From fec61b1f273e207734cdbb953c320e3e1c575bcd Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Thu, 20 Jun 2024 18:03:48 +0000
Subject: [PATCH] use pointers
Signed-off-by: Ramon Petgrave
---
 cli/slsa-verifier/verify/verify_vsa.go | 14 +++++++-------
 options/options.go | 14 +++++++-------
 verifiers/internal/vsa/verifier.go | 12 ++++++------
 3 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/cli/slsa-verifier/verify/verify_vsa.go b/cli/slsa-verifier/verify/verify_vsa.go
index 78ea0e3..2caa196 100644
--- a/cli/slsa-verifier/verify/verify_vsa.go
+++ b/cli/slsa-verifier/verify/verify_vsa.go
@@ -56,10 +56,10 @@ func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID,
 return nil, err
 }
 vsaOpts := &options.VSAOpts{
- ExpectedDigests: *c.SubjectDigests,
- ExpectedVerifierID: *c.VerifierID,
- ExpectedResourceURI: *c.ResourceURI,
- ExpectedVerifiedLevels: *c.VerifiedLevels,
+ ExpectedDigests: c.SubjectDigests,
+ ExpectedVerifierID: c.VerifierID,
+ ExpectedResourceURI: c.ResourceURI,
+ ExpectedVerifiedLevels: c.VerifiedLevels,
 }
 pubKeyBytes, err := os.ReadFile(*c.PublicKeyPath)
 if err != nil {
@@ -79,9 +79,9 @@ func (c *VerifyVSACommand) Exec(ctx context.Context) (*utils.TrustedAttesterID,
 return nil, err
 }
 VerificationOpts := &options.VerificationOpts{
- PublicKey: pubKey,
- PublicKeyID: *c.PublicKeyID,
- PublicKeyHashAlgo: hashHalgo,
+ PublicKey: &pubKey,
+ PublicKeyID: c.PublicKeyID,
+ PublicKeyHashAlgo: &hashHalgo,
 }
 attestations, err := os.ReadFile(*c.AttestationsPath)
 if err != nil {
diff --git a/options/options.go b/options/options.go
index c408e13..761d376 100644
--- a/options/options.go
+++ b/options/options.go
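Review bot: Exec now forwards the flag pointers verbatim into `vsaOpts`, so a nil `c.SubjectDigests`, `c.VerifierID`, `c.ResourceURI` or `c.VerifiedLevels` is no longer caught at this layer and instead reaches the matchers in verifier.go, which dereference each field unconditionally; the second hunk does the same for `c.PublicKeyID`. If the flag library guarantees non-nil pointers for every defined flag this is harmless for the CLI, but that guarantee is not visible here and the old `*c.X` at least failed at the call site. If these options are required, check them before building the struct and return an error naming the missing flag, e.g. `if c.SubjectDigests == nil { return nil, errors.New("subject digests are required") }` (constructed message; `errors` may need importing). Exec starts and ends outside the hunk.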
@@ -43,25 +43,25 @@ type BuilderOpts struct {
 // VSAOpts are the options for checking the VSA.
 type VSAOpts struct {
 //ExpectedDigests are the digests expected to be in the VSA
- ExpectedDigests []string
+ ExpectedDigests *[]string
 // ExpectedVerifierID is the verifier ID that is passed from user and not verified
- ExpectedVerifierID string
+ ExpectedVerifierID *string
 // ExpectedResourceURI is the resource URI that is passed from user and not verified
- ExpectedResourceURI string
+ ExpectedResourceURI *string
 // ExpectedVerifiedLevels is the levels of verification that are passed from user and not verified
- ExpectedVerifiedLevels []string
+ ExpectedVerifiedLevels *[]string
 }
 type VerificationOpts struct {
 // PublicKey is the public key used to verify the signature on the Envelope
- PublicKey crypto.PublicKey
+ PublicKey *crypto.PublicKey
 // PublicKeyID is the ID of the public key
- PublicKeyID string
+ PublicKeyID *string
 // PublicKeyHashAlgo is the hash algorithm used to hash the signature
- PublicKeyHashAlgo crypto.Hash
+ PublicKeyHashAlgo *crypto.Hash
 }
diff --git a/verifiers/internal/vsa/verifier.go b/verifiers/internal/vsa/verifier.go
index edd2418..4bc3ad0 100644
--- a/verifiers/internal/vsa/verifier.go
+++ b/verifiers/internal/vsa/verifier.go
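Review bot: VerificationOpts is exported but has no doc comment, and none of the field comments say whether nil is permitted now that every field is a pointer; the verifier dereferences all of them, so a nil field currently panics. Suggest `// VerificationOpts holds the key material used to verify the signature on the Envelope.` on the type and appending `Must not be nil.` to each pointer field's comment (or stating what nil means if skipping a check is the intent). As a point of style, `*[]string` and `*crypto.PublicKey` are pointers to types that already have a usable nil value (a nil slice, a nil interface), so a plain `[]string`/`crypto.PublicKey` with a documented "empty means unset" rule would avoid the double indirection and the dereferences it forces on every consumer. `//ExpectedDigests` is also missing the space after `//` that the sibling comments have.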
@@ -72,14 +72,14 @@ func VerifyVSA(ctx context.Context,
 // verifyEnvelopeSignature verifies the signature of the envelope.
 func verifyEnvelopeSignature(ctx context.Context, sigstoreEnvelope *sigstoreBundle.Envelope, verificationOpts *options.VerificationOpts) error {
- signatureVerifier, err := sigstoreSignature.LoadVerifier(verificationOpts.PublicKey, verificationOpts.PublicKeyHashAlgo)
+ signatureVerifier, err := sigstoreSignature.LoadVerifier(*verificationOpts.PublicKey, *verificationOpts.PublicKeyHashAlgo)
 if err != nil {
 return fmt.Errorf("%w: loading sigstore DSSE envolope verifier %w", serrors.ErrorInvalidPublicKey, err)
 }
 envelopeVerifier, err := dsse.NewEnvelopeVerifier(&sigstoreDSSE.VerifierAdapter{
 SignatureVerifier: signatureVerifier,
 Pub: verificationOpts.PublicKey,
- PubKeyID: verificationOpts.PublicKeyID,
+ PubKeyID: *verificationOpts.PublicKeyID,
 })
 if err != nil {
 return fmt.Errorf("%w: creating sigstore DSSE envelope verifier %w", serrors.ErrorInvalidPublicKey, err)
@@ -139,7 +139,7 @@ func matchExepectedSubjectDigests(vsa *vsa10.VSA, vsaOpts *options.VSAOpts) erro
 }
 }
 // search for the expected digests in the VSA
- for _, expectedDigest := range vsaOpts.ExpectedDigests {
+ for _, expectedDigest := range *vsaOpts.ExpectedDigests {
 parts := strings.SplitN(expectedDigest, ":", 2)
 if len(parts) != 2 {
 return fmt.Errorf("%w: expected digest %s is not in the format :", serrors.ErrorInvalidDssePayload, expectedDigest)
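Review bot: `Pub: verificationOpts.PublicKey` is left undereferenced while the `LoadVerifier` call a few lines above now dereferences the same field, so the adapter receives a `*crypto.PublicKey`; if `VerifierAdapter.Pub` is typed `crypto.PublicKey` (an interface), this compiles silently and the adapter carries a pointer-to-interface rather than the key. It should read `Pub: *verificationOpts.PublicKey,`. The three new dereferences also turn a nil field into a panic; a guard at the top of the function such as `if verificationOpts.PublicKey == nil || verificationOpts.PublicKeyHashAlgo == nil || verificationOpts.PublicKeyID == nil { return fmt.Errorf("%w: public key, hash algorithm and key ID must be set", serrors.ErrorInvalidPublicKey) }` keeps a missing option an ordinary error. The body of verifyEnvelopeSignature continues past the hunk.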
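Review bot: `range *vsaOpts.ExpectedDigests` panics with a nil pointer dereference if the caller leaves the field unset, and the same applies to `*vsaOpts.ExpectedVerifierID`, `*vsaOpts.ExpectedResourceURI` and `*vsaOpts.ExpectedVerifiedLevels` in the `@@ -158`, `@@ -166` and `@@ -186` hunks. A single validation at the entry point (VerifyVSA, outside this hunk) that returns an error for any nil field keeps every matcher fail-closed without a crash, e.g. `if vsaOpts.ExpectedDigests == nil { return fmt.Errorf("%w: expected digests not set", serrors.ErrorInvalidDssePayload) }` per field, substituting a more fitting sentinel if the package has one. If nil is instead meant to mean "skip this check", that branch should be explicit in each matcher and stated in the field's doc comment, since the current code admits no such case. matchExepectedSubjectDigests begins before the hunk.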
@@ -158,7 +158,7 @@ func matchExepectedSubjectDigests(vsa *vsa10.VSA, vsaOpts *options.VSAOpts) erro
 // matchVerifierID checks if the verifier ID in the VSA matches the expected value.
 func matchVerifierID(vsa *vsa10.VSA, vsaOpts *options.VSAOpts) error {
- if vsa.Predicate.Verifier.ID != vsaOpts.ExpectedVerifierID {
+ if vsa.Predicate.Verifier.ID != *vsaOpts.ExpectedVerifierID {
 return fmt.Errorf("%w: verifier ID mismatch: expected %s, got %s", serrors.ErrorInvalidDssePayload, vsa.Predicate.Verifier.ID, vsa.Predicate.Verifier.ID)
 }
 return nil
@@ -166,7 +166,7 @@ func matchVerifierID(vsa *vsa10.VSA, vsaOpts *options.VSAOpts) error {
 // matchResourceURI checks if the resource URI in the VSA matches the expected value.
 func matchResourceURI(vsa *vsa10.VSA, vsaOpts *options.VSAOpts) error {
- if vsa.Predicate.ResourceURI != vsaOpts.ExpectedResourceURI {
+ if vsa.Predicate.ResourceURI != *vsaOpts.ExpectedResourceURI {
 return fmt.Errorf("%w: resource URI mismatch: expected %s, got %s", serrors.ErrorInvalidDssePayload, vsa.Predicate.ResourceURI, vsaOpts.ExpectedResourceURI)
 }
 return nil
@@ -186,7 +186,7 @@ func matchVerifiedLevels(vsa *vsa10.VSA, vsaOpts *options.VSAOpts) error {
 for _, level := range vsa.Predicate.VerifiedLevels {
 vsaLevels[level] = true
 }
- for _, expectedLevel := range vsaOpts.ExpectedVerifiedLevels {
+ for _, expectedLevel := range *vsaOpts.ExpectedVerifiedLevels {
 if _, ok := vsaLevels[normalizeString(expectedLevel)]; !ok {
 return fmt.Errorf("%w: expected verified level not found: %s", serrors.ErrorInvalidDssePayload, expectedLevel)
 }
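Review bot: The mismatch message passes `vsa.Predicate.Verifier.ID` for both the `expected` and the `got` placeholder, so a failing comparison never shows the value the caller asked for. With the new pointer field the arguments should be `serrors.ErrorInvalidDssePayload, *vsaOpts.ExpectedVerifierID, vsa.Predicate.Verifier.ID`. The line is context in this hunk, but the comparison directly above it is what the commit changes, so this is the natural place to correct it.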
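Review bot: In the `@@ -166` hunk `vsaOpts.ExpectedResourceURI` is now a `*string` but is still passed to the `%s` verb of the mismatch message, so the error will print a pointer address rather than the expected URI; `go vet` reports this as a format argument of the wrong type. Change the argument to `*vsaOpts.ExpectedResourceURI`. The `expected`/`got` order there is otherwise correct, unlike the verifier-ID message in the preceding hunk.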