sigstore type refactoring (#550)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

Author: bdehamer

.changeset/lucky-mangos-hug.md

@@ -0,0 +1,5 @@
+---
+'sigstore': patch
+---
+
+Internal refactoring of Typescript types

packages/client/src/__tests__/__fixtures__/trust.ts

@@ -13,7 +13,8 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import * as sigstore from '../../types/sigstore';
+import { TrustedRoot } from '@sigstore/protobuf-specs';
+
 const trustedRootJSON = {
   mediaType: 'application/vnd.dev.sigstore.trustedroot+json;version=0.1',
   tlogs: [
@@ -103,4 +104,4 @@ const trustedRootJSON = {
   timestampAuthorities: [],
 };
 
-export const trustedRoot = sigstore.TrustedRoot.fromJSON(trustedRootJSON);
+export const trustedRoot = TrustedRoot.fromJSON(trustedRootJSON);

packages/client/src/__tests__/ca/verify/index.test.ts

@@ -21,7 +21,7 @@ import { trustedRoot } from '../../__fixtures__/trust';
 describe('verifySigningCertificate', () => {
   // Temporary until we reconsole bundle formats
   const bundleJSON = bundles.dsse.valid.withSigningCert;
-  const bundle = sigstore.Bundle.fromJSON(
+  const bundle = sigstore.bundleFromJSON(
     bundleJSON
   ) as sigstore.BundleWithCertificateChain;
 

packages/client/src/__tests__/sigstore.test.ts

@@ -13,19 +13,19 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import { TUFError } from '@sigstore/tuf';
-import mocktuf, { Target } from '@tufjs/repo-mock';
-import { PolicyError, VerificationError } from '../error';
-import { Signer } from '../sign';
-import { attest, sign, tuf, verify } from '../sigstore';
 import {
   Bundle,
   HashAlgorithm,
   TimestampVerificationData,
   TransparencyLogEntry,
   TrustedRoot,
   X509CertificateChain,
-} from '../types/sigstore';
+} from '@sigstore/protobuf-specs';
+import { TUFError } from '@sigstore/tuf';
+import mocktuf, { Target } from '@tufjs/repo-mock';
+import { PolicyError, VerificationError } from '../error';
+import { Signer } from '../sign';
+import { attest, sign, tuf, verify } from '../sigstore';
 import bundles from './__fixtures__/bundles';
 import { trustedRoot } from './__fixtures__/trust';
 

packages/client/src/__tests__/tlog/verify/index.test.ts

@@ -22,7 +22,7 @@ import { trustedRoot } from '../../__fixtures__/trust';
 describe('verifyTLogEntries', () => {
   const bundle = sigstore.bundleFromJSON(
     bundles.signature.valid.withSigningCert
-  ) as sigstore.BundleWithVerificationMaterial;
+  ) as sigstore.Bundle;
 
   const options: sigstore.ArtifactVerificationOptions_TlogOptions = {
     disable: false,
@@ -42,7 +42,7 @@ describe('verifyTLogEntries', () => {
     describe('when the bundle does NOT have a signing certificate', () => {
       const bundle = sigstore.bundleFromJSON(
         bundles.signature.valid.withPublicKey
-      ) as sigstore.BundleWithVerificationMaterial;
+      ) as sigstore.Bundle;
 
       it('does NOT throw an error', () => {
         expect(() =>
@@ -83,7 +83,7 @@ describe('verifyTLogEntries', () => {
   describe('when tlog entries are missing data necessary for verification', () => {
     const bundle = sigstore.bundleFromJSON(
       bundles.dsse.invalid.tlogKindVersionMissing
-    ) as sigstore.BundleWithVerificationMaterial;
+    ) as sigstore.Bundle;
 
     it('throws an error', () => {
       expect(() => verifyTLogEntries(bundle, trustedRoot, options)).toThrow(

packages/client/src/__tests__/types/sigstore/index.test.ts

@@ -13,49 +13,16 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
+import type { Entry } from '../../../external/rekor';
 import { SignatureMaterial } from '../../../types/signature';
 import * as sigstore from '../../../types/sigstore';
 import { encoding as enc, pem } from '../../../util';
 import bundles from '../../__fixtures__/bundles/';
 
-import type { Entry } from '../../../external/rekor';
-
-describe('isBundleWithVerificationMaterial', () => {
-  describe('when the bundle contains verification material', () => {
-    const json = bundles.dsse.valid.withSigningCert;
-    const bundle = sigstore.Bundle.fromJSON(json);
-
-    it('returns true', () => {
-      expect(sigstore.isBundleWithVerificationMaterial(bundle)).toBe(true);
-    });
-  });
-
-  describe('when the bundle does NOT contain verification material', () => {
-    const bundle: sigstore.Bundle = {
-      mediaType: 'application/vnd.dev.cosign.simplesigning.v1+json',
-      verificationMaterial: undefined,
-      content: {
-        $case: 'messageSignature',
-        messageSignature: {
-          messageDigest: {
-            algorithm: sigstore.HashAlgorithm.SHA2_256,
-            digest: Buffer.from(''),
-          },
-          signature: Buffer.from(''),
-        },
-      },
-    };
-
-    it('returns false', () => {
-      expect(sigstore.isBundleWithVerificationMaterial(bundle)).toBe(false);
-    });
-  });
-});
-
 describe('isBundleWithCertificateChain', () => {
   describe('when the bundle contains a certificate chain', () => {
     const json = bundles.dsse.valid.withSigningCert;
-    const bundle = sigstore.Bundle.fromJSON(json);
+    const bundle = sigstore.bundleFromJSON(json);
 
     it('returns true', () => {
       expect(sigstore.isBundleWithCertificateChain(bundle)).toBe(true);
@@ -64,7 +31,7 @@ describe('isBundleWithCertificateChain', () => {
 
   describe('when the bundle does NOT contain a certificate chain', () => {
     const json = bundles.dsse.valid.withPublicKey;
-    const bundle = sigstore.Bundle.fromJSON(json);
+    const bundle = sigstore.bundleFromJSON(json);
 
     it('returns false', () => {
       expect(sigstore.isBundleWithCertificateChain(bundle)).toBe(false);

packages/client/src/__tests__/types/sigstore/serialized.test.ts

@@ -13,11 +13,10 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import {
-  Bundle,
+import { Bundle, hashAlgorithmToJSON } from '@sigstore/protobuf-specs';
+import type {
   Envelope,
   HashAlgorithm,
-  hashAlgorithmToJSON,
   MessageSignature,
   PublicKeyIdentifier,
   SerializedBundle,

packages/client/src/__tests__/types/sigstore/validate.test.ts

@@ -14,12 +14,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 import { ValidationError } from '../../../error';
-import {
-  assertValidBundle,
+import { assertValidBundle } from '../../../types/sigstore/validate';
+
+import type {
   Bundle,
   Signature,
   X509Certificate,
-} from '../../../types/sigstore';
+} from '@sigstore/protobuf-specs';
 
 describe('assertValidBundle', () => {
   describe('when the bundle is completely empty', () => {

packages/client/src/__tests__/x509/cert.test.ts

@@ -13,7 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import * as sigstore from '../../types/sigstore';
+import { TransparencyLogInstance } from '@sigstore/protobuf-specs';
 import { pem } from '../../util';
 import { x509Certificate } from '../../x509/cert';
 import { certificates } from '../__fixtures__/certs';
@@ -290,8 +290,8 @@ describe('x509Certificate', () => {
       logId: { keyId: 'CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I=' },
     };
 
-    const logs: sigstore.TransparencyLogInstance[] = [
-      sigstore.TransparencyLogInstance.fromJSON(ctl),
+    const logs: TransparencyLogInstance[] = [
+      TransparencyLogInstance.fromJSON(ctl),
     ];
 
     describe('when the certificate does NOT have an SCT extension', () => {

packages/client/src/__tests__/x509/sct.test.ts

@@ -13,7 +13,7 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import * as sigstore from '../../types/sigstore';
+import { TransparencyLogInstance } from '@sigstore/protobuf-specs';
 import { SignedCertificateTimestamp } from '../../x509/sct';
 
 describe('SignedCertificateTimestamp', () => {
@@ -130,8 +130,8 @@ describe('SignedCertificateTimestamp', () => {
         logId: { keyId: Buffer.from(logID, 'hex') },
       };
 
-      const logs: sigstore.TransparencyLogInstance[] = [
-        sigstore.TransparencyLogInstance.fromJSON(ctl),
+      const logs: TransparencyLogInstance[] = [
+        TransparencyLogInstance.fromJSON(ctl),
       ];
 
       describe('when the signature is valid', () => {

packages/client/src/sigstore-utils.ts

@@ -65,5 +65,5 @@ export async function createRekorEntry(
     signature: sigMaterial,
     tlogEntry: entry,
   });
-  return sigstore.Bundle.toJSON(bundle) as sigstore.SerializedBundle;
+  return sigstore.bundleToJSON(bundle) as sigstore.SerializedBundle;
 }

packages/client/src/sigstore.ts

@@ -36,7 +36,7 @@ export async function sign(
   });
 
   const bundle = await signer.signBlob(payload);
-  return sigstore.Bundle.toJSON(bundle) as sigstore.SerializedBundle;
+  return sigstore.bundleToJSON(bundle) as sigstore.SerializedBundle;
 }
 
 export async function attest(
@@ -59,7 +59,7 @@ export async function attest(
   });
 
   const bundle = await signer.signAttestation(payload, payloadType);
-  return sigstore.Bundle.toJSON(bundle) as sigstore.SerializedBundle;
+  return sigstore.bundleToJSON(bundle) as sigstore.SerializedBundle;
 }
 
 export async function verify(

packages/client/src/tlog/verify/index.ts

@@ -22,7 +22,7 @@ import { verifyTLogSET } from './set';
 // Verifies that the number of tlog entries that pass offline verification
 // is greater than or equal to the threshold specified in the options.
 export function verifyTLogEntries(
-  bundle: sigstore.BundleWithVerificationMaterial,
+  bundle: sigstore.Bundle,
   trustedRoot: sigstore.TrustedRoot,
   options: sigstore.ArtifactVerificationOptions_TlogOptions
 ): void {
@@ -31,7 +31,7 @@ export function verifyTLogEntries(
   }
 
   // Extract the signing cert, if available
-  const signingCert = sigstore.signingCertificate(bundle);
+  const signingCert = signingCertificate(bundle);
 
   // Iterate over the tlog entries and verify each one
   const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter(
@@ -74,3 +74,15 @@ function verifyTLogEntryOffline(
     verifyTLogIntegrationTime()
   );
 }
+
+function signingCertificate(
+  bundle: sigstore.Bundle
+): x509Certificate | undefined {
+  if (!sigstore.isBundleWithCertificateChain(bundle)) {
+    return undefined;
+  }
+
+  const signingCert =
+    bundle.verificationMaterial.content.x509CertificateChain.certificates[0];
+  return x509Certificate.parse(signingCert.rawBytes);
+}

packages/client/src/types/sigstore/index.ts

@@ -13,26 +13,54 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import {
+import { Bundle, HashAlgorithm } from '@sigstore/protobuf-specs';
+import { encoding as enc, pem } from '../../util';
+import { SignatureMaterial } from '../signature';
+import { ValidBundle, assertValidBundle } from './validate';
+
+import type {
   ArtifactVerificationOptions,
-  Bundle,
   Envelope,
-  HashAlgorithm,
   TimestampVerificationData,
   TransparencyLogEntry,
   VerificationMaterial,
 } from '@sigstore/protobuf-specs';
-import { encoding as enc, pem } from '../../util';
-import { x509Certificate } from '../../x509/cert';
-import { WithRequired } from '../utility';
-import { ValidBundle, assertValidBundle } from './validate';
-
 import type { Entry, ProposedEntry } from '../../external/rekor';
-import type { SignatureMaterial } from '../signature';
+import type { WithRequired } from '../utility';
+import type { SerializedBundle } from './serialized';
 
-export * from '@sigstore/protobuf-specs';
-export * from './serialized';
-export * from './validate';
+// Enums from protobuf-specs
+// TODO: Move Envelope to "type" export once @sigstore/sign is a thing
+export {
+  Envelope,
+  HashAlgorithm,
+  PublicKeyDetails,
+  SubjectAlternativeNameType,
+} from '@sigstore/protobuf-specs';
+// Types from protobuf-specs
+export type {
+  ArtifactVerificationOptions,
+  ArtifactVerificationOptions_CtlogOptions,
+  ArtifactVerificationOptions_TlogOptions,
+  CertificateAuthority,
+  CertificateIdentities,
+  CertificateIdentity,
+  MessageSignature,
+  ObjectIdentifierValuePair,
+  PublicKey,
+  PublicKeyIdentifier,
+  RFC3161SignedTimestamp,
+  Signature,
+  SubjectAlternativeName,
+  TimestampVerificationData,
+  TransparencyLogEntry,
+  TransparencyLogInstance,
+  TrustedRoot,
+  X509Certificate,
+  X509CertificateChain,
+} from '@sigstore/protobuf-specs';
+export type { SerializedBundle, SerializedEnvelope } from './serialized';
+export type { ValidBundle as Bundle };
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export const bundleFromJSON = (obj: any): ValidBundle => {
@@ -41,26 +69,17 @@ export const bundleFromJSON = (obj: any): ValidBundle => {
   return bundle;
 };
 
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+export const bundleToJSON = (bundle: ValidBundle): SerializedBundle => {
+  return Bundle.toJSON(bundle) as SerializedBundle;
+};
+
 const BUNDLE_MEDIA_TYPE =
   'application/vnd.dev.sigstore.bundle+json;version=0.1';
 
-// Subset of sigstore.Bundle that has verification material as part
-// of the bundle
-export type BundleWithVerificationMaterial = WithRequired<
-  Bundle,
-  'verificationMaterial'
->;
-
-// Type guard for narrowing a Bundle to a BundleWithVerificationMaterial
-export function isBundleWithVerificationMaterial(
-  bundle: Bundle
-): bundle is BundleWithVerificationMaterial {
-  return bundle.verificationMaterial !== undefined;
-}
-
 // Subset of sigstore.Bundle that has a certificate chain as part
 // of the verification material (as opposed to a public key)
-export type BundleWithCertificateChain = Bundle & {
+export type BundleWithCertificateChain = ValidBundle & {
   verificationMaterial: VerificationMaterial & {
     content: Extract<
       VerificationMaterial['content'],
@@ -71,10 +90,9 @@ export type BundleWithCertificateChain = Bundle & {
 
 // Type guard for narrowing a Bundle to a BundleWithCertificateChain
 export function isBundleWithCertificateChain(
-  bundle: Bundle
+  bundle: ValidBundle
 ): bundle is BundleWithCertificateChain {
   return (
-    isBundleWithVerificationMaterial(bundle) &&
     bundle.verificationMaterial.content !== undefined &&
     bundle.verificationMaterial.content.$case === 'x509CertificateChain'
   );
@@ -122,6 +140,9 @@ export function isVerifiableTransparencyLogEntry(
   );
 }
 
+// All of the following functions are used to construct a ValidBundle
+// from various types of input. When this code moves into the
+// @sigstore/sign package, these functions will be exported from there.
 export function toDSSEBundle({
   envelope,
   signature,
@@ -132,7 +153,7 @@ export function toDSSEBundle({
   signature: SignatureMaterial;
   tlogEntry?: Entry;
   timestamp?: Buffer;
-}): Bundle {
+}): ValidBundle {
   return {
     mediaType: BUNDLE_MEDIA_TYPE,
     content: { $case: 'dsseEnvelope', dsseEnvelope: envelope },
@@ -154,7 +175,7 @@ export function toMessageSignatureBundle({
   signature: SignatureMaterial;
   tlogEntry?: Entry;
   timestamp?: Buffer;
-}): Bundle {
+}): ValidBundle {
   return {
     mediaType: BUNDLE_MEDIA_TYPE,
     content: {
@@ -210,7 +231,7 @@ function toVerificationMaterial({
   signature: SignatureMaterial;
   tlogEntry?: Entry;
   timestamp?: Buffer;
-}): VerificationMaterial {
+}): ValidBundle['verificationMaterial'] {
   return {
     content: signature.certificates
       ? toVerificationMaterialx509CertificateChain(signature.certificates)
@@ -224,7 +245,7 @@ function toVerificationMaterial({
 
 function toVerificationMaterialx509CertificateChain(
   certificates: string[]
-): VerificationMaterial['content'] {
+): ValidBundle['verificationMaterial']['content'] {
   return {
     $case: 'x509CertificateChain',
     x509CertificateChain: {
@@ -237,7 +258,7 @@ function toVerificationMaterialx509CertificateChain(
 
 function toVerificationMaterialPublicKey(
   hint: string
-): VerificationMaterial['content'] {
+): ValidBundle['verificationMaterial']['content'] {
   return { $case: 'publicKey', publicKey: { hint } };
 }
 
@@ -248,15 +269,3 @@ function toTimestampVerificationData(
     rfc3161Timestamps: [{ signedTimestamp: timestamp }],
   };
 }
-
-export function signingCertificate(
-  bundle: Bundle
-): x509Certificate | undefined {
-  if (!isBundleWithCertificateChain(bundle)) {
-    return undefined;
-  }
-
-  const signingCert =
-    bundle.verificationMaterial.content.x509CertificateChain.certificates[0];
-  return x509Certificate.parse(signingCert.rawBytes);
-}

packages/client/src/types/sigstore/serialized.ts

@@ -67,6 +67,9 @@ type SerializedDSSEEnvelope = {
   }[];
 };
 
+// Serialized form of the DSSE Envelope
+export type { SerializedDSSEEnvelope as SerializedEnvelope };
+
 // Serialized form of the Sigstore Bundle union type with all possible options
 // represented
 export type SerializedBundle = {
@@ -85,15 +88,3 @@ export type SerializedBundle = {
   dsseEnvelope: SerializedDSSEEnvelope;
   messageSignature: SerializedMessageSignature;
 }>;
-
-interface SerializedSignature {
-  sig: string;
-  keyid: string;
-}
-
-// Serialized form of the DSSE Envelope
-export type SerializedEnvelope = {
-  payload: string;
-  payloadType: string;
-  signatures: SerializedSignature[];
-};

packages/client/src/types/sigstore/validate.ts

@@ -13,15 +13,19 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 */
-import {
+import { ValidationError } from '../../error';
+import { WithRequired } from '../utility';
+
+import type {
   Bundle,
   MessageSignature,
   VerificationMaterial,
 } from '@sigstore/protobuf-specs';
-import { ValidationError } from '../../error';
-import { WithRequired } from '../utility';
 
-// Sigstore bundle with all required fields populated
+// Sigstore bundle with all required fields populated.
+// This is the version of Bundle which should be used for all internal
+// functions. Any Bundle which is passed to an internal function should be
+// validated with assertValidBundle and cast to ValidBundle.
 export type ValidBundle = Bundle & {
   verificationMaterial: VerificationMaterial & {
     content: NonNullable<VerificationMaterial['content']>;

packages/client/src/verify.ts

@@ -35,7 +35,7 @@ export class Verifier {
   // Verifies the bundle signature, the bundle's certificate chain (if present)
   // and the bundle's transparency log entries.
   public verify(
-    bundle: sigstore.ValidBundle,
+    bundle: sigstore.Bundle,
     options: sigstore.RequiredArtifactVerificationOptions,
     data?: Buffer
   ): void {
@@ -53,7 +53,7 @@ export class Verifier {
   // Performs bundle signature verification. Determines the type of the bundle
   // content and delegates to the appropriate signature verification function.
   private verifyArtifactSignature(
-    bundle: sigstore.ValidBundle,
+    bundle: sigstore.Bundle,
     data?: Buffer
   ): void {
     const publicKey = this.getPublicKey(bundle);
@@ -99,7 +99,7 @@ export class Verifier {
   // Performs verification of the bundle's transparency log entries. The bundle
   // must contain a list of transparency log entries.
   private verifyTLogEntries(
-    bundle: sigstore.ValidBundle,
+    bundle: sigstore.Bundle,
     options: sigstore.RequiredArtifactVerificationOptions
   ): void {
     tlog.verifyTLogEntries(bundle, this.trustedRoot, options.tlogOptions);
@@ -108,7 +108,7 @@ export class Verifier {
   // Returns the public key which will be used to verify the bundle signature.
   // The public key is selected based on the verification material in the bundle
   // and the options provided.
-  private getPublicKey(bundle: sigstore.ValidBundle): KeyLike {
+  private getPublicKey(bundle: sigstore.Bundle): KeyLike {
     // Select the key which will be used to verify the signature
     switch (bundle.verificationMaterial?.content?.$case) {
       // If the bundle contains a certificate chain, the public key is the