sigstore · codysoyland · Dec 11, 2024 · Dec 10, 2024 · Dec 10, 2024 · Dec 10, 2024
@@ -255,7 +255,7 @@ func (b *Bundle) VerificationContent() (verify.VerificationContent, error) {
 			return nil, ErrValidationError(err)
 		}
 		cert := &Certificate{
-			Certificate: parsedCert,
+			certificate: parsedCert,
 		}
 		return cert, nil
 	case *protobundle.VerificationMaterial_Certificate:
@@ -267,7 +267,7 @@ func (b *Bundle) VerificationContent() (verify.VerificationContent, error) {
 			return nil, ErrValidationError(err)
 		}
 		cert := &Certificate{
-			Certificate: parsedCert,
+			certificate: parsedCert,
 		}
 		return cert, nil
 	case *protobundle.VerificationMaterial_PublicKey:

@@ -814,7 +814,7 @@ func TestVerificationContent(t *testing.T) {
 			}
 			require.NoError(t, gotErr)
 			if tt.wantCertificate {
-				require.NotNil(t, got.GetCertificate())
+				require.NotNil(t, got.Certificate())
 				return
 			}
 			if tt.wantPublicKey {

@@ -24,7 +24,11 @@ import (
 )
 
 type Certificate struct {
-	*x509.Certificate
+	certificate *x509.Certificate
+}
+
+func NewCertificate(cert *x509.Certificate) *Certificate {
+	return &Certificate{certificate: cert}
 }
 
 type PublicKey struct {
@@ -41,15 +45,15 @@ func (c *Certificate) CompareKey(key any, _ root.TrustedMaterial) bool {
 		return false
 	}
 
-	return c.Certificate.Equal(x509Key)
+	return c.certificate.Equal(x509Key)
 }
 
 func (c *Certificate) ValidAtTime(t time.Time, _ root.TrustedMaterial) bool {
-	return !(c.Certificate.NotAfter.Before(t) || c.Certificate.NotBefore.After(t))
+	return !(c.certificate.NotAfter.Before(t) || c.certificate.NotBefore.After(t))
 }
 
-func (c *Certificate) GetCertificate() *x509.Certificate {
-	return c.Certificate
+func (c *Certificate) Certificate() *x509.Certificate {
+	return c.certificate
 }
 
 func (c *Certificate) HasPublicKey() (verify.PublicKeyProvider, bool) {
@@ -79,7 +83,7 @@ func (pk *PublicKey) ValidAtTime(t time.Time, tm root.TrustedMaterial) bool {
 	return verifier.ValidAtTime(t)
 }
 
-func (pk *PublicKey) GetCertificate() *x509.Certificate {
+func (pk *PublicKey) Certificate() *x509.Certificate {
 	return nil
 }
 

@@ -30,7 +30,7 @@ func TestSummarizeCertificateWithActionsBundle(t *testing.T) {
 		t.Fatalf("failed to get verification content: %v", err)
 	}
 
-	leaf := vc.GetCertificate()
+	leaf := vc.Certificate()
 
 	if leaf == nil {
 		t.Fatalf("expected verification content to be a certificate chain")
@@ -79,7 +79,7 @@ func TestSummarizeCertificateWithOauthBundle(t *testing.T) {
 		t.Fatalf("failed to get verification content: %v", err)
 	}
 
-	leaf := vc.GetCertificate()
+	leaf := vc.Certificate()
 
 	if leaf == nil {
 		t.Fatalf("expected verification content to be a certificate chain")
@@ -108,7 +108,7 @@ func TestSummarizeCertificateWithOtherNameSAN(t *testing.T) {
 		t.Fatalf("failed to get verification content: %v", err)
 	}
 
-	leaf := vc.GetCertificate()
+	leaf := vc.Certificate()
 
 	if leaf == nil {
 		t.Fatalf("expected verification content to be a certificate chain")

@@ -516,7 +516,7 @@ type TestEntity struct {
 }
 
 func (e *TestEntity) VerificationContent() (verify.VerificationContent, error) {
-	return &bundle.Certificate{Certificate: e.certChain[0]}, nil
+	return bundle.NewCertificate(e.certChain[0]), nil
 }
 
 func (e *TestEntity) HasInclusionPromise() bool {

@@ -63,7 +63,7 @@ type SignedEntity interface {
 type VerificationContent interface {
 	CompareKey(any, root.TrustedMaterial) bool
 	ValidAtTime(time.Time, root.TrustedMaterial) bool
-	GetCertificate() *x509.Certificate
+	Certificate() *x509.Certificate
 	HasPublicKey() (PublicKeyProvider, bool)
 }
 

@@ -94,7 +94,7 @@ func VerifySignatureWithArtifactDigest(sigContent SignatureContent, verification
 }
 
 func getSignatureVerifier(verificationContent VerificationContent, tm root.TrustedMaterial) (signature.Verifier, error) {
-	if leafCert := verificationContent.GetCertificate(); leafCert != nil {
+	if leafCert := verificationContent.Certificate(); leafCert != nil {
 		// TODO: Inspect certificate's SignatureAlgorithm to determine hash function
 		return signature.LoadVerifier(leafCert.PublicKey, crypto.SHA256)
 	} else if pk, ok := verificationContent.HasPublicKey(); ok {

@@ -508,7 +508,7 @@ func (v *SignedEntityVerifier) Verify(entity SignedEntity, pb PolicyBuilder) (*V
 
 	// If the bundle was signed with a long-lived key, and does not have a Fulcio certificate,
 	// then skip the certificate verification steps
-	if leafCert := verificationContent.GetCertificate(); leafCert != nil {
+	if leafCert := verificationContent.Certificate(); leafCert != nil {
 		if policy.WeExpectSigningKey() {
 			return nil, errors.New("expected key signature, not certificate")
 		}
@@ -719,7 +719,7 @@ func (v *SignedEntityVerifier) VerifyObserverTimestamps(entity SignedEntity, log
 			return nil, err
 		}
 
-		if leafCert := verificationContent.GetCertificate(); leafCert != nil {
+		if leafCert := verificationContent.Certificate(); leafCert != nil {
 			verifiedTimestamps = append(verifiedTimestamps, TimestampVerificationResult{Type: "LeafCert.NotBefore", URI: "", Timestamp: leafCert.NotBefore})
 		} else {
 			// no cert? use current time