From 293854d5af619df036611e366917724a21f7a5fd Mon Sep 17 00:00:00 2001
From: Aditya Sirish
Date: Thu, 28 Oct 2021 16:30:30 -0400
Subject: [PATCH] Update PAE to expect byte sequence for payload

Signed-off-by: Aditya Sirish
---
 dsse/sign.go | 4 ++--
 dsse/sign_test.go | 12 +++++++++---
 dsse/verify.go | 2 +-
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/dsse/sign.go b/dsse/sign.go
index 3ec8c03..750cbf9 100644
--- a/dsse/sign.go
+++ b/dsse/sign.go
@@ -48,7 +48,7 @@ type Signature struct {
 PAE implementes the DSSE Pre-Authentic Encoding
 https://github.com/secure-systems-lab/dsse/blob/master/protocol.md#signature-definition
 */
-func PAE(payloadType, payload string) []byte {
+func PAE(payloadType string, payload []byte) []byte {
 return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s",
 len(payloadType), payloadType,
 len(payload), payload))
@@ -124,7 +124,7 @@ func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelop
 PayloadType: payloadType,
 }
- paeEnc := PAE(payloadType, string(body))
+ paeEnc := PAE(payloadType, body)
 for _, signer := range es.providers {
 sig, keyID, err := signer.Sign(paeEnc)
diff --git a/dsse/sign_test.go b/dsse/sign_test.go
index c3c77bb..55fe858 100644
--- a/dsse/sign_test.go
+++ b/dsse/sign_test.go
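Review bot: The doc comment above `PAE` in dsse/sign.go is left as it was, so it does not say that both length fields are byte counts and that `payload` is written into the encoding unmodified, which is the property signer and verifier both rely on. I would reword it to `PAE implements the DSSE Pre-Authentication Encoding; both length fields are byte counts and payload is copied in verbatim, so signer and verifier must pass identical bytes.`, which also fixes the "implementes" and "Pre-Authentic" slips. `PAE` is exported and its second parameter changes from `string` to `[]byte`, so any caller outside the three files in this patch will stop compiling; that seems worth stating in the commit message. The opening `/*` of the comment and the function's closing brace are outside the hunk.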
@@ -20,13 +20,19 @@ func TestPAE(t *testing.T) {
 t.Run("Empty", func(t *testing.T) {
 var want = []byte("DSSEv1 0 0 ")
- got := PAE("", "")
+ got := PAE("", []byte{})
 assert.Equal(t, want, got, "Wrong encoding")
 })
 t.Run("Hello world", func(t *testing.T) {
 var want = []byte("DSSEv1 29 http://example.com/HelloWorld 11 hello world")
- got := PAE("http://example.com/HelloWorld", "hello world")
+ got := PAE("http://example.com/HelloWorld", []byte("hello world"))
+ assert.Equal(t, want, got, "Wrong encoding")
+ })
+ t.Run("Unicode-only", func(t *testing.T) {
+ var want = []byte("DSSEv1 29 http://example.com/HelloWorld 3 ಠ")
+
+ got := PAE("http://example.com/HelloWorld", []byte("ಠ"))
 assert.Equal(t, want, got, "Wrong encoding")
 })
 }
@@ -144,7 +150,7 @@ func TestNoSigners(t *testing.T) {
 func TestNilSign(t *testing.T) {
 var keyID = "nil"
 var payloadType = "http://example.com/HelloWorld"
- var payload = "hello world"
+ var payload = []byte("hello world")
 pae := PAE(payloadType, payload)
 want := Envelope{
diff --git a/dsse/verify.go b/dsse/verify.go
index f1677fc..385a404 100644
--- a/dsse/verify.go
+++ b/dsse/verify.go
@@ -29,7 +29,7 @@ func (ev *EnvelopeVerifier) Verify(e *Envelope) error {
 return err
 }
 // Generate PAE(payloadtype, serialized body)
- paeEnc := PAE(e.PayloadType, string(body))
+ paeEnc := PAE(e.PayloadType, body)
 // If *any* signature is found to be incorrect, the entire verification
 // step fails even if *some* signatures are correct.
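Review bot: The added "Unicode-only" case in TestPAE still passes a valid UTF-8 payload, so no test pins what this commit is about, namely that PAE treats the payload as opaque bytes. The case does show that the length field counts bytes rather than characters, but it would pass equally if the payload went through a text conversion on the way. I would add a case whose payload is not valid UTF-8 and contains a NUL, for example `got := PAE("http://example.com/HelloWorld", []byte{0xff, 0x00})` checked against `append([]byte("DSSEv1 29 http://example.com/HelloWorld 2 "), 0xff, 0x00)`. That would fail if a later change normalised or re-encoded the payload before it is signed or verified.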