sigstore type refactoring (#550)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

.changeset/lucky-mangos-hug.md

@@ -0,0 +1,5 @@
+---
+'sigstore': patch
+---
+
+Internal refactoring of Typescript types

packages/client/src/__tests__/__fixtures__/trust.ts

@@ -13,7 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import * as sigstore from '../../types/sigstore';
+import { TrustedRoot } from '@sigstore/protobuf-specs';
+
 const trustedRootJSON = {
   mediaType: 'application/vnd.dev.sigstore.trustedroot+json;version=0.1',
   tlogs: [
@@ -103,4 +104,4 @@ const trustedRootJSON = {
   timestampAuthorities: [],
 };
 
-export const trustedRoot = sigstore.TrustedRoot.fromJSON(trustedRootJSON);
+export const trustedRoot = TrustedRoot.fromJSON(trustedRootJSON);

packages/client/src/__tests__/ca/verify/index.test.ts

@@ -21,7 +21,7 @@ import { trustedRoot } from '../../__fixtures__/trust';
 describe('verifySigningCertificate', () => {
   // Temporary until we reconsole bundle formats
   const bundleJSON = bundles.dsse.valid.withSigningCert;
-  const bundle = sigstore.Bundle.fromJSON(
+  const bundle = sigstore.bundleFromJSON(
     bundleJSON
   ) as sigstore.BundleWithCertificateChain;
 

packages/client/src/__tests__/sigstore.test.ts

@@ -13,19 +13,19 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import { TUFError } from '@sigstore/tuf';
-import mocktuf, { Target } from '@tufjs/repo-mock';
-import { PolicyError, VerificationError } from '../error';
-import { Signer } from '../sign';
-import { attest, sign, tuf, verify } from '../sigstore';
 import {
   Bundle,
   HashAlgorithm,
   TimestampVerificationData,
   TransparencyLogEntry,
   TrustedRoot,
   X509CertificateChain,
-} from '../types/sigstore';
+} from '@sigstore/protobuf-specs';
+import { TUFError } from '@sigstore/tuf';
+import mocktuf, { Target } from '@tufjs/repo-mock';
+import { PolicyError, VerificationError } from '../error';
+import { Signer } from '../sign';
+import { attest, sign, tuf, verify } from '../sigstore';
 import bundles from './__fixtures__/bundles';
 import { trustedRoot } from './__fixtures__/trust';
 

packages/client/src/__tests__/tlog/verify/index.test.ts

@@ -22,7 +22,7 @@ import { trustedRoot } from '../../__fixtures__/trust';
 describe('verifyTLogEntries', () => {
   const bundle = sigstore.bundleFromJSON(
     bundles.signature.valid.withSigningCert
-  ) as sigstore.BundleWithVerificationMaterial;
+  ) as sigstore.Bundle;
 
   const options: sigstore.ArtifactVerificationOptions_TlogOptions = {
     disable: false,
@@ -42,7 +42,7 @@ describe('verifyTLogEntries', () => {
     describe('when the bundle does NOT have a signing certificate', () => {
       const bundle = sigstore.bundleFromJSON(
         bundles.signature.valid.withPublicKey
-      ) as sigstore.BundleWithVerificationMaterial;
+      ) as sigstore.Bundle;
 
       it('does NOT throw an error', () => {
         expect(() =>
@@ -83,7 +83,7 @@ describe('verifyTLogEntries', () => {
   describe('when tlog entries are missing data necessary for verification', () => {
     const bundle = sigstore.bundleFromJSON(
       bundles.dsse.invalid.tlogKindVersionMissing
-    ) as sigstore.BundleWithVerificationMaterial;
+    ) as sigstore.Bundle;
 
     it('throws an error', () => {
       expect(() => verifyTLogEntries(bundle, trustedRoot, options)).toThrow(

packages/client/src/__tests__/types/sigstore/index.test.ts

@@ -13,49 +13,16 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+import type { Entry } from '../../../external/rekor';
 import { SignatureMaterial } from '../../../types/signature';
 import * as sigstore from '../../../types/sigstore';
 import { encoding as enc, pem } from '../../../util';
 import bundles from '../../__fixtures__/bundles/';
 
-import type { Entry } from '../../../external/rekor';
-
-describe('isBundleWithVerificationMaterial', () => {
-  describe('when the bundle contains verification material', () => {
-    const json = bundles.dsse.valid.withSigningCert;
-    const bundle = sigstore.Bundle.fromJSON(json);
-
-    it('returns true', () => {
-      expect(sigstore.isBundleWithVerificationMaterial(bundle)).toBe(true);
-    });
-  });
-
-  describe('when the bundle does NOT contain verification material', () => {
-    const bundle: sigstore.Bundle = {
-      mediaType: 'application/vnd.dev.cosign.simplesigning.v1+json',
-      verificationMaterial: undefined,
-      content: {
-        $case: 'messageSignature',
-        messageSignature: {
-          messageDigest: {
-            algorithm: sigstore.HashAlgorithm.SHA2_256,
-            digest: Buffer.from(''),
-          },
-          signature: Buffer.from(''),
-        },
-      },
-    };
-
-    it('returns false', () => {
-      expect(sigstore.isBundleWithVerificationMaterial(bundle)).toBe(false);
-    });
-  });
-});
-
 describe('isBundleWithCertificateChain', () => {
   describe('when the bundle contains a certificate chain', () => {
     const json = bundles.dsse.valid.withSigningCert;
-    const bundle = sigstore.Bundle.fromJSON(json);
+    const bundle = sigstore.bundleFromJSON(json);
 
     it('returns true', () => {
       expect(sigstore.isBundleWithCertificateChain(bundle)).toBe(true);
@@ -64,7 +31,7 @@ describe('isBundleWithCertificateChain', () => {
 
   describe('when the bundle does NOT contain a certificate chain', () => {
     const json = bundles.dsse.valid.withPublicKey;
-    const bundle = sigstore.Bundle.fromJSON(json);
+    const bundle = sigstore.bundleFromJSON(json);
 
     it('returns false', () => {
       expect(sigstore.isBundleWithCertificateChain(bundle)).toBe(false);

packages/client/src/__tests__/types/sigstore/serialized.test.ts

@@ -13,11 +13,10 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import {
-  Bundle,
+import { Bundle, hashAlgorithmToJSON } from '@sigstore/protobuf-specs';
+import type {
   Envelope,
   HashAlgorithm,
-  hashAlgorithmToJSON,
   MessageSignature,
   PublicKeyIdentifier,
   SerializedBundle,

packages/client/src/__tests__/types/sigstore/validate.test.ts

@@ -14,12 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 import { ValidationError } from '../../../error';
-import {
-  assertValidBundle,
+import { assertValidBundle } from '../../../types/sigstore/validate';
+
+import type {
   Bundle,
   Signature,
   X509Certificate,
-} from '../../../types/sigstore';
+} from '@sigstore/protobuf-specs';
 
 describe('assertValidBundle', () => {
   describe('when the bundle is completely empty', () => {

packages/client/src/__tests__/x509/cert.test.ts

@@ -13,7 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import * as sigstore from '../../types/sigstore';
+import { TransparencyLogInstance } from '@sigstore/protobuf-specs';
 import { pem } from '../../util';
 import { x509Certificate } from '../../x509/cert';
 import { certificates } from '../__fixtures__/certs';
@@ -290,8 +290,8 @@ describe('x509Certificate', () => {
       logId: { keyId: 'CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I=' },
     };
 
-    const logs: sigstore.TransparencyLogInstance[] = [
-      sigstore.TransparencyLogInstance.fromJSON(ctl),
+    const logs: TransparencyLogInstance[] = [
+      TransparencyLogInstance.fromJSON(ctl),
     ];
 
     describe('when the certificate does NOT have an SCT extension', () => {

packages/client/src/__tests__/x509/sct.test.ts

@@ -13,7 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import * as sigstore from '../../types/sigstore';
+import { TransparencyLogInstance } from '@sigstore/protobuf-specs';
 import { SignedCertificateTimestamp } from '../../x509/sct';
 
 describe('SignedCertificateTimestamp', () => {
@@ -130,8 +130,8 @@ describe('SignedCertificateTimestamp', () => {
         logId: { keyId: Buffer.from(logID, 'hex') },
       };
 
-      const logs: sigstore.TransparencyLogInstance[] = [
-        sigstore.TransparencyLogInstance.fromJSON(ctl),
+      const logs: TransparencyLogInstance[] = [
+        TransparencyLogInstance.fromJSON(ctl),
       ];
 
       describe('when the signature is valid', () => {

packages/client/src/sigstore-utils.ts

@@ -65,5 +65,5 @@ export async function createRekorEntry(
     signature: sigMaterial,
     tlogEntry: entry,
   });
-  return sigstore.Bundle.toJSON(bundle) as sigstore.SerializedBundle;
+  return sigstore.bundleToJSON(bundle) as sigstore.SerializedBundle;
 }

packages/client/src/sigstore.ts

@@ -36,7 +36,7 @@ export async function sign(
   });
 
   const bundle = await signer.signBlob(payload);
-  return sigstore.Bundle.toJSON(bundle) as sigstore.SerializedBundle;
+  return sigstore.bundleToJSON(bundle) as sigstore.SerializedBundle;
 }
 
 export async function attest(
@@ -59,7 +59,7 @@ export async function attest(
   });
 
   const bundle = await signer.signAttestation(payload, payloadType);
-  return sigstore.Bundle.toJSON(bundle) as sigstore.SerializedBundle;
+  return sigstore.bundleToJSON(bundle) as sigstore.SerializedBundle;
 }
 
 export async function verify(

packages/client/src/tlog/verify/index.ts

@@ -22,7 +22,7 @@ import { verifyTLogSET } from './set';
 // Verifies that the number of tlog entries that pass offline verification
 // is greater than or equal to the threshold specified in the options.
 export function verifyTLogEntries(
-  bundle: sigstore.BundleWithVerificationMaterial,
+  bundle: sigstore.Bundle,
   trustedRoot: sigstore.TrustedRoot,
   options: sigstore.ArtifactVerificationOptions_TlogOptions
 ): void {
@@ -31,7 +31,7 @@ export function verifyTLogEntries(
   }
 
   // Extract the signing cert, if available
-  const signingCert = sigstore.signingCertificate(bundle);
+  const signingCert = signingCertificate(bundle);
 
   // Iterate over the tlog entries and verify each one
   const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter(
@@ -74,3 +74,15 @@ function verifyTLogEntryOffline(
     verifyTLogIntegrationTime()
   );
 }
+
+function signingCertificate(
+  bundle: sigstore.Bundle
+): x509Certificate | undefined {
+  if (!sigstore.isBundleWithCertificateChain(bundle)) {
+    return undefined;
+  }
+
+  const signingCert =
+    bundle.verificationMaterial.content.x509CertificateChain.certificates[0];
+  return x509Certificate.parse(signingCert.rawBytes);
+}