root

package

Constants

// SigningConfigMediaType02 is the media type string identifying the v0.2
// Sigstore signing configuration JSON format.
const SigningConfigMediaType02 = "application/vnd.dev.sigstore.signingconfig.v0.2+json"
// TrustedRootMediaType01 is the media type string identifying the v0.1
// Sigstore trusted root JSON format. NewTrustedRoot requires exactly this
// value as its mediaType argument.
const TrustedRootMediaType01 = "application/vnd.dev.sigstore.trustedroot+json;version=0.1"

Variables

This section is empty.

Functions

func NewSigningConfigProtobuf added in v0.7.0

func NewSigningConfigProtobuf(scJSON []byte) (*prototrustroot.SigningConfig, error)

NewSigningConfigProtobuf returns a Sigstore signing configuration as a protobuf.

func NewTrustedRootProtobuf

func NewTrustedRootProtobuf(rootJSON []byte) (*prototrustroot.TrustedRoot, error)

NewTrustedRootProtobuf returns the Sigstore trusted root as a protobuf.

func ParseTransparencyLogs added in v0.3.0

func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (transparencyLogs map[string]*TransparencyLog, err error)

func SelectService added in v0.7.1

func SelectService(services []Service, supportedAPIVersions []uint32, currentTime time.Time) (string, error)

SelectService returns which service endpoint should be used based on supported API versions and current time. It will select the first service with the highest API version that matches the criteria. Services should be sorted from newest to oldest validity period start time, to minimize how far clients need to search to find a matching service.

func SelectServices added in v0.7.1

func SelectServices(services []Service, config ServiceConfiguration, supportedAPIVersions []uint32, currentTime time.Time) ([]string, error)

SelectServices returns which service endpoints should be used based on supported API versions and current time. It will use the configuration's selector to pick a set of services. ALL will return all service endpoints, ANY will return a random endpoint, and EXACT will return a random selection of a specified number of endpoints. It will select services from the highest supported API versions and will not select services from different API versions.

Types

type BaseTrustedMaterial

type BaseTrustedMaterial struct{}

func (*BaseTrustedMaterial) CTLogs added in v0.3.0

func (b *BaseTrustedMaterial) CTLogs() map[string]*TransparencyLog

func (*BaseTrustedMaterial) FulcioCertificateAuthorities

func (b *BaseTrustedMaterial) FulcioCertificateAuthorities() []CertificateAuthority

func (*BaseTrustedMaterial) PublicKeyVerifier

func (b *BaseTrustedMaterial) PublicKeyVerifier(_ string) (TimeConstrainedVerifier, error)

func (*BaseTrustedMaterial) RekorLogs added in v0.3.0

func (b *BaseTrustedMaterial) RekorLogs() map[string]*TransparencyLog

func (*BaseTrustedMaterial) TimestampingAuthorities added in v0.3.0

func (b *BaseTrustedMaterial) TimestampingAuthorities() []TimestampingAuthority

type CertificateAuthority

// CertificateAuthority is a trusted certificate authority (in this package
// implemented by FulcioCertificateAuthority) against which a leaf certificate
// can be verified as of a given observation time.
type CertificateAuthority interface {
	// Verify checks cert against this authority as of observerTimestamp and
	// returns the resulting certificate chains. NOTE(review): presumably an
	// error means the certificate does not chain to this authority or the
	// observer time falls outside the authority's validity period — confirm
	// against the implementation.
	Verify(cert *x509.Certificate, observerTimestamp time.Time) ([][]*x509.Certificate, error)
}

func ParseCertificateAuthorities

func ParseCertificateAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (certificateAuthorities []CertificateAuthority, err error)

type ExpiringKey

type ExpiringKey struct {
	signature.Verifier
	// contains filtered or unexported fields
}

ExpiringKey is a TimeConstrainedVerifier with a static validity period.

func NewExpiringKey

func NewExpiringKey(verifier signature.Verifier, validityPeriodStart, validityPeriodEnd time.Time) *ExpiringKey

NewExpiringKey returns a new ExpiringKey with the given validity period.

func (*ExpiringKey) ValidAtTime

func (k *ExpiringKey) ValidAtTime(t time.Time) bool

ValidAtTime returns true if the key is valid at the given time. If the validity period start time is not set, the key is considered valid for all times before the end time. Likewise, if the validity period end time is not set, the key is considered valid for all times after the start time.

type FulcioCertificateAuthority added in v0.7.0

// FulcioCertificateAuthority is a CertificateAuthority backed by an X.509 root
// and optional intermediates, trusted only within a validity period.
type FulcioCertificateAuthority struct {
	// Root is the CA's self-signed root certificate.
	Root                *x509.Certificate
	// Intermediates are the CA's intermediate certificates, if any.
	Intermediates       []*x509.Certificate
	// ValidityPeriodStart and ValidityPeriodEnd bound the period during which
	// this authority is trusted. NOTE(review): whether a zero value leaves the
	// bound open (as documented for ExpiringKey.ValidAtTime) is not stated
	// here — confirm.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// URI identifies the CA instance.
	URI                 string
}

func ParseCertificateAuthority

func ParseCertificateAuthority(certAuthority *prototrustroot.CertificateAuthority) (*FulcioCertificateAuthority, error)

func (*FulcioCertificateAuthority) Verify added in v0.7.0

func (ca *FulcioCertificateAuthority) Verify(cert *x509.Certificate, observerTimestamp time.Time) ([][]*x509.Certificate, error)

type LiveTrustedRoot added in v0.2.0

type LiveTrustedRoot struct {
	*TrustedRoot
	// contains filtered or unexported fields
}

LiveTrustedRoot is a wrapper around TrustedRoot that periodically refreshes the trusted root from TUF. This is needed for long-running processes to ensure that the trusted root does not expire.

func NewLiveTrustedRoot added in v0.2.0

func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error)

NewLiveTrustedRoot returns a LiveTrustedRoot that will periodically refresh the trusted root from TUF.

func NewLiveTrustedRootFromTarget added in v0.7.1

func NewLiveTrustedRootFromTarget(opts *tuf.Options, target string) (*LiveTrustedRoot, error)

NewLiveTrustedRootFromTarget returns a LiveTrustedRoot that will periodically refresh the trusted root from TUF using the provided target.

func (*LiveTrustedRoot) CTLogs added in v0.3.0

func (l *LiveTrustedRoot) CTLogs() map[string]*TransparencyLog

func (*LiveTrustedRoot) FulcioCertificateAuthorities added in v0.2.0

func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority

func (*LiveTrustedRoot) PublicKeyVerifier added in v0.2.0

func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

func (*LiveTrustedRoot) RekorLogs added in v0.3.0

func (l *LiveTrustedRoot) RekorLogs() map[string]*TransparencyLog

func (*LiveTrustedRoot) TimestampingAuthorities added in v0.3.0

func (l *LiveTrustedRoot) TimestampingAuthorities() []TimestampingAuthority

type Service added in v0.7.1

// Service describes one Sigstore service endpoint (Fulcio, OIDC provider,
// Rekor log or timestamp authority) together with the API version it serves
// and the period during which it is valid. SelectService and SelectServices
// use these fields to choose endpoints.
type Service struct {
	// URL is the service endpoint.
	URL                 string
	// MajorAPIVersion is the API major version the endpoint serves; clients
	// match it against their supported versions.
	MajorAPIVersion     uint32
	// ValidityPeriodStart and ValidityPeriodEnd bound when the endpoint may
	// be used; see ValidAtTime.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
}

func NewService added in v0.7.3

func NewService(s *prototrustroot.Service) Service

func (Service) ToServiceProtobuf added in v0.7.1

func (s Service) ToServiceProtobuf() *prototrustroot.Service

func (Service) ValidAtTime added in v0.7.1

func (s Service) ValidAtTime(t time.Time) bool

type ServiceConfiguration added in v0.7.1

// ServiceConfiguration tells SelectServices how many endpoints to pick from a
// list of candidate services.
type ServiceConfiguration struct {
	// Selector is the selection mode: ALL, ANY or EXACT (see SelectServices).
	Selector prototrustroot.ServiceSelector
	// Count is the number of endpoints to return; it is presumably only
	// consulted for the EXACT selector — confirm against SelectServices.
	Count    uint32
}

func (ServiceConfiguration) ToConfigProtobuf added in v0.7.1

type SigningConfig added in v0.7.0

type SigningConfig struct {
	// contains filtered or unexported fields
}

func FetchSigningConfig added in v0.7.0

func FetchSigningConfig() (*SigningConfig, error)

FetchSigningConfig fetches the public-good Sigstore signing configuration from TUF.

func FetchSigningConfigWithOptions added in v0.7.0

func FetchSigningConfigWithOptions(opts *tuf.Options) (*SigningConfig, error)

FetchSigningConfigWithOptions fetches the public-good Sigstore signing configuration from TUF with the given options.

func GetSigningConfig added in v0.7.0

func GetSigningConfig(c *tuf.Client) (*SigningConfig, error)

GetSigningConfig fetches the public-good Sigstore signing configuration target from TUF using the given client.

func NewSigningConfig added in v0.7.0

func NewSigningConfig(mediaType string,
	fulcioCertificateAuthorities []Service,
	oidcProviders []Service,
	rekorLogs []Service,
	rekorLogsConfig ServiceConfiguration,
	timestampAuthorities []Service,
	timestampAuthoritiesConfig ServiceConfiguration) (*SigningConfig, error)

NewSigningConfig initializes a SigningConfig object from a mediaType string, Fulcio certificate authority URLs, OIDC provider URLs, Rekor transparency log URLs, timestamp authority URLs, and selection criteria for the Rekor logs and TSAs.

func NewSigningConfigFromJSON added in v0.7.0

func NewSigningConfigFromJSON(rootJSON []byte) (*SigningConfig, error)

NewSigningConfigFromJSON returns a Sigstore signing configuration from JSON.

func NewSigningConfigFromPath added in v0.7.0

func NewSigningConfigFromPath(path string) (*SigningConfig, error)

NewSigningConfigFromPath returns a Sigstore signing configuration from a file.

func NewSigningConfigFromProtobuf added in v0.7.0

func NewSigningConfigFromProtobuf(sc *prototrustroot.SigningConfig) (*SigningConfig, error)

NewSigningConfigFromProtobuf returns a Sigstore signing configuration built from the given protobuf.

func (*SigningConfig) AddFulcioCertificateAuthorityURLs added in v0.7.1

func (sc *SigningConfig) AddFulcioCertificateAuthorityURLs(fulcioURLs ...Service) *SigningConfig

func (*SigningConfig) AddOIDCProviderURLs added in v0.7.1

func (sc *SigningConfig) AddOIDCProviderURLs(oidcURLs ...Service) *SigningConfig

func (*SigningConfig) AddRekorLogURLs added in v0.7.0

func (sc *SigningConfig) AddRekorLogURLs(logURLs ...Service) *SigningConfig

func (*SigningConfig) AddTimestampAuthorityURLs added in v0.7.0

func (sc *SigningConfig) AddTimestampAuthorityURLs(tsaURLs ...Service) *SigningConfig

func (*SigningConfig) FulcioCertificateAuthorityURLs added in v0.7.1

func (sc *SigningConfig) FulcioCertificateAuthorityURLs() []Service

func (*SigningConfig) OIDCProviderURLs added in v0.7.1

func (sc *SigningConfig) OIDCProviderURLs() []Service

func (*SigningConfig) RekorLogURLs added in v0.7.0

func (sc *SigningConfig) RekorLogURLs() []Service

func (*SigningConfig) RekorLogURLsConfig added in v0.7.1

func (sc *SigningConfig) RekorLogURLsConfig() ServiceConfiguration

func (SigningConfig) String added in v0.7.0

func (sc SigningConfig) String() string

func (*SigningConfig) TimestampAuthorityURLs added in v0.7.0

func (sc *SigningConfig) TimestampAuthorityURLs() []Service

func (*SigningConfig) TimestampAuthorityURLsConfig added in v0.7.1

func (sc *SigningConfig) TimestampAuthorityURLsConfig() ServiceConfiguration

func (*SigningConfig) WithFulcioCertificateAuthorityURLs added in v0.7.1

func (sc *SigningConfig) WithFulcioCertificateAuthorityURLs(fulcioURLs ...Service) *SigningConfig

func (*SigningConfig) WithOIDCProviderURLs added in v0.7.1

func (sc *SigningConfig) WithOIDCProviderURLs(oidcURLs ...Service) *SigningConfig

func (*SigningConfig) WithRekorLogURLs added in v0.7.0

func (sc *SigningConfig) WithRekorLogURLs(logURLs ...Service) *SigningConfig

func (*SigningConfig) WithRekorTlogConfig added in v0.7.1

func (sc *SigningConfig) WithRekorTlogConfig(selector prototrustroot.ServiceSelector, count uint32) *SigningConfig

func (*SigningConfig) WithTimestampAuthorityURLs added in v0.7.0

func (sc *SigningConfig) WithTimestampAuthorityURLs(tsaURLs ...Service) *SigningConfig

func (*SigningConfig) WithTsaConfig added in v0.7.1

func (sc *SigningConfig) WithTsaConfig(selector prototrustroot.ServiceSelector, count uint32) *SigningConfig

type SigstoreTimestampingAuthority added in v0.7.0

// SigstoreTimestampingAuthority is a TimestampingAuthority backed by an X.509
// chain (root, intermediates and the TSA's leaf certificate), trusted only
// within a validity period.
type SigstoreTimestampingAuthority struct {
	// Root is the self-signed root of the TSA's certificate chain.
	Root                *x509.Certificate
	// Intermediates are the chain's intermediate certificates, if any.
	Intermediates       []*x509.Certificate
	// Leaf is the certificate that signs the timestamps.
	Leaf                *x509.Certificate
	// ValidityPeriodStart and ValidityPeriodEnd bound the period during which
	// this authority is trusted.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// URI identifies the TSA instance.
	URI                 string
}

func (*SigstoreTimestampingAuthority) Verify added in v0.7.0

func (tsa *SigstoreTimestampingAuthority) Verify(signedTimestamp []byte, signatureBytes []byte) (*Timestamp, error)

type TimeConstrainedVerifier

// TimeConstrainedVerifier is a signature.Verifier that additionally reports
// the period during which its key is valid, so callers can reject signatures
// made outside that period. ExpiringKey is the package's implementation.
type TimeConstrainedVerifier interface {
	ValidityPeriodChecker
	signature.Verifier
}

type Timestamp added in v0.7.0

// Timestamp is the result of a successful TimestampingAuthority.Verify.
type Timestamp struct {
	// Time is the time asserted by the verified timestamp.
	Time time.Time
	// URI presumably identifies the authority that issued the timestamp
	// (compare SigstoreTimestampingAuthority.URI) — confirm.
	URI  string
}

type TimestampingAuthority added in v0.7.0

// TimestampingAuthority verifies signed timestamps issued by a trusted TSA.
type TimestampingAuthority interface {
	// Verify checks signedTimestamp against this authority and returns the
	// asserted Timestamp. NOTE(review): signatureBytes is presumably the
	// signature the timestamp was requested over, so the check also binds the
	// timestamp to that signature — confirm against the implementation.
	Verify(signedTimestamp []byte, signatureBytes []byte) (*Timestamp, error)
}

func ParseTimestampingAuthorities added in v0.7.0

func ParseTimestampingAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (timestampingAuthorities []TimestampingAuthority, err error)

func ParseTimestampingAuthority added in v0.7.0

func ParseTimestampingAuthority(certAuthority *prototrustroot.CertificateAuthority) (TimestampingAuthority, error)

type TransparencyLog added in v0.3.0

// TransparencyLog describes one transparency log instance (a Rekor log or a
// certificate transparency log) together with the key and hash parameters
// needed to verify material it produced, and the period during which the log
// is trusted.
type TransparencyLog struct {
	// BaseURL is the log's base URL.
	BaseURL             string
	// ID identifies the log instance. It is presumably the key used in the
	// RekorLogs/CTLogs maps — confirm against ParseTransparencyLogs.
	ID                  []byte
	// ValidityPeriodStart and ValidityPeriodEnd bound the period during which
	// the log's key is trusted.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// HashFunc is the hash algorithm used by the log's Merkle tree.
	HashFunc  crypto.Hash
	// PublicKey is the log's public key.
	PublicKey crypto.PublicKey
	// SignatureHashFunc is the hash algorithm used during signature creation
	// (it may differ from the Merkle tree hash).
	SignatureHashFunc crypto.Hash
}

type TrustedMaterial

// TrustedMaterial is the set of roots of trust a verifier consults: timestamp
// authorities, Fulcio certificate authorities, Rekor and CT logs, and public
// keys looked up by key ID. TrustedRoot, LiveTrustedRoot,
// TrustedPublicKeyMaterial and TrustedMaterialCollection implement it.
type TrustedMaterial interface {
	// TimestampingAuthorities returns the trusted timestamp authorities.
	TimestampingAuthorities() []TimestampingAuthority
	// FulcioCertificateAuthorities returns the trusted certificate authorities.
	FulcioCertificateAuthorities() []CertificateAuthority
	// RekorLogs returns the trusted Rekor transparency logs.
	RekorLogs() map[string]*TransparencyLog
	// CTLogs returns the trusted certificate transparency logs.
	CTLogs() map[string]*TransparencyLog
	// PublicKeyVerifier returns the verifier for the given key ID, or an
	// error if no such key is trusted.
	PublicKeyVerifier(string) (TimeConstrainedVerifier, error)
}

type TrustedMaterialCollection

// TrustedMaterialCollection combines several TrustedMaterial sources into one
// TrustedMaterial, so a verifier can consult more than one trust root at once.
type TrustedMaterialCollection []TrustedMaterial

func (TrustedMaterialCollection) CTLogs added in v0.3.0

func (TrustedMaterialCollection) FulcioCertificateAuthorities

func (tmc TrustedMaterialCollection) FulcioCertificateAuthorities() []CertificateAuthority

func (TrustedMaterialCollection) PublicKeyVerifier

func (tmc TrustedMaterialCollection) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

func (TrustedMaterialCollection) RekorLogs added in v0.3.0

func (tmc TrustedMaterialCollection) RekorLogs() map[string]*TransparencyLog

func (TrustedMaterialCollection) TimestampingAuthorities added in v0.3.0

func (tmc TrustedMaterialCollection) TimestampingAuthorities() []TimestampingAuthority

type TrustedPublicKeyMaterial

type TrustedPublicKeyMaterial struct {
	BaseTrustedMaterial
	// contains filtered or unexported fields
}

func NewTrustedPublicKeyMaterial

func NewTrustedPublicKeyMaterial(publicKeyVerifier func(string) (TimeConstrainedVerifier, error)) *TrustedPublicKeyMaterial

func NewTrustedPublicKeyMaterialFromMapping

func NewTrustedPublicKeyMaterialFromMapping(trustedPublicKeys map[string]*ExpiringKey) *TrustedPublicKeyMaterial

NewTrustedPublicKeyMaterialFromMapping returns a TrustedPublicKeyMaterial from a map of key IDs to ExpiringKeys.

func (*TrustedPublicKeyMaterial) PublicKeyVerifier

func (tr *TrustedPublicKeyMaterial) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

type TrustedRoot

type TrustedRoot struct {
	BaseTrustedMaterial
	// contains filtered or unexported fields
}

func FetchTrustedRoot added in v0.2.0

func FetchTrustedRoot() (*TrustedRoot, error)

FetchTrustedRoot fetches the Sigstore trusted root from TUF and returns it.

func FetchTrustedRootWithOptions added in v0.2.0

func FetchTrustedRootWithOptions(opts *tuf.Options) (*TrustedRoot, error)

FetchTrustedRootWithOptions fetches the trusted root from TUF with the given options and returns it.

func GetTrustedRoot added in v0.2.0

func GetTrustedRoot(c *tuf.Client) (*TrustedRoot, error)

GetTrustedRoot returns the trusted root from the given TUF client.

func NewTrustedRoot added in v0.6.1

func NewTrustedRoot(mediaType string,
	certificateAuthorities []CertificateAuthority,
	certificateTransparencyLogs map[string]*TransparencyLog,
	timestampAuthorities []TimestampingAuthority,
	transparencyLogs map[string]*TransparencyLog) (*TrustedRoot, error)

NewTrustedRoot initializes a TrustedRoot object from a mediaType string, a list of Fulcio certificate authorities, a list of timestamp authorities, and maps of CT log and Rekor transparency log instances. mediaType must be TrustedRootMediaType01 ("application/vnd.dev.sigstore.trustedroot+json;version=0.1").

func NewTrustedRootFromJSON

func NewTrustedRootFromJSON(rootJSON []byte) (*TrustedRoot, error)

NewTrustedRootFromJSON returns the Sigstore trusted root parsed from JSON.

func NewTrustedRootFromPath

func NewTrustedRootFromPath(path string) (*TrustedRoot, error)

func NewTrustedRootFromProtobuf

func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error)

func (*TrustedRoot) CTLogs added in v0.3.0

func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog

func (*TrustedRoot) FulcioCertificateAuthorities

func (tr *TrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority

func (*TrustedRoot) MarshalJSON added in v0.6.1

func (tr *TrustedRoot) MarshalJSON() ([]byte, error)

func (*TrustedRoot) RekorLogs added in v0.3.0

func (tr *TrustedRoot) RekorLogs() map[string]*TransparencyLog

func (*TrustedRoot) TimestampingAuthorities added in v0.3.0

func (tr *TrustedRoot) TimestampingAuthorities() []TimestampingAuthority

type ValidityPeriodChecker

// ValidityPeriodChecker reports whether a piece of trusted material is valid
// at a given instant. Implemented by ExpiringKey and Service.
type ValidityPeriodChecker interface {
	// ValidAtTime returns true if the material is valid at the given time.
	ValidAtTime(time.Time) bool
}
