diff --git a/signature/jws/plugin.go b/signature/jws/plugin.go
index 59f67300..c966ce32 100644
--- a/signature/jws/plugin.go
+++ b/signature/jws/plugin.go
@@ -95,7 +95,7 @@ func (s *PluginSigner) generateSignature(ctx context.Context, desc notation.Desc
 // Generate signing string.
 token := jwtToken(alg.JWS(), payload)
- signing, err := token.SigningString()
+ payloadToSign, err := token.SigningString()
 if err != nil {
 return nil, fmt.Errorf("failed to marshal signing payload: %v", err)
 }
@@ -106,7 +106,7 @@ func (s *PluginSigner) generateSignature(ctx context.Context, desc notation.Desc
 KeyID: s.KeyID,
 KeySpec: key.KeySpec,
 Hash: alg.Hash(),
- Payload: []byte(signing),
+ Payload: []byte(payloadToSign),
 PluginConfig: config,
 }
 out, err := s.Runner.Run(ctx, req)
@@ -120,7 +120,7 @@ func (s *PluginSigner) generateSignature(ctx context.Context, desc notation.Desc
 // Check keyID is honored.
 if s.KeyID != resp.KeyID {
- return nil, fmt.Errorf("keyID in generateSignature response %q does not match request %q",resp.KeyID, s.KeyID")
+ return nil, fmt.Errorf("keyID in generateSignature response %q does not match request %q", resp.KeyID, s.KeyID)
 }
 // Check algorithm is supported.
@@ -144,7 +144,7 @@ func (s *PluginSigner) generateSignature(ctx context.Context, desc notation.Desc
 // At this point, resp.Signature is not base64-encoded,
 // but verifyJWT expects a base64URL encoded string.
 signed64Url := base64.RawURLEncoding.EncodeToString(resp.Signature)
- err = verifyJWT(jwsAlg, signing, signed64Url, certs[0])
+ err = verifyJWT(jwsAlg, payloadToSign, signed64Url, certs[0])
 if err != nil {
 return nil, fmt.Errorf("signature returned by generateSignature cannot be verified: %v", err)
 }
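Review bot: The new name `payloadToSign` in the first hunk sits next to `payload`, the argument handed to `jwtToken` two lines earlier, yet the two hold different things: `payload` is what the token is built from, while `token.SigningString()` presumably returns the JWS signing input (encoded header and payload joined by a dot), which is what the plugin signs, what `verifyJWT` checks in the `@@ -144` hunk, and what `jwsEnvelope` emits in the `@@ -155` hunk. A name that follows RFC 7515 terminology, `signingInput, err := token.SigningString()`, would keep that distinction visible instead of reading like a second copy of `payload`; the `Payload:` request field in the `@@ -106` hunk can keep its protocol name. Whatever the name, a one-line comment at the declaration is worth adding, e.g. `// JWS signing input (header.payload): the same string is sent to the plugin, verified against certs[0], and placed in the envelope`, because reusing one variable for all three is what guarantees the bytes that were verified are the bytes that are emitted. generateSignature begins before the first hunk and its body runs across all of them.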
@@ -155,7 +155,7 @@ func (s *PluginSigner) generateSignature(ctx context.Context, desc notation.Desc
 }
 // Assemble the JWS signature envelope.
- return jwsEnvelope(ctx, opts, signing+"."+signed64Url, resp.CertificateChain)
+ return jwsEnvelope(ctx, opts, payloadToSign+"."+signed64Url, resp.CertificateChain)
 }
 func (s *PluginSigner) mergeConfig(config map[string]string) map[string]string {
diff --git a/signature/jws/plugin_test.go b/signature/jws/plugin_test.go
index d8ee45ae..e8e97e70 100644
--- a/signature/jws/plugin_test.go
+++ b/signature/jws/plugin_test.go
@@ -118,7 +118,7 @@ func TestPluginSigner_Sign_DescribeKeyKeyIDMismatch(t *testing.T) {
 Runner: &mockSignerPlugin{KeyID: "2", KeySpec: notation.RSA_2048},
 KeyID: "1",
 }
- testPluginSignerError(t, signer, "keyID mismatch")
+ testPluginSignerError(t, signer, "keyID in describeKey response \"2\" does not match request \"1\"")
 }
 func TestPluginSigner_Sign_KeySpecNotSupported(t *testing.T) {
@@ -126,7 +126,7 @@ func TestPluginSigner_Sign_KeySpecNotSupported(t *testing.T) {
 Runner: &mockSignerPlugin{KeyID: "1", KeySpec: "custom"},
 KeyID: "1",
 }
- testPluginSignerError(t, signer, "keySpec \"custom\" not supported")
+ testPluginSignerError(t, signer, "keySpec \"custom\" for key \"1\" is not supported")
 }
 func TestPluginSigner_Sign_PayloadNotValid(t *testing.T) {
@@ -153,7 +153,7 @@ func TestPluginSigner_Sign_GenerateSignatureKeyIDMismatch(t *testing.T) {
 }, []error{nil, nil, nil}, 0},
 KeyID: "1",
 }
- testPluginSignerError(t, signer, "keyID mismatch")
+ testPluginSignerError(t, signer, "keyID in generateSignature response \"2\" does not match request \"1\"")
 }
 func TestPluginSigner_Sign_UnsuportedAlgorithm(t *testing.T) {
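Review bot: The expected strings in the three plugin_test.go hunks here (and the `@@ -161` hunk below) now embed the complete formatted message, quoted values included, so any later wording or formatting change in plugin.go breaks four tests at once. If `testPluginSignerError` matches by substring, which is not visible in this diff, a stable fragment such as `"keyID in describeKey response"` or `"does not match request"` would pin the point of failure the test cares about without the brittleness; if it compares for equality, sentinel errors in plugin.go (proposed names, e.g. `ErrKeyIDMismatch`, `ErrKeySpecNotSupported`) wrapped with `%w` and checked with `errors.Is` would be the more robust contract. The `@@ -153` expectation duplicates the `@@ -118` text except for the operation name, so a table-driven case with the operation as a parameter would remove the repetition. Each test function's opening lines are outside its hunk.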
@@ -161,7 +161,7 @@ func TestPluginSigner_Sign_UnsuportedAlgorithm(t *testing.T) {
 Runner: &mockSignerPlugin{KeyID: "1", KeySpec: notation.RSA_2048, SigningAlg: "custom"},
 KeyID: "1",
 }
- testPluginSignerError(t, signer, "signing algorithm \"custom\" not supported")
+ testPluginSignerError(t, signer, "signing algorithm \"custom\" in generateSignature response is not supported")
 }
 func TestPluginSigner_Sign_NoCertChain(t *testing.T) {