pkg: separate pki types from implementations

pkg/pki package defines both the interface types for PublicKey
and Signature, linked to many external packages, and also all the
implementations for pki via static factory map.

This separates the types to separate package so the packages
that use them can be included without a big dependency chain.
The types are aliased to the old pkg/pki package so that this
change wouldn't break any backwards compatibility.

Signed-off-by: Tonis Tiigi <[email protected]>

Author: tonistiigi

pkg/pki/pki.go

@@ -16,25 +16,11 @@
 package pki
 
 import (
-	"io"
-
-	"github.com/sigstore/rekor/pkg/pki/identity"
-	sigsig "github.com/sigstore/sigstore/pkg/signature"
+	pkitypes "github.com/sigstore/rekor/pkg/pki/pkitypes"
 )
 
 // PublicKey Generic object representing a public key (regardless of format & algorithm)
-type PublicKey interface {
-	CanonicalValue() ([]byte, error)
-	// Deprecated: EmailAddresses() will be deprecated in favor of Subjects() which will
-	// also return Subject URIs present in public keys.
-	EmailAddresses() []string
-	Subjects() []string
-	// Identities returns a list of typed keys and certificates.
-	Identities() ([]identity.Identity, error)
-}
+type PublicKey = pkitypes.PublicKey
 
 // Signature Generic object representing a signature (regardless of format & algorithm)
-type Signature interface {
-	CanonicalValue() ([]byte, error)
-	Verify(r io.Reader, k interface{}, opts ...sigsig.VerifyOption) error
-}
+type Signature = pkitypes.Signature

pkg/pki/pkitypes/types.go

@@ -0,0 +1,40 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pki
+
+import (
+	"io"
+
+	"github.com/sigstore/rekor/pkg/pki/identity"
+	sigsig "github.com/sigstore/sigstore/pkg/signature"
+)
+
+// PublicKey Generic object representing a public key (regardless of format & algorithm)
+type PublicKey interface {
+	CanonicalValue() ([]byte, error)
+	// Deprecated: EmailAddresses() will be deprecated in favor of Subjects() which will
+	// also return Subject URIs present in public keys.
+	EmailAddresses() []string
+	Subjects() []string
+	// Identities returns a list of typed keys and certificates.
+	Identities() ([]identity.Identity, error)
+}
+
+// Signature Generic object representing a signature (regardless of format & algorithm)
+type Signature interface {
+	CanonicalValue() ([]byte, error)
+	Verify(r io.Reader, k interface{}, opts ...sigsig.VerifyOption) error
+}

pkg/types/dsse/v0.0.1/entry.go

@@ -38,7 +38,7 @@ import (
 
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/log"
-	"github.com/sigstore/rekor/pkg/pki"
+	pkitypes "github.com/sigstore/rekor/pkg/pki/pkitypes"
 	"github.com/sigstore/rekor/pkg/pki/x509"
 	"github.com/sigstore/rekor/pkg/types"
 	dsseType "github.com/sigstore/rekor/pkg/types/dsse"
@@ -508,12 +508,12 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
 	return verifierBySig, nil
 }
 
-func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pkitypes.PublicKey, error) {
 	if len(v.DSSEObj.Signatures) == 0 {
 		return nil, errors.New("dsse v0.0.1 entry not initialized")
 	}
 
-	var keys []pki.PublicKey
+	var keys []pkitypes.PublicKey
 	for _, s := range v.DSSEObj.Signatures {
 		key, err := x509.NewPublicKey(bytes.NewReader(*s.Verifier))
 		if err != nil {

pkg/types/entries.go

@@ -27,7 +27,7 @@ import (
 	"github.com/go-openapi/strfmt"
 	"github.com/mitchellh/mapstructure"
 	"github.com/sigstore/rekor/pkg/generated/models"
-	"github.com/sigstore/rekor/pkg/pki"
+	pkitypes "github.com/sigstore/rekor/pkg/pki/pkitypes"
 )
 
 // EntryImpl specifies the behavior of a versioned type
@@ -37,9 +37,9 @@ type EntryImpl interface {
 	Canonicalize(ctx context.Context) ([]byte, error) // marshal the canonical entry to be put into the tlog
 	Unmarshal(e models.ProposedEntry) error           // unmarshal the abstract entry into the specific struct for this versioned type
 	CreateFromArtifactProperties(context.Context, ArtifactProperties) (models.ProposedEntry, error)
-	Verifiers() ([]pki.PublicKey, error) // list of keys or certificates that can verify an entry's signature
-	ArtifactHash() (string, error)       // hex-encoded artifact hash prefixed with hash name, e.g. sha256:abcdef
-	Insertable() (bool, error)           // denotes whether the entry that was unmarshalled has the writeOnly fields required to validate and insert into the log
+	Verifiers() ([]pkitypes.PublicKey, error) // list of keys or certificates that can verify an entry's signature
+	ArtifactHash() (string, error)            // hex-encoded artifact hash prefixed with hash name, e.g. sha256:abcdef
+	Insertable() (bool, error)                // denotes whether the entry that was unmarshalled has the writeOnly fields required to validate and insert into the log
 }
 
 // EntryWithAttestationImpl specifies the behavior of a versioned type that also stores attestations

pkg/types/hashedrekord/v0.0.1/entry.go

@@ -34,7 +34,7 @@ import (
 
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/log"
-	"github.com/sigstore/rekor/pkg/pki"
+	pkitypes "github.com/sigstore/rekor/pkg/pki/pkitypes"
 	"github.com/sigstore/rekor/pkg/pki/x509"
 	"github.com/sigstore/rekor/pkg/types"
 	hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord"
@@ -201,7 +201,7 @@ func (v *V001Entry) Canonicalize(_ context.Context) ([]byte, error) {
 }
 
 // validate performs cross-field validation for fields in object
-func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) {
+func (v *V001Entry) validate() (pkitypes.Signature, pkitypes.PublicKey, error) {
 	sig := v.HashedRekordObj.Signature
 	if sig == nil {
 		return nil, nil, &types.InputValidationError{Err: errors.New("missing signature")}
@@ -281,7 +281,7 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
 
 	var err error
 
-	if props.PKIFormat != string(pki.X509) {
+	if props.PKIFormat != "x509" {
 		return nil, errors.New("hashedrekord entries can only be created for artifacts signed with x509-based PKI")
 	}
 
@@ -330,15 +330,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
 	return &returnVal, nil
 }
 
-func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pkitypes.PublicKey, error) {
 	if v.HashedRekordObj.Signature == nil || v.HashedRekordObj.Signature.PublicKey == nil || v.HashedRekordObj.Signature.PublicKey.Content == nil {
 		return nil, errors.New("hashedrekord v0.0.1 entry not initialized")
 	}
 	key, err := x509.NewPublicKey(bytes.NewReader(v.HashedRekordObj.Signature.PublicKey.Content))
 	if err != nil {
 		return nil, err
 	}
-	return []pki.PublicKey{key}, nil
+	return []pkitypes.PublicKey{key}, nil
 }
 
 func (v V001Entry) ArtifactHash() (string, error) {

pkg/types/intoto/v0.0.1/entry.go

@@ -38,7 +38,7 @@ import (
 
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/log"
-	"github.com/sigstore/rekor/pkg/pki"
+	pkitypes "github.com/sigstore/rekor/pkg/pki/pkitypes"
 	"github.com/sigstore/rekor/pkg/pki/x509"
 	"github.com/sigstore/rekor/pkg/types"
 	"github.com/sigstore/rekor/pkg/types/intoto"
@@ -58,7 +58,7 @@ func init() {
 
 type V001Entry struct {
 	IntotoObj models.IntotoV001Schema
-	keyObj    pki.PublicKey
+	keyObj    pkitypes.PublicKey
 	env       dsse.Envelope
 }
 
@@ -411,15 +411,15 @@ func (v V001Entry) CreateFromArtifactProperties(_ context.Context, props types.A
 	return &returnVal, nil
 }
 
-func (v V001Entry) Verifiers() ([]pki.PublicKey, error) {
+func (v V001Entry) Verifiers() ([]pkitypes.PublicKey, error) {
 	if v.IntotoObj.PublicKey == nil {
 		return nil, errors.New("intoto v0.0.1 entry not initialized")
 	}
 	key, err := x509.NewPublicKey(bytes.NewReader(*v.IntotoObj.PublicKey))
 	if err != nil {
 		return nil, err
 	}
-	return []pki.PublicKey{key}, nil
+	return []pkitypes.PublicKey{key}, nil
 }
 
 func (v V001Entry) ArtifactHash() (string, error) {

pkg/types/intoto/v0.0.2/entry.go

@@ -39,7 +39,7 @@ import (
 
 	"github.com/sigstore/rekor/pkg/generated/models"
 	"github.com/sigstore/rekor/pkg/log"
-	"github.com/sigstore/rekor/pkg/pki"
+	pkitypes "github.com/sigstore/rekor/pkg/pki/pkitypes"
 	"github.com/sigstore/rekor/pkg/pki/x509"
 	"github.com/sigstore/rekor/pkg/types"
 	"github.com/sigstore/rekor/pkg/types/intoto"
@@ -577,7 +577,7 @@ func verifyEnvelope(allPubKeyBytes [][]byte, env *dsse.Envelope) (map[string]*x5
 	return verifierBySig, nil
 }
 
-func (v V002Entry) Verifiers() ([]pki.PublicKey, error) {
+func (v V002Entry) Verifiers() ([]pkitypes.PublicKey, error) {
 	if v.IntotoObj.Content == nil || v.IntotoObj.Content.Envelope == nil {
 		return nil, errors.New("intoto v0.0.2 entry not initialized")
 	}
@@ -587,7 +587,7 @@ func (v V002Entry) Verifiers() ([]pki.PublicKey, error) {
 		return nil, errors.New("no signatures found on intoto entry")
 	}
 
-	var keys []pki.PublicKey
+	var keys []pkitypes.PublicKey
 	for _, s := range v.IntotoObj.Content.Envelope.Signatures {
 		key, err := x509.NewPublicKey(bytes.NewReader(*s.PublicKey))
 		if err != nil {

pkg/types/test_util.go

@@ -22,7 +22,7 @@ import (
 	"github.com/go-openapi/strfmt"
 
 	"github.com/sigstore/rekor/pkg/generated/models"
-	"github.com/sigstore/rekor/pkg/pki"
+	pkitypes "github.com/sigstore/rekor/pkg/pki/pkitypes"
 )
 
 type BaseUnmarshalTester struct{}
@@ -35,7 +35,7 @@ func (u BaseUnmarshalTester) ArtifactHash() (string, error) {
 	return "", nil
 }
 
-func (u BaseUnmarshalTester) Verifiers() ([]pki.PublicKey, error) {
+func (u BaseUnmarshalTester) Verifiers() ([]pkitypes.PublicKey, error) {
 	return nil, nil
 }