Pass in certificates more explicitly, for tests

Signed-off-by: Jason Hall <jason@chainguard.dev>
sigstore · Jun 14, 2022 · 9bb5ac2 · 9bb5ac2
1 parent 27f7cab
commit 9bb5ac2
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 39 deletions.
diff --git a/internal/git/git.go b/internal/git/git.go
@@ -28,6 +28,7 @@ import (
 	"github.com/sigstore/gitsign/internal/signature"
 	"github.com/sigstore/gitsign/pkg/git"
 	"github.com/sigstore/rekor/pkg/generated/models"
+	"github.com/sigstore/sigstore/pkg/fulcioroots"
 )
 
 func Sign(ctx context.Context, rekor rekor.Writer, ident *fulcio.Identity, data []byte, opts signature.SignOptions) ([]byte, *x509.Certificate, error) {
@@ -94,7 +95,16 @@ func NewClaim(c ClaimCondition, ok bool) Claim {
 func Verify(ctx context.Context, rekor rekor.Verifier, data, sig []byte, detached bool) (*VerificationSummary, error) {
 	claims := []Claim{}
 
-	cert, err := git.VerifySignature(data, sig, detached)
+	root, err := fulcioroots.Get()
+	if err != nil {
+		return nil, fmt.Errorf("getting fulcio root certificate: %w", err)
+	}
+	intermediates, err := fulcioroots.GetIntermediates()
+	if err != nil {
+		return nil, fmt.Errorf("getting fulcio intermediate certificates: %w", err)
+	}
+
+	cert, err := git.VerifySignature(data, sig, detached, root, intermediates)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/git/signature_test.go b/pkg/git/signature_test.go
@@ -19,13 +19,10 @@ import (
 	"crypto"
 	"crypto/x509"
 	"fmt"
-	"os"
 	"testing"
 
 	"github.com/github/smimesign/fakeca"
 	"github.com/sigstore/gitsign/internal/signature"
-	"github.com/sigstore/sigstore/pkg/cryptoutils"
-	"github.com/sigstore/sigstore/pkg/fulcioroots"
 )
 
 type identity struct {
@@ -50,11 +47,11 @@ func (i *identity) Signer() (crypto.Signer, error) {
 // been more thoroghly vetted in other packages (i.e. ietf-cms).
 func TestSignVerify(t *testing.T) {
 	ca := fakeca.New()
-	initFulcioRoots(t, ca.Certificate)
-
 	id := &identity{
 		base: ca,
 	}
+	roots := x509.NewCertPool()
+	roots.AddCert(ca.Certificate)
 	data := []byte("tacocat")
 
 	for _, detached := range []bool{true, false} {
@@ -65,32 +62,14 @@ func TestSignVerify(t *testing.T) {
 				// Fake CA outputs self-signed certs, so we need to use -1 to make sure
 				// the self-signed cert itself is included in the chain, otherwise
 				// Verify cannot find a cert to use for verification.
-				IncludeCerts: -1,
+				IncludeCerts: 0,
 			})
 			if err != nil {
 				t.Fatalf("Sign() = %v", err)
 			}
-			if _, err := VerifySignature(data, sig, detached); err != nil {
+			if _, err := VerifySignature(data, sig, detached, roots, ca.ChainPool()); err != nil {
 				t.Fatalf("Verify() = %v", err)
 			}
 		})
 	}
 }
-
-func initFulcioRoots(t *testing.T, cert *x509.Certificate) {
-	t.Helper()
-
-	pem, _ := cryptoutils.MarshalCertificateToPEM(cert)
-	tmp, err := os.CreateTemp(t.TempDir(), "fulcio_root_*.cert")
-	if err != nil {
-		t.Fatalf("failed to create temp cert file: %v", err)
-	}
-	defer tmp.Close()
-	if _, err := tmp.Write(pem); err != nil {
-		t.Fatalf("failed to write cert file: %v", err)
-	}
-	t.Setenv("SIGSTORE_ROOT_FILE", tmp.Name())
-
-	// Call fulcioroots to set up the root init.
-	_ = fulcioroots.Get()
-}
diff --git a/pkg/git/verify.go b/pkg/git/verify.go
@@ -25,7 +25,6 @@ import (
 
 	"github.com/sigstore/gitsign/internal/rekor"
 	"github.com/sigstore/rekor/pkg/generated/models"
-	"github.com/sigstore/sigstore/pkg/fulcioroots"
 )
 
 // VerifySignature verifies for a given Git data + signature pair.
@@ -35,7 +34,7 @@ import (
 // work.
 //
 // Signatures should be CMS/PKCS7 formatted.
-func VerifySignature(data, sig []byte, detached bool) (*x509.Certificate, error) {
+func VerifySignature(data, sig []byte, detached bool, rootCerts, intermediates *x509.CertPool) (*x509.Certificate, error) {
 	// Try decoding as PEM
 	var der []byte
 	if blk, _ := pem.Decode(sig); blk != nil {
@@ -56,18 +55,9 @@ func VerifySignature(data, sig []byte, detached bool) (*x509.Certificate, error)
 	}
 	cert := certs[0]
 
-	fulcioRoots, err := fulcioroots.Get()
-	if err != nil {
-		return nil, fmt.Errorf("error getting fulcio root certificates: %v", err)
-	}
-	fulcioIntermediates, err := fulcioroots.GetIntermediates()
-	if err != nil {
-		return nil, fmt.Errorf("error getting fulcio intermediate certificates: %v", err)
-	}
-
 	opts := x509.VerifyOptions{
-		Roots:         fulcioRoots,
-		Intermediates: fulcioIntermediates,
+		Roots:         rootCerts,
+		Intermediates: intermediates,
 		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
 		// cosign hack: ignore the current time for now - we'll use the tlog to
 		// verify whether the commit was signed at a valid time.