Documentation
¶
Index ¶
Constants ¶
const CacheDir = ".autogov"
default cache dir
const CacheExpirationHours = 24
default cache expiration
const CacheFile = "cert-identities.json"
default cache file
Variables ¶
This section is empty.
Functions ¶
func ResolveAcceptedIdentities ¶ added in v0.28.1
func ResolveAcceptedIdentities(ctx context.Context, certIdentity string, listOpts *Options) ([]string, error)
builds the effective signer allowlist (union): certIdentity accepted as-typed (operator vouches — NOT revocation-checked) unioned with the revocation-checked valid SANs from the configured list (if any). The list is loaded at most once. Fail-closed: any validator/load/resolution error is returned, and a configured list that resolves to zero acceptable identities (with no --cert-identity) is rejected rather than degrading to accept-any — per SLSA, a verifier must only accept provenance proving it came from an acceptable builder. Returns an empty slice ONLY when NEITHER a --cert-identity NOR a list is configured (the deliberate, separately-warned backward-compat unsafe case handled at the policy sites).
Types ¶
type Identity ¶
type Identity struct {
Version string `json:"version"`
Sha string `json:"sha"`
Status string `json:"status"`
Identities []string `json:"identities"`
Added string `json:"added"`
Expires string `json:"expires,omitempty"`
Revoked string `json:"revoked,omitempty"`
Reason string `json:"reason,omitempty"`
}
represents a single certificate identity
type IdentityList ¶
type IdentityList struct {
Identities []Identity `json:"identities,omitempty"`
Metadata struct {
LastUpdated string `json:"last_updated"`
Version string `json:"version"`
Maintainer string `json:"maintainer"`
} `json:"metadata"`
}
contains categorized lists of cert-ids
type Options ¶
type Options struct {
// url to fetch the identity list from
URL string
// disables caching
DisableCache bool
// dir to store cached identity lists
CacheDir string
}
configures the identity validator
type Validator ¶
type Validator struct {
// contains filtered or unexported fields
}
handles certificate identity validation
func NewValidator ¶
creates a new cert-id validator
func (*Validator) GetValidIdentities ¶
returns the loaded cert-id list returns all valid identities from both latest and approved lists
func (*Validator) GetValidIdentitySANs ¶ added in v0.28.1
returns the flat, deduped set of SANs from all valid identities, with each SAN re-checked through IsValidIdentity. GetValidIdentities filters by status/expiry only; running each candidate SAN through IsValidIdentity re-applies checkIfRevoked across ALL entries, so a SAN named in a separate status:"revoked" entry (by SAN or sha) is dropped — preserving the revocation rigor of the single-identity guard this enables removing.
func (*Validator) IsValidIdentity ¶
checks if the given cert-id is valid