root



Constants

// TrustedRootMediaType01 is the media type identifying version 0.1 of the
// Sigstore trusted root JSON document; presumably the value expected by the
// mediaType parameter of NewTrustedRoot (confirm against the source).
const TrustedRootMediaType01 = "application/vnd.dev.sigstore.trustedroot+json;version=0.1"

Variables

This section is empty.

Functions

func NewTrustedRootProtobuf

func NewTrustedRootProtobuf(rootJSON []byte) (*prototrustroot.TrustedRoot, error)

NewTrustedRootProtobuf returns the Sigstore trusted root as a protobuf.

func ParseTransparencyLogs

func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (transparencyLogs map[string]*TransparencyLog, err error)

Types

type BaseTrustedMaterial

// BaseTrustedMaterial is an empty struct that carries default implementations of
// the TrustedMaterial methods (CTLogs, FulcioCertificateAuthorities,
// PublicKeyVerifier, RekorLogs, TimestampingAuthorities). TrustedRoot and
// TrustedPublicKeyMaterial embed it so they only have to override the methods
// they actually back with data.
// NOTE(review): the defaults presumably yield empty results (and an error from
// PublicKeyVerifier) — confirm against the source before relying on that.
type BaseTrustedMaterial struct{}

func (*BaseTrustedMaterial) CTLogs

func (b *BaseTrustedMaterial) CTLogs() map[string]*TransparencyLog

func (*BaseTrustedMaterial) FulcioCertificateAuthorities

func (b *BaseTrustedMaterial) FulcioCertificateAuthorities() []CertificateAuthority

func (*BaseTrustedMaterial) PublicKeyVerifier

func (b *BaseTrustedMaterial) PublicKeyVerifier(_ string) (TimeConstrainedVerifier, error)

func (*BaseTrustedMaterial) RekorLogs

func (b *BaseTrustedMaterial) RekorLogs() map[string]*TransparencyLog

func (*BaseTrustedMaterial) TimestampingAuthorities

func (b *BaseTrustedMaterial) TimestampingAuthorities() []TimestampingAuthority

type CertificateAuthority

// CertificateAuthority verifies that a certificate chains to a trusted root.
//
// Verify takes the certificate under test and an observer timestamp — presumably
// the time at which the certificate's validity is evaluated (e.g. the signing
// time rather than the current clock; confirm) — and returns the verified
// chain(s) as [][]*x509.Certificate, or an error when verification fails.
// FulcioCertificateAuthority is the implementation in this package.
type CertificateAuthority interface {
	Verify(cert *x509.Certificate, observerTimestamp time.Time) ([][]*x509.Certificate, error)
}

func ParseCertificateAuthorities

func ParseCertificateAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (certificateAuthorities []CertificateAuthority, err error)

type ExpiringKey

// ExpiringKey is a TimeConstrainedVerifier with a static validity period. It
// embeds the signature.Verifier passed to NewExpiringKey and keeps the start and
// end of the validity period in unexported fields; ValidAtTime documents how an
// unset start or end is interpreted.
type ExpiringKey struct {
	signature.Verifier
	// contains filtered or unexported fields
}

ExpiringKey is a TimeConstrainedVerifier with a static validity period.

func NewExpiringKey

func NewExpiringKey(verifier signature.Verifier, validityPeriodStart, validityPeriodEnd time.Time) *ExpiringKey

NewExpiringKey returns a new ExpiringKey with the given validity period.

func (*ExpiringKey) ValidAtTime

func (k *ExpiringKey) ValidAtTime(t time.Time) bool

ValidAtTime returns true if the key is valid at the given time. If the validity period start time is not set, the key is considered valid for all times before the end time. Likewise, if the validity period end time is not set, the key is considered valid for all times after the start time.

type FulcioCertificateAuthority

// FulcioCertificateAuthority is the CertificateAuthority implementation for a
// Fulcio instance; ParseCertificateAuthority builds one from its protobuf form.
type FulcioCertificateAuthority struct {
	// Root is the trust anchor a verified chain terminates at.
	Root                *x509.Certificate
	// Intermediates are the additional certificates available for chain building.
	Intermediates       []*x509.Certificate
	// ValidityPeriodStart and ValidityPeriodEnd bound when this CA is trusted.
	// NOTE(review): a zero value presumably means "unbounded" on that side, as
	// ExpiringKey.ValidAtTime describes for keys — confirm in Verify.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// URI identifies the Fulcio instance.
	URI                 string
}

func ParseCertificateAuthority

func ParseCertificateAuthority(certAuthority *prototrustroot.CertificateAuthority) (*FulcioCertificateAuthority, error)

func (*FulcioCertificateAuthority) Verify

func (ca *FulcioCertificateAuthority) Verify(cert *x509.Certificate, observerTimestamp time.Time) ([][]*x509.Certificate, error)

type LiveTrustedRoot

// LiveTrustedRoot is a wrapper around TrustedRoot that periodically refreshes the
// trusted root from TUF, so long-running processes do not keep using an expired
// root. The embedded *TrustedRoot is presumably the most recent snapshot and the
// unexported fields hold the refresh state (confirm); construct it with
// NewLiveTrustedRoot.
type LiveTrustedRoot struct {
	*TrustedRoot
	// contains filtered or unexported fields
}

LiveTrustedRoot is a wrapper around TrustedRoot that periodically refreshes the trusted root from TUF. This is needed for long-running processes to ensure that the trusted root does not expire.

func NewLiveTrustedRoot

func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error)

NewLiveTrustedRoot returns a LiveTrustedRoot that will periodically refresh the trusted root from TUF.

func (*LiveTrustedRoot) CTLogs

func (l *LiveTrustedRoot) CTLogs() map[string]*TransparencyLog

func (*LiveTrustedRoot) FulcioCertificateAuthorities

func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority

func (*LiveTrustedRoot) PublicKeyVerifier

func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

func (*LiveTrustedRoot) RekorLogs

func (l *LiveTrustedRoot) RekorLogs() map[string]*TransparencyLog

func (*LiveTrustedRoot) TimestampingAuthorities

func (l *LiveTrustedRoot) TimestampingAuthorities() []TimestampingAuthority

type SigstoreTimestampingAuthority

// SigstoreTimestampingAuthority is the TimestampingAuthority implementation for a
// timestamping service described by a root/intermediate/leaf certificate chain.
// Its Verify checks a signed timestamp against the supplied signature bytes and
// returns the resulting Timestamp.
type SigstoreTimestampingAuthority struct {
	// Root is the trust anchor for the authority's certificate chain.
	Root                *x509.Certificate
	// Intermediates are the additional chain certificates.
	Intermediates       []*x509.Certificate
	// Leaf is the certificate presumably used to sign timestamps (confirm).
	Leaf                *x509.Certificate
	// ValidityPeriodStart and ValidityPeriodEnd bound when this authority is trusted.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// URI identifies the timestamping service.
	URI                 string
}

func (*SigstoreTimestampingAuthority) Verify

func (tsa *SigstoreTimestampingAuthority) Verify(signedTimestamp []byte, signatureBytes []byte) (*Timestamp, error)

type TimeConstrainedVerifier

// TimeConstrainedVerifier is a signature.Verifier whose use is bounded in time.
// A successful signature check is not sufficient on its own: callers should also
// confirm ValidAtTime for the observer time relevant to the artifact. ExpiringKey
// is the concrete implementation in this package.
type TimeConstrainedVerifier interface {
	ValidityPeriodChecker
	signature.Verifier
}

type Timestamp

// Timestamp is the result of a successful TimestampingAuthority.Verify.
type Timestamp struct {
	// Time is the instant asserted by the timestamping authority.
	Time time.Time
	// URI is presumably the URI of the authority that produced the timestamp (confirm).
	URI  string
}

type TimestampingAuthority

// TimestampingAuthority verifies signed timestamps.
//
// Verify takes the signed timestamp and the signature bytes it is expected to
// cover, and returns the extracted Timestamp or an error. The returned time is
// what callers should use as the observer time for time-bounded trust material
// (see CertificateAuthority.Verify and ValidityPeriodChecker).
// SigstoreTimestampingAuthority is the implementation in this package.
type TimestampingAuthority interface {
	Verify(signedTimestamp []byte, signatureBytes []byte) (*Timestamp, error)
}

func ParseTimestampingAuthorities

func ParseTimestampingAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (timestampingAuthorities []TimestampingAuthority, err error)

func ParseTimestampingAuthority

func ParseTimestampingAuthority(certAuthority *prototrustroot.CertificateAuthority) (TimestampingAuthority, error)

type TransparencyLog

// TransparencyLog describes a single transparency log instance — either a Rekor
// log or a certificate transparency log, as returned by TrustedMaterial.RekorLogs
// and CTLogs respectively. ParseTransparencyLogs builds the map of these from the
// protobuf form.
//
// Note that HashFunc and SignatureHashFunc are distinct: the former belongs to
// the Merkle tree, the latter to the log's signatures. Using one where the
// other is required will make verification fail (or, worse, pass for the wrong reason).
type TransparencyLog struct {
	// BaseURL is the log's endpoint.
	BaseURL             string
	// ID is the log identifier; presumably the map key in RekorLogs/CTLogs is an
	// encoded form of it (confirm).
	ID                  []byte
	// ValidityPeriodStart and ValidityPeriodEnd bound when this log is trusted.
	ValidityPeriodStart time.Time
	ValidityPeriodEnd   time.Time
	// This is the hash algorithm used by the Merkle tree
	HashFunc  crypto.Hash
	// PublicKey is the log's key, presumably used to verify its signatures (confirm).
	PublicKey crypto.PublicKey
	// The hash algorithm used during signature creation
	SignatureHashFunc crypto.Hash
}

type TrustedMaterial

// TrustedMaterial is the set of trust anchors a verifier consults: timestamping
// authorities, Fulcio certificate authorities, Rekor and certificate transparency
// logs (presumably keyed by log ID — confirm), and public keys looked up by key
// ID through PublicKeyVerifier.
//
// Every item exposes its own validity window (CertificateAuthority.Verify's
// observer timestamp, TransparencyLog.ValidityPeriodStart/End,
// TimeConstrainedVerifier.ValidAtTime), so finding a matching anchor is not by
// itself enough — validity at the observed time must also hold.
//
// Implemented by TrustedRoot, LiveTrustedRoot, TrustedPublicKeyMaterial and
// TrustedMaterialCollection.
type TrustedMaterial interface {
	TimestampingAuthorities() []TimestampingAuthority
	FulcioCertificateAuthorities() []CertificateAuthority
	RekorLogs() map[string]*TransparencyLog
	CTLogs() map[string]*TransparencyLog
	PublicKeyVerifier(string) (TimeConstrainedVerifier, error)
}

type TrustedMaterialCollection

// TrustedMaterialCollection is a slice of TrustedMaterial that itself satisfies
// TrustedMaterial. Its methods presumably aggregate (or search across) the
// elements in slice order — confirm against the source before relying on any
// precedence between members, e.g. which PublicKeyVerifier wins for a shared key ID.
type TrustedMaterialCollection []TrustedMaterial

func (TrustedMaterialCollection) CTLogs

func (TrustedMaterialCollection) FulcioCertificateAuthorities

func (tmc TrustedMaterialCollection) FulcioCertificateAuthorities() []CertificateAuthority

func (TrustedMaterialCollection) PublicKeyVerifier

func (tmc TrustedMaterialCollection) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

func (TrustedMaterialCollection) RekorLogs

func (tmc TrustedMaterialCollection) RekorLogs() map[string]*TransparencyLog

func (TrustedMaterialCollection) TimestampingAuthorities

func (tmc TrustedMaterialCollection) TimestampingAuthorities() []TimestampingAuthority

type TrustedPublicKeyMaterial

// TrustedPublicKeyMaterial is a TrustedMaterial backed only by public keys. It
// embeds BaseTrustedMaterial for the remaining methods and overrides
// PublicKeyVerifier with the lookup function given to NewTrustedPublicKeyMaterial
// (or the one derived from the key-ID map given to
// NewTrustedPublicKeyMaterialFromMapping), kept in an unexported field.
type TrustedPublicKeyMaterial struct {
	BaseTrustedMaterial
	// contains filtered or unexported fields
}

func NewTrustedPublicKeyMaterial

func NewTrustedPublicKeyMaterial(publicKeyVerifier func(string) (TimeConstrainedVerifier, error)) *TrustedPublicKeyMaterial

func NewTrustedPublicKeyMaterialFromMapping

func NewTrustedPublicKeyMaterialFromMapping(trustedPublicKeys map[string]*ExpiringKey) *TrustedPublicKeyMaterial

NewTrustedPublicKeyMaterialFromMapping returns a TrustedPublicKeyMaterial from a map of key IDs to ExpiringKeys.

func (*TrustedPublicKeyMaterial) PublicKeyVerifier

func (tr *TrustedPublicKeyMaterial) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error)

type TrustedRoot

// TrustedRoot is the in-memory form of a Sigstore trusted root document. It can
// be fetched from TUF (FetchTrustedRoot, FetchTrustedRootWithOptions,
// GetTrustedRoot), parsed from JSON, a file path or a protobuf
// (NewTrustedRootFromJSON, NewTrustedRootFromPath, NewTrustedRootFromProtobuf),
// or assembled directly with NewTrustedRoot; MarshalJSON serialises it back to
// JSON. The parsed authorities and logs live in unexported fields and are
// exposed through the TrustedMaterial methods.
type TrustedRoot struct {
	BaseTrustedMaterial
	// contains filtered or unexported fields
}

func FetchTrustedRoot

func FetchTrustedRoot() (*TrustedRoot, error)

FetchTrustedRoot fetches the Sigstore trusted root from TUF and returns it.

func FetchTrustedRootWithOptions

func FetchTrustedRootWithOptions(opts *tuf.Options) (*TrustedRoot, error)

FetchTrustedRootWithOptions fetches the trusted root from TUF with the given options and returns it.

func GetTrustedRoot

func GetTrustedRoot(c *tuf.Client) (*TrustedRoot, error)

GetTrustedRoot returns the trusted root fetched through the given TUF client.

func NewTrustedRoot

func NewTrustedRoot(mediaType string,
	certificateAuthorities []CertificateAuthority,
	certificateTransparencyLogs map[string]*TransparencyLog,
	timestampAuthorities []TimestampingAuthority,
	transparencyLogs map[string]*TransparencyLog) (*TrustedRoot, error)

NewTrustedRoot initializes a TrustedRoot object from a mediaType string, a list of Fulcio certificate authorities, a list of timestamp authorities, and maps of certificate transparency log and Rekor transparency log instances.

func NewTrustedRootFromJSON

func NewTrustedRootFromJSON(rootJSON []byte) (*TrustedRoot, error)

NewTrustedRootFromJSON returns the Sigstore trusted root.

func NewTrustedRootFromPath

func NewTrustedRootFromPath(path string) (*TrustedRoot, error)

func NewTrustedRootFromProtobuf

func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error)

func (*TrustedRoot) CTLogs

func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog

func (*TrustedRoot) FulcioCertificateAuthorities

func (tr *TrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority

func (*TrustedRoot) MarshalJSON

func (tr *TrustedRoot) MarshalJSON() ([]byte, error)

func (*TrustedRoot) RekorLogs

func (tr *TrustedRoot) RekorLogs() map[string]*TransparencyLog

func (*TrustedRoot) TimestampingAuthorities

func (tr *TrustedRoot) TimestampingAuthorities() []TimestampingAuthority

type ValidityPeriodChecker

// ValidityPeriodChecker reports whether a piece of trusted material may be used
// at a given instant. ValidAtTime is typically evaluated against the observer
// time relevant to the artifact (its signing or timestamping time) rather than
// the current clock; see ExpiringKey.ValidAtTime for how open-ended periods are
// handled.
type ValidityPeriodChecker interface {
	ValidAtTime(time.Time) bool
}
