veraison / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0

refactor!: accept message content instead of digest for sign and verify #101

Closed shizhMSFT closed 2 years ago

shizhMSFT commented 2 years ago

Resolves #100

Changes:

codecov[bot] commented 2 years ago

Codecov Report

Merging #101 (aa2f81c) into main (66b4a5a) will increase coverage by 2.61%. The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #101      +/-   ##
==========================================
+ Coverage   89.48%   92.10%   +2.61%     
==========================================
  Files          10       10              
  Lines        1018      975      -43     
==========================================
- Hits          911      898      -13     
+ Misses         72       51      -21     
+ Partials       35       26       -9     
| Impacted Files | Coverage Δ |
|---|---|
| signer.go | 100.00% <ø> (ø) |
| verifier.go | 100.00% <ø> (ø) |
| algorithm.go | 100.00% <100.00%> (+3.44%) |
| ecdsa.go | 95.89% <100.00%> (+19.32%) |
| ed25519.go | 100.00% <100.00%> (ø) |
| rsa.go | 100.00% <100.00%> (+25.00%) |
| sign.go | 88.93% <100.00%> (+1.03%) |
| sign1.go | 86.86% <100.00%> (+1.75%) |
| headers.go | 93.05% <0.00%> (+0.90%) |

... and 2 more


qmuntal commented 2 years ago

If I'm not mistaken, one could previously register a custom algorithm and reuse the built-in signers. This PR removes this capability. Is this intentional?

shizhMSFT commented 2 years ago

> If I'm not mistaken, one could previously register a custom algorithm and reuse the built-in signers. This PR removes this capability. Is this intentional?

Previously, we needed to register the external algorithm to access hash algorithms. Now, we don't need them since the digests are computed by the Signer and the Verifier.

External algorithm implementors can implement the Signer and Verifier interfaces and can be used by go-cose directly without any registration. Here's an example implementation.

qmuntal commented 2 years ago

> > If I'm not mistaken, one could previously register a custom algorithm and reuse the built-in signers. This PR removes this capability. Is this intentional?
>
> Previously, we needed to register the external algorithm to access hash algorithms. Now, we don't need them since the digests are computed by the Signer and the Verifier.
>
> External algorithm implementors can implement the Signer and Verifier interfaces and can be used by go-cose directly without any registration. Here's an example implementation.

You are right, I thought a caller could instantiate a built-in signer with a custom algorithm, but it is not possible, so we are fine 😄.
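
An added example, not code from this PR or from go-cose: a custom algorithm that satisfies content-accepting Signer and Verifier interfaces and computes the digest itself, as described in the reply above. The interface shapes, `customKey`, `roundTrip` and the choice of ECDSA P-256 over SHA-512/256 are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"io"
)

// Local stand-ins (assumed shape) for the interfaces named in the thread:
// both receive the message content, never a precomputed digest.
type Signer interface{ Sign(rnd io.Reader, content []byte) ([]byte, error) }
type Verifier interface{ Verify(content, signature []byte) error }

// customKey is a hypothetical external algorithm; its hash is chosen here,
// not looked up in a library-wide algorithm registry.
type customKey struct{ priv *ecdsa.PrivateKey }

func (k customKey) Sign(rnd io.Reader, content []byte) ([]byte, error) {
	digest := sha512.Sum512_256(content) // digest computed inside the signer
	return ecdsa.SignASN1(rnd, k.priv, digest[:])
}

func (k customKey) Verify(content, signature []byte) error {
	digest := sha512.Sum512_256(content) // and again inside the verifier
	if ecdsa.VerifyASN1(&k.priv.PublicKey, digest[:], signature) {
		return nil
	}
	return fmt.Errorf("verification failed")
}

// roundTrip signs msg with a fresh key and verifies the signature against check.
func roundTrip(msg, check []byte) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	sig, err := Signer(customKey{priv}).Sign(rand.Reader, msg)
	if err != nil {
		return err
	}
	return Verifier(customKey{priv}).Verify(check, sig)
}

func main() {
	msg := []byte("constructed sample payload")
	fmt.Println("verify against signed content:", roundTrip(msg, msg))
}
```

A caller that still passes a digest where content is expected will have that digest hashed a second time, so the signature will not match what a content-based verifier checks.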