Documentation ¶
Index ¶
- Constants
- func CheckExpiry(cert *x509.Certificate, it time.Time) error
- func ComputeLeafHash(e *models.LogEntryAnon) ([]byte, error)
- func ConfirmPrompt(msg string) (bool, error)
- func FileExists(filename string) bool
- func FindTLogEntriesByPayload(ctx context.Context, rekorClient *client.Rekor, payload []byte) (uuids []string, err error)
- func FindTlogEntry(ctx context.Context, rekorClient *client.Rekor, b64Sig string, ...) (entry *models.LogEntryAnon, err error)
- func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
- func GetPassFromTerm(confirm bool) ([]byte, error)
- func GetRekorPubs(ctx context.Context) (map[string]RekorPubKey, error)
- func GetTlogEntry(ctx context.Context, rekorClient *client.Rekor, uuid string) (*models.LogEntryAnon, error)
- func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
- func IsTerminal() bool
- func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)
- func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error)
- func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
- func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, ...) (*models.LogEntryAnon, error)
- func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
- func TrustedCert(cert *x509.Certificate, roots *x509.CertPool, intermediates *x509.CertPool) ([][]*x509.Certificate, error)
- func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Verifier, error)
- func ValidateAndUnpackCertWithChain(cert *x509.Certificate, chain []*x509.Certificate, co *CheckOpts) (signature.Verifier, error)
- func VerifyBundle(ctx context.Context, sig oci.Signature) (bool, error)
- func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
- func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)
- func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
- func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
- func VerifySET(bundlePayload cbundle.RekorPayload, signature []byte, pub *ecdsa.PublicKey) error
- func VerifyTLogEntry(ctx context.Context, rekorClient *client.Rekor, e *models.LogEntryAnon) error
- type AttestationPayload
- type CheckOpts
- type Identity
- type Keys
- type KeysBytes
- type LocalSignedPayload
- type PassFunc
- type RekorPubKey
- type Signatures
- type SignedPayload
Constants ¶
const ( Signature = "signature" SBOM = "sbom" Attestation = "attestation" )
const ( CosignPrivateKeyPemType = "ENCRYPTED COSIGN PRIVATE KEY" // PEM-encoded PKCS #1 RSA private key RSAPrivateKeyPemType = "RSA PRIVATE KEY" // PEM-encoded ECDSA private key ECPrivateKeyPemType = "EC PRIVATE KEY" // PEM-encoded PKCS #8 RSA, ECDSA or ED25519 private key PrivateKeyPemType = "PRIVATE KEY" BundleKey = static.BundleAnnotationKey )
Variables ¶
This section is empty.
Functions ¶
func CheckExpiry ¶ added in v1.5.0
func CheckExpiry(cert *x509.Certificate, it time.Time) error
CheckExpiry confirms the time provided is within the valid period of the cert
func ComputeLeafHash ¶ added in v1.7.0
func ComputeLeafHash(e *models.LogEntryAnon) ([]byte, error)
func ConfirmPrompt ¶ added in v1.7.0
func FileExists ¶ added in v1.5.0
TODO need to centralize this logic
func FindTLogEntriesByPayload ¶ added in v1.3.1
func FindTlogEntry ¶
func GeneratePrivateKey ¶
func GeneratePrivateKey() (*ecdsa.PrivateKey, error)
func GetPassFromTerm ¶ added in v1.5.0
func GetRekorPubs ¶ added in v1.6.0
func GetRekorPubs(ctx context.Context) (map[string]RekorPubKey, error)
GetRekorPubs retrieves trusted Rekor public keys from the embedded or cached TUF root. If expired, makes a network call to retrieve the updated targets.
func GetTlogEntry ¶ added in v1.3.1
func IntotoSubjectClaimVerifier ¶ added in v1.0.0
func IntotoSubjectClaimVerifier(sig oci.Signature, imageDigest v1.Hash, _ map[string]interface{}) error
IntotoSubjectClaimVerifier verifies that sig.Payload() is an Intoto statement which references the given image digest.
func IsTerminal ¶ added in v1.5.0
func IsTerminal() bool
func LoadPrivateKey ¶
func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error)
func SimpleClaimVerifier ¶ added in v1.0.0
func SimpleClaimVerifier(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error
SimpleClaimVerifier verifies that sig.Payload() is a SimpleContainerImage payload which references the given image digest and contains the given annotations.
func TLogUpload ¶ added in v1.0.1
func TLogUpload(ctx context.Context, rekorClient *client.Rekor, signature, payload []byte, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUpload will upload the signature, public key and payload to the transparency log.
func TLogUploadInTotoAttestation ¶ added in v1.0.1
func TLogUploadInTotoAttestation(ctx context.Context, rekorClient *client.Rekor, signature, pemBytes []byte) (*models.LogEntryAnon, error)
TLogUploadInTotoAttestation will upload and in-toto entry for the signature and public key to the transparency log.
func TrustedCert ¶
func TrustedCert(cert *x509.Certificate, roots *x509.CertPool, intermediates *x509.CertPool) ([][]*x509.Certificate, error)
func ValidateAndUnpackCert ¶ added in v1.5.0
ValidateAndUnpackCert creates a Verifier from a certificate. Veries that the certificate chains up to a trusted root. Optionally verifies the subject and issuer of the certificate.
func ValidateAndUnpackCertWithChain ¶ added in v1.7.0
func ValidateAndUnpackCertWithChain(cert *x509.Certificate, chain []*x509.Certificate, co *CheckOpts) (signature.Verifier, error)
ValidateAndUnpackCertWithChain creates a Verifier from a certificate. Verifies that the certificate chains up to the provided root. Chain should start with the parent of the certificate and end with the root. Optionally verifies the subject and issuer of the certificate.
func VerifyBundle ¶ added in v1.3.0
func VerifyImageAttestations ¶ added in v1.3.1
func VerifyImageAttestations(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
VerifyAttestations does all the main cosign checks in a loop, returning the verified attestations. If there were no valid attestations, we return an error.
func VerifyImageSignature ¶ added in v1.5.0
func VerifyImageSignature(ctx context.Context, sig oci.Signature, h v1.Hash, co *CheckOpts) (bundleVerified bool, err error)
VerifyImageSignature verifies a signature
func VerifyImageSignatures ¶ added in v1.3.1
func VerifyImageSignatures(ctx context.Context, signedImgRef name.Reference, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifyImageSignatures does all the main cosign checks in a loop, returning the verified signatures. If there were no valid signatures, we return an error.
func VerifyLocalImageAttestations ¶ added in v1.4.1
func VerifyLocalImageAttestations(ctx context.Context, path string, co *CheckOpts) (checkedAttestations []oci.Signature, bundleVerified bool, err error)
VerifyLocalImageAttestations verifies attestations from a saved, local image, without any network calls, returning the verified attestations. If there were no valid signatures, we return an error.
func VerifyLocalImageSignatures ¶ added in v1.4.1
func VerifyLocalImageSignatures(ctx context.Context, path string, co *CheckOpts) (checkedSignatures []oci.Signature, bundleVerified bool, err error)
VerifyLocalImageSignatures verifies signatures from a saved, local image, without any network calls, returning the verified signatures. If there were no valid signatures, we return an error.
func VerifyTLogEntry ¶ added in v0.4.0
Types ¶
type AttestationPayload ¶ added in v1.5.0
type AttestationPayload struct { PayloadType string `json:"payloadType"` PayLoad string `json:"payload"` Signatures []Signatures `json:"signatures"` }
func FetchAttestationsForReference ¶ added in v1.5.0
type CheckOpts ¶
type CheckOpts struct { // RegistryClientOpts are the options for interacting with the container registry. RegistryClientOpts []ociremote.Option // Annotations optionally specifies image signature annotations to verify. Annotations map[string]interface{} // ClaimVerifier, if provided, verifies claims present in the oci.Signature. ClaimVerifier func(sig oci.Signature, imageDigest v1.Hash, annotations map[string]interface{}) error // RekorClient, if set, is used to use to verify signatures and public keys. RekorClient *client.Rekor // SigVerifier is used to verify signatures. SigVerifier signature.Verifier // PKOpts are the options provided to `SigVerifier.PublicKey()`. PKOpts []signature.PublicKeyOption // RootCerts are the root CA certs used to verify a signature's chained certificate. RootCerts *x509.CertPool // IntermediateCerts are the optional intermediate CA certs used to verify a certificate chain. IntermediateCerts *x509.CertPool // CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid. CertEmail string // CertOidcIssuer is the OIDC issuer expected for a certificate to be valid. The empty string means any certificate can be valid. CertOidcIssuer string // EnforceSCT requires that a certificate contain an embedded SCT during verification. An SCT is proof of inclusion in a // certificate transparency log. EnforceSCT bool // SignatureRef is the reference to the signature file SignatureRef string // Identities is an array of Identity (Subject, Issuer) matchers that have // to be met for the signature to ve valid. // Supercedes CertEmail / CertOidcIssuer Identities []Identity }
CheckOpts are the options for checking signatures.
type Identity ¶
Identity specifies an issuer/subject to verify a signature against. Both Issuer/Subject support regexp.
type KeysBytes ¶ added in v1.5.0
type KeysBytes struct { PrivateBytes []byte PublicBytes []byte // contains filtered or unexported fields }
func GenerateKeyPair ¶
func ImportKeyPair ¶ added in v1.5.0
type LocalSignedPayload ¶ added in v1.5.0
type LocalSignedPayload struct { Base64Signature string `json:"base64Signature"` Cert string `json:"cert,omitempty"` Bundle *bundle.RekorBundle `json:"rekorBundle,omitempty"` }
func FetchLocalSignedPayloadFromPath ¶ added in v1.5.0
func FetchLocalSignedPayloadFromPath(path string) (*LocalSignedPayload, error)
FetchLocalSignedPayloadFromPath fetches a local signed payload from a path to a file
type PassFunc ¶
PassFunc is the function to be called to retrieve the signer password. If nil, then it assumes that no password is provided.
type RekorPubKey ¶ added in v1.6.0
type RekorPubKey struct { PubKey *ecdsa.PublicKey Status tuf.StatusKind }
RekorPubKey contains the ECDSA verification key and the current status of the key according to TUF metadata, whether it's active or expired.
type Signatures ¶ added in v1.5.0
type SignedPayload ¶
type SignedPayload struct { Base64Signature string Payload []byte Cert *x509.Certificate Chain []*x509.Certificate Bundle *bundle.RekorBundle }