certid

package
v0.32.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 26, 2026 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Index

Constants

View Source
const CacheDir = ".autogov"

default cache dir

View Source
const CacheExpirationHours = 24

default cache expiration

View Source
const CacheFile = "cert-identities.json"

default cache file

Variables

This section is empty.

Functions

func ResolveAcceptedIdentities added in v0.28.1

func ResolveAcceptedIdentities(ctx context.Context, certIdentity string, listOpts *Options) ([]string, error)

builds the effective signer allowlist (union): certIdentity accepted as-typed (operator vouches — NOT revocation-checked) unioned with the revocation-checked valid SANs from the configured list (if any). The list is loaded at most once. Fail-closed: any validator/load/resolution error is returned, and a configured list that resolves to zero acceptable identities (with no --cert-identity) is rejected rather than degrading to accept-any — per SLSA, a verifier must only accept provenance proving it came from an acceptable builder. Returns an empty slice ONLY when NEITHER a --cert-identity NOR a list is configured (the deliberate, separately-warned backward-compat unsafe case handled at the policy sites).

Types

type Identity

type Identity struct {
	Version    string   `json:"version"`
	Sha        string   `json:"sha"`
	Status     string   `json:"status"`
	Identities []string `json:"identities"`
	Added      string   `json:"added"`
	Expires    string   `json:"expires,omitempty"`
	Revoked    string   `json:"revoked,omitempty"`
	Reason     string   `json:"reason,omitempty"`
}

represents a single certificate identity

type IdentityList

type IdentityList struct {
	Identities []Identity `json:"identities,omitempty"`
	Metadata   struct {
		LastUpdated string `json:"last_updated"`
		Version     string `json:"version"`
		Maintainer  string `json:"maintainer"`
	} `json:"metadata"`
}

contains categorized lists of cert-ids

type Options

type Options struct {
	// url to fetch the identity list from
	URL string
	// disables caching
	DisableCache bool
	// dir to store cached identity lists
	CacheDir string
}

configures the identity validator

func DefaultOptions

func DefaultOptions() Options

returns the default id validator options

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

handles certificate identity validation

func NewValidator

func NewValidator(opts Options) (*Validator, error)

creates a new cert-id validator

func (*Validator) GetValidIdentities

func (v *Validator) GetValidIdentities() ([]Identity, error)

returns the loaded cert-id list returns all valid identities from both latest and approved lists

func (*Validator) GetValidIdentitySANs added in v0.28.1

func (v *Validator) GetValidIdentitySANs() ([]string, error)

returns the flat, deduped set of SANs from all valid identities, with each SAN re-checked through IsValidIdentity. GetValidIdentities filters by status/expiry only; running each candidate SAN through IsValidIdentity re-applies checkIfRevoked across ALL entries, so a SAN named in a separate status:"revoked" entry (by SAN or sha) is dropped — preserving the revocation rigor of the single-identity guard this enables removing.

func (*Validator) IsValidIdentity

func (v *Validator) IsValidIdentity(certIdentity string) (bool, error)

checks if the given cert-id is valid

func (*Validator) LoadIdentities

func (v *Validator) LoadIdentities(ctx context.Context) error

loads the cert-id list from the remote source, local file, or cache

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL