signedattestation

package module

v0.0.0-...-5ebc1df Latest Latest Go to latest Published: Jan 17, 2024 License: Apache-2.0 Imports: 28 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/openpubkey/signed-attestation

Links

Open Source Insights

README ¶

Signed attestations with OpenPubkey

This library is for signing in-toto attestations with OpenPubkey.

Two functions are provided:

SignInTotoStatement takes an in-toto statement and returns a signed DSSE envelope.
VerifyInTotoEnvelope takes a signed DSSE envelope, verifies the signature, and returns the in-toto statement

That's it!

Documentation ¶

Index ¶

Constants
Variables
func NewOPKSignerVerifier(provider client.OpenIdProvider) dsse.SignerVerifier
func SignInTotoStatement(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*dsse.Envelope, error)
func VerifyInTotoEnvelope(ctx context.Context, env *dsse.Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)
func VerifyInTotoEnvelopeExt(ctx context.Context, env *Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)
func VerifyPayloadSignature(ctx context.Context, pkToken, payload []byte, signature string) (bool, error)
func WithTL(ctx context.Context, tl TL) context.Context
type Envelope
- func SignInTotoStatementExt(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*Envelope, error)
type Extension
type MockTL
type RekorTL
type Signature
type TL
- func GetTL(ctx context.Context) TL
type TlPayload

Constants ¶

View Source

const (
	DefaultRekorURL = "https://rekor.sigstore.dev"
	DefaultCtxKey   = "tl"
)

View Source

const (
	OpkSignatureID = "OPK"
)

Variables ¶

View Source

var TlCtxKey tlCtxKeyType

Functions ¶

func NewOPKSignerVerifier ¶

func NewOPKSignerVerifier(provider client.OpenIdProvider) dsse.SignerVerifier

func SignInTotoStatement ¶

func SignInTotoStatement(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*dsse.Envelope, error)

func VerifyInTotoEnvelope ¶

func VerifyInTotoEnvelope(ctx context.Context, env *dsse.Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)

func VerifyInTotoEnvelopeExt ¶

func VerifyInTotoEnvelopeExt(ctx context.Context, env *Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)

func VerifyPayloadSignature ¶

func VerifyPayloadSignature(ctx context.Context, pkToken, payload []byte, signature string) (bool, error)

VerifyPayloadSignature extracts the ephemeral ecdsa public key from a PK token and verifies the provided signature

func WithTL ¶

func WithTL(ctx context.Context, tl TL) context.Context

sets TL in context

Types ¶

type Envelope ¶

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged

func SignInTotoStatementExt ¶

func SignInTotoStatementExt(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*Envelope, error)

type Extension ¶

type Extension struct {
	Kind string         `json:"kind"`
	Ext  map[string]any `json:"ext"`
}

type MockTL ¶

type MockTL struct {
	UploadLogEntryFunc     func(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)
	VerifyLogEntryFunc     func(ctx context.Context, entryBytes []byte) error
	VerifyEntryPayloadFunc func(entryBytes, payload, pkToken []byte) error
	UnmarshalEntryFunc     func(entryBytes []byte) (any, error)
}

func (*MockTL) UnmarshalEntry ¶

func (tl *MockTL) UnmarshalEntry(entryBytes []byte) (any, error)

func (*MockTL) UploadLogEntry ¶

func (tl *MockTL) UploadLogEntry(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)

func (*MockTL) VerifyEntryPayload ¶

func (tl *MockTL) VerifyEntryPayload(entryBytes, payload, pkToken []byte) error

func (*MockTL) VerifyLogEntry ¶

func (tl *MockTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) error

type RekorTL ¶

type RekorTL struct{}

func (*RekorTL) UnmarshalEntry ¶

func (tl *RekorTL) UnmarshalEntry(entry []byte) (any, error)

func (*RekorTL) UploadLogEntry ¶

func (tl *RekorTL) UploadLogEntry(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)

UploadLogEntry submits a PK token signature to the transparency log

func (*RekorTL) VerifyEntryPayload ¶

func (tl *RekorTL) VerifyEntryPayload(entryBytes, payload, pkToken []byte) error

VerifyEntryPayload checks that the TL entry payload matches envelope payload

func (*RekorTL) VerifyLogEntry ¶

func (tl *RekorTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) error

VerifyLogEntry verifies a transparency log entry

type Signature ¶

type Signature struct {
	KeyID     string    `json:"keyid"`
	Sig       string    `json:"sig"`
	Extension Extension `json:"extension"`
}

type TL ¶

type TL interface {
	UploadLogEntry(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)
	VerifyLogEntry(ctx context.Context, entryBytes []byte) error
	VerifyEntryPayload(entryBytes, payload, pkToken []byte) error
	UnmarshalEntry(entryBytes []byte) (any, error)
}

func GetTL ¶

func GetTL(ctx context.Context) TL

gets TL from context, defaults to Rekor TL if not set

type TlPayload ¶

type TlPayload struct {
	Algorithm string
	Hash      string
	Signature string
	PublicKey string
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL