rebase

laurentsimon · laurentsimon · commit 9510d202b452 · 2024-01-17T22:43:24.000Z
Signed-off-by: laurentsimon &lt;laurentsimon@google.com&gt;
diff --git a/sigstore/_utils.py b/sigstore/_utils.py
@@ -25,17 +25,12 @@
 
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import ec, rsa
-<<<<<<< HEAD
-from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
 from cryptography.x509 import (
     Certificate,
     ExtensionNotFound,
     Version,
     load_der_x509_certificate,
 )
-=======
-from cryptography.x509 import Certificate, ExtensionNotFound, Version
->>>>>>> f67b019 (Change API)
 from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID
 from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm
 
diff --git a/sigstore/hashes.py b/sigstore/hashes.py
@@ -15,6 +15,7 @@
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric.utils import Prehashed
 from pydantic import BaseModel
+import rekor_types
 from sigstore_protobuf_specs.dev.sigstore.common.v1 import HashAlgorithm
 
 
@@ -33,11 +34,13 @@ class Hashed(BaseModel):
     The digest representing the hash value.
     """
 
-    def as_prehashed(self) -> Prehashed:
-        return Prehashed(self.hazmat_algorithm())
+    def as_hashedrekord_algorithm(self) -> rekor_types.hashedrekord.Algorithm:
+        if self.algorithm == HashAlgorithm.SHA2_256:
+            return rekor_types.hashedrekord.Algorithm.SHA256
+        raise ValueError(f"unknown hash algorithm: {self.algorithm}")
 
-    def hazmat_algorithm(self) -> hashes.HashAlgorithm:
+    def as_prehashed(self) -> Prehashed:
         if self.algorithm == HashAlgorithm.SHA2_256:
-            return hashes.SHA256()
-        # Add more hashes here.
+            return Prehashed(hashes.SHA256())
         raise ValueError(f"unknown hash algorithm: {self.algorithm}")
+
diff --git a/sigstore/sign.py b/sigstore/sign.py
@@ -56,7 +56,6 @@
     VerificationMaterial,
 )
 from sigstore_protobuf_specs.dev.sigstore.common.v1 import (
-    HashAlgorithm,
     HashOutput,
     LogId,
     MessageSignature,
@@ -72,8 +71,8 @@
 )
 from sigstore_protobuf_specs.io.intoto import Envelope
 
-from sigstore._internal import dsse
 from sigstore import hashes as sigstore_hashes
+from sigstore._internal import dsse
 from sigstore._internal.fulcio import (
     ExpiredCertificate,
     FulcioCertificateSigningResponse,
@@ -82,7 +81,7 @@
 from sigstore._internal.rekor.client import RekorClient
 from sigstore._internal.sct import verify_sct
 from sigstore._internal.trustroot import TrustedRoot
-from sigstore._utils import PEMCert, get_digest, sha256_streaming
+from sigstore._utils import PEMCert, get_digest
 from sigstore.oidc import ExpiredIdentity, IdentityToken
 from sigstore.transparency import LogEntry
 
@@ -176,7 +175,7 @@ def _signing_cert(
 
     def sign(
         self,
-        input_: IO[bytes] | Statement,
+        input_: IO[bytes] | Statement | sigstore_hashes.Hashed,
     ) -> Bundle:
         """Public API for signing blobs"""
         private_key = self._private_key
@@ -219,16 +218,16 @@ def sign(
                 ),
             )
         else:
-            input_digest = sha256_streaming(input_)
+            hashed_input = get_digest(input_)
 
             artifact_signature = private_key.sign(
-                input_digest, ec.ECDSA(Prehashed(hashes.SHA256()))
+                hashed_input.digest, ec.ECDSA(hashed_input.as_prehashed())
             )
 
             content = MessageSignature(
                 message_digest=HashOutput(
-                    algorithm=HashAlgorithm.SHA2_256,
-                    digest=input_digest,
+                    algorithm=hashed_input.algorithm,
+                    digest=hashed_input.digest.hex(),
                 ),
                 signature=artifact_signature,
             )
@@ -244,8 +243,8 @@ def sign(
                     ),
                     data=rekor_types.hashedrekord.Data(
                         hash=rekor_types.hashedrekord.Hash(
-                            algorithm=rekor_types.hashedrekord.Algorithm.SHA256,
-                            value=input_digest.hex(),
+                            algorithm=hashed_input.as_hashedrekord_algorithm(),
+                            value=hashed_input.digest.hex(),
                         )
                     ),
                 ),
