Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Attestation
```go
type Attestation struct {
	// PublicKeyID is the ID of the public key that can verify the Attestation.
	PublicKeyID string
	// Signature stores the signature content for the Attestation. For PKIX,
	// this is only the raw signature. For PGP, this is an attached signature,
	// containing both the signature and message payload. For JWT, this is a
	// signed and serialized JWT.
	Signature []byte
	// SerializedPayload stores the payload over which the signature was
	// signed. This field is only used for PKIX Attestations.
	SerializedPayload []byte
}
```
Attestation is a generic wrapper for an attestation. It can store signatures generated by PGP or PKIX keys. Alternatively, it can store an attestation represented as a JWT.
type PublicKey
```go
type PublicKey struct {
	// KeyType stores the type of the public key, one of Pgp, Pkix, or Jwt.
	KeyType KeyType
	// KeyData holds the raw key material which can verify a signature.
	KeyData []byte
	// ID uniquely identifies this public key. For PGP, this should be the
	// OpenPGP RFC4880 V4 fingerprint of the key.
	ID string
}
```
PublicKey stores public key material for all key types.
func NewPublicKey
NewPublicKey creates a new PublicKey. `keyType` contains the type of the public key, one of Pgp, Pkix or Jwt. `keyData` contains the raw key material. `keyID` contains a unique identifier for the public key. For PGP, this should be the OpenPGP RFC4880 V4 fingerprint of the key.
type SignatureAlgorithm
```go
type SignatureAlgorithm int
```
SignatureAlgorithm specifies the algorithm and hashing functions used to sign PKIX and JWT Attestations.
```go
const (
	UnknownSigningAlgorithm SignatureAlgorithm = iota
	// RSASSA-PSS 2048 bit key with a SHA256 digest.
	RsaPss2048Sha256
	// RSASSA-PSS 3072 bit key with a SHA256 digest.
	RsaPss3072Sha256
	// RSASSA-PSS 4096 bit key with a SHA256 digest.
	RsaPss4096Sha256
	// RSASSA-PSS 4096 bit key with a SHA512 digest.
	RsaPss4096Sha512
	// RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
	RsaSignPkcs12048Sha256
	// RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
	RsaSignPkcs13072Sha256
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
	RsaSignPkcs14096Sha256
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
	RsaSignPkcs14096Sha512
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	EcdsaP256Sha256
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	EcdsaP384Sha384
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	EcdsaP521Sha512
)
```
Enumeration of SignatureAlgorithm values.
type Signer
```go
type Signer interface {
	// CreateAttestation creates an Attestation whose signature is generated by
	// signing the given payload with the private key. For PGP and PKIX, `payload`
	// should be the raw payload data. For JWT, `payload` should be a serialized
	// but unsigned token.
	CreateAttestation(payload []byte) (*Attestation, error)
}
```
Signer contains methods to create a signed Attestation.
func NewJwtSigner
```go
func NewJwtSigner(privateKey []byte, publicKeyID string, alg SignatureAlgorithm) (Signer, error)
```
NewJwtSigner creates a Signer interface for JWT Attestations. `publicKeyID` is the ID of the public key that can verify the Attestation signature. TODO: Explain formatting of JWT private keys.
func NewPgpSigner
NewPgpSigner creates a Signer interface for PGP Attestations. `privateKey` contains the ASCII-armored private key.
func NewPkixSigner
```go
func NewPkixSigner(privateKey []byte, publicKeyID string, alg SignatureAlgorithm) (Signer, error)
```
NewPkixSigner creates a Signer interface for PKIX Attestations. `privateKey` contains the PEM-encoded private key. `publicKeyID` is the ID of the public key that can verify the Attestation signature.
type Verifier
```go
type Verifier interface {
	// VerifyAttestation verifies whether an Attestation satisfies at least one
	// of the public keys under an image. This function finds the public key
	// whose ID matches the attestation's PublicKeyID, and uses this key to
	// verify the signature.
	VerifyAttestation(att *Attestation) error
}
```
Verifier contains methods to validate an Attestation.
func NewVerifier
NewVerifier creates a Verifier interface for verifying Attestations. `image` contains the untruncated image name <image_name@digest> of the image that was signed. This should be provided directly by the policy evaluator, NOT by the Attestation. `publicKeySet` contains a list of PublicKeys that the Verifier will use to try to verify an Attestation.
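The following is an added, stand-alone example that is not code from this package: it reproduces the PKIX Signer/Verifier flow described for CreateAttestation and VerifyAttestation with only the Go standard library, so the key-lookup-by-ID step and the "image comes from the policy evaluator, not from the Attestation" rule can be seen end to end. The `Attestation` and `PublicKey` types are local copies of the structs documented above (PKIX fields only; `KeyType` is omitted). The JSON payload shape that names the image, the key ID `example-key-1`, and the image names passed to `RoundTrip` are constructed for this example; the page does not show the library's real payload format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// Local copies of the page's structs, restricted to the PKIX case.
type Attestation struct {
	PublicKeyID       string
	Signature         []byte // raw ECDSA signature (ASN.1 DER)
	SerializedPayload []byte // bytes the signature was computed over
}

type PublicKey struct {
	KeyData []byte // PEM-encoded PKIX (SubjectPublicKeyInfo) public key
	ID      string // matched against Attestation.PublicKeyID
}

// payload is an ASSUMED shape binding an attestation to one image; the library's
// real payload format is not shown on the page.
type payload struct {
	Image string `json:"image"`
	Note  string `json:"note"`
}

// pkixSigner signs SHA-256(payload) with a P-256 key, i.e. EcdsaP256Sha256.
type pkixSigner struct {
	priv        *ecdsa.PrivateKey
	publicKeyID string
}

func (s *pkixSigner) CreateAttestation(p []byte) (*Attestation, error) {
	digest := sha256.Sum256(p)
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Attestation{PublicKeyID: s.publicKeyID, Signature: sig, SerializedPayload: p}, nil
}

// pkixVerifier carries the image the policy evaluator is asking about; that value is
// never read from the attestation itself.
type pkixVerifier struct {
	image string
	keys  []PublicKey
}

func (v *pkixVerifier) VerifyAttestation(att *Attestation) error {
	var key *PublicKey // 1. select the trusted key whose ID the attestation names
	for i := range v.keys {
		if v.keys[i].ID == att.PublicKeyID {
			key = &v.keys[i]
			break
		}
	}
	if key == nil {
		return fmt.Errorf("no trusted public key with ID %q", att.PublicKeyID)
	}
	block, _ := pem.Decode(key.KeyData) // 2. parse the key and check the signature
	if block == nil {
		return errors.New("public key is not PEM-encoded")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	ecPub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("public key is not ECDSA")
	}
	digest := sha256.Sum256(att.SerializedPayload)
	if !ecdsa.VerifyASN1(ecPub, digest[:], att.Signature) {
		return errors.New("signature does not verify")
	}
	var p payload // 3. only a verified payload is parsed and compared with the expected image
	if err := json.Unmarshal(att.SerializedPayload, &p); err != nil {
		return fmt.Errorf("payload is not valid JSON: %w", err)
	}
	if p.Image != v.image {
		return fmt.Errorf("attestation is for %q, policy asked about %q", p.Image, v.image)
	}
	return nil
}

// RoundTrip signs a constructed payload for goodImage with a throwaway P-256 key and
// returns the verification result for: the genuine attestation, a payload edited after
// signing, a verifier asking about wrongImage, and a verifier that lacks the key.
func RoundTrip(goodImage, wrongImage string) (okErr, tamperedErr, wrongImageErr, unknownKeyErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pub := PublicKey{KeyData: pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), ID: "example-key-1"}
	signer := &pkixSigner{priv: priv, publicKeyID: pub.ID}
	body, _ := json.Marshal(payload{Image: goodImage, Note: "built by CI"}) // constructed payload
	att, err := signer.CreateAttestation(body)
	if err != nil {
		return err, err, err, err
	}
	okErr = (&pkixVerifier{image: goodImage, keys: []PublicKey{pub}}).VerifyAttestation(att)
	tampered := *att
	tampered.SerializedPayload, _ = json.Marshal(payload{Image: goodImage, Note: "edited after signing"})
	tamperedErr = (&pkixVerifier{image: goodImage, keys: []PublicKey{pub}}).VerifyAttestation(&tampered)
	wrongImageErr = (&pkixVerifier{image: wrongImage, keys: []PublicKey{pub}}).VerifyAttestation(att)
	unknownKeyErr = (&pkixVerifier{image: goodImage, keys: nil}).VerifyAttestation(att)
	return
}

func main() {
	ok, tam, wrong, unk := RoundTrip("example.com/app@sha256:aaaa", "example.com/other@sha256:bbbb")
	fmt.Println("genuine:", ok, "| tampered:", tam, "| wrong image:", wrong, "| unknown key:", unk)
}
```

The order inside VerifyAttestation matters: the key is chosen by the ID the attestation carries, but that only narrows the search to keys the policy already trusts, and the payload is parsed and compared with the evaluator-supplied image only after the signature over it has verified.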