Documentation
¶
Index ¶
- Constants
- func CertificateExtensionValue(certificate *x509.Certificate, oid asn1.ObjectIdentifier) (string, bool, error)
- func DecodeBase64Bytes(raw []byte) ([]byte, error)
- func OIDCIssuerExtensionOID() asn1.ObjectIdentifier
- func ReadBase64EncodedFile(filePath string) ([]byte, error)
- func ReadCosignCertificate(filePath string) (*x509.Certificate, error)
- func ValidateCosignCertificate(certificate *x509.Certificate, expectedIdentity, expectedOIDCIssuer string, ...) error
- func VerifyBlobSignature(certificate *x509.Certificate, payload, signature []byte) error
- func VerifyCertificateChain(certificate *x509.Certificate, rootPEM, intermediatePEM string) error
- func VerifyFulcioCertificateChain(certificate *x509.Certificate) error
- func VerifySignedChecksums(checksumsPath, signaturePath, certificatePath, expectedIdentity, ... string, ...) error
- func VerifySignedChecksumsBundle(checksumsPath, bundlePath, expectedIdentity, expectedOIDCIssuer string, ...) error
Constants ¶
const ( // FulcioIntermediatePEM is the pinned Sigstore Fulcio intermediate certificate. // Source: https://fulcio.sigstore.dev/api/v1/rootCert FulcioIntermediatePEM = `` /* 789-byte string literal not displayed */ // FulcioRootPEM is the pinned Sigstore Fulcio root certificate. // Source: https://fulcio.sigstore.dev/api/v1/rootCert FulcioRootPEM = `` /* 740-byte string literal not displayed */ )
Variables ¶
This section is empty.
Functions ¶
func CertificateExtensionValue ¶
func CertificateExtensionValue(certificate *x509.Certificate, oid asn1.ObjectIdentifier) (string, bool, error)
CertificateExtensionValue extracts a string value from a certificate extension by OID.
func DecodeBase64Bytes ¶
DecodeBase64Bytes decodes base64 data, trying standard then raw encoding.
func OIDCIssuerExtensionOID ¶
func OIDCIssuerExtensionOID() asn1.ObjectIdentifier
OIDCIssuerExtensionOID returns a copy of the Sigstore Fulcio OIDC issuer certificate extension OID.
func ReadBase64EncodedFile ¶
ReadBase64EncodedFile reads a file and decodes its base64 content.
func ReadCosignCertificate ¶
func ReadCosignCertificate(filePath string) (*x509.Certificate, error)
ReadCosignCertificate reads and parses a PEM or base64-encoded X.509 certificate.
func ValidateCosignCertificate ¶
func ValidateCosignCertificate(certificate *x509.Certificate, expectedIdentity, expectedOIDCIssuer string, chainVerifier func(*x509.Certificate) error) error
ValidateCosignCertificate validates a Sigstore Fulcio certificate's identity, OIDC issuer, and chain.
func VerifyBlobSignature ¶
func VerifyBlobSignature(certificate *x509.Certificate, payload, signature []byte) error
VerifyBlobSignature verifies a signature over payload using the certificate's public key.
func VerifyCertificateChain ¶
func VerifyCertificateChain(certificate *x509.Certificate, rootPEM, intermediatePEM string) error
VerifyCertificateChain verifies a leaf certificate against the given root and intermediate PEMs.
func VerifyFulcioCertificateChain ¶
func VerifyFulcioCertificateChain(certificate *x509.Certificate) error
VerifyFulcioCertificateChain verifies the certificate against the pinned Sigstore Fulcio trust anchors.
func VerifySignedChecksums ¶
func VerifySignedChecksums(checksumsPath, signaturePath, certificatePath, expectedIdentity, expectedOIDCIssuer string, chainVerifier func(*x509.Certificate) error) error
VerifySignedChecksums verifies a cosign-signed checksums file.
func VerifySignedChecksumsBundle ¶ added in v0.4.1
func VerifySignedChecksumsBundle(checksumsPath, bundlePath, expectedIdentity, expectedOIDCIssuer string, chainVerifier func(*x509.Certificate) error) error
VerifySignedChecksumsBundle verifies a sigstore bundle JSON for a checksums file.
Types ¶
This section is empty.
Source Files