fix: fix the certs validation in envelope.Sign() (#51)

Signed-off-by: Binbin Li <libinbin@microsoft.com>

Signed-off-by: Binbin Li <libinbin@microsoft.com>
Co-authored-by: Binbin Li <libinbin@microsoft.com>

signature/internal/base/envelope.go

@@ -34,7 +34,16 @@ func (e *Envelope) Sign(req *signature.SignRequest) ([]byte, error) {
 	}
 
 	// validate certificate chain
-	if _, err := e.SignerInfo(); err != nil {
+	signerInfo, err := e.Envelope.SignerInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	if err := validateCertificateChain(
+		signerInfo.CertificateChain,
+		signerInfo.SignedAttributes.SigningTime,
+		signerInfo.SignatureAlgorithm,
+	); err != nil {
 		return nil, err
 	}
 

signature/internal/base/envelope_test.go

@@ -177,7 +177,7 @@ func TestSign(t *testing.T) {
 			expectErr: true,
 		},
 		{
-			name: "err returned by internal envelope",
+			name: "internal envelope fails to sign",
 			req:  signReq1,
 			env: &Envelope{
 				Raw:      nil,
@@ -187,7 +187,7 @@ func TestSign(t *testing.T) {
 			expectErr: true,
 		},
 		{
-			name: "invalid certificate chain",
+			name: "internal envelope fails to get signerInfo",
 			req:  validReq,
 			env: &Envelope{
 				Raw:      nil,
@@ -196,16 +196,28 @@ func TestSign(t *testing.T) {
 			expect:    nil,
 			expectErr: true,
 		},
+		{
+			name: "invalid certificate chain",
+			req:  validReq,
+			env: &Envelope{
+				Raw: nil,
+				Envelope: mockEnvelope{
+					signerInfo: &signature.SignerInfo{},
+				},
+			},
+			expect:    nil,
+			expectErr: true,
+		},
 		{
 			name: "successfully signed",
-			req: validReq,
+			req:  validReq,
 			env: &Envelope{
 				Raw: validBytes,
 				Envelope: &mockEnvelope{
 					signerInfo: validSignerInfo,
 				},
 			},
-			expect: validBytes,
+			expect:    validBytes,
 			expectErr: false,
 		},
 	}