Documentation
Index
- Constants
- func ParanoidUnmarshalJSONObject(data []byte, fieldResolver func(string) any) error
- func ParanoidUnmarshalJSONObjectExactFields(data []byte, exactFields map[string]any) error
- func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, ...) (time.Time, error)
- type InvalidSignatureError
- type JSONFormatError
- type SigstorePayloadAcceptanceRules
- type UntrustedRekorPayload
- type UntrustedRekorSET
- type UntrustedSigstorePayload
Constants
const HashedRekordV001APIVersion = "0.0.1"
This is the github.com/sigstore/rekor/pkg/generated/models.Hashedrekord.APIVersion for github.com/sigstore/rekor/pkg/generated/models.HashedrekordV001Schema. We could alternatively use github.com/sigstore/rekor/pkg/types/hashedrekord.APIVERSION, but that subpackage adds too many dependencies.
Functions
func ParanoidUnmarshalJSONObject
func ParanoidUnmarshalJSONObject(data []byte, fieldResolver func(string) any) error
ParanoidUnmarshalJSONObject unmarshals data as a JSON object, but fails on the slightest unexpected aspect (including duplicated keys, unrecognized keys, and non-matching types). It uses fieldResolver to determine the destination for a field value; the resolver should return a pointer to the destination if the key is valid, or nil if the key is rejected.
The fieldResolver approach is useful for decoding the Policy.Transports map; using it for structs is a bit lazy, we could use reflection to automate this. Later?
func ParanoidUnmarshalJSONObjectExactFields
func ParanoidUnmarshalJSONObjectExactFields(data []byte, exactFields map[string]any) error
ParanoidUnmarshalJSONObjectExactFields unmarshals data as a JSON object, but fails on the slightest unexpected aspect (including duplicated keys, unrecognized keys, and non-matching types). Each of the fields in exactFields must be present exactly once, and no other fields are accepted.
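The two functions above document a contract without showing how a decoder enforces it. The following is an added, independent Go implementation of that contract written for this page (example code, not the package's own), using only encoding/json's token-level Decoder; the lowercase function names are local to the example and mirror the documented ones.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
)
// paranoidUnmarshalJSONObject decodes exactly one JSON object; duplicated keys, unrecognized keys, mismatched value types and trailing data are all rejected.
func paranoidUnmarshalJSONObject(data []byte, fieldResolver func(string) any) error {
	dec := json.NewDecoder(bytes.NewReader(data))
	if t, err := dec.Token(); err != nil || t != json.Delim('{') {
		return fmt.Errorf("expected a JSON object")
	}
	seen := map[string]bool{}
	for dec.More() {
		t, err := dec.Token()
		key, ok := t.(string)
		if err != nil || !ok || seen[key] {
			return fmt.Errorf("invalid or duplicated key %v", t)
		}
		seen[key] = true
		if dst := fieldResolver(key); dst == nil { // nil: the caller rejects this key
			return fmt.Errorf("unrecognized key %q", key)
		} else if err := dec.Decode(dst); err != nil { // a type mismatch fails here
			return fmt.Errorf("field %q: %w", key, err)
		}
	}
	closing, _ := dec.Token()
	if _, err := dec.Token(); closing != json.Delim('}') || err != io.EOF {
		return fmt.Errorf("malformed object or trailing data")
	}
	return nil
}

// paranoidUnmarshalJSONObjectExactFields additionally requires every key in exactFields to be present; duplicates and unknown keys are already rejected by the decoder above.
func paranoidUnmarshalJSONObjectExactFields(data []byte, exactFields map[string]any) error {
	found := 0
	err := paranoidUnmarshalJSONObject(data, func(key string) any {
		if dst, ok := exactFields[key]; ok {
			found++
			return dst
		}
		return nil
	})
	if err == nil && found != len(exactFields) {
		return fmt.Errorf("expected %d fields, got %d", len(exactFields), found)
	}
	return err
}
```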
func VerifyRekorSET (added in v5.24.0)
func VerifyRekorSET(publicKey *ecdsa.PublicKey, unverifiedRekorSET []byte, unverifiedKeyOrCertBytes []byte, unverifiedBase64Signature string, unverifiedPayloadBytes []byte) (time.Time, error)
VerifyRekorSET verifies that unverifiedRekorSET is correctly signed by publicKey and matches the rest of the data. It returns the bundle upload time on success.
Types
type InvalidSignatureError
type InvalidSignatureError struct {
// contains filtered or unexported fields
}
InvalidSignatureError is returned when parsing an invalid signature. This is publicly visible as signature.InvalidSignatureError.
func NewInvalidSignatureError
func NewInvalidSignatureError(msg string) InvalidSignatureError
func (InvalidSignatureError) Error
func (err InvalidSignatureError) Error() string
type JSONFormatError
type JSONFormatError string
JSONFormatError is returned when JSON does not match expected format.
func (JSONFormatError) Error
func (err JSONFormatError) Error() string
type SigstorePayloadAcceptanceRules
type SigstorePayloadAcceptanceRules struct {
	ValidateSignedDockerReference      func(string) error
	ValidateSignedDockerManifestDigest func(digest.Digest) error
}
SigstorePayloadAcceptanceRules specifies how to decide whether an untrusted payload is acceptable. We centralize the actual parsing and data extraction in VerifySigstorePayload; this supplies the policy. We use an object instead of supplying func parameters to verifyAndExtractSignature because the functions have the same or similar types, so there is a risk of exchanging the functions; named members of this struct are more explicit.
type UntrustedRekorPayload (added in v5.24.0)
type UntrustedRekorPayload struct {
	Body           []byte // In cosign, this is an any, but only a string works
	IntegratedTime int64
	LogIndex       int64
	LogID          string
}
func (UntrustedRekorPayload) MarshalJSON (added in v5.24.0)
func (p UntrustedRekorPayload) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*UntrustedRekorPayload) UnmarshalJSON (added in v5.24.0)
func (p *UntrustedRekorPayload) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type UntrustedRekorSET (added in v5.24.0)
type UntrustedRekorSET struct {
	UntrustedSignedEntryTimestamp []byte // A signature over some canonical JSON form of UntrustedPayload
	UntrustedPayload              json.RawMessage
}
UntrustedRekorSET is the parsed content of the sigstore-signature Rekor SET (note that this is a signature-specific format, not a format directly used by the Rekor API). This corresponds to github.com/sigstore/cosign/bundle.RekorBundle, but we impose a stricter decoder.
func (UntrustedRekorSET) MarshalJSON (added in v5.24.0)
func (s UntrustedRekorSET) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*UntrustedRekorSET) UnmarshalJSON (added in v5.24.0)
func (s *UntrustedRekorSET) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.
type UntrustedSigstorePayload
type UntrustedSigstorePayload struct {
// contains filtered or unexported fields
}
UntrustedSigstorePayload is the parsed content of a sigstore signature payload (not the full signature).
func NewUntrustedSigstorePayload
func NewUntrustedSigstorePayload(dockerManifestDigest digest.Digest, dockerReference string) UntrustedSigstorePayload
NewUntrustedSigstorePayload returns an UntrustedSigstorePayload object with the specified primary contents and appropriate metadata.
func VerifySigstorePayload
func VerifySigstorePayload(publicKey crypto.PublicKey, unverifiedPayload []byte, unverifiedBase64Signature string, rules SigstorePayloadAcceptanceRules) (*UntrustedSigstorePayload, error)
VerifySigstorePayload verifies that unverifiedBase64Signature of unverifiedPayload was correctly created by publicKey, and that its principal components match the expected values, both as specified by rules, and returns the payload. We return an *UntrustedSigstorePayload, although nothing actually uses it, just to double-check against stupid typos.
func (UntrustedSigstorePayload) MarshalJSON
func (s UntrustedSigstorePayload) MarshalJSON() ([]byte, error)
MarshalJSON implements the json.Marshaler interface.
func (*UntrustedSigstorePayload) UnmarshalJSON
func (s *UntrustedSigstorePayload) UnmarshalJSON(data []byte) error
UnmarshalJSON implements the json.Unmarshaler interface.