Decouple manifest signing and verification

It was probably ill-advised to couple manifest signing and verification to their respective types. This changeset simply changes them from methods to functions. These might not even be in this package in the future. Signed-off-by: Stephen J Day <stephen.day@docker.com>
2015-01-02 15:46:47 -08:00 · 2015-01-02 15:46:47 -08:00 · f1f610c6cd
commit f1f610c6cd
parent 579aa3b617
7 changed files with 108 additions and 95 deletions
--- a/manifest/sign.go
+++ b/manifest/sign.go
@ -0,0 +1,66 @@
+package manifest
+
+import (
+	"crypto/x509"
+	"encoding/json"
+
+	"github.com/docker/libtrust"
+)
+
+// Sign signs the manifest with the provided private key, returning a
+// SignedManifest. This typically won't be used within the registry, except
+// for testing.
+func Sign(m *Manifest, pk libtrust.PrivateKey) (*SignedManifest, error) {
+	p, err := json.MarshalIndent(m, "", "   ")
+	if err != nil {
+		return nil, err
+	}
+
+	js, err := libtrust.NewJSONSignature(p)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := js.Sign(pk); err != nil {
+		return nil, err
+	}
+
+	pretty, err := js.PrettySignature("signatures")
+	if err != nil {
+		return nil, err
+	}
+
+	return &SignedManifest{
+		Manifest: *m,
+		Raw:      pretty,
+	}, nil
+}
+
+// SignWithChain signs the manifest with the given private key and x509 chain.
+// The public key of the first element in the chain must be the public key
+// corresponding with the sign key.
+func SignWithChain(m *Manifest, key libtrust.PrivateKey, chain []*x509.Certificate) (*SignedManifest, error) {
+	p, err := json.MarshalIndent(m, "", "   ")
+	if err != nil {
+		return nil, err
+	}
+
+	js, err := libtrust.NewJSONSignature(p)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := js.SignWithChain(key, chain); err != nil {
+		return nil, err
+	}
+
+	pretty, err := js.PrettySignature("signatures")
+	if err != nil {
+		return nil, err
+	}
+
+	return &SignedManifest{
+		Manifest: *m,
+		Raw:      pretty,
+	}, nil
+}