add documentation and reduce the surface of /pkg (sigstore#492)

Signed-off-by: Jake Sanders <jsand@google.com>

cmd/cosign/cli/attest.go

@@ -206,7 +206,7 @@ func AttestCmd(ctx context.Context, ko KeyOpts, imageRef string, certPath string
 		if sv.Cert != nil {
 			rekorBytes = sv.Cert
 		} else {
-			pemBytes, err := cosign.PublicKeyPem(sv, options.WithContext(ctx))
+			pemBytes, err := publicKeyPem(sv, options.WithContext(ctx))
 			if err != nil {
 				return err
 			}
@@ -216,7 +216,7 @@ func AttestCmd(ctx context.Context, ko KeyOpts, imageRef string, certPath string
 		if err != nil {
 			return err
 		}
-		entry, err := cosign.UploadAttestationTLog(rekorClient, sig, rekorBytes)
+		entry, err := cosign.TLogUploadInTotoAttestation(rekorClient, sig, rekorBytes)
 		if err != nil {
 			return err
 		}

cmd/cosign/cli/keys.go

@@ -17,15 +17,21 @@ package cli
 import (
 	"context"
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
 	"io/ioutil"
 	"path/filepath"
 	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/kubernetes"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/kms"
+	"github.com/theupdateframework/go-tuf/encrypted"
 )
 
 func loadKey(keyPath string, pf cosign.PassFunc) (*signature.ECDSASignerVerifier, error) {
@@ -37,7 +43,7 @@ func loadKey(keyPath string, pf cosign.PassFunc) (*signature.ECDSASignerVerifier
 	if err != nil {
 		return nil, err
 	}
-	return cosign.LoadECDSAPrivateKey(kb, pass)
+	return LoadECDSAPrivateKey(kb, pass)
 }
 
 func loadPublicKey(raw []byte) (signature.Verifier, error) {
@@ -67,7 +73,7 @@ func signerVerifierFromKeyRef(ctx context.Context, keyRef string, pf cosign.Pass
 		}
 
 		if len(s.Data) > 0 {
-			return cosign.LoadECDSAPrivateKey(s.Data["cosign.key"], s.Data["cosign.password"])
+			return LoadECDSAPrivateKey(s.Data["cosign.key"], s.Data["cosign.password"])
 		}
 	}
 
@@ -88,3 +94,37 @@ func publicKeyFromKeyRef(ctx context.Context, keyRef string) (signature.Verifier
 
 	return LoadPublicKey(ctx, keyRef)
 }
+
+func publicKeyPem(key signature.PublicKeyProvider, pkOpts ...signature.PublicKeyOption) ([]byte, error) {
+	pub, err := key.PublicKey(pkOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return cryptoutils.MarshalPublicKeyToPEM(pub)
+}
+
+func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error) {
+	// Decrypt first
+	p, _ := pem.Decode(key)
+	if p == nil {
+		return nil, errors.New("invalid pem block")
+	}
+	if p.Type != cosign.PrivakeKeyPemType {
+		return nil, fmt.Errorf("unsupported pem type: %s", p.Type)
+	}
+
+	x509Encoded, err := encrypted.Decrypt(p.Bytes, pass)
+	if err != nil {
+		return nil, errors.Wrap(err, "decrypt")
+	}
+
+	pk, err := x509.ParsePKCS8PrivateKey(x509Encoded)
+	if err != nil {
+		return nil, errors.Wrap(err, "parsing private key")
+	}
+	epk, ok := pk.(*ecdsa.PrivateKey)
+	if !ok {
+		return nil, fmt.Errorf("invalid private key")
+	}
+	return signature.LoadECDSASignerVerifier(epk, crypto.SHA256)
+}

cmd/cosign/cli/keys_test.go

@@ -16,6 +16,7 @@ package cli
 
 import (
 	"context"
+	"crypto/rand"
 	"io/ioutil"
 	"testing"
 
@@ -107,3 +108,30 @@ func TestPublicKeyFromFileRef(t *testing.T) {
 
 	}
 }
+
+func TestLoadECDSAPrivateKey(t *testing.T) {
+	// Generate a valid keypair
+	keys, err := cosign.GenerateKeyPair(pass("hello"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Load the private key with the right password
+	if _, err := LoadECDSAPrivateKey(keys.PrivateBytes, []byte("hello")); err != nil {
+		t.Errorf("unexpected error decrypting key: %s", err)
+	}
+
+	// Try it with the wrong one
+	if _, err := LoadECDSAPrivateKey(keys.PrivateBytes, []byte("wrong")); err == nil {
+		t.Error("expected error decrypting key!")
+	}
+
+	// Try to decrypt garbage
+	buf := [100]byte{}
+	if _, err := rand.Read(buf[:]); err != nil {
+		t.Fatal(err)
+	}
+	if _, err := LoadECDSAPrivateKey(buf[:], []byte("wrong")); err == nil {
+		t.Error("expected error decrypting key!")
+	}
+}

cmd/cosign/cli/public_key.go

@@ -130,7 +130,7 @@ func GetPublicKey(ctx context.Context, opts Pkopts, writer NamedWriter, pf cosig
 		k = pk
 	}
 
-	pemBytes, err := cosign.PublicKeyPem(k, options.WithContext(ctx))
+	pemBytes, err := publicKeyPem(k, options.WithContext(ctx))
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/sign.go

@@ -328,7 +328,7 @@ func SignCmd(ctx context.Context, ko KeyOpts, annotations map[string]interface{}
 			if sv.Cert != nil {
 				rekorBytes = sv.Cert
 			} else {
-				pemBytes, err := cosign.PublicKeyPem(sv, options.WithContext(ctx))
+				pemBytes, err := publicKeyPem(sv, options.WithContext(ctx))
 				if err != nil {
 					return err
 				}
@@ -338,7 +338,7 @@ func SignCmd(ctx context.Context, ko KeyOpts, annotations map[string]interface{}
 			if err != nil {
 				return err
 			}
-			entry, err := cosign.UploadTLog(rekorClient, sig, payload, rekorBytes)
+			entry, err := cosign.TLogUpload(rekorClient, sig, payload, rekorBytes)
 			if err != nil {
 				return err
 			}

cmd/cosign/cli/sign_blob.go

@@ -148,7 +148,7 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, payloadPath string, b64 bool,
 		// TODO: Refactor with sign.go
 		rekorBytes := sv.Cert
 		if rekorBytes == nil {
-			pemBytes, err := cosign.PublicKeyPem(sv, options.WithContext(ctx))
+			pemBytes, err := publicKeyPem(sv, options.WithContext(ctx))
 			if err != nil {
 				return nil, err
 			}
@@ -158,7 +158,7 @@ func SignBlobCmd(ctx context.Context, ko KeyOpts, payloadPath string, b64 bool,
 		if err != nil {
 			return nil, err
 		}
-		entry, err := cosign.UploadTLog(rekorClient, sig, payload, rekorBytes)
+		entry, err := cosign.TLogUpload(rekorClient, sig, payload, rekorBytes)
 		if err != nil {
 			return nil, err
 		}

cmd/cosign/cli/verify_blob.go

@@ -210,7 +210,7 @@ func VerifyBlobCmd(ctx context.Context, ko KeyOpts, certRef, sigRef, blobRef str
 		}
 		var pubBytes []byte
 		if pubKey != nil {
-			pubBytes, err = cosign.PublicKeyPem(pubKey, options.WithContext(ctx))
+			pubBytes, err = publicKeyPem(pubKey, options.WithContext(ctx))
 			if err != nil {
 				return err
 			}

pkg/cosign/fetch.go

@@ -40,6 +40,7 @@ type SignedPayload struct {
 	Cert            *x509.Certificate
 	Chain           []*x509.Certificate
 	Bundle          *cremote.Bundle
+	bundleVerified  bool
 }
 
 // TODO: marshal the cert correctly.

pkg/cosign/keys.go

@@ -16,7 +16,6 @@
 package cosign
 
 import (
-	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
@@ -29,11 +28,11 @@ import (
 	"github.com/theupdateframework/go-tuf/encrypted"
 
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
-	"github.com/sigstore/sigstore/pkg/signature"
 )
 
 const (
-	PemType   = "ENCRYPTED COSIGN PRIVATE KEY"
+	PrivakeKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY"
+
 	sigkey    = "dev.cosignproject.cosign/signature"
 	certkey   = "dev.sigstore.cosign/certificate"
 	chainkey  = "dev.sigstore.cosign/chain"
@@ -74,7 +73,7 @@ func GenerateKeyPair(pf PassFunc) (*Keys, error) {
 	// store in PEM format
 	privBytes := pem.EncodeToMemory(&pem.Block{
 		Bytes: encBytes,
-		Type:  PemType,
+		Type:  PrivakeKeyPemType,
 	})
 
 	// Now do the public key
@@ -94,40 +93,6 @@ func (k *Keys) Password() []byte {
 	return k.password
 }
 
-func PublicKeyPem(key signature.PublicKeyProvider, pkOpts ...signature.PublicKeyOption) ([]byte, error) {
-	pub, err := key.PublicKey(pkOpts...)
-	if err != nil {
-		return nil, err
-	}
-	return cryptoutils.MarshalPublicKeyToPEM(pub)
-}
-
-func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifier, error) {
-	// Decrypt first
-	p, _ := pem.Decode(key)
-	if p == nil {
-		return nil, errors.New("invalid pem block")
-	}
-	if p.Type != PemType {
-		return nil, fmt.Errorf("unsupported pem type: %s", p.Type)
-	}
-
-	x509Encoded, err := encrypted.Decrypt(p.Bytes, pass)
-	if err != nil {
-		return nil, errors.Wrap(err, "decrypt")
-	}
-
-	pk, err := x509.ParsePKCS8PrivateKey(x509Encoded)
-	if err != nil {
-		return nil, errors.Wrap(err, "parsing private key")
-	}
-	epk, ok := pk.(*ecdsa.PrivateKey)
-	if !ok {
-		return nil, fmt.Errorf("invalid private key")
-	}
-	return signature.LoadECDSASignerVerifier(epk, crypto.SHA256)
-}
-
 func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
 	pub, err := cryptoutils.UnmarshalPEMToPublicKey(pemBytes)
 	if err != nil {

pkg/cosign/remote/remote.go

@@ -39,11 +39,12 @@ import (
 
 const (
 	SimpleSigningMediaType = "application/vnd.dev.cosign.simplesigning.v1+json"
-	sigkey                 = "dev.cosignproject.cosign/signature"
-	certkey                = "dev.sigstore.cosign/certificate"
-	chainkey               = "dev.sigstore.cosign/chain"
-	BundleKey              = "dev.sigstore.cosign/bundle"
-	DockerMediaTypesEnv    = "COSIGN_DOCKER_MEDIA_TYPES"
+
+	sigkey              = "dev.cosignproject.cosign/signature"
+	certkey             = "dev.sigstore.cosign/certificate"
+	chainkey            = "dev.sigstore.cosign/chain"
+	BundleKey           = "dev.sigstore.cosign/bundle"
+	DockerMediaTypesEnv = "COSIGN_DOCKER_MEDIA_TYPES"
 )
 
 func Descriptors(ref name.Reference, remoteOpts ...remote.Option) ([]v1.Descriptor, error) {