sign/verify: clippy fixups

Signed-off-by: Jack Leightcap <jack.leightcap@trailofbits.com>

src/crypto/certificate.rs

@@ -22,8 +22,6 @@ use x509_cert::{
 
 use crate::errors::{Result, SigstoreError};
 
-pub type DERCert = Vec<u8>;
-
 /// Ensure the given certificate can be trusted for verifying cosign
 /// signatures.
 ///
@@ -145,9 +143,9 @@ pub(crate) fn is_leaf(certificate: &Certificate) -> Result<()> {
     Ok(())
 }
 
-pub(crate) fn is_root_ca(certificate: &Certificate) -> Result<()> {
+pub(crate) fn is_root_ca(_certificate: &Certificate) -> Result<()> {
     // TODO(tnytown)
-    Ok(())
+    todo!()
 }
 
 #[cfg(test)]

src/fulcio/mod.rs

@@ -259,7 +259,10 @@ impl FulcioClient {
             .iter()
             .map(|pem| Certificate::from_der(pem.contents()))
             .collect::<std::result::Result<Vec<_>, _>>()?;
-        let cert = chain.drain(..1).next().unwrap();
+        let cert = chain
+            .drain(..1)
+            .next()
+            .expect("failed to drain certificates of checked length!");
 
         // TODO(tnytown): Implement SCT extraction.
         /*

src/sign.rs

@@ -83,15 +83,15 @@ impl<'ctx> SigningSession<'ctx> {
                 "emailAddress={}",
                 identity.unverified_claims().email
             ))
-            .unwrap();
+            .expect("failed to initialize constant X509Name!");
 
             let mut builder = CertRequestBuilder::new(subject, private_key)?;
             builder
                 .add_extension(&x509_ext::BasicConstraints {
                     ca: false,
                     path_len_constraint: None,
                 })
-                .unwrap();
+                .expect("failed to initialize constant BasicConstaints!");
 
             let cert_req = builder
                 .build::<p256::ecdsa::DerSignature>()
@@ -215,7 +215,7 @@ impl SigningContext {
     pub fn production() -> Self {
         Self::new(
             FulcioClient::new(
-                Url::parse(FULCIO_ROOT).unwrap(),
+                Url::parse(FULCIO_ROOT).expect("constant FULCIO root fails to parse!"),
                 crate::fulcio::TokenProvider::Oauth(OauthTokenProvider::default()),
             ),
             Default::default(),
@@ -273,7 +273,8 @@ impl SigningArtifact {
         };
 
         let canonicalized_body = {
-            let mut body = json_syntax::to_value(self.log_entry.body).unwrap();
+            let mut body = json_syntax::to_value(self.log_entry.body)
+                .expect("failed to parse constructed Body!");
             body.canonicalize();
             Some(base64.encode(body.compact_print().to_string()))
         };

src/tuf/constants.rs

@@ -23,4 +23,4 @@ macro_rules! tuf_resource {
 }
 
 pub(crate) const SIGSTORE_ROOT: &[u8] = tuf_resource!("prod/root.json");
-pub(crate) const SIGSTORE_TRUST_BUNDLE: &[u8] = tuf_resource!("prod/trusted_root.json");
+pub(crate) const _SIGSTORE_TRUST_BUNDLE: &[u8] = tuf_resource!("prod/trusted_root.json");

src/verify/models.rs

@@ -130,12 +130,12 @@ impl VerificationMaterials {
             return None;
         };
 
-        if let Err(_) = is_leaf(leaf_cert) {
+        if is_leaf(leaf_cert).is_err() {
             return None;
         }
 
         for chain_cert in chain_certs {
-            if let Ok(_) = is_root_ca(chain_cert) {
+            if is_root_ca(chain_cert).is_ok() {
                 return None;
             }
         }

src/verify/policy.rs

@@ -85,7 +85,8 @@ impl<T: SingleX509ExtPolicy + const_oid::AssociatedOid> VerificationPolicy for T
         };
 
         // Parse raw string without DER encoding.
-        let val = std::str::from_utf8(ext.extn_value.as_bytes()).unwrap();
+        let val = std::str::from_utf8(ext.extn_value.as_bytes())
+            .expect("failed to parse constructed Extension!");
 
         if val != self.value() {
             Err(VerificationError::PolicyFailure(format!(
@@ -158,19 +159,14 @@ impl<'a> AnyOf<'a> {
 
 impl VerificationPolicy for AnyOf<'_> {
     fn verify(&self, cert: &x509_cert::Certificate) -> VerificationResult {
-        let ok = self
-            .children
+        self.children
             .iter()
-            .find(|policy| policy.verify(cert).is_ok());
-
-        return if let Some(_) = ok {
-            Ok(())
-        } else {
-            Err(VerificationError::PolicyFailure(format!(
+            .find(|policy| policy.verify(cert).is_ok())
+            .ok_or(VerificationError::PolicyFailure(format!(
                 "0 of {} policies succeeded",
                 self.children.len()
             )))
-        };
+            .map(|_| ())
     }
 }
 
@@ -194,7 +190,7 @@ impl VerificationPolicy for AllOf<'_> {
         // Without this, we'd consider empty lists of child policies trivially valid.
         // This is almost certainly not what the user wants and is a potential
         // source of API misuse, so we explicitly disallow it.
-        if self.children.len() < 1 {
+        if self.children.is_empty() {
             return Err(VerificationError::PolicyFailure(
                 "no child policies to verify".into(),
             ));
@@ -206,7 +202,7 @@ impl VerificationPolicy for AllOf<'_> {
             .map(|err| err.to_string())
             .collect();
 
-        if failures.len() == 0 {
+        if failures.is_empty() {
             Ok(())
         } else {
             Err(VerificationError::PolicyFailure(format!(

src/verify/verifier.rs

@@ -15,7 +15,7 @@
 use std::cell::OnceCell;
 
 use const_oid::db::rfc5280::ID_KP_CODE_SIGNING;
-use pkcs8::der::{Encode, EncodePem};
+use pkcs8::der::Encode;
 use rustls_pki_types::UnixTime;
 use x509_cert::ext::pkix::{ExtendedKeyUsage, KeyUsage};
 
@@ -30,6 +30,7 @@ use crate::{
 use super::{models::VerificationMaterials, policy::VerificationPolicy, VerificationResult};
 
 pub struct Verifier<'a, R: Repository> {
+    #[allow(dead_code)]
     rekor_config: RekorConfiguration,
     trust_repo: R,
     cert_pool: OnceCell<CertificatePool<'a>>,
@@ -93,7 +94,10 @@ impl<'a, R: Repository> Verifier<'a, R> {
             .validity
             .not_before
             .to_unix_duration();
-        let cert_der = &materials.certificate.to_der().unwrap();
+        let cert_der = &materials
+            .certificate
+            .to_der()
+            .expect("failed to DER-encode constructed Certificate!");
         store
             .verify_cert_with_time(cert_der, UnixTime::since_unix_epoch(issued_at))
             .or(Err(VerificationError::CertificateVerificationFailure))?;