diff --git a/src/crypto/certificate.rs b/src/crypto/certificate.rs index 53f2a78ca6..1089fc7b8f 100644 --- a/src/crypto/certificate.rs +++ b/src/crypto/certificate.rs @@ -22,8 +22,6 @@ use x509_cert::{ use crate::errors::{Result, SigstoreError}; -pub type DERCert = Vec; - /// Ensure the given certificate can be trusted for verifying cosign /// signatures. /// @@ -145,9 +143,9 @@ pub(crate) fn is_leaf(certificate: &Certificate) -> Result<()> { Ok(()) } -pub(crate) fn is_root_ca(certificate: &Certificate) -> Result<()> { +pub(crate) fn is_root_ca(_certificate: &Certificate) -> Result<()> { // TODO(tnytown) - Ok(()) + todo!() } #[cfg(test)] diff --git a/src/fulcio/mod.rs b/src/fulcio/mod.rs index 0f7c6cb2f6..9a2ab089f3 100644 --- a/src/fulcio/mod.rs +++ b/src/fulcio/mod.rs @@ -259,7 +259,10 @@ impl FulcioClient { .iter() .map(|pem| Certificate::from_der(pem.contents())) .collect::, _>>()?; - let cert = chain.drain(..1).next().unwrap(); + let cert = chain + .drain(..1) + .next() + .expect("failed to drain certificates of checked length!"); // TODO(tnytown): Implement SCT extraction. /* diff --git a/src/sign.rs b/src/sign.rs index f7fba52203..80f39919a4 100644 --- a/src/sign.rs +++ b/src/sign.rs @@ -83,7 +83,7 @@ impl<'ctx> SigningSession<'ctx> { "emailAddress={}", identity.unverified_claims().email )) - .unwrap(); + .expect("failed to initialize constant X509Name!"); let mut builder = CertRequestBuilder::new(subject, private_key)?; builder @@ -91,7 +91,7 @@ impl<'ctx> SigningSession<'ctx> { ca: false, path_len_constraint: None, }) - .unwrap(); + .expect("failed to initialize constant BasicConstaints!"); let cert_req = builder .build::() @@ -215,7 +215,7 @@ impl SigningContext { pub fn production() -> Self { Self::new( FulcioClient::new( - Url::parse(FULCIO_ROOT).unwrap(), + Url::parse(FULCIO_ROOT).expect("constant FULCIO root fails to parse!"), crate::fulcio::TokenProvider::Oauth(OauthTokenProvider::default()), ), Default::default(), @@ -273,7 +273,8 @@ impl SigningArtifact { }; let canonicalized_body = { - let mut body = json_syntax::to_value(self.log_entry.body).unwrap(); + let mut body = json_syntax::to_value(self.log_entry.body) + .expect("failed to parse constructed Body!"); body.canonicalize(); Some(base64.encode(body.compact_print().to_string())) }; diff --git a/src/tuf/constants.rs b/src/tuf/constants.rs index 546f118be2..0529d1128b 100644 --- a/src/tuf/constants.rs +++ b/src/tuf/constants.rs @@ -23,4 +23,4 @@ macro_rules! tuf_resource { } pub(crate) const SIGSTORE_ROOT: &[u8] = tuf_resource!("prod/root.json"); -pub(crate) const SIGSTORE_TRUST_BUNDLE: &[u8] = tuf_resource!("prod/trusted_root.json"); +pub(crate) const _SIGSTORE_TRUST_BUNDLE: &[u8] = tuf_resource!("prod/trusted_root.json"); diff --git a/src/verify/models.rs b/src/verify/models.rs index 00d98bd84c..2603ff53a7 100644 --- a/src/verify/models.rs +++ b/src/verify/models.rs @@ -130,12 +130,12 @@ impl VerificationMaterials { return None; }; - if let Err(_) = is_leaf(leaf_cert) { + if is_leaf(leaf_cert).is_err() { return None; } for chain_cert in chain_certs { - if let Ok(_) = is_root_ca(chain_cert) { + if is_root_ca(chain_cert).is_ok() { return None; } } diff --git a/src/verify/policy.rs b/src/verify/policy.rs index f0e4bd022b..8f0791c50f 100644 --- a/src/verify/policy.rs +++ b/src/verify/policy.rs @@ -85,7 +85,8 @@ impl VerificationPolicy for T }; // Parse raw string without DER encoding. - let val = std::str::from_utf8(ext.extn_value.as_bytes()).unwrap(); + let val = std::str::from_utf8(ext.extn_value.as_bytes()) + .expect("failed to parse constructed Extension!"); if val != self.value() { Err(VerificationError::PolicyFailure(format!( @@ -158,19 +159,14 @@ impl<'a> AnyOf<'a> { impl VerificationPolicy for AnyOf<'_> { fn verify(&self, cert: &x509_cert::Certificate) -> VerificationResult { - let ok = self - .children + self.children .iter() - .find(|policy| policy.verify(cert).is_ok()); - - return if let Some(_) = ok { - Ok(()) - } else { - Err(VerificationError::PolicyFailure(format!( + .find(|policy| policy.verify(cert).is_ok()) + .ok_or(VerificationError::PolicyFailure(format!( "0 of {} policies succeeded", self.children.len() ))) - }; + .map(|_| ()) } } @@ -194,7 +190,7 @@ impl VerificationPolicy for AllOf<'_> { // Without this, we'd consider empty lists of child policies trivially valid. // This is almost certainly not what the user wants and is a potential // source of API misuse, so we explicitly disallow it. - if self.children.len() < 1 { + if self.children.is_empty() { return Err(VerificationError::PolicyFailure( "no child policies to verify".into(), )); @@ -206,7 +202,7 @@ impl VerificationPolicy for AllOf<'_> { .map(|err| err.to_string()) .collect(); - if failures.len() == 0 { + if failures.is_empty() { Ok(()) } else { Err(VerificationError::PolicyFailure(format!( diff --git a/src/verify/verifier.rs b/src/verify/verifier.rs index b183e6a3ed..dd70b195cd 100644 --- a/src/verify/verifier.rs +++ b/src/verify/verifier.rs @@ -15,7 +15,7 @@ use std::cell::OnceCell; use const_oid::db::rfc5280::ID_KP_CODE_SIGNING; -use pkcs8::der::{Encode, EncodePem}; +use pkcs8::der::Encode; use rustls_pki_types::UnixTime; use x509_cert::ext::pkix::{ExtendedKeyUsage, KeyUsage}; @@ -30,6 +30,7 @@ use crate::{ use super::{models::VerificationMaterials, policy::VerificationPolicy, VerificationResult}; pub struct Verifier<'a, R: Repository> { + #[allow(dead_code)] rekor_config: RekorConfiguration, trust_repo: R, cert_pool: OnceCell>, @@ -93,7 +94,10 @@ impl<'a, R: Repository> Verifier<'a, R> { .validity .not_before .to_unix_duration(); - let cert_der = &materials.certificate.to_der().unwrap(); + let cert_der = &materials + .certificate + .to_der() + .expect("failed to DER-encode constructed Certificate!"); store .verify_cert_with_time(cert_der, UnixTime::since_unix_epoch(issued_at)) .or(Err(VerificationError::CertificateVerificationFailure))?;