extract legacy bundle creation into helper functions
Signed-off-by: Aaron Lew <64337293+aaronlew02@users.noreply.github.com>
1 parent a20300d commit 695ced1

1 file changed

+44
-31
lines changed

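--- a/cmd/cosign/cli/sign/sign_blob.go
+++ b/cmd/cosign/cli/sign/sign_blob.go
@@ -36,6 +36,7 @@ import (
 	cbundle "github.com/sigstore/cosign/v3/pkg/cosign/bundle"
 	protobundle "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1"
 	protocommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	protorekor "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1"
 	prototrustroot "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1"
 	"github.com/sigstore/sigstore-go/pkg/root"
 	"github.com/sigstore/sigstore-go/pkg/sign"
@@ -125,44 +126,17 @@ func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpt
 		if err := protojson.Unmarshal(bundleBytes, &bundle); err != nil {
 			return nil, fmt.Errorf("unmarshalling bundle: %w", err)
 		}
-
-		sig := bundle.GetMessageSignature().GetSignature()
-		var extractedCert *protocommon.X509Certificate
-		if bundle.VerificationMaterial.GetCertificate() != nil {
-			extractedCert = bundle.VerificationMaterial.GetCertificate()
-		}
+
+		sig, extractedCert, rekorEntry := extractElementsFromProtoBundle(&bundle)
 
 		if ko.BundlePath != "" {
 			var contents []byte
 			if ko.NewBundleFormat {
 				contents = bundleBytes
 			} else {
-				signedPayload := cosign.LocalSignedPayload{
-					Base64Signature: base64.StdEncoding.EncodeToString(sig),
-				}
-				if extractedCert != nil {
-					pemBlock := &pem.Block{
-						Type:  "CERTIFICATE",
-						Bytes: extractedCert.GetRawBytes(),
-					}
-					certPem := pem.EncodeToMemory(pemBlock)
-					signedPayload.Cert = base64.StdEncoding.EncodeToString(certPem)
-				}
-				if len(bundle.GetVerificationMaterial().GetTlogEntries()) > 0 {
-					entry := bundle.GetVerificationMaterial().GetTlogEntries()[0]
-					signedPayload.Bundle = &cbundle.RekorBundle{
-						SignedEntryTimestamp: entry.GetInclusionPromise().GetSignedEntryTimestamp(),
-						Payload: cbundle.RekorPayload{
-							Body:           entry.GetCanonicalizedBody(),
-							IntegratedTime: entry.GetIntegratedTime(),
-							LogIndex:       entry.GetLogIndex(),
-							LogID:          hex.EncodeToString(entry.GetLogId().GetKeyId()),
-						},
-					}
-				}
-				contents, err = json.Marshal(signedPayload)
+				contents, err = newLegacyBundleFromProtoBundleElements(sig, extractedCert, rekorEntry)
 				if err != nil {
-					return nil, err
+					return nil, fmt.Errorf("creating legacy bundle: %w", err)
 				}
 			}
 
@@ -263,6 +237,45 @@ func newSigningConfigFromKeyOpts(ko options.KeyOpts, shouldUpload bool) (*root.S
 	)
 }
 
+func extractElementsFromProtoBundle(bundle *protobundle.Bundle) ([]byte, *protocommon.X509Certificate, *protorekor.TransparencyLogEntry) {
+	var extractedCert *protocommon.X509Certificate
+	if bundle.VerificationMaterial.GetCertificate() != nil {
+		extractedCert = bundle.VerificationMaterial.GetCertificate()
+	}
+	var rekorEntry *protorekor.TransparencyLogEntry
+	if len(bundle.VerificationMaterial.GetTlogEntries()) > 0 {
+		rekorEntry = bundle.VerificationMaterial.GetTlogEntries()[0]
+	}
+	return bundle.GetMessageSignature().GetSignature(), extractedCert, rekorEntry
+}
+
+func newLegacyBundleFromProtoBundleElements(sig []byte, cert *protocommon.X509Certificate, rekorEntry *protorekor.TransparencyLogEntry) ([]byte, error) {
+	signedPayload := cosign.LocalSignedPayload{
+		Base64Signature: base64.StdEncoding.EncodeToString(sig),
+	}
+	if cert != nil {
+		pemBlock := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: cert.GetRawBytes(),
+		}
+		certPem := pem.EncodeToMemory(pemBlock)
+		signedPayload.Cert = base64.StdEncoding.EncodeToString(certPem)
+	}
+	if rekorEntry != nil {
+		signedPayload.Bundle = &cbundle.RekorBundle{
+			SignedEntryTimestamp: rekorEntry.GetInclusionPromise().GetSignedEntryTimestamp(),
+			Payload: cbundle.RekorPayload{
+				Body:           rekorEntry.GetCanonicalizedBody(),
+				IntegratedTime: rekorEntry.GetIntegratedTime(),
+				LogIndex:       rekorEntry.GetLogIndex(),
+				LogID:          hex.EncodeToString(rekorEntry.GetLogId().GetKeyId()),
+			},
+		}
+	}
+	return json.Marshal(signedPayload)
+}
+
+
 func protoHashAlgoToHash(hashFunc protocommon.HashAlgorithm) crypto.Hash {
 	switch hashFunc {
 	case protocommon.HashAlgorithm_SHA2_256: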
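Review bot: extractElementsFromProtoBundle reads `bundle.VerificationMaterial` as a raw field three times instead of going through `bundle.GetVerificationMaterial()`, so a bundle with no verification material now panics on a nil pointer dereference where the generated nil-safe getters (which the removed code in SignBlobCmd used for the tlog entries) would return nil and leave the legacy bundle without a cert or Rekor entry. The `if ... != nil` guard around `GetCertificate()` is redundant for the same reason: the getter already yields nil when the oneof is not a certificate. Both new helpers also lack a doc comment; extractElementsFromProtoBundle should state that only the first transparency log entry is carried into the legacy format and the rest are dropped, and newLegacyBundleFromProtoBundleElements should note that `SignedEntryTimestamp` comes from `GetInclusionPromise()`, which is empty for an entry that carries only an inclusion proof — presumably the legacy verifier rejects such a bundle rather than accepting it, but that is worth confirming. The body below keeps the signature and return values unchanged while routing every access through the getters.
```go
func extractElementsFromProtoBundle(bundle *protobundle.Bundle) ([]byte, *protocommon.X509Certificate, *protorekor.TransparencyLogEntry) {
	vm := bundle.GetVerificationMaterial()
	// The legacy bundle format holds a single Rekor entry; only the first one is kept.
	var rekorEntry *protorekor.TransparencyLogEntry
	if entries := vm.GetTlogEntries(); len(entries) > 0 {
		rekorEntry = entries[0]
	}
	return bundle.GetMessageSignature().GetSignature(), vm.GetCertificate(), rekorEntry
}
// … unchanged: newLegacyBundleFromProtoBundleElements …
```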
