreKeys{
 		CertificateAuthorities: []*config.CertificateAuthority{{
 			Subject: &config.DistinguishedName{
@@ -2960,7 +2964,7 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 		}},
 		Ctlogs: []*config.TransparencyLogInstance{{
 			LogId:     &config.LogId{KeyId: []byte(ctfeLogID)},
-			PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)),
+			PublicKey: pbpk,
 		}},
 	}
 	c := &config.Config{
@@ -2970,10 +2974,6 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 			},
 		},
 	}
-	marshalledPK, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(ctfePublicKey))
-	if err != nil {
-		t.Fatalf("Failed to unmarshal CTLog public key: %v", err)
-	}
 
 	testCtx := config.ToContext(context.Background(), c)
 
@@ -3045,7 +3045,7 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 }
 
 func TestRekorClientAndKeysFromAuthority(t *testing.T) {
-	pk, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(rekorPublicKey))
+	pbpk, pk, err := config.DeserializePublicKey([]byte(rekorPublicKey))
 	if err != nil {
 		t.Fatalf("Failed to unmarshal public key for testing: %v", err)
 	}
@@ -3070,7 +3070,7 @@ func TestRekorClientAndKeysFromAuthority(t *testing.T) {
 
 	sk := config.SigstoreKeys{
 		Tlogs: []*config.TransparencyLogInstance{{
-			PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)),
+			PublicKey: pbpk,
 			LogId:     &config.LogId{KeyId: []byte(rekorLogID)},
 			BaseUrl:   "rekor.example.com",
 		}},
@@ -3158,11 +3158,15 @@ func TestRekorClientAndKeysFromAuthority(t *testing.T) {
 }
 
 func TestCheckOptsFromAuthority(t *testing.T) {
-	pk, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(rekorPublicKey))
+	pbpkRekor, pkRekor, err := config.DeserializePublicKey([]byte(rekorPublicKey))
 	if err != nil {
 		t.Fatalf("Failed to unmarshal public key for testing: %v", err)
 	}
-	ecpk, ok := pk.(*ecdsa.PublicKey)
+	pbpkCTFE, pkCTFE, err := config.DeserializePublicKey([]byte(ctfePublicKey))
+	if err != nil {
+		t.Fatalf("Failed to unmarshal public key for testing: %v", err)
+	}
+	ecpk, ok := pkRekor.(*ecdsa.PublicKey)
 	if !ok {
 		t.Fatalf("pk is not a ecsda public key")
 	}
@@ -3207,14 +3211,9 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 		t.Fatalf("Failed to get embedded CTLog Public keys for testing")
 	}
 
-	marshalledPK, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(ctfePublicKey))
-	if err != nil {
-		t.Fatalf("Failed to unmarshal CTLog public key: %v", err)
-	}
-
 	skRekor := config.SigstoreKeys{
 		Tlogs: []*config.TransparencyLogInstance{{
-			PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)),
+			PublicKey: pbpkRekor,
 			LogId:     &config.LogId{KeyId: []byte("rekor-logid")},
 			BaseUrl:   "rekor.example.com",
 		}},
@@ -3229,12 +3228,12 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 		}},
 		Ctlogs: []*config.TransparencyLogInstance{{
 			LogId:     &config.LogId{KeyId: []byte(ctfeLogID)},
-			PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)),
+			PublicKey: pbpkCTFE,
 		}},
 	}
 	skCombined := config.SigstoreKeys{
 		Tlogs: []*config.TransparencyLogInstance{{
-			PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)),
+			PublicKey: pbpkRekor,
 			LogId:     &config.LogId{KeyId: []byte("rekor-logid")},
 			BaseUrl:   "rekor.example.com",
 		}},
@@ -3247,7 +3246,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 		}},
 		Ctlogs: []*config.TransparencyLogInstance{{
 			LogId:     &config.LogId{KeyId: []byte(ctfeLogID)},
-			PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)),
+			PublicKey: pbpkCTFE,
 		}},
 	}
 	c := &config.Config{
@@ -3321,7 +3320,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 			RootCerts:         roots,
 			IntermediateCerts: intermediates,
 			IgnoreTlog:        true,
-			CTLogPubKeys:      &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: marshalledPK, Status: tuf.Active}}},
+			CTLogPubKeys:      &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}},
 		},
 	}, {
 		name: "trustroot found, combined, with Identities",
@@ -3346,7 +3345,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 				Issuer:  "issuer",
 				Subject: "subject",
 			}},
-			CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: marshalledPK, Status: tuf.Active}}},
+			CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}},
 		},
 	}}