make all interfaces more type safe

Author: wolfv

crates/sigstore-crypto/src/checkpoint.rs

@@ -4,17 +4,18 @@
 //! through an extension trait on `sigstore_types::Checkpoint`.
 
 use crate::{Error, Result};
+use sigstore_types::{DerPublicKey, KeyHint, SignatureBytes};
 
 // Re-export checkpoint types from sigstore-types
 pub use sigstore_types::{Checkpoint, CheckpointSignature};
 
 /// Compute the key hint (4-byte key ID) from a public key.
 ///
 /// The key hint is the first 4 bytes of SHA-256(public key).
-pub fn compute_key_hint(public_key_der: &[u8]) -> [u8; 4] {
-    let hash = crate::hash::sha256(public_key_der);
+pub fn compute_key_hint(public_key: &DerPublicKey) -> KeyHint {
+    let hash = crate::hash::sha256(public_key.as_bytes());
     let bytes = hash.as_bytes();
-    [bytes[0], bytes[1], bytes[2], bytes[3]]
+    KeyHint::new([bytes[0], bytes[1], bytes[2], bytes[3]])
 }
 
 // OID constants for key type identification
@@ -38,10 +39,10 @@ pub enum KeyType {
 /// Detect the key type from SPKI-encoded public key bytes.
 ///
 /// This parses the SubjectPublicKeyInfo structure to determine the algorithm.
-pub fn detect_key_type(public_key_der: &[u8]) -> KeyType {
+pub fn detect_key_type(public_key: &DerPublicKey) -> KeyType {
     use spki::SubjectPublicKeyInfoRef;
 
-    match SubjectPublicKeyInfoRef::try_from(public_key_der) {
+    match SubjectPublicKeyInfoRef::try_from(public_key.as_bytes()) {
         Ok(spki) => {
             if spki.algorithm.oid == ID_ED25519 {
                 KeyType::Ed25519
@@ -55,7 +56,7 @@ pub fn detect_key_type(public_key_der: &[u8]) -> KeyType {
         Err(_) => {
             // If we can't parse as SPKI, might be raw key bytes
             // Check if it looks like a raw Ed25519 key (32 bytes)
-            if public_key_der.len() == 32 {
+            if public_key.as_bytes().len() == 32 {
                 KeyType::Ed25519
             } else {
                 KeyType::Unknown
@@ -68,48 +69,53 @@ pub fn detect_key_type(public_key_der: &[u8]) -> KeyType {
 ///
 /// For Ed25519, this extracts the 32-byte raw key from the SPKI wrapper.
 /// For ECDSA, the full SPKI is typically used by aws-lc-rs.
-pub fn extract_raw_key(public_key_der: &[u8]) -> Result<Vec<u8>> {
+pub fn extract_raw_key(public_key: &DerPublicKey) -> Result<Vec<u8>> {
     use spki::SubjectPublicKeyInfoRef;
 
-    match SubjectPublicKeyInfoRef::try_from(public_key_der) {
+    match SubjectPublicKeyInfoRef::try_from(public_key.as_bytes()) {
         Ok(spki) => {
             let raw_bytes = spki.subject_public_key.raw_bytes();
             Ok(raw_bytes.to_vec())
         }
         Err(_) => {
             // Already raw bytes
-            Ok(public_key_der.to_vec())
+            Ok(public_key.as_bytes().to_vec())
         }
     }
 }
 
 /// Verify an Ed25519 signature.
 ///
 /// Accepts either SPKI-encoded or raw 32-byte public keys.
-pub fn verify_ed25519(public_key_der: &[u8], signature: &[u8], message: &[u8]) -> Result<()> {
-    use aws_lc_rs::signature;
+pub fn verify_ed25519(
+    public_key: &DerPublicKey,
+    signature: &SignatureBytes,
+    message: &[u8],
+) -> Result<()> {
+    use aws_lc_rs::signature as sig;
 
     // Extract raw key bytes from SPKI if needed
-    let raw_key = extract_raw_key(public_key_der)?;
+    let raw_key = extract_raw_key(public_key)?;
 
-    let public_key = signature::UnparsedPublicKey::new(&signature::ED25519, &raw_key);
-    public_key
-        .verify(message, signature)
+    let pk = sig::UnparsedPublicKey::new(&sig::ED25519, &raw_key);
+    pk.verify(message, signature.as_bytes())
         .map_err(|_| Error::Verification("Ed25519 verification failed".to_string()))
 }
 
 /// Verify an ECDSA P-256 signature.
 ///
 /// Expects SPKI-encoded public key (as produced by x509 certificates).
-pub fn verify_ecdsa_p256(public_key_der: &[u8], signature: &[u8], message: &[u8]) -> Result<()> {
-    use aws_lc_rs::signature;
+pub fn verify_ecdsa_p256(
+    public_key: &DerPublicKey,
+    signature: &SignatureBytes,
+    message: &[u8],
+) -> Result<()> {
+    use aws_lc_rs::signature as sig;
 
     // aws-lc-rs expects the full SPKI for ECDSA, or raw uncompressed point
-    let public_key =
-        signature::UnparsedPublicKey::new(&signature::ECDSA_P256_SHA256_ASN1, public_key_der);
+    let pk = sig::UnparsedPublicKey::new(&sig::ECDSA_P256_SHA256_ASN1, public_key.as_bytes());
 
-    public_key
-        .verify(message, signature)
+    pk.verify(message, signature.as_bytes())
         .map_err(|_| Error::Verification("ECDSA P-256 verification failed".to_string()))
 }
 
@@ -118,20 +124,20 @@ pub fn verify_ecdsa_p256(public_key_der: &[u8], signature: &[u8], message: &[u8]
 /// This function detects the key type from the SPKI structure and calls
 /// the appropriate verification function.
 pub fn verify_signature_auto(
-    public_key_der: &[u8],
-    signature: &[u8],
+    public_key: &DerPublicKey,
+    signature: &SignatureBytes,
     message: &[u8],
 ) -> Result<()> {
-    match detect_key_type(public_key_der) {
-        KeyType::Ed25519 => verify_ed25519(public_key_der, signature, message),
-        KeyType::EcdsaP256 => verify_ecdsa_p256(public_key_der, signature, message),
+    match detect_key_type(public_key) {
+        KeyType::Ed25519 => verify_ed25519(public_key, signature, message),
+        KeyType::EcdsaP256 => verify_ecdsa_p256(public_key, signature, message),
         KeyType::Unknown => {
             // Fallback: try both (maintains backwards compatibility)
             tracing::debug!("Unknown key type, trying Ed25519 then ECDSA P-256");
-            if verify_ed25519(public_key_der, signature, message).is_ok() {
+            if verify_ed25519(public_key, signature, message).is_ok() {
                 return Ok(());
             }
-            verify_ecdsa_p256(public_key_der, signature, message)
+            verify_ecdsa_p256(public_key, signature, message)
         }
     }
 }
@@ -148,13 +154,13 @@ pub trait CheckpointVerifyExt {
     /// The key type is automatically detected from the SPKI structure.
     ///
     /// Returns Ok(()) if verification succeeds, or an error if it fails.
-    fn verify_signature(&self, public_key_der: &[u8]) -> Result<()>;
+    fn verify_signature(&self, public_key: &DerPublicKey) -> Result<()>;
 }
 
 impl CheckpointVerifyExt for Checkpoint {
-    fn verify_signature(&self, public_key_der: &[u8]) -> Result<()> {
+    fn verify_signature(&self, public_key: &DerPublicKey) -> Result<()> {
         // Compute key hint from public key
-        let key_hint = compute_key_hint(public_key_der);
+        let key_hint = compute_key_hint(public_key);
 
         // Find signature with matching key hint
         let signature = self
@@ -165,7 +171,7 @@ impl CheckpointVerifyExt for Checkpoint {
         let signed_data = self.signed_data();
 
         // Use automatic key type detection
-        verify_signature_auto(public_key_der, &signature.signature, signed_data)
+        verify_signature_auto(public_key, &signature.signature, signed_data)
             .map_err(|e| Error::Checkpoint(format!("Signature verification failed: {}", e)))
     }
 }
@@ -199,6 +205,6 @@ mod tests {
         assert_eq!(checkpoint.signatures.len(), 1);
         assert_eq!(checkpoint.signatures[0].name, "rekor.sigstore.dev");
         // Key hint is first 4 bytes of base64-decoded signature
-        assert_eq!(checkpoint.signatures[0].key_id.len(), 4);
+        assert_eq!(checkpoint.signatures[0].key_id.as_bytes().len(), 4);
     }
 }

crates/sigstore-crypto/src/verification.rs

@@ -36,14 +36,6 @@ impl VerificationKey {
         })
     }
 
-    /// Create a verification key from raw public key bytes (internal use)
-    fn from_raw_bytes(bytes: impl Into<Vec<u8>>, scheme: SigningScheme) -> Self {
-        Self {
-            bytes: bytes.into(),
-            scheme,
-        }
-    }
-
     /// Get the raw public key bytes
     pub fn as_bytes(&self) -> &[u8] {
         &self.bytes
@@ -155,30 +147,38 @@ impl VerificationKey {
 ///
 /// This is a convenience function that creates a temporary `VerificationKey`.
 /// For repeated verifications with the same key, prefer using `VerificationKey` directly.
+///
+/// # Arguments
+/// * `public_key` - DER-encoded SPKI public key
+/// * `data` - Data that was signed
+/// * `signature` - The signature to verify
+/// * `scheme` - The signing scheme used
 pub fn verify_signature(
-    public_key: &[u8],
+    public_key: &DerPublicKey,
     data: &[u8],
-    signature: &[u8],
+    signature: &SignatureBytes,
     scheme: SigningScheme,
 ) -> Result<()> {
-    VerificationKey::from_raw_bytes(public_key, scheme)
-        .verify(data, &SignatureBytes::from_bytes(signature))
+    VerificationKey::from_spki(public_key, scheme)?.verify(data, signature)
 }
 
 /// Verify a signature over prehashed data using the specified scheme
 ///
 /// This is used for hashedrekord verification where the signature is over
 /// the SHA-256 hash of the artifact, not the artifact itself.
+///
+/// # Arguments
+/// * `public_key` - DER-encoded SPKI public key
+/// * `digest` - SHA-256 hash of the artifact
+/// * `signature` - The signature to verify
+/// * `scheme` - The signing scheme used
 pub fn verify_signature_prehashed(
-    public_key: &[u8],
-    digest_bytes: &[u8],
-    signature: &[u8],
+    public_key: &DerPublicKey,
+    digest: &Sha256Hash,
+    signature: &SignatureBytes,
     scheme: SigningScheme,
 ) -> Result<()> {
-    let digest = Sha256Hash::try_from_slice(digest_bytes)
-        .map_err(|e| Error::Verification(format!("Invalid digest: {e}")))?;
-    VerificationKey::from_raw_bytes(public_key, scheme)
-        .verify_prehashed(&digest, &SignatureBytes::from_bytes(signature))
+    VerificationKey::from_spki(public_key, scheme)?.verify_prehashed(digest, signature)
 }
 
 #[cfg(test)]

crates/sigstore-crypto/src/x509.rs

@@ -190,4 +190,3 @@ pub fn extract_fulcio_issuer(cert: &Certificate) -> Result<Option<String>> {
 
     Ok(None)
 }
-

crates/sigstore-rekor/src/body.rs

@@ -66,6 +66,19 @@ pub struct PublicKeyContent {
     pub content: PemContent,
 }
 
+impl PublicKeyContent {
+    /// Parse the PEM content and return a DER certificate
+    pub fn to_certificate(&self) -> Result<DerCertificate, crate::error::Error> {
+        let pem_bytes = self.content.as_bytes();
+        let pem_str = String::from_utf8(pem_bytes.to_vec()).map_err(|e| {
+            crate::error::Error::InvalidResponse(format!("PEM not valid UTF-8: {}", e))
+        })?;
+        DerCertificate::from_pem(&pem_str).map_err(|e| {
+            crate::error::Error::InvalidResponse(format!("failed to parse certificate PEM: {}", e))
+        })
+    }
+}
+
 // ============================================================================
 // HashedRekord v0.0.2
 // ============================================================================
@@ -163,6 +176,19 @@ pub struct DsseV001Signature {
     pub verifier: PemContent,
 }
 
+impl DsseV001Signature {
+    /// Parse the PEM verifier and return a DER certificate
+    pub fn to_certificate(&self) -> Result<DerCertificate, crate::error::Error> {
+        let pem_bytes = self.verifier.as_bytes();
+        let pem_str = String::from_utf8(pem_bytes.to_vec()).map_err(|e| {
+            crate::error::Error::InvalidResponse(format!("PEM not valid UTF-8: {}", e))
+        })?;
+        DerCertificate::from_pem(&pem_str).map_err(|e| {
+            crate::error::Error::InvalidResponse(format!("failed to parse certificate PEM: {}", e))
+        })
+    }
+}
+
 // ============================================================================
 // DSSE v0.0.2
 // ============================================================================

crates/sigstore-trust-root/src/trusted_root.rs

@@ -4,7 +4,7 @@ use crate::{Error, Result};
 use chrono::{DateTime, Utc};
 use rustls_pki_types::CertificateDer;
 use serde::{Deserialize, Serialize};
-use sigstore_types::{DerCertificate, DerPublicKey, HashAlgorithm, LogId, LogKeyId};
+use sigstore_types::{DerCertificate, DerPublicKey, HashAlgorithm, KeyHint, LogId, LogKeyId};
 use std::collections::HashMap;
 
 /// TSA certificate with optional validity period (start, end)
@@ -209,46 +209,44 @@ impl TrustedRoot {
 
     /// Get all Rekor public keys with their key hints (4-byte identifiers)
     ///
-    /// Returns a vector of (key_hint, public_key_der) tuples where key_hint is
+    /// Returns a vector of (key_hint, public_key) tuples where key_hint is
     /// the first 4 bytes of the keyId from the log_id field.
-    pub fn rekor_keys_with_hints(&self) -> Result<Vec<([u8; 4], Vec<u8>)>> {
+    pub fn rekor_keys_with_hints(&self) -> Result<Vec<(KeyHint, DerPublicKey)>> {
         let mut keys = Vec::new();
         for tlog in &self.tlogs {
-            let key_bytes = tlog.public_key.raw_bytes.as_bytes().to_vec();
-
             // Decode the key_id to get the key hint (first 4 bytes)
             let key_id_bytes = tlog.log_id.key_id.decode()?;
 
             if key_id_bytes.len() >= 4 {
-                let key_hint: [u8; 4] = [
+                let key_hint = KeyHint::new([
                     key_id_bytes[0],
                     key_id_bytes[1],
                     key_id_bytes[2],
                     key_id_bytes[3],
-                ];
-                keys.push((key_hint, key_bytes));
+                ]);
+                keys.push((key_hint, tlog.public_key.raw_bytes.clone()));
             }
         }
         Ok(keys)
     }
 
     /// Get a specific Rekor public key by log ID
-    pub fn rekor_key_for_log(&self, log_id: &LogKeyId) -> Result<Vec<u8>> {
+    pub fn rekor_key_for_log(&self, log_id: &LogKeyId) -> Result<DerPublicKey> {
         for tlog in &self.tlogs {
             if &tlog.log_id.key_id == log_id {
-                return Ok(tlog.public_key.raw_bytes.as_bytes().to_vec());
+                return Ok(tlog.public_key.raw_bytes.clone());
             }
         }
         Err(Error::KeyNotFound(log_id.to_string()))
     }
 
     /// Get all Certificate Transparency log public keys mapped by key ID
-    pub fn ctfe_keys(&self) -> Result<HashMap<LogKeyId, Vec<u8>>> {
+    pub fn ctfe_keys(&self) -> Result<HashMap<LogKeyId, DerPublicKey>> {
         let mut keys = HashMap::new();
         for ctlog in &self.ctlogs {
             keys.insert(
                 ctlog.log_id.key_id.clone(),
-                ctlog.public_key.raw_bytes.as_bytes().to_vec(),
+                ctlog.public_key.raw_bytes.clone(),
             );
         }
         Ok(keys)
@@ -257,13 +255,13 @@ impl TrustedRoot {
     /// Get all Certificate Transparency log public keys with their SHA-256 log IDs
     /// Returns a list of (log_id, public_key) pairs where log_id is the SHA-256 hash
     /// of the public key (used for matching against SCTs)
-    pub fn ctfe_keys_with_ids(&self) -> Result<Vec<(Vec<u8>, Vec<u8>)>> {
+    pub fn ctfe_keys_with_ids(&self) -> Result<Vec<(Vec<u8>, DerPublicKey)>> {
         let mut result = Vec::new();
         for ctlog in &self.ctlogs {
             let key_bytes = ctlog.public_key.raw_bytes.as_bytes();
             // Compute SHA-256 hash of the public key to get the log ID
             let log_id = sigstore_crypto::sha256(key_bytes).as_bytes().to_vec();
-            result.push((log_id, key_bytes.to_vec()));
+            result.push((log_id, ctlog.public_key.raw_bytes.clone()));
         }
         Ok(result)
     }