Make SCTsigner an object (#263)

phbnf · web-flow · commit 76b85e3fe4e8 · 2025-04-15T16:15:21.000+01:00
* move sct signer to object

# Conflicts:
#	internal/scti/handlers_test.go

# Conflicts:
#	internal/scti/handlers_test.go

# Conflicts:
#	internal/scti/signatures_test.go

* typo
diff --git a/internal/scti/ctlog.go b/internal/scti/ctlog.go
@@ -30,6 +30,9 @@ type log struct {
 	storage Storage
 }
 
+// signSCT builds an SCT for a leaf.
+type signSCT func(leaf *rfc6962.MerkleTreeLeaf) (*rfc6962.SignedCertificateTimestamp, error)
+
 // Storage provides functions to store certificates in a static-ct-api log.
 type Storage interface {
 	// Add assigns an index to the provided Entry, stages the entry for integration, and returns a future for the assigned index.
@@ -71,9 +74,8 @@ func NewLog(ctx context.Context, origin string, signer crypto.Signer, cv ChainVa
 		return nil, fmt.Errorf("unsupported key type: %v", keyType)
 	}
 
-	log.signSCT = func(leaf *rfc6962.MerkleTreeLeaf) (*rfc6962.SignedCertificateTimestamp, error) {
-		return buildV1SCT(signer, leaf)
-	}
+	sctSigner := &sctSigner{signer: signer}
+	log.signSCT = sctSigner.Sign
 
 	log.chainValidator = cv
 
diff --git a/internal/scti/handlers_test.go b/internal/scti/handlers_test.go
@@ -96,7 +96,7 @@ func setupTestLog(t *testing.T) (*log, string) {
 	t.Helper()
 	storageDir := t.TempDir()
 
-	signer, err := setupSigner(fakeSignature)
+	sctSigner, err := setupSCTSigner(fakeSignature)
 	if err != nil {
 		t.Fatalf("Failed to create test signer: %v", err)
 	}
@@ -112,7 +112,7 @@ func setupTestLog(t *testing.T) (*log, string) {
 		rejectUnexpired: false,
 	}
 
-	log, err := NewLog(t.Context(), origin, signer, cv, newPOSIXStorageFunc(t, storageDir), newFixedTimeSource(fakeTime))
+	log, err := NewLog(t.Context(), origin, sctSigner.signer, cv, newPOSIXStorageFunc(t, storageDir), newFixedTimeSource(fakeTime))
 	if err != nil {
 		t.Fatalf("newLog(): %v", err)
 	}
diff --git a/internal/scti/signatures.go b/internal/scti/signatures.go
@@ -31,8 +31,9 @@ import (
 
 const nanosPerMilli int64 = int64(time.Millisecond / time.Nanosecond)
 
-// signSCT builds an SCT for a leaf.
-type signSCT func(leaf *rfc6962.MerkleTreeLeaf) (*rfc6962.SignedCertificateTimestamp, error)
+type sctSigner struct {
+	signer crypto.Signer
+}
 
 // serializeSCTSignatureInput serializes the passed in sct and log entry into
 // the correct format for signing.
@@ -63,9 +64,7 @@ func serializeSCTSignatureInput(sct rfc6962.SignedCertificateTimestamp, entry rf
 	}
 }
 
-// TODO(phboneff): create an SCTSigner object
-// TODO(phboneff): see if we can change leaf to idx and entry
-func buildV1SCT(signer crypto.Signer, leaf *rfc6962.MerkleTreeLeaf) (*rfc6962.SignedCertificateTimestamp, error) {
+func (sctSigner *sctSigner) Sign(leaf *rfc6962.MerkleTreeLeaf) (*rfc6962.SignedCertificateTimestamp, error) {
 	// Serialize SCT signature input to get the bytes that need to be signed
 	sctInput := rfc6962.SignedCertificateTimestamp{
 		SCTVersion: rfc6962.V1,
@@ -78,20 +77,20 @@ func buildV1SCT(signer crypto.Signer, leaf *rfc6962.MerkleTreeLeaf) (*rfc6962.Si
 	}
 
 	h := sha256.Sum256(data)
-	signature, err := signer.Sign(rand.Reader, h[:], crypto.SHA256)
+	signature, err := sctSigner.signer.Sign(rand.Reader, h[:], crypto.SHA256)
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign SCT data: %v", err)
 	}
 
 	digitallySigned := rfc6962.DigitallySigned{
 		Algorithm: tls.SignatureAndHashAlgorithm{
 			Hash:      tls.SHA256,
-			Signature: tls.SignatureAlgorithmFromPubKey(signer.Public()),
+			Signature: tls.SignatureAlgorithmFromPubKey(sctSigner.signer.Public()),
 		},
 		Signature: signature,
 	}
 
-	logID, err := getCTLogID(signer.Public())
+	logID, err := getCTLogID(sctSigner.signer.Public())
 	if err != nil {
 		return nil, fmt.Errorf("failed to get logID for signing: %v", err)
 	}
diff --git a/internal/scti/signatures_test.go b/internal/scti/signatures_test.go
@@ -16,7 +16,6 @@ package scti
 
 import (
 	"bytes"
-	"crypto"
 	"crypto/ecdsa"
 	"crypto/sha256"
 	"crypto/x509"
@@ -250,7 +249,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 		t.Fatalf("failed to set up test cert: %v", err)
 	}
 
-	signer, err := setupSigner(fakeSignature)
+	sctSigner, err := setupSCTSigner(fakeSignature)
 	if err != nil {
 		t.Fatalf("could not create signer: %v", err)
 	}
@@ -267,7 +266,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {
 	} else if len(rest) > 0 {
 		t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
 	}
-	got, err := buildV1SCT(signer, &leaf)
+	got, err := sctSigner.Sign(&leaf)
 	if err != nil {
 		t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 	}
@@ -313,7 +312,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 		t.Fatalf("failed to set up test precert: %v", err)
 	}
 
-	signer, err := setupSigner(fakeSignature)
+	sctSigner, err := setupSCTSigner(fakeSignature)
 	if err != nil {
 		t.Fatalf("could not create signer: %v", err)
 	}
@@ -331,7 +330,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {
 		t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))
 	}
 
-	got, err := buildV1SCT(signer, &leaf)
+	got, err := sctSigner.Sign(&leaf)
 	if err != nil {
 		t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)
 	}
@@ -393,14 +392,14 @@ func TestGetCTLogID(t *testing.T) {
 
 // Creates a fake signer for use in interaction tests.
 // It will always return fakeSig when asked to sign something.
-func setupSigner(fakeSig []byte) (crypto.Signer, error) {
+func setupSCTSigner(fakeSig []byte) (*sctSigner, error) {
 	block, _ := pem.Decode([]byte(testdata.DemoPublicKey))
 	key, err := x509.ParsePKIXPublicKey(block.Bytes)
 	if err != nil {
 		return nil, err
 	}
 
-	return testdata.NewSignerWithFixedSig(key, fakeSig), nil
+	return &sctSigner{testdata.NewSignerWithFixedSig(key, fakeSig)}, nil
 }
 
 func TestBuildCp(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func setupTestLog(t testing.T) (log, string) {`
`96`	`96`	`t.Helper()`
`97`	`97`	`storageDir := t.TempDir()`
`98`	`98`
`99`		`- signer, err := setupSigner(fakeSignature)`
	`99`	`+ sctSigner, err := setupSCTSigner(fakeSignature)`
`100`	`100`	`if err != nil {`
`101`	`101`	`t.Fatalf("Failed to create test signer: %v", err)`
`102`	`102`	`}`
`@@ -112,7 +112,7 @@ func setupTestLog(t testing.T) (log, string) {`
`112`	`112`	`rejectUnexpired: false,`
`113`	`113`	`}`
`114`	`114`
`115`		`- log, err := NewLog(t.Context(), origin, signer, cv, newPOSIXStorageFunc(t, storageDir), newFixedTimeSource(fakeTime))`
	`115`	`+ log, err := NewLog(t.Context(), origin, sctSigner.signer, cv, newPOSIXStorageFunc(t, storageDir), newFixedTimeSource(fakeTime))`
`116`	`116`	`if err != nil {`
`117`	`117`	`t.Fatalf("newLog(): %v", err)`
`118`	`118`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,6 @@ package scti`
`16`	`16`
`17`	`17`	`import (`
`18`	`18`	`"bytes"`
`19`		`- "crypto"`
`20`	`19`	`"crypto/ecdsa"`
`21`	`20`	`"crypto/sha256"`
`22`	`21`	`"crypto/x509"`
`@@ -250,7 +249,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {`
`250`	`249`	`t.Fatalf("failed to set up test cert: %v", err)`
`251`	`250`	`}`
`252`	`251`
`253`		`- signer, err := setupSigner(fakeSignature)`
	`252`	`+ sctSigner, err := setupSCTSigner(fakeSignature)`
`254`	`253`	`if err != nil {`
`255`	`254`	`t.Fatalf("could not create signer: %v", err)`
`256`	`255`	`}`
`@@ -267,7 +266,7 @@ func TestBuildV1MerkleTreeLeafForCert(t *testing.T) {`
`267`	`266`	`} else if len(rest) > 0 {`
`268`	`267`	`t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))`
`269`	`268`	`}`
`270`		`- got, err := buildV1SCT(signer, &leaf)`
	`269`	`+ got, err := sctSigner.Sign(&leaf)`
`271`	`270`	`if err != nil {`
`272`	`271`	`t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)`
`273`	`272`	`}`
`@@ -313,7 +312,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {`
`313`	`312`	`t.Fatalf("failed to set up test precert: %v", err)`
`314`	`313`	`}`
`315`	`314`
`316`		`- signer, err := setupSigner(fakeSignature)`
	`315`	`+ sctSigner, err := setupSCTSigner(fakeSignature)`
`317`	`316`	`if err != nil {`
`318`	`317`	`t.Fatalf("could not create signer: %v", err)`
`319`	`318`	`}`
`@@ -331,7 +330,7 @@ func TestSignV1SCTForPrecertificate(t *testing.T) {`
`331`	`330`	`t.Fatalf("extra data (%d bytes) on reconstructing MerkleTreeLeaf", len(rest))`
`332`	`331`	`}`
`333`	`332`
`334`		`- got, err := buildV1SCT(signer, &leaf)`
	`333`	`+ got, err := sctSigner.Sign(&leaf)`
`335`	`334`	`if err != nil {`
`336`	`335`	`t.Fatalf("buildV1SCT()=nil,%v; want _,nil", err)`
`337`	`336`	`}`
`@@ -393,14 +392,14 @@ func TestGetCTLogID(t *testing.T) {`
`393`	`392`
`394`	`393`	`// Creates a fake signer for use in interaction tests.`
`395`	`394`	`// It will always return fakeSig when asked to sign something.`
`396`		`-func setupSigner(fakeSig []byte) (crypto.Signer, error) {`
	`395`	`+func setupSCTSigner(fakeSig []byte) (*sctSigner, error) {`
`397`	`396`	`block, _ := pem.Decode([]byte(testdata.DemoPublicKey))`
`398`	`397`	`key, err := x509.ParsePKIXPublicKey(block.Bytes)`
`399`	`398`	`if err != nil {`
`400`	`399`	`return nil, err`
`401`	`400`	`}`
`402`	`401`
`403`		`- return testdata.NewSignerWithFixedSig(key, fakeSig), nil`
	`402`	`+ return &sctSigner{testdata.NewSignerWithFixedSig(key, fakeSig)}, nil`
`404`	`403`	`}`
`405`	`404`
`406`	`405`	`func TestBuildCp(t *testing.T) {`