package signing

v0.16.2

This package is not in the latest version of its module.

Published: Oct 18, 2024 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Constants

const (
	DIGESTMODE_LOCAL = "local" // (default) store nested digests locally in component descriptor
	DIGESTMODE_TOP   = "top"   // store aggregated nested digests in signed component version
)

Variables

var REALM = logging.NewRealm("signing")

Functions

func Apply

func Apply(printer common.Printer, state *WalkingState, cv ocm.ComponentVersionAccess, opts *Options, closecv ...bool) (*metav1.DigestSpec, error)

func ArtefactDigest

func ArtefactDigest(r *compdesc.Resource) metav1.ArtefactDigest

func DigestInfo

func DigestInfo(opts *Options, d *metav1.DigestSpec) (crypto.Hash, []byte, error)

func DigesterType

func DigesterType(digest *metav1.DigestSpec) ocm.DigesterType

func GetDigestMode

func GetDigestMode(cd *compdesc.ComponentDescriptor, def ...string) string

GetDigestMode checks whether the version has already been digested. If so, the digest mode used at that time fixes the mode for all further signing processes. If a version is still undigested, any mode is possible, and it is optionally defaulted by an additional argument.

func GetPublicKeyFromSignature

func GetPublicKeyFromSignature(sig *compdesc.Signature, sctx signing.SigningContext, opts *Options) (signutils.GenericPublicKey, error)

func ListComponentDescriptors added in v0.15.0

func ListComponentDescriptors(cv ocm.ComponentVersionAccess, state *WalkingState) []*compdesc.ComponentDescriptor

func NewRedirectedAccessMethod added in v0.15.0

func NewRedirectedAccessMethod(m ocm.AccessMethod, bacc ocm.DataAccess) ocm.AccessMethod

func NormalizedDigesterType

func NormalizedDigesterType(digest *metav1.DigestSpec) ocm.DigesterType

func RequireReProcessing

func RequireReProcessing(vi *VersionInfo, ctx *DigestContext, opts *Options) bool

func SignComponentVersion

func SignComponentVersion(cv ocm.ComponentVersionAccess, name string, optlist ...Option) (*metav1.DigestSpec, error)

func VerifyComponentVersion

func VerifyComponentVersion(cv ocm.ComponentVersionAccess, name string, optlist ...Option) (*metav1.DigestSpec, error)

func VerifyResourceDigest added in v0.15.0

func VerifyResourceDigest(cv ocm.ComponentVersionAccess, i int, bacc ocm.DataAccess, ostore ...VerifiedStore) (bool, error)

VerifyResourceDigest verifies the digest of a resource taken from a component version. The data of the resource (typically after fetching the content) is given by an ocm.DataAccess. The digest info used for verification is taken from the resource described by the component version that was used to retrieve the data. The component version itself is not verified.

If a VerifiedStore is given, the resource digest found in the component version must match the one described by the store (which should describe verified component version descriptors); otherwise the verification is rejected. If the store does not contain the verified component version, verification is rejected, because no verified resource digest can be determined. So, if no store is given, the given component version is assumed to be already verified. Only the digest of the downloaded resource is verified.

The function returns true if the verification has been executed. If an error occurs, or the verification fails, an appropriate error is returned. If the resource is not signature relevant, (false, nil) is returned.

func VerifyResourceDigestByResourceAccess added in v0.16.0

func VerifyResourceDigestByResourceAccess(cv ocm.ComponentVersionAccess, rAcc ocm.ResourceAccess, bacc ocm.DataAccess, ostore ...VerifiedStore) (bool, error)

VerifyResourceDigestByResourceAccess verifies the digest of a resource passed by ResourceAccess.

Types

type DigestContext

type DigestContext struct {
	*RootContextInfo

	Key        common.NameVersion
	Parent     *DigestContext
	Descriptor *compdesc.ComponentDescriptor
	Digest     *metav1.DigestSpec
	Signed     bool
	Source     common.NameVersion
	Refs       map[common.NameVersion]*metav1.DigestSpec
}

func NewDigestContext

func NewDigestContext(cd *compdesc.ComponentDescriptor, parent *DigestContext) *DigestContext

func (*DigestContext) GetDigests

func (dc *DigestContext) GetDigests() metav1.NestedDigests

func (*DigestContext) IsRoot

func (dc *DigestContext) IsRoot() bool

func (*DigestContext) Propagate

func (dc *DigestContext) Propagate(d *metav1.DigestSpec) error

func (*DigestContext) Use

func (dc *DigestContext) Use(ctx *DigestContext) error

func (*DigestContext) ValidFor

func (dc *DigestContext) ValidFor(ctx *DigestContext) bool

type Option

type Option interface {
	ApplySigningOption(o *Options)
}

func DigestMode

func DigestMode(name string) Option

DigestMode provides an option configuring the digest mode for a signing/verification operation. Possible values are

  • DIGESTMODE_LOCAL (default): all digest information is stored along with the component version it belongs to
  • DIGESTMODE_TOP (experimental): all digest information for referenced component versions is gathered in the initially signed component version

func Hash

func Hash(h signing.Hasher) Option

Hash provides an option requesting hashing with a dedicated hasher for a signing/hash operation.

func HashByAlgo

func HashByAlgo(algo string) Option

HashByAlgo provides an option requesting to use a dedicated hasher by name for a signing/hash operation. The effective hasher is taken from the hasher registry provided by the OCM context.

func Issuer

func Issuer(is string) Option

Issuer provides an option requesting to use a dedicated issuer name for a signing operation.

func IssuerFor

func IssuerFor(name string, is string) Option

func PKIXIssuer

func PKIXIssuer(is pkix.Name) Option

PKIXIssuer provides an option requesting to use a dedicated issuer name for a signing operation.

func PKIXIssuerFor

func PKIXIssuerFor(name string, is pkix.Name) Option

func Printer

func Printer(p common.Printer) Option

Printer provides an option configuring a printer for a signing/verification operation.

func PrivateKey

func PrivateKey(name string, key interface{}) Option

PrivateKey provides an option requesting to use a dedicated private key for a dedicated signature name for a signing operation.

func PublicKey

func PublicKey(name string, key interface{}) Option

PublicKey provides an option requesting to use a dedicated public key for a dedicated signature name for a verification operation.

func Recursive

func Recursive(flags ...bool) Option

Recursive provides an option configuring recursion for a signing/verification operation. If enabled the operation will be done for all component versions in the reference graph.

func Registry

func Registry(h signing.Registry) Option

Registry provides an option requesting to use a dedicated signing registry for a signing/verification operation. It is used to lookup signers, verifiers, hashers and signing public/private keys by name.

func Resolver

func Resolver(h ...ocm.ComponentVersionResolver) Option

Resolver provides an option requesting to use a dedicated component version resolver for a signing/verification operation. It is used to resolve references in component versions.

func RootCertificates

func RootCertificates(pool signutils.GenericCertificatePool) Option

RootCertificates provides an option requesting to use dedicated root certificates for a signing/verification operation using certificates.

func Sign

func Sign(h signing.Signer, name string) Option

Sign provides an option requesting signing for a dedicated name and signer for a signing operation.

func SignByAlgo

func SignByAlgo(algo string, name string) Option

SignByAlgo provides an option requesting signing with a signing algorithm for a signing operation. The effective signer is taken from the signer registry provided by the OCM context.

func SignatureName

func SignatureName(name string, reset ...bool) Option

SignatureName provides an option requesting to use dedicated signature names for a signing/verification operation.

func Signer

func Signer(h signing.Signer) Option

Signer provides an option requesting to use a dedicated signer for a signing/verification operation.

func SignerByAlgo

func SignerByAlgo(algo string) Option

SignerByAlgo provides an option requesting to use a dedicated signer by algorithm for a signing operation. The effective signer is taken from the signer registry provided by the OCM context.

func SkipAccessTypes

func SkipAccessTypes(names ...string) Option

SkipAccessTypes provides an option to declare dedicated resource types which should be excluded from digesting. This is a legacy option, required only for handling older component versions that are not yet completely configured with resource digests. The content of resources with the given types will be marked as not signature relevant.

func TSAUrl

func TSAUrl(url string) Option

TSAUrl selects the TSA server URL to use, if TSA mode is enabled.

func Update

func Update(flags ...bool) Option

Update provides an option configuring the update mode for a signing/verification operation. Only if enabled, state changes will be persisted.

func UseTSA

func UseTSA(flag ...bool) Option

UseTSA enables the usage of a timestamp server authority.

func UseVerifiedStore added in v0.15.0

func UseVerifiedStore(s ...VerifiedStore) Option

UseVerifiedStore configures a store providing verified component descriptors. If no store is given, a local store is created.

func VerifyDigests

func VerifyDigests(flags ...bool) Option

VerifyDigests provides an option requesting signature verification for a signing/verification operation.

func VerifySignature

func VerifySignature(names ...string) Option

VerifySignature provides an option requesting verification for dedicated signature names for a signing/verification operation. If no name is specified the names are taken from the component version.

type Options

type Options struct {
	Printer           common.Printer
	Update            bool
	Recursively       bool
	DigestMode        string
	Verify            bool
	SignAlgo          string
	Signer            signing.Signer
	Issuer            *pkix.Name
	VerifySignature   bool
	RootCerts         signutils.GenericCertificatePool
	HashAlgo          string
	Hasher            signing.Hasher
	Keys              signing.KeyRegistry
	Registry          signing.Registry
	Resolver          ocm.ComponentVersionResolver
	SkipAccessTypes   map[string]bool
	SignatureNames    []string
	NormalizationAlgo string
	Keyless           bool
	TSAUrl            string
	UseTSA            bool

	VerifiedStore VerifiedStore
	// contains filtered or unexported fields
}

func NewOptions

func NewOptions(list ...Option) *Options

func (*Options) ApplySigningOption

func (o *Options) ApplySigningOption(opts *Options)

func (*Options) Complete

func (o *Options) Complete(ctx interface{}) error

Complete takes either nil, an ocm.ContextProvider or a signing.Registry. To stay compatible with older versions, the parameter type has been changed to interface{} to support multiple variants.

func (*Options) DoSign

func (o *Options) DoSign() bool

func (*Options) DoUpdate

func (o *Options) DoUpdate() bool

func (*Options) DoVerify

func (o *Options) DoVerify() bool

func (*Options) Dup

func (o *Options) Dup() *Options

func (*Options) EffectiveTSAUrl

func (o *Options) EffectiveTSAUrl() string

func (*Options) Eval

func (opts *Options) Eval(list ...Option) *Options

func (*Options) GetIssuer

func (o *Options) GetIssuer() *pkix.Name

func (*Options) IssuerFor

func (o *Options) IssuerFor(name string) *pkix.Name

func (*Options) Nested

func (o *Options) Nested() *Options

func (*Options) PrivateKey

func (o *Options) PrivateKey() (signutils.GenericPrivateKey, error)

func (*Options) PublicKey

func (o *Options) PublicKey(sig string) signutils.GenericPublicKey

func (*Options) SignatureConfigured

func (o *Options) SignatureConfigured(name string) bool

func (*Options) SignatureName

func (o *Options) SignatureName() string

func (*Options) StopRecursion

func (o *Options) StopRecursion() *Options

func (*Options) StoreLocally

func (o *Options) StoreLocally() bool

func (*Options) WithDigestMode

func (o *Options) WithDigestMode(mode string) *Options

type RootContextInfo

type RootContextInfo struct {
	CtxKey     common.NameVersion
	Sign       bool
	DigestType ocm.DigesterType
	Hasher     signing.Hasher
	In         map[common.NameVersion]*metav1.NestedComponentDigests
	Out        map[common.NameVersion]*metav1.NestedComponentDigests
}

func (*RootContextInfo) GetPreset

type StorageDescriptor added in v0.15.0

type StorageDescriptor struct {
	ComponentVersions map[string]*StorageEntry `json:"componentVersions,omitempty"`
}

type StorageEntry added in v0.15.0

type StorageEntry struct {
	Signatures []string                             `json:"signatures,omitempty"`
	Descriptor *compdesc.GenericComponentDescriptor `json:"descriptor"`
}

type VerifiedStore added in v0.15.0

type VerifiedStore interface {
	Add(cd *compdesc.ComponentDescriptor, signatures ...string)
	Remove(n common.VersionedElement)
	Get(n common.VersionedElement) *compdesc.ComponentDescriptor
	GetEntry(n common.VersionedElement) *StorageEntry

	GetResourceDigest(n common.VersionedElement, id metav1.Identity) *metav1.DigestSpec
	GetResourceDigestByIndex(n common.VersionedElement, idx int) *metav1.DigestSpec

	Entries() []common.NameVersion

	Load() error
	Save() error
}

VerifiedStore is an interface for some kind of memory providing information about verified component versions and the digests of their verified artifacts. It is used to verify downloaded resource content without verifying the complete component version again. If the component version has already been marked as verified, only the digest of the downloaded content has to be compared with the digest already marked as verified in the context of its component version.

A typical implementation is a file based store, which stores the serialized component versions (see NewVerifiedStore).
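The verification contract documented for VerifyResourceDigest above and the VerifiedStore semantics, as an added Go example that is not part of the OCM package: it models a minimal in-memory verified store and a resource digest check with the same fail-closed rules (no store entry for the component version rejects, a descriptor digest that disagrees with the store rejects, a resource without a digest is reported as not signature relevant). NameVersion, DigestSpec, Resource, ComponentDescriptor, SHA256Digest, SampleDescriptor and the error values are simplified stand-ins constructed for this example, not the package's own types or API; the sample content is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// NameVersion identifies a component version (stand-in for common.NameVersion).
type NameVersion struct{ Name, Version string }
// DigestSpec is the digest a descriptor records for a resource (stand-in for metav1.DigestSpec).
type DigestSpec struct{ HashAlgorithm, Value string } // Value is lower-case hex

// Resource is one descriptor entry; a nil Digest marks it as not signature relevant.
type Resource struct {
	Name   string
	Digest *DigestSpec
}
// ComponentDescriptor is a reduced descriptor: identity plus resources.
type ComponentDescriptor struct {
	NameVersion
	Resources []Resource
}

// VerifiedStore is an in-memory record of already verified descriptors (cf. NewLocalVerifiedStore).
type VerifiedStore struct{ entries map[NameVersion]*ComponentDescriptor }

func NewLocalVerifiedStore() *VerifiedStore {
	return &VerifiedStore{entries: map[NameVersion]*ComponentDescriptor{}}
}
// Add records a descriptor as verified; the caller must have checked its signature first.
func (s *VerifiedStore) Add(cd *ComponentDescriptor) { s.entries[cd.NameVersion] = cd }
// GetResourceDigestByIndex returns the verified digest of resource idx, or nil if unknown.
func (s *VerifiedStore) GetResourceDigestByIndex(nv NameVersion, idx int) *DigestSpec {
	cd, ok := s.entries[nv]
	if !ok || idx < 0 || idx >= len(cd.Resources) {
		return nil
	}
	return cd.Resources[idx].Digest
}

var (
	ErrNotVerified     = errors.New("component version not present in verified store")
	ErrDescriptorDrift = errors.New("descriptor digest differs from the verified store")
	ErrDigestMismatch  = errors.New("downloaded content does not match the recorded digest")
)

func SHA256Digest(data []byte) *DigestSpec {
	sum := sha256.Sum256(data)
	return &DigestSpec{HashAlgorithm: "SHA-256", Value: hex.EncodeToString(sum[:])}
}

// VerifyResourceDigest follows the documented contract: (false, nil) if the resource is not
// signature relevant, (true, nil) if data matches, else an error; a nil store trusts cd itself.
func VerifyResourceDigest(cd *ComponentDescriptor, i int, data []byte, store *VerifiedStore) (bool, error) {
	if i < 0 || i >= len(cd.Resources) {
		return false, fmt.Errorf("resource index %d out of range", i)
	}
	expected := cd.Resources[i].Digest
	if expected == nil {
		return false, nil
	}
	if store != nil {
		verified := store.GetResourceDigestByIndex(cd.NameVersion, i)
		if verified == nil {
			return false, ErrNotVerified // no verified digest exists, so reject
		}
		if *verified != *expected {
			return false, ErrDescriptorDrift
		}
		expected = verified
	}
	if expected.HashAlgorithm != "SHA-256" {
		return false, fmt.Errorf("unsupported hash algorithm %q", expected.HashAlgorithm)
	}
	if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != expected.Value {
		return false, ErrDigestMismatch
	}
	return true, nil
}

// SampleDescriptor returns a constructed descriptor and the genuine content of its first resource.
func SampleDescriptor() (*ComponentDescriptor, []byte) {
	blob := []byte("constructed resource content v1")
	cd := &ComponentDescriptor{
		NameVersion: NameVersion{Name: "example.org/demo", Version: "1.0.0"},
		Resources:   []Resource{{Name: "config", Digest: SHA256Digest(blob)}, {Name: "legacy-blob"}},
	}
	return cd, blob
}

func main() {
	cd, blob := SampleDescriptor()
	store := NewLocalVerifiedStore()
	store.Add(cd)
	fmt.Println(VerifyResourceDigest(cd, 0, blob, store))
	fmt.Println(VerifyResourceDigest(cd, 0, []byte("tampered"), store))
}
```

The store is consulted before the content is hashed, so a descriptor fetched from an untrusted transport cannot substitute its own digest for the one recorded when the component version was verified; the comparison is against the store's copy, not the caller's.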

func NewLocalVerifiedStore added in v0.15.0

func NewLocalVerifiedStore() VerifiedStore

NewLocalVerifiedStore creates a memory based VerifiedStore.

func NewVerifiedStore added in v0.15.0

func NewVerifiedStore(path string, fss ...vfs.FileSystem) (VerifiedStore, error)

NewVerifiedStore loads or creates a new filesystem based VerifiedStore.

type VersionInfo

type VersionInfo struct {
	// contains filtered or unexported fields
}

VersionInfo keeps track of handled component versions and provides the digest context used for a dedicated root component this component version is digested for (by following component references).

func (*VersionInfo) CreateContext

func (vi *VersionInfo) CreateContext(cd *compdesc.ComponentDescriptor, parent *DigestContext) *DigestContext

func (*VersionInfo) GetContext

func (vi *VersionInfo) GetContext(nv common.NameVersion) *DigestContext

type WalkingState

type WalkingState struct {
	common.WalkingState[*VersionInfo, *DigestContext]
}

func DefaultWalkingState added in v0.15.0

func DefaultWalkingState(octx ocm.ContextProvider) *WalkingState

func NewWalkingState

func NewWalkingState(lctx ...logging.Context) WalkingState

func (*WalkingState) GetContext

func (s *WalkingState) GetContext(nv common.NameVersion, ctxkey common.NameVersion) *DigestContext
