Multi sign verifier flow.

Interfaces refactor

Signed-off-by: houdini91 <[email protected]>

Author: houdini91

dsse/sign.go

@@ -67,7 +67,8 @@ using the current algorithm, and the key used (if applicable).
 For an example see EcdsaSigner in sign_test.go.
 */
 type Signer interface {
-	Sign(data []byte) ([]byte, string, error)
+	Sign(data []byte) ([]byte, error)
+	KeyID() (string, error)
 }
 
 // SignVerifer provides both the signing and verification interface.
@@ -77,16 +78,26 @@ type SignVerifier interface {
 }
 
 // EnvelopeSigner creates signed Envelopes.
-type EnvelopeSigner struct {
+type envelopeSigner struct {
 	providers []SignVerifier
-	ev        EnvelopeVerifier
+	ev        *envelopeMultiVerifier
 }
 
 /*
 NewEnvelopeSigner creates an EnvelopeSigner that uses 1+ Signer
 algorithms to sign the data.
+Creates a verifier with threshold=1, at least one of the providers must validate signitures successfully.
 */
-func NewEnvelopeSigner(p ...SignVerifier) (*EnvelopeSigner, error) {
+func NewEnvelopeSigner(p ...SignVerifier) (*envelopeSigner, error) {
+	return NewMultiEnvelopeSigner(1, p...)
+}
+
+/*
+NewMultiEnvelopeSigner creates an EnvelopeSigner that uses 1+ Signer
+algorithms to sign the data.
+Creates a verifier with threshold at least threshold amount of the providers must validate signitures successfully.
+*/
+func NewMultiEnvelopeSigner(threshold int, p ...SignVerifier) (*envelopeSigner, error) {
 	var providers []SignVerifier
 
 	for _, sv := range p {
@@ -104,11 +115,14 @@ func NewEnvelopeSigner(p ...SignVerifier) (*EnvelopeSigner, error) {
 		evps = append(evps, p.(Verifier))
 	}
 
-	return &EnvelopeSigner{
+	ev, err := NewMultiEnvelopeVerifier(threshold, evps...)
+	if err != nil {
+		return nil, err
+	}
+
+	return &envelopeSigner{
 		providers: providers,
-		ev: EnvelopeVerifier{
-			providers: evps,
-		},
+		ev:        ev,
 	}, nil
 }
 
@@ -118,7 +132,7 @@ Returned is an envelope as defined here:
 https://github.com/secure-systems-lab/dsse/blob/master/envelope.md
 One signature will be added for each Signer in the EnvelopeSigner.
 */
-func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelope, error) {
+func (es *envelopeSigner) SignPayload(payloadType string, body []byte) (*Envelope, error) {
 	var e = Envelope{
 		Payload:     base64.StdEncoding.EncodeToString(body),
 		PayloadType: payloadType,
@@ -127,10 +141,14 @@ func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelop
 	paeEnc := PAE(payloadType, string(body))
 
 	for _, signer := range es.providers {
-		sig, keyID, err := signer.Sign(paeEnc)
+		sig, err := signer.Sign(paeEnc)
 		if err != nil {
 			return nil, err
 		}
+		keyID, err := signer.KeyID()
+		if err != nil {
+			keyID = ""
+		}
 
 		e.Signatures = append(e.Signatures, Signature{
 			KeyID: keyID,
@@ -145,8 +163,9 @@ func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelop
 Verify decodes the payload and verifies the signature.
 Any domain specific validation such as parsing the decoded body and
 validating the payload type is left out to the caller.
+Verify returns a list of accepted keys each including a keyid, public and signiture of the accepted provider keys.
 */
-func (es *EnvelopeSigner) Verify(e *Envelope) error {
+func (es *envelopeSigner) Verify(e *Envelope) ([]AccesptedKey, error) {
 	return es.ev.Verify(e)
 }