ci: define govulncheck version in pre-commit, avoid polluting go.mod

Other pre-commit dependencies' version are defined there already.

.pre-commit-config.yaml

@@ -31,7 +31,7 @@ repos:
     - id: my-cmd-repo
       alias: govulncheck
       name: govulncheck
-      args: ["bash", "-c", "go tool golang.org/x/vuln/cmd/govulncheck ./..."]
+      args: ["bash", "-c", "go run golang.org/x/vuln/cmd/govulncheck@v1.1.4 ./..."]
 - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
   rev: v9.22.0
   hooks:

.tool-versions

@@ -1,4 +1,4 @@
 act 0.2.79
 golang 1.24.4
 golangci-lint 2.2.1
-pre-commit 4.0.1
+pre-commit 4.2.0

README.md

@@ -2,12 +2,12 @@
 
 `go-varsig` implements the upcoming v1.0.0 release of the [`varsig` specification](https://github.com/ChainAgnostic/varsig/pull/18)
 with limited (and soon to be deprecated) support for the `varsig` < v1.0
-specification.  This is predominatly included to support the UCAN v1.0
+specification.  This is predominantly included to support the UCAN v1.0
 use-case.
 
 ## Usage
 
-Include the `go-varsig` library  by running the following command:
+Include the `go-varsig` library by running the following command:
 
 ```bash
 go get github.com/ucan-wg/go-varsig@latest
@@ -29,7 +29,7 @@ asdf install
 
 ### Checks
 
-This repository contains an set of pre-commit hooks that are run prior to
+This repository contains a set of pre-commit hooks that are run prior to
 each `git commit`.  You can also run these checks manually using the
 following command:
 

common.go

@@ -4,7 +4,7 @@ package varsig
 // by the [IANA JOSE specification].
 //
 // [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
-func Ed25519(payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, error) {
+func Ed25519(payloadEncoding PayloadEncoding, opts ...Option) (EdDSAVarsig, error) {
 	return NewEdDSAVarsig(CurveEd25519, HashAlgorithmSHA512, payloadEncoding, opts...)
 }
 
@@ -12,7 +12,7 @@ func Ed25519(payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, err
 // by the [IANA JOSE specification].
 //
 // [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
-func Ed448(payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, error) {
+func Ed448(payloadEncoding PayloadEncoding, opts ...Option) (EdDSAVarsig, error) {
 	return NewEdDSAVarsig(CurveEd448, HashAlgorithmShake256, payloadEncoding, opts...)
 }
 
@@ -20,7 +20,7 @@ func Ed448(payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, error
 // by the [IANA JOSE specification].
 //
 // [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
-func RS256(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
+func RS256(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (RSAVarsig, error) {
 	return NewRSAVarsig(HashAlgorithmSHA256, keyLength, payloadEncoding, opts...)
 }
 
@@ -28,7 +28,7 @@ func RS256(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*
 // by the [IANA JOSE specification].
 //
 // [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
-func RS384(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
+func RS384(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (RSAVarsig, error) {
 	return NewRSAVarsig(HashAlgorithmSHA384, keyLength, payloadEncoding, opts...)
 }
 
@@ -36,6 +36,6 @@ func RS384(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*
 // by the [IANA JOSE specification].
 //
 // [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
-func RS512(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
+func RS512(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (RSAVarsig, error) {
 	return NewRSAVarsig(HashAlgorithmSHA512, keyLength, payloadEncoding, opts...)
 }

common_test.go

@@ -11,7 +11,8 @@ import (
 func TestEd25519(t *testing.T) {
 	t.Parallel()
 
-	in := mustVarsig[varsig.EdDSAVarsig](t)(varsig.Ed25519(varsig.PayloadEncodingDAGCBOR))
+	in, err := varsig.Ed25519(varsig.PayloadEncodingDAGCBOR)
+	mustVarsig(t, in, err)
 	out := roundTrip(t, in, "3401ed01ed011371")
 	assertEdDSAEqual(t, in, out)
 }
@@ -19,7 +20,8 @@ func TestEd25519(t *testing.T) {
 func TestEd448(t *testing.T) {
 	t.Parallel()
 
-	in := mustVarsig[varsig.EdDSAVarsig](t)(varsig.Ed448(varsig.PayloadEncodingDAGCBOR))
+	in, err := varsig.Ed448(varsig.PayloadEncodingDAGCBOR)
+	mustVarsig(t, in, err)
 	out := roundTrip(t, in, "3401ed0183241971")
 	assertEdDSAEqual(t, in, out)
 }
@@ -27,7 +29,8 @@ func TestEd448(t *testing.T) {
 func TestRS256(t *testing.T) {
 	t.Parallel()
 
-	in := mustVarsig[varsig.RSAVarsig](t)(varsig.RS256(0x100, varsig.PayloadEncodingDAGCBOR))
+	in, err := varsig.RS256(0x100, varsig.PayloadEncodingDAGCBOR)
+	mustVarsig(t, in, err)
 	out := roundTrip(t, in, "3401852412800271")
 	assertRSAEqual(t, in, out)
 }
@@ -35,7 +38,8 @@ func TestRS256(t *testing.T) {
 func TestRS384(t *testing.T) {
 	t.Parallel()
 
-	in := mustVarsig[varsig.RSAVarsig](t)(varsig.RS384(0x100, varsig.PayloadEncodingDAGCBOR))
+	in, err := varsig.RS384(0x100, varsig.PayloadEncodingDAGCBOR)
+	mustVarsig(t, in, err)
 	out := roundTrip(t, in, "3401852420800271")
 	assertRSAEqual(t, in, out)
 }
@@ -43,19 +47,20 @@ func TestRS384(t *testing.T) {
 func TestRS512(t *testing.T) {
 	t.Parallel()
 
-	in := mustVarsig[varsig.RSAVarsig](t)(varsig.RS512(0x100, varsig.PayloadEncodingDAGCBOR))
+	in, err := varsig.RS512(0x100, varsig.PayloadEncodingDAGCBOR)
+	mustVarsig(t, in, err)
 	out := roundTrip(t, in, "3401852413800271")
 	assertRSAEqual(t, in, out)
 }
 
-func assertEdDSAEqual(t *testing.T, in, out *varsig.EdDSAVarsig) {
+func assertEdDSAEqual(t *testing.T, in, out varsig.EdDSAVarsig) {
 	t.Helper()
 
 	assert.Equal(t, in.Curve(), out.Curve())
 	assert.Equal(t, in.HashAlgorithm(), out.HashAlgorithm())
 }
 
-func assertRSAEqual(t *testing.T, in, out *varsig.RSAVarsig) {
+func assertRSAEqual(t *testing.T, in, out varsig.RSAVarsig) {
 	t.Helper()
 
 	assert.Equal(t, in.HashAlgorithm(), out.HashAlgorithm())

constant.go

@@ -1,34 +1,30 @@
 package varsig
 
 import (
-	"bytes"
 	"encoding/binary"
 	"fmt"
-
-	"github.com/multiformats/go-multicodec"
 )
 
-// Prefix is the multicodec.Code for the varsig's varuint prefix byte.
+// Prefix is the value for the varsig's varuint prefix byte.
-const Prefix = uint64(multicodec.Varsig)
+const Prefix = uint64(0x34)
 
-// HashAlgorithm is the multicodec.Code that specifies the hash algorithm
+// HashAlgorithm is the value that specifies the hash algorithm
 // that's used to reduce the signed content
 type HashAlgorithm uint64
 
-// Constant multicodec.Code values that allow Varsig implementations to
+// Constant values that allow Varsig implementations to specify how
-// specify how the payload content is hashed before the signature is
+// the payload content is hashed before the signature is generated.
-// generated.
 const (
 	HashAlgorithmUnspecified HashAlgorithm = 0x00
-	HashAlgorithmSHA256                    = HashAlgorithm(multicodec.Sha2_256)
+	HashAlgorithmSHA256                    = HashAlgorithm(0x12)
-	HashAlgorithmSHA384                    = HashAlgorithm(multicodec.Sha2_384)
+	HashAlgorithmSHA384                    = HashAlgorithm(0x20)
-	HashAlgorithmSHA512                    = HashAlgorithm(multicodec.Sha2_512)
+	HashAlgorithmSHA512                    = HashAlgorithm(0x13)
-	HashAlgorithmShake256                  = HashAlgorithm(multicodec.Shake256)
+	HashAlgorithmShake256                  = HashAlgorithm(0x19)
 )
 
 // DecodeHashAlgorithm reads and validates the expected hash algorithm
 // (for varsig types include a variable hash algorithm.)
-func DecodeHashAlgorithm(r *bytes.Reader) (HashAlgorithm, error) {
+func DecodeHashAlgorithm(r BytesReader) (HashAlgorithm, error) {
 	u, err := binary.ReadUvarint(r)
 	if err != nil {
 		return HashAlgorithmUnspecified, fmt.Errorf("%w: %w", ErrUnknownHashAlgorithm, err)
@@ -52,22 +48,22 @@ func DecodeHashAlgorithm(r *bytes.Reader) (HashAlgorithm, error) {
 // consistent hashes and signatures.
 type PayloadEncoding uint64
 
-// Constant multicodec.Code values that allow Varsig implementations to
+// Constant values that allow Varsig implementations to specify how the
-// specify how the payload content is encoded before being hashed.  In
+// payload content is encoded before being hashed.
-// varsig >= v1, only canonical encoding is allowed.
+// In varsig >= v1, only canonical encoding is allowed.
 const (
 	PayloadEncodingUnspecified PayloadEncoding = 0x00
 	PayloadEncodingVerbatim    PayloadEncoding = 0x5f
-	PayloadEncodingDAGPB                       = PayloadEncoding(multicodec.DagPb)
+	PayloadEncodingDAGPB                       = PayloadEncoding(0x70)
-	PayloadEncodingDAGCBOR                     = PayloadEncoding(multicodec.DagCbor)
+	PayloadEncodingDAGCBOR                     = PayloadEncoding(0x71)
-	PayloadEncodingDAGJSON                     = PayloadEncoding(multicodec.DagJson)
+	PayloadEncodingDAGJSON                     = PayloadEncoding(0x0129)
-	PayloadEncodingEIP191                      = PayloadEncoding(multicodec.Eip191)
+	PayloadEncodingEIP191                      = PayloadEncoding(0xd191)
 	PayloadEncodingJWT         PayloadEncoding = 0x6a77
 )
 
 // DecodePayloadEncoding reads and validates the expected canonical payload
 // encoding of the data to be signed.
-func DecodePayloadEncoding(r *bytes.Reader, vers Version) (PayloadEncoding, error) {
+func DecodePayloadEncoding(r BytesReader, vers Version) (PayloadEncoding, error) {
 	u, err := binary.ReadUvarint(r)
 	if err != nil {
 		return PayloadEncodingUnspecified, fmt.Errorf("%w: %w", ErrUnsupportedPayloadEncoding, err)
@@ -113,8 +109,8 @@ func decodeEncodingInfoV1(payEnc PayloadEncoding) (PayloadEncoding, error) {
 	}
 }
 
-// Discriminator is (usually) the multicodec.Code representing the public
+// Discriminator is (usually) the value representing the public key type of
-// key type of the algorithm used to create the signature.
+// the algorithm used to create the signature.
 //
 // There is not set list of constants here, nor is there a decode function
 // as the author of an implementation should include the constant with the

eddsa.go

@@ -1,37 +1,49 @@
 package varsig
 
 import (
-	"bytes"
 	"crypto/ed25519"
 	"encoding/binary"
-
+	"fmt"
-	"github.com/multiformats/go-multicodec"
 )
 
-// Constants containing multicodec.Code values that specify EdDSA signatures.
+// Constants containing values that specify EdDSA signatures.
 const (
-	DiscriminatorEdDSA   = Discriminator(multicodec.Ed25519Pub)
+	DiscriminatorEdDSA   = Discriminator(0xed)
-	DiscriminatorEd25519 = Discriminator(multicodec.Ed25519Pub)
+	DiscriminatorEd25519 = Discriminator(0xed)
-	DiscriminatorEd448   = Discriminator(multicodec.Ed448Pub)
+	DiscriminatorEd448   = Discriminator(0x1203)
 )
 
-// EdDSACurve are multicodec.Code values that specify which Edwards curve
+// EdDSACurve are values that specify which Edwards curve is used when
-// is used when generating the signature.
+// generating the signature.
 type EdDSACurve uint64
 
-// Constants describing the multicodec.Code for each specific Edwards
+// Constants describing the values for each specific Edwards curve that can
-// curve that can be encoded into a Varsig.
+// be encoded into a Varsig.
 const (
-	CurveEd25519 = EdDSACurve(multicodec.Ed25519Pub)
+	CurveEd25519 = EdDSACurve(0xed)
-	CurveEd448   = EdDSACurve(multicodec.Ed448Pub)
+	CurveEd448   = EdDSACurve(0x1203)
 )
 
-var _ Varsig = (*EdDSAVarsig)(nil)
+func decodeEdDSACurve(r BytesReader) (EdDSACurve, error) {
+	u, err := binary.ReadUvarint(r)
+	if err != nil {
+		return 0, err
+	}
+
+	switch curve := EdDSACurve(u); curve {
+	case CurveEd25519, CurveEd448:
+		return curve, nil
+	default:
+		return 0, fmt.Errorf("%w: %x", ErrUnknownEdDSACurve, u)
+	}
+}
+
+var _ Varsig = EdDSAVarsig{}
 
 // EdDSAVarsig is a varsig that encodes the parameters required to describe
 // an EdDSA signature.
 type EdDSAVarsig struct {
-	varsig[EdDSAVarsig]
+	varsig
 
 	curve   EdDSACurve
 	hashAlg HashAlgorithm
@@ -39,13 +51,13 @@ type EdDSAVarsig struct {
 
 // NewEdDSAVarsig creates and validates an EdDSA varsig with the provided
 // curve, hash algorithm and payload encoding.
-func NewEdDSAVarsig(curve EdDSACurve, hashAlgorithm HashAlgorithm, payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, error) {
+func NewEdDSAVarsig(curve EdDSACurve, hashAlgorithm HashAlgorithm, payloadEncoding PayloadEncoding, opts ...Option) (EdDSAVarsig, error) {
 	options := newOptions(opts...)
 
 	var (
 		vers = Version1
 		disc = DiscriminatorEdDSA
-		sig  = []byte{}
+		sig  []byte
 	)
 
 	if options.ForceVersion0() {
@@ -54,8 +66,8 @@ func NewEdDSAVarsig(curve EdDSACurve, hashAlgorithm HashAlgorithm, payloadEncodi
 		sig = options.Signature()
 	}
 
-	v := &EdDSAVarsig{
+	v := EdDSAVarsig{
-		varsig: varsig[EdDSAVarsig]{
+		varsig: varsig{
 			vers:   vers,
 			disc:   disc,
 			payEnc: payloadEncoding,
@@ -65,17 +77,17 @@ func NewEdDSAVarsig(curve EdDSACurve, hashAlgorithm HashAlgorithm, payloadEncodi
 		hashAlg: hashAlgorithm,
 	}
 
-	return v.validateSig(v, ed25519.PrivateKeySize)
+	return validateSig(v, ed25519.SignatureSize)
 }
 
 // Curve returns the Edwards curve used to generate the EdDSA signature.
-func (v *EdDSAVarsig) Curve() EdDSACurve {
+func (v EdDSAVarsig) Curve() EdDSACurve {
 	return v.curve
 }
 
-// HashAlgorithm returns the multicodec.Code describing the hash algorithm
+// HashAlgorithm returns the value describing the hash algorithm used to hash
-// used to hash the payload content before the signature is generated.
+// the payload content before the signature is generated.
-func (v *EdDSAVarsig) HashAlgorithm() HashAlgorithm {
+func (v EdDSAVarsig) HashAlgorithm() HashAlgorithm {
 	return v.hashAlg
 }
 
@@ -94,31 +106,35 @@ func (v EdDSAVarsig) Encode() []byte {
 	return buf
 }
 
-func decodeEd25519(r *bytes.Reader, vers Version, disc Discriminator) (Varsig, error) {
+func decodeEd25519(r BytesReader, vers Version, disc Discriminator) (Varsig, error) {
-	curve := uint64(disc)
+	curve := EdDSACurve(disc)
 	if vers != Version0 {
-		u, err := binary.ReadUvarint(r)
+		var err error
 
+		curve, err = decodeEdDSACurve(r)
 		if err != nil {
-			return nil, err // TODO: wrap error?
+			return nil, err
 		}
-
-		curve = u
 	}
 
-	hashAlg, err := binary.ReadUvarint(r)
+	hashAlg, err := DecodeHashAlgorithm(r)
 	if err != nil {
-		return nil, err // TODO: wrap error?
+		return nil, err
 	}
 
-	v := &EdDSAVarsig{
+	v := EdDSAVarsig{
-		varsig: varsig[EdDSAVarsig]{
+		varsig: varsig{
 			vers: vers,
 			disc: disc,
 		},
-		curve:   EdDSACurve(curve),
+		curve:   curve,
-		hashAlg: HashAlgorithm(hashAlg),
+		hashAlg: hashAlg,
 	}
 
-	return v.decodePayEncAndSig(r, v, ed25519.PrivateKeySize)
+	v.payEnc, v.sig, err = v.decodePayEncAndSig(r)
+	if err != nil {
+		return nil, err
+	}
+
+	return validateSig(v, ed25519.SignatureSize)
 }

eddsa_test.go

@@ -1,6 +1,7 @@
 package varsig_test
 
 import (
+	"encoding/base64"
 	"encoding/hex"
 	"testing"
 
@@ -35,7 +36,7 @@ func TestDecodeEd25519(t *testing.T) {
 			assert.Equal(t, varsig.PayloadEncodingDAGCBOR, v.PayloadEncoding())
 			assert.Len(t, v.Signature(), 64)
 
-			impl, ok := v.(*varsig.EdDSAVarsig)
+			impl, ok := v.(varsig.EdDSAVarsig)
 			require.True(t, ok)
 			assert.Equal(t, varsig.CurveEd25519, impl.Curve())
 			assert.Equal(t, varsig.HashAlgorithmSHA512, impl.HashAlgorithm())
@@ -56,3 +57,44 @@ func TestDecodeEd25519(t *testing.T) {
 		})
 	})
 }
+
+func TestUCANExampleV1(t *testing.T) {
+	t.Parallel()
+
+	// This test is the value shown in the UCAN v1.0.0 example, which is
+	// an EdDSA varsig = v1 with the Ed25519 curve, SHA2_256 hashing and
+	// DAG-CBOR content encoding.
+	example, err := base64.RawStdEncoding.DecodeString("NAHtAe0BE3E")
+	require.NoError(t, err)
+
+	t.Run("Decode", func(t *testing.T) {
+		t.Parallel()
+
+		v, err := varsig.Decode(example)
+		require.NoError(t, err)
+
+		rsaV, ok := v.(varsig.EdDSAVarsig)
+		require.True(t, ok)
+
+		assert.Equal(t, varsig.Version1, rsaV.Version())
+		assert.Equal(t, varsig.DiscriminatorEdDSA, rsaV.Discriminator())
+		assert.Equal(t, varsig.CurveEd25519, rsaV.Curve())
+		assert.Equal(t, varsig.HashAlgorithmSHA512, rsaV.HashAlgorithm())
+		assert.Equal(t, varsig.PayloadEncodingDAGCBOR, rsaV.PayloadEncoding())
+		assert.Len(t, rsaV.Signature(), 0)
+	})
+
+	t.Run("Encode", func(t *testing.T) {
+		t.Parallel()
+
+		edDSAVarsig, err := varsig.NewEdDSAVarsig(
+			varsig.CurveEd25519,
+			varsig.HashAlgorithmSHA512,
+			varsig.PayloadEncodingDAGCBOR,
+		)
+		require.NoError(t, err)
+
+		assert.Equal(t, example, edDSAVarsig.Encode())
+		t.Log(base64.RawStdEncoding.EncodeToString(edDSAVarsig.Encode()))
+	})
+}

error.go

@@ -13,7 +13,7 @@ var ErrMissingSignature = errors.New("missing signature expected in varsig v0")
 var ErrNotYetImplemented = errors.New("not yet implemented")
 
 // ErrUnexpectedSignaturePresent is returned when a signature is present
-// in  a varsig >= v1.
+// in a varsig >= v1.
 var ErrUnexpectedSignaturePresent = errors.New("unexpected signature present in varsig >= v1")
 
 // ErrUnexpectedSignatureSize is returned when the length of the decoded
@@ -21,7 +21,7 @@ var ErrUnexpectedSignaturePresent = errors.New("unexpected signature present in
 // signing algorithm or sent via a Varsig field.
 var ErrUnexpectedSignatureSize = errors.New("unexpected signature size in varsig v0")
 
-// ErrUnknownHashAlgoritm is returned when an unexpected value is provided
+// ErrUnknownHashAlgorithm is returned when an unexpected value is provided
 // while decoding the hashing algorithm.
 var ErrUnknownHashAlgorithm = errors.New("unknown hash algorithm")
 
@@ -30,14 +30,18 @@ var ErrUnknownHashAlgorithm = errors.New("unknown hash algorithm")
 // for this field may vary based on the varsig version.
 var ErrUnsupportedPayloadEncoding = errors.New("unsupported payload encoding")
 
-// ErrUnknowndiscorith is returned when the Registry doesn't have a
+// ErrUnknownDiscriminator is returned when the Registry doesn't have a
 // parsing function for the decoded signing algorithm.
 var ErrUnknownDiscriminator = errors.New("unknown signing algorithm")
 
+// ErrUnknownEdDSACurve is returned when the decoded uvarint isn't either
+// CurveEd25519 or CurveEd448.
+var ErrUnknownEdDSACurve = errors.New("unknown Edwards curve")
+
 // ErrUnsupportedVersion is returned when an unsupported varsig version
 // field is present.
 var ErrUnsupportedVersion = errors.New("unsupported version")
 
 // ErrBadPrefix is returned when the prefix field contains a value other
-// than 0x34 (encoded as a uvarint).
+// than 0x34 (encoded as an uvarint).
 var ErrBadPrefix = errors.New("varsig prefix not found")

go.mod

@@ -2,21 +2,10 @@ module github.com/ucan-wg/go-varsig
 
 go 1.24.4
 
-require (
+require github.com/stretchr/testify v1.10.0
-	github.com/multiformats/go-multicodec v0.9.2
-	github.com/stretchr/testify v1.10.0
-)
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 // indirect
-	golang.org/x/tools v0.29.0 // indirect
-	golang.org/x/vuln v1.1.4 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-
-tool golang.org/x/vuln/cmd/govulncheck

go.sum

@@ -1,29 +1,9 @@
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786 h1:rcv+Ippz6RAtvaGgKxc+8FQIpxHgsF+HBzPyYL2cyVU=
-github.com/google/go-cmdtest v0.4.1-0.20220921163831-55ab3332a786/go.mod h1:apVn/GCasLZUVpAJ6oWAuyP7Ne7CEsQbTnc0plM3m+o=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/multiformats/go-multicodec v0.9.2 h1:YrlXCuqxjqm3bXl+vBq5LKz5pz4mvAsugdqy78k0pXQ=
-github.com/multiformats/go-multicodec v0.9.2/go.mod h1:LLWNMtyV5ithSBUo3vFIMaeDy+h3EbkMTek1m+Fybbo=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
-golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7 h1:FemxDzfMUcK2f3YY4H+05K9CDzbSVr2+q/JKN45pey0=
-golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7/go.mod h1:pRgIJT+bRLFKnoM1ldnzKoxTIn14Yxz928LQRYYgIN0=
-golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
-golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
-golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
-golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

registry.go

@@ -6,11 +6,11 @@ import (
 	"fmt"
 )
 
-// Version represents which version of the vasig specification was used
+// Version represents which version of the varsig specification was used
 // to produce Varsig value.
 type Version uint64
 
-// Constancts for the existing varsig specifications
+// Constants for the existing varsig specifications
 const (
 	Version0 Version = 0
 	Version1 Version = 1
@@ -18,9 +18,9 @@ const (
 
 // DecodeFunc is a function that parses the varsig representing a specific
 // signing algorithm.
-type DecodeFunc func(*bytes.Reader, Version, Discriminator) (Varsig, error)
+type DecodeFunc func(BytesReader, Version, Discriminator) (Varsig, error)
 
-// Registry contains a mapping between known signing algorithms, and
+// Registry contains a mapping between known signing algorithms and
 // functions that can parse varsigs for that signing algorithm.
 type Registry map[Discriminator]DecodeFunc
 
@@ -56,7 +56,7 @@ func (rs Registry) Decode(data []byte) (Varsig, error) {
 
 // DecodeStream converts data read from the provided io.Reader into one
 // of the registered Varsig types.
-func (rs Registry) DecodeStream(r *bytes.Reader) (Varsig, error) {
+func (rs Registry) DecodeStream(r BytesReader) (Varsig, error) {
 	pre, err := binary.ReadUvarint(r)
 	if err != nil {
 		return nil, fmt.Errorf("%w: %w", ErrBadPrefix, err)
@@ -79,7 +79,7 @@ func (rs Registry) DecodeStream(r *bytes.Reader) (Varsig, error) {
 	return decodeFunc(r, vers, disc)
 }
 
-func (rs Registry) decodeVersAnddisc(r *bytes.Reader) (Version, Discriminator, error) {
+func (rs Registry) decodeVersAnddisc(r BytesReader) (Version, Discriminator, error) {
 	vers, err := binary.ReadUvarint(r)
 	if err != nil {
 		return Version(vers), 0, err
@@ -98,6 +98,6 @@ func (rs Registry) decodeVersAnddisc(r *bytes.Reader) (Version, Discriminator, e
 	return Version(vers), Discriminator(disc), err
 }
 
-func notYetImplementedVarsigDecoder(_ *bytes.Reader, vers Version, disc Discriminator) (Varsig, error) {
+func notYetImplementedVarsigDecoder(_ BytesReader, vers Version, disc Discriminator) (Varsig, error) {
 	return nil, fmt.Errorf("%w: Version: %d, Discriminator: %x", ErrNotYetImplemented, vers, disc)
 }

registry_test.go

@@ -61,7 +61,7 @@ func testRegistry(t *testing.T) varsig.Registry {
 func testDecodeFunc(t *testing.T) varsig.DecodeFunc {
 	t.Helper()
 
-	return func(r *bytes.Reader, vers varsig.Version, disc varsig.Discriminator) (varsig.Varsig, error) {
+	return func(r varsig.BytesReader, vers varsig.Version, disc varsig.Discriminator) (varsig.Varsig, error) {
 		v := &testVarsig{
 			vers: vers,
 			disc: disc,
@@ -71,7 +71,7 @@ func testDecodeFunc(t *testing.T) varsig.DecodeFunc {
 	}
 }
 
-var _ varsig.Varsig = (*testVarsig)(nil)
+var _ varsig.Varsig = testVarsig{}
 
 type testVarsig struct {
 	vers   varsig.Version
@@ -80,22 +80,22 @@ type testVarsig struct {
 	sig    []byte
 }
 
-func (v *testVarsig) Version() varsig.Version {
+func (v testVarsig) Version() varsig.Version {
 	return v.vers
 }
 
-func (v *testVarsig) Discriminator() varsig.Discriminator {
+func (v testVarsig) Discriminator() varsig.Discriminator {
 	return v.disc
 }
 
-func (v *testVarsig) PayloadEncoding() varsig.PayloadEncoding {
+func (v testVarsig) PayloadEncoding() varsig.PayloadEncoding {
 	return v.payEnc
 }
 
-func (v *testVarsig) Signature() []byte {
+func (v testVarsig) Signature() []byte {
 	return v.sig
 }
 
-func (v *testVarsig) Encode() []byte {
+func (v testVarsig) Encode() []byte {
 	return nil
 }

rsa.go

@@ -1,33 +1,30 @@
 package varsig
 
 import (
-	"bytes"
 	"encoding/binary"
-
-	"github.com/multiformats/go-multicodec"
 )
 
-// DiscriminatorRSA is the multicodec.Code specifying an RSA signature.
+// DiscriminatorRSA is the value specifying an RSA signature.
-const DiscriminatorRSA = Discriminator(multicodec.RsaPub)
+const DiscriminatorRSA = Discriminator(0x1205)
 
-var _ Varsig = (*RSAVarsig)(nil)
+var _ Varsig = RSAVarsig{}
 
 // RSAVarsig is a varsig that encodes the parameters required to describe
 // an RSA signature.
 type RSAVarsig struct {
-	varsig[RSAVarsig]
+	varsig
 	hashAlg HashAlgorithm
 	sigLen  uint64
 }
 
 // NewRSAVarsig creates and validates an RSA varsig with the provided
 // hash algorithm, key length and payload encoding.
-func NewRSAVarsig(hashAlgorithm HashAlgorithm, keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
+func NewRSAVarsig(hashAlgorithm HashAlgorithm, keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (RSAVarsig, error) {
 	options := newOptions(opts...)
 
 	var (
 		vers = Version1
-		sig  = []byte{}
+		sig  []byte
 	)
 
 	if options.ForceVersion0() {
@@ -35,8 +32,8 @@ func NewRSAVarsig(hashAlgorithm HashAlgorithm, keyLength uint64, payloadEncoding
 		sig = options.Signature()
 	}
 
-	v := &RSAVarsig{
+	v := RSAVarsig{
-		varsig: varsig[RSAVarsig]{
+		varsig: varsig{
 			vers:   vers,
 			disc:   DiscriminatorRSA,
 			payEnc: payloadEncoding,
@@ -46,7 +43,7 @@ func NewRSAVarsig(hashAlgorithm HashAlgorithm, keyLength uint64, payloadEncoding
 		sigLen:  keyLength,
 	}
 
-	return v.validateSig(v, v.sigLen)
+	return validateSig(v, v.sigLen)
 }
 
 // Encode returns the encoded byte format of the RSAVarsig.
@@ -61,17 +58,17 @@ func (v RSAVarsig) Encode() []byte {
 }
 
 // HashAlgorithm returns the hash algorithm used to has the payload content.
-func (v *RSAVarsig) HashAlgorithm() HashAlgorithm {
+func (v RSAVarsig) HashAlgorithm() HashAlgorithm {
 	return v.hashAlg
 }
 
 // KeyLength returns the length of the RSA key used to sign the payload
 // content.
-func (v *RSAVarsig) KeyLength() uint64 {
+func (v RSAVarsig) KeyLength() uint64 {
 	return v.sigLen
 }
 
-func decodeRSA(r *bytes.Reader, vers Version, disc Discriminator) (Varsig, error) {
+func decodeRSA(r BytesReader, vers Version, disc Discriminator) (Varsig, error) {
 	hashAlg, err := DecodeHashAlgorithm(r)
 	if err != nil {
 		return nil, err
@@ -82,14 +79,19 @@ func decodeRSA(r *bytes.Reader, vers Version, disc Discriminator) (Varsig, error
 		return nil, err
 	}
 
-	vs := &RSAVarsig{
+	vs := RSAVarsig{
-		varsig: varsig[RSAVarsig]{
+		varsig: varsig{
 			vers: vers,
 			disc: disc,
 		},
-		hashAlg: HashAlgorithm(hashAlg),
+		hashAlg: hashAlg,
 		sigLen:  sigLen,
 	}
 
-	return vs.decodePayEncAndSig(r, vs, sigLen)
+	vs.payEnc, vs.sig, err = vs.decodePayEncAndSig(r)
+	if err != nil {
+		return nil, err
+	}
+
+	return validateSig(vs, vs.sigLen)
 }

rsa_test.go

@@ -26,7 +26,7 @@ func TestRSAVarsig(t *testing.T) {
 		vs, err := varsig.Decode(example)
 		require.NoError(t, err)
 
-		rsaVs, ok := vs.(*varsig.RSAVarsig)
+		rsaVs, ok := vs.(varsig.RSAVarsig)
 		require.True(t, ok)
 
 		assert.Equal(t, varsig.Version1, rsaVs.Version())
@@ -52,7 +52,7 @@ func TestRSAVarsig(t *testing.T) {
 	})
 }
 
-func TestUCANExample(t *testing.T) {
+func TestUCANExampleV0(t *testing.T) {
 	t.Parallel()
 
 	const keyLen = 0x100
@@ -69,7 +69,7 @@ func TestUCANExample(t *testing.T) {
 		vs, err := varsig.Decode(example)
 		require.ErrorIs(t, err, varsig.ErrMissingSignature)
 
-		rsaVs, ok := vs.(*varsig.RSAVarsig)
+		rsaVs, ok := vs.(varsig.RSAVarsig)
 		require.True(t, ok)
 
 		assert.Equal(t, varsig.Version0, rsaVs.Version())

varsig.go

@@ -19,21 +19,29 @@
 package varsig
 
 import (
-	"bytes"
 	"encoding/binary"
+	"errors"
 	"io"
 )
 
 // Varsig represents types that describe how a signature was generated
 // and thus how to interpret the signature and verify the signed data.
 type Varsig interface {
-	// accessors for fields that are common to all varsig
+	// Version returns the varsig's version field.
 	Version() Version
+
+	// Discriminator returns the algorithm used to produce the corresponding signature.
 	Discriminator() Discriminator
+
+	// PayloadEncoding returns the codec that was used to encode the signed data.
 	PayloadEncoding() PayloadEncoding
+
+	// Signature returns the cryptographic signature of the signed data.
+	// This value is never present in a varsig >= v1 and must either be a valid
+	// signature with the correct length or empty in varsig < v1.
 	Signature() []byte
 
-	// Operations that are common to all varsig
+	// Encode returns the encoded byte format of the varsig.
 	Encode() []byte
 }
 
@@ -45,11 +53,11 @@ func Decode(data []byte) (Varsig, error) {
 
 // DecodeStream converts data read from the provided io.Reader into one
 // of the Varsig types provided by the DefaultRegistry.
-func DecodeStream(r *bytes.Reader) (Varsig, error) {
+func DecodeStream(r BytesReader) (Varsig, error) {
 	return DefaultRegistry().DecodeStream(r)
 }
 
-type varsig[T Varsig] struct {
+type varsig struct {
 	vers   Version
 	disc   Discriminator
 	payEnc PayloadEncoding
@@ -57,30 +65,30 @@ type varsig[T Varsig] struct {
 }
 
 // Version returns the varsig's version field.
-func (v varsig[_]) Version() Version {
+func (v varsig) Version() Version {
 	return v.vers
 }
 
-// Discriminator returns the algorithm used to produce corresponding
+// Discriminator returns the algorithm used to produce the corresponding
 // signature.
-func (v varsig[_]) Discriminator() Discriminator {
+func (v varsig) Discriminator() Discriminator {
 	return v.disc
 }
 
 // PayloadEncoding returns the codec that was used to encode the signed
 // data.
-func (v varsig[_]) PayloadEncoding() PayloadEncoding {
+func (v varsig) PayloadEncoding() PayloadEncoding {
 	return v.payEnc
 }
 
 // Signature returns the cryptographic signature of the signed data. This
 // value is never present in a varsig >= v1 and must either be a valid
 // signature with the correct length or empty in varsig < v1.
-func (v varsig[_]) Signature() []byte {
+func (v varsig) Signature() []byte {
 	return v.sig
 }
 
-func (v *varsig[_]) encode() []byte {
+func (v varsig) encode() []byte {
 	var buf []byte
 
 	buf = binary.AppendUvarint(buf, Prefix)
@@ -94,37 +102,51 @@ func (v *varsig[_]) encode() []byte {
 	return buf
 }
 
-func (v *varsig[T]) decodePayEncAndSig(r *bytes.Reader, varsig *T, expectedLength uint64) (*T, error) {
+func (v varsig) decodePayEncAndSig(r BytesReader) (PayloadEncoding, []byte, error) {
 	payEnc, err := DecodePayloadEncoding(r, v.Version())
 	if err != nil {
-		return nil, err
+		return 0, nil, err
 	}
 
-	v.payEnc = payEnc
+	var signature []byte
-
+	switch v.Version() {
-	signature, err := io.ReadAll(r)
+	case Version0:
-	if err != nil {
+		signature, err = io.ReadAll(r)
-		return nil, err
+		if err != nil {
+			return 0, nil, err
+		}
+	case Version1:
+		_, err := r.ReadByte()
+		if err != nil && !errors.Is(err, io.EOF) {
+			return 0, nil, err
+		}
+		if err == nil {
+			return 0, nil, ErrUnexpectedSignaturePresent
+		}
+	default:
+		return 0, nil, ErrUnsupportedVersion
 	}
 
-	v.sig = signature
+	return payEnc, signature, nil
-
-	return v.validateSig(varsig, expectedLength)
 }
 
-func (v *varsig[T]) validateSig(varsig *T, expectedLength uint64) (*T, error) {
+func validateSig[T Varsig](v T, expectedLength uint64) (T, error) {
-	if v.Version() == Version0 && len(v.sig) == 0 {
+	if v.Version() == Version0 && len(v.Signature()) == 0 {
-		return varsig, ErrMissingSignature
+		return v, ErrMissingSignature
 	}
 
-	if v.Version() == Version0 && uint64(len(v.sig)) != expectedLength {
+	if v.Version() == Version0 && uint64(len(v.Signature())) != expectedLength {
-		return nil, ErrUnexpectedSignatureSize
+		return *new(T), ErrUnexpectedSignatureSize
 	}
 
-	if v.Version() == Version1 && len(v.sig) != 0 {
+	if v.Version() == Version1 && len(v.Signature()) != 0 {
-		return nil, ErrUnexpectedSignaturePresent
+		return *new(T), ErrUnexpectedSignaturePresent
 	}
 
-	return varsig, nil
+	return v, nil
-
+}
+
+type BytesReader interface {
+	io.ByteReader
+	io.Reader
 }

varsig_test.go

@@ -133,7 +133,7 @@ func TestDecode(t *testing.T) {
 
 		vs, err := varsig.Decode(data)
 		require.ErrorIs(t, err, varsig.ErrUnexpectedSignatureSize)
-		assert.Nil(t, vs)
+		assert.Zero(t, vs)
 	})
 
 	t.Run("fails - unexpected signature present - v1", func(t *testing.T) {
@@ -158,15 +158,11 @@ func TestDecode(t *testing.T) {
 	})
 }
 
-func mustVarsig[T varsig.Varsig](t *testing.T) func(*T, error) *T {
+func mustVarsig[T varsig.Varsig](t *testing.T, v T, err error) {
 	t.Helper()
 
-	return func(v *T, err error) *T {
+	if err != nil && (v.Version() != varsig.Version0 || !errors.Is(err, varsig.ErrMissingSignature)) {
-		if err != nil && ((*v).Version() != varsig.Version0 || !errors.Is(err, varsig.ErrMissingSignature)) {
+		t.Error(err)
-			t.Error(err)
-		}
-
-		return v
 	}
 }