Refactor SignWithSigner to reduce cognitive complexity

leifj · leifj · commit b06caa967ae6 · 2026-02-24T15:59:06.000+01:00
Extract computeSigningDigest helper function to reduce cognitive complexity
of SignWithSigner from 27 to under 15. The new helper handles:
- Canonicalization of credential and proof config
- Hash computation of both components
- Curve-appropriate re-hashing of combined data

This improves code maintainability per SonarCloud recommendations.
diff --git a/pkg/vc20/crypto/ecdsa/suite.go b/pkg/vc20/crypto/ecdsa/suite.go
@@ -147,29 +147,16 @@ func hashCombinedData(combined []byte, pubKey crypto.PublicKey) []byte {
 	return hasher.Sum(nil)
 }
 
-// SignWithSigner signs a credential using ecdsa-rdfc-2019 with a VCSigner.
-// This method supports both raw keys (via wrappers) and HSM-backed keys (via pki.RawSigner).
-func (s *Suite) SignWithSigner(ctx context.Context, cred *credential.RDFCredential, signer vccrypto.VCSigner, opts *SignOptions) (*credential.RDFCredential, error) {
-	if cred == nil {
-		return nil, fmt.Errorf("credential is nil")
-	}
-	if signer == nil {
-		return nil, fmt.Errorf("signer is nil")
-	}
-	if opts == nil {
-		return nil, fmt.Errorf("sign options are nil")
-	}
-
-	// 1. Get canonical document hash (without proof)
+// computeSigningDigest computes the digest to be signed from credential and proof config.
+// Returns the combined hash of (proofHash || docHash) re-hashed to curve-appropriate size.
+func computeSigningDigest(cred *credential.RDFCredential, proofConfig map[string]any, pubKey crypto.PublicKey) ([]byte, error) {
+	// Get canonical document (without proof)
 	credWithoutProof, err := cred.CredentialWithoutProof()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get credential without proof: %w", err)
 	}
 
-	// 2. Create proof configuration using helper
-	proofConfig := buildProofConfig(opts)
-
-	// 3. Canonicalize and hash proof configuration
+	// Canonicalize proof configuration
 	proofConfigBytes, err := json.Marshal(proofConfig)
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal proof config: %w", err)
@@ -183,7 +170,7 @@ func (s *Suite) SignWithSigner(ctx context.Context, cred *credential.RDFCredenti
 		return nil, fmt.Errorf("failed to create RDF credential for proof config: %w", err)
 	}
 
-	// 4. Combine hashes
+	// Get canonical forms
 	docCanonical, err := credWithoutProof.CanonicalForm()
 	if err != nil {
 		return nil, fmt.Errorf("failed to get canonical form of document: %w", err)
@@ -194,28 +181,49 @@ func (s *Suite) SignWithSigner(ctx context.Context, cred *credential.RDFCredenti
 		return nil, fmt.Errorf("failed to get canonical form of proof config: %w", err)
 	}
 
+	// Compute combined hash
 	docHashBytes := sha256.Sum256([]byte(docCanonical))
 	proofHashBytes := sha256.Sum256([]byte(proofCanonical))
 	combined := append(proofHashBytes[:], docHashBytes[:]...)
 
-	// 5. Hash combined data to curve-appropriate size before signing.
-	// This ensures both proofHash and docHash are cryptographically bound
-	// in the signature (raw ECDSA would truncate to curve order size).
-	digest := hashCombinedData(combined, signer.PublicKey())
+	return hashCombinedData(combined, pubKey), nil
+}
+
+// SignWithSigner signs a credential using ecdsa-rdfc-2019 with a VCSigner.
+// This method supports both raw keys (via wrappers) and HSM-backed keys (via pki.RawSigner).
+func (s *Suite) SignWithSigner(ctx context.Context, cred *credential.RDFCredential, signer vccrypto.VCSigner, opts *SignOptions) (*credential.RDFCredential, error) {
+	if cred == nil {
+		return nil, fmt.Errorf("credential is nil")
+	}
+	if signer == nil {
+		return nil, fmt.Errorf("signer is nil")
+	}
+	if opts == nil {
+		return nil, fmt.Errorf("sign options are nil")
+	}
+
+	// Build proof configuration
+	proofConfig := buildProofConfig(opts)
 
-	// 6. Sign using the VCSigner
+	// Compute the digest to sign
+	digest, err := computeSigningDigest(cred, proofConfig, signer.PublicKey())
+	if err != nil {
+		return nil, err
+	}
+
+	// Sign using the VCSigner
 	signature, err := signer.SignDigest(ctx, digest)
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign: %w", err)
 	}
 
-	// 7. Encode signature (multibase base58-btc)
+	// Encode signature (multibase base58-btc)
 	proofValue, err := multibase.Encode(multibase.Base58BTC, signature)
 	if err != nil {
 		return nil, fmt.Errorf("failed to encode signature: %w", err)
 	}
 
-	// 7. Add proof to credential using helpers
+	// Add proof to credential
 	credMap, err := getCredentialAsMap(cred)
 	if err != nil {
 		return nil, err
@@ -230,6 +238,9 @@ func (s *Suite) SignWithSigner(ctx context.Context, cred *credential.RDFCredenti
 		return nil, fmt.Errorf("failed to marshal new credential: %w", err)
 	}
 
+	ldOpts := credential.NewJSONLDOptions("")
+	ldOpts.Algorithm = ld.AlgorithmURDNA2015
+
 	return credential.NewRDFCredentialFromJSON(newCredBytes, ldOpts)
 }
 
