@@ -375,20 +375,6 @@ def _verify_common_signing_cert(
375375 f"invalid signing cert: expired at time of signing, time via { vts }
376376 )
377377
378- @staticmethod
379- def _get_key_details (certificate : Certificate ) -> v1 .PublicKeyDetails :
380- """Determine PublicKeyDetails from a certificate"""
381- public_key = certificate .public_key ()
382- if isinstance (public_key , EllipticCurvePublicKey ):
383- if public_key .curve .name == "secp256r1" :
384- return cast (
385- v1 .PublicKeyDetails ,
386- v1 .PublicKeyDetails .PKIX_ECDSA_P256_SHA_256 ,
387- )
388- # TODO support other keys
389- raise ValueError (f"Unsupported EC curve: { public_key .curve .name } )
390- raise ValueError (f"Unsupported public key type: { type (public_key )} )
391-
392378 def verify_dsse (
393379 self , bundle : Bundle , policy : VerificationPolicy
394380 ) -> tuple [str , bytes ]:
@@ -440,9 +426,9 @@ def verify_dsse(
440426 entry ._kind_version .kind == "dsse"
441427 and entry ._kind_version .version == "0.0.2"
442428 ):
443- validate_dsse_v002_entry_body (bundle )
429+ _validate_dsse_v002_entry_body (bundle )
444430 else :
445- validate_dsse_v001_entry_body (bundle )
431+ _validate_dsse_v001_entry_body (bundle )
446432
447433 return (envelope ._inner .payload_type , envelope ._inner .payload )
448434
@@ -491,14 +477,14 @@ def verify_artifact(
491477 entry ._kind_version .kind == "hashedrekord"
492478 and entry ._kind_version .version == "0.0.2"
493479 ):
494- validate_hashedrekord_v002_entry_body (bundle )
480+ _validate_hashedrekord_v002_entry_body (bundle )
495481 else :
496- validate_hashedrekord_v001_entry_body (bundle , hashed_input )
482+ _validate_hashedrekord_v001_entry_body (bundle , hashed_input )
497483
498484
499- def validate_dsse_v001_entry_body (bundle : Bundle ) -> None :
485+ def _validate_dsse_v001_entry_body (bundle : Bundle ) -> None :
500486 """
501- Valideate the Entry body for dsse v001.
487+ Validate the Entry body for dsse v001.
502488 """
503489 entry = bundle .log_entry
504490 envelope = bundle ._dsse_envelope
@@ -534,9 +520,9 @@ def validate_dsse_v001_entry_body(bundle: Bundle) -> None:
534520 raise VerificationError ("log entry signatures do not match bundle" )
535521
536522
537- def validate_dsse_v002_entry_body (bundle : Bundle ) -> None :
523+ def _validate_dsse_v002_entry_body (bundle : Bundle ) -> None :
538524 """
539- Valideate the Entry body for dsse v002.
525+ Validate Entry body for dsse v002.
540526 """
541527 entry = bundle .log_entry
542528 envelope = bundle ._dsse_envelope
@@ -562,24 +548,19 @@ def validate_dsse_v002_entry_body(bundle: Bundle) -> None:
562548 v2_signatures = [
563549 v2 .Signature (
564550 content = signature .sig ,
565- verifier = v2 .Verifier (
566- x509_certificate = v1 .X509Certificate (
567- bundle .signing_certificate .public_bytes (
568- encoding = serialization .Encoding .DER
569- )
570- ),
571- key_details = Verifier ._get_key_details (bundle .signing_certificate ),
572- ),
551+ verifier = _v2_verifier_from_certificate (bundle .signing_certificate ),
573552 )
574553 for signature in envelope ._inner .signatures
575554 ]
576555 if v2_signatures != v2_body .spec .dsse_v002 .signatures :
577556 raise VerificationError ("log entry signatures do not match bundle" )
578557
579558
580- def validate_hashedrekord_v001_entry_body (bundle : Bundle , hashed_input : Hashed ) -> None :
559+ def _validate_hashedrekord_v001_entry_body (
560+ bundle : Bundle , hashed_input : Hashed
561+ ) -> None :
581562 """
582- Valideate the Entry body for hashedrekord v001.
563+ Validate the Entry body for hashedrekord v001.
583564 """
584565 entry = bundle .log_entry
585566 expected_body = _hashedrekord_from_parts (
@@ -596,9 +577,9 @@ def validate_hashedrekord_v001_entry_body(bundle: Bundle, hashed_input: Hashed)
596577 )
597578
598579
599- def validate_hashedrekord_v002_entry_body (bundle : Bundle ) -> None :
580+ def _validate_hashedrekord_v002_entry_body (bundle : Bundle ) -> None :
600581 """
601- Valideate the Entry body for hashedrekord v002.
582+ Validate Entry body for hashedrekord v002.
602583 """
603584 entry = bundle .log_entry
604585 if bundle ._inner .message_signature is None :
@@ -616,16 +597,7 @@ def validate_hashedrekord_v002_entry_body(bundle: Bundle) -> None:
616597 ),
617598 signature = v2 .Signature (
618599 content = bundle ._inner .message_signature .signature ,
619- verifier = v2 .Verifier (
620- x509_certificate = v1 .X509Certificate (
621- bundle .signing_certificate .public_bytes (
622- encoding = serialization .Encoding .DER
623- )
624- ),
625- key_details = Verifier ._get_key_details (
626- bundle .signing_certificate
627- ),
628- ),
600+ verifier = _v2_verifier_from_certificate (bundle .signing_certificate ),
629601 ),
630602 )
631603 ),
@@ -635,3 +607,29 @@ def validate_hashedrekord_v002_entry_body(bundle: Bundle) -> None:
635607 raise VerificationError (
636608 "transparency log entry is inconsistent with other materials"
637609 )
610+
611+
612+ def _v2_verifier_from_certificate (certificate : Certificate ) -> v2 .Verifier :
613+ public_key = certificate .public_key ()
614+ key_details = None
615+
616+ if isinstance (public_key , EllipticCurvePublicKey ):
617+ if public_key .curve .name == "secp256r1" :
618+ key_details = cast (
619+ v1 .PublicKeyDetails ,
620+ v1 .PublicKeyDetails .PKIX_ECDSA_P256_SHA_256 ,
621+ )
622+ else :
623+ raise ValueError (f"Unsupported EC curve: { public_key .curve .name } )
624+
625+ # TODO support other keys
626+
627+ if key_details is None :
628+ raise ValueError (f"Unsupported public key type: { type (public_key )} )
629+
630+ return v2 .Verifier (
631+ x509_certificate = v1 .X509Certificate (
632+ certificate .public_bytes (encoding = serialization .Encoding .DER )
633+ ),
634+ key_details = key_details ,
635+ )
0 commit comments