Constants ¶
// Key spec names supported by the plugin contract. DescribeKeyResponse.KeySpec
// reports one of these values; GenerateSignatureRequest.KeySpec is expected to
// carry one as well. Use ParseKeySpec / KeySpecString to convert to and from
// signature.KeySpec rather than comparing these strings by hand.
const (
	RSA_2048 = "RSA-2048"
	RSA_3072 = "RSA-3072"
	RSA_4096 = "RSA-4096"
	EC_256   = "EC-256"
	EC_384   = "EC-384"
	EC_521   = "EC-521"
)
The constants above are the key spec names supported by the plugin contract; a key spec in a request or response must be one of them.
// Hash algorithm names supported by the plugin contract.
// GenerateSignatureRequest.Hash (JSON field "hashAlgorithm") is expected to
// carry one of these values. KeySpecHashString maps a key spec to its hash name.
const (
	SHA_256 = "SHA-256"
	SHA_384 = "SHA-384"
	SHA_512 = "SHA-512"
)
The constants above are the hash algorithm names supported by the plugin contract; a hash algorithm in a request must be one of them.
// Signing algorithm names supported by the plugin contract.
// GenerateSignatureResponse.SigningAlgorithm is expected to carry one of these.
// Only ECDSA and RSASSA-PSS variants are listed; RSA PKCS#1 v1.5 is not among
// the supported names. Use ParseSigningAlgorithm / SigningAlgorithmString to
// convert to and from signature.Algorithm.
const (
	ECDSA_SHA_256      = "ECDSA-SHA-256"
	ECDSA_SHA_384      = "ECDSA-SHA-384"
	ECDSA_SHA_512      = "ECDSA-SHA-512"
	RSASSA_PSS_SHA_256 = "RSASSA-PSS-SHA-256"
	RSASSA_PSS_SHA_384 = "RSASSA-PSS-SHA-384"
	RSASSA_PSS_SHA_512 = "RSASSA-PSS-SHA-512"
)
The constants above are the signing algorithm names supported by the plugin contract; a signing algorithm in a response must be one of them.
// Capabilities a plugin may advertise in Metadata.Capabilities. Each
// capability implies the commands listed in the Command constants.
const (
	// CapabilitySignatureGenerator is the name of the capability
	// for a plugin to support generating raw signatures
	// (commands describe-key and generate-signature).
	CapabilitySignatureGenerator Capability = "SIGNATURE_GENERATOR.RAW"
	// CapabilityEnvelopeGenerator is the name of the capability
	// for a plugin to support generating envelope signatures
	// (command generate-envelope).
	CapabilityEnvelopeGenerator Capability = "SIGNATURE_GENERATOR.ENVELOPE"
	// CapabilityTrustedIdentityVerifier is the name of the capability
	// for a plugin to support verifying trusted identities. It has the
	// same string value as VerificationCapabilityTrustedIdentity.
	CapabilityTrustedIdentityVerifier = Capability(VerificationCapabilityTrustedIdentity)
	// CapabilityRevocationCheckVerifier is the name of the capability
	// for a plugin to support verifying revocation checks. It has the
	// same string value as VerificationCapabilityRevocationCheck.
	CapabilityRevocationCheckVerifier = Capability(VerificationCapabilityRevocationCheck)
)
// ContractVersion is the <major>.<minor> version of the plugin contract that
// this package implements. Every request type carries it in its
// ContractVersion field; a plugin that does not support the version is
// expected to answer with ErrorCodeUnsupportedContractVersion.
const ContractVersion = "1.0"
ContractVersion is the <major>.<minor> version of the plugin contract.
// Prefix is the prefix required on all plugin binary names.
//
// NOTE(review): plugins are located by binary name, so the directory they are
// loaded from must be trusted (not writable by untrusted users); confirm how
// the loader resolves plugin paths before relying on the prefix alone.
const Prefix = "notation-"
Prefix is the prefix required on all plugin binary names.
Variables ¶
This section is empty.
Functions ¶
func KeySpecHashString ¶
KeySpecHashString returns the name of the hash function associated with key spec k, according to the spec.
func KeySpecString ¶
KeySpecString returns the name of key spec k according to the spec (one of the key spec constants above).
func ParseKeySpec ¶
ParseKeySpec parses a key spec name (for example "EC-256") into a signature.KeySpec, returning an error if raw is not a supported name.
func ParseSigningAlgorithm ¶
ParseSigningAlgorithm parses a signing algorithm name (for example "ECDSA-SHA-256") into a signature.Algorithm, returning an error if raw is not a supported name.
func SigningAlgorithmString ¶
SigningAlgorithmString returns the spec-defined name of signing algorithm alg (one of the signing algorithm constants above).
Types ¶
type Capability ¶
// Capability is a feature available in the plugin contract. A plugin
// advertises its capabilities in Metadata.Capabilities; see the Capability*
// constants for the defined values.
type Capability string
Capability is a feature available in the plugin contract.
func (Capability) In ¶
func (c Capability) In(capabilities []Capability) bool
In returns true if the Capability is present in the given slice of capabilities.
type Command ¶
// Command is a CLI command available in the plugin contract. Every Request
// reports the command it belongs to via Request.Command(); see the Command*
// constants for the defined values.
type Command string
Command is a CLI command available in the plugin contract.
// Commands defined by the plugin contract. Which commands a plugin must
// implement follows from the capabilities it advertises.
const (
	// CommandGetMetadata is the name of the plugin command
	// which must be supported by every plugin and returns the
	// plugin metadata.
	CommandGetMetadata Command = "get-plugin-metadata"
	// CommandDescribeKey is the name of the plugin command
	// which must be supported by every plugin that has the
	// SIGNATURE_GENERATOR.RAW capability.
	CommandDescribeKey Command = "describe-key"
	// CommandGenerateSignature is the name of the plugin command
	// which must be supported by every plugin that has the
	// SIGNATURE_GENERATOR.RAW capability.
	CommandGenerateSignature Command = "generate-signature"
	// CommandGenerateEnvelope is the name of the plugin command
	// which must be supported by every plugin that has the
	// SIGNATURE_GENERATOR.ENVELOPE capability.
	CommandGenerateEnvelope Command = "generate-envelope"
	// CommandVerifySignature is the name of the plugin command
	// which must be supported by every plugin that has
	// any SIGNATURE_VERIFIER.* capability (see the
	// VerificationCapability constants).
	CommandVerifySignature Command = "verify-signature"
)
type CriticalAttributes ¶
// CriticalAttributes contains all Notary V2 defined critical attributes and
// their values in the signature envelope. Critical attributes are the ones a
// verifier is required to understand.
//
// NOTE(review): attributes a verifier does not handle are presumably reported
// through Signature.UnprocessedAttributes / VerifySignatureResponse.ProcessedAttributes,
// and verification is expected to fail if any critical attribute is left
// unprocessed — confirm against the plugin spec.
type CriticalAttributes struct {
	// ContentType is presumably the media type of the signed payload — confirm
	// against the signature spec.
	ContentType string `json:"contentType"`
	// SigningScheme is expected to be one of the SigningScheme constant values
	// (for example "notary.default.x509"); it is carried here as a plain string.
	SigningScheme string `json:"signingScheme"`
	// Expiry, when set, is the signature's expiry time; omitted from the JSON
	// when nil.
	Expiry *time.Time `json:"expiry,omitempty"`
	// AuthenticSigningTime, when set, is the signing time asserted by the
	// signing authority; omitted from the JSON when nil.
	AuthenticSigningTime *time.Time `json:"authenticSigningTime,omitempty"`
	// ExtendedAttributes holds any further critical attributes keyed by name.
	// Values are untyped, so a verifier must type-check each value it consumes.
	ExtendedAttributes map[string]interface{} `json:"extendedAttributes,omitempty"`
}
CriticalAttributes contains all Notary V2 defined critical attributes and their values in the signature envelope
type DescribeKeyRequest ¶
// DescribeKeyRequest contains the parameters passed in a describe-key request.
type DescribeKeyRequest struct {
	// ContractVersion is the plugin contract version the caller speaks
	// (see the ContractVersion constant).
	ContractVersion string `json:"contractVersion"`
	// KeyID identifies the key to describe; the plugin echoes it back in
	// DescribeKeyResponse.KeyID.
	KeyID string `json:"keyId"`
	// PluginConfig carries plugin-specific configuration; omitted from the
	// JSON when empty. Its keys and values are opaque to this package.
	PluginConfig map[string]string `json:"pluginConfig,omitempty"`
}
DescribeKeyRequest contains the parameters passed in a describe-key request.
func (DescribeKeyRequest) Command ¶
func (DescribeKeyRequest) Command() Command
type DescribeKeyResponse ¶
// DescribeKeyResponse is the response of a describe-key request.
type DescribeKeyResponse struct {
	// KeyID is the same key id as passed in the request.
	KeyID string `json:"keyId"`
	// KeySpec is one of the following supported key types:
	// https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection
	// i.e. one of the key spec constants (RSA_2048, EC_256, ...). Convert
	// with ParseKeySpec, which rejects unsupported names.
	KeySpec string `json:"keySpec"`
}
DescribeKeyResponse is the response of a describe-key request.
type ErrorCode ¶
// ErrorCode classifies a failed plugin request; see the ErrorCode* constants.
// Only ErrorCodeTimeout and ErrorCodeThrottled are documented as retryable.
type ErrorCode string
// Error codes a plugin may return on failure (presumably carried in a
// RequestError). Only TIMEOUT and THROTTLED are documented as retryable.
const (
	// ErrorCodeValidation: any of the required request fields was empty,
	// or a value was malformed/invalid.
	ErrorCodeValidation ErrorCode = "VALIDATION_ERROR"
	// ErrorCodeUnsupportedContractVersion: the contract version used in
	// the request is unsupported.
	ErrorCodeUnsupportedContractVersion ErrorCode = "UNSUPPORTED_CONTRACT_VERSION"
	// ErrorCodeAccessDenied: authentication/authorization error to use
	// the given key.
	ErrorCodeAccessDenied ErrorCode = "ACCESS_DENIED"
	// ErrorCodeTimeout: the operation to generate a signature timed out
	// and can be retried by Notation.
	ErrorCodeTimeout ErrorCode = "TIMEOUT"
	// ErrorCodeThrottled: the operation to generate a signature was
	// throttled and can be retried by Notation.
	ErrorCodeThrottled ErrorCode = "THROTTLED"
	// ErrorCodeGeneric: any general error that does not fall into any of
	// the categories above.
	ErrorCodeGeneric ErrorCode = "ERROR"
)
type GenerateEnvelopeRequest ¶
// GenerateEnvelopeRequest contains the parameters passed in a generate-envelope
// request (capability SIGNATURE_GENERATOR.ENVELOPE).
type GenerateEnvelopeRequest struct {
	// ContractVersion is the plugin contract version the caller speaks.
	ContractVersion string `json:"contractVersion"`
	// KeyID identifies the signing key.
	KeyID string `json:"keyId"`
	// PayloadType is presumably the media type of Payload — confirm against
	// the plugin spec.
	PayloadType string `json:"payloadType"`
	// SignatureEnvelopeType names the envelope format the plugin must produce;
	// the response echoes the type it actually produced.
	SignatureEnvelopeType string `json:"signatureEnvelopeType"`
	// Payload is the data to be enveloped; encoding/json transports []byte as
	// a base64 string on the wire.
	Payload []byte `json:"payload"`
	// PluginConfig carries plugin-specific configuration; omitted when empty.
	PluginConfig map[string]string `json:"pluginConfig,omitempty"`
}
GenerateEnvelopeRequest contains the parameters passed in a generate-envelope request.
func (GenerateEnvelopeRequest) Command ¶
func (GenerateEnvelopeRequest) Command() Command
type GenerateEnvelopeResponse ¶
// GenerateEnvelopeResponse is the response of a generate-envelope request.
type GenerateEnvelopeResponse struct {
	// SignatureEnvelope is the produced envelope; base64 on the wire.
	SignatureEnvelope []byte `json:"signatureEnvelope"`
	// SignatureEnvelopeType is the format of SignatureEnvelope. Callers should
	// check it matches the type they requested rather than assume it.
	SignatureEnvelopeType string `json:"signatureEnvelopeType"`
	// Annotations are optional key/value pairs returned by the plugin;
	// omitted from the JSON when empty.
	Annotations map[string]string `json:"annotations,omitempty"`
}
GenerateEnvelopeResponse is the response of a generate-envelope request.
type GenerateSignatureRequest ¶
// GenerateSignatureRequest contains the parameters passed in a
// generate-signature request (capability SIGNATURE_GENERATOR.RAW).
type GenerateSignatureRequest struct {
	// ContractVersion is the plugin contract version the caller speaks.
	ContractVersion string `json:"contractVersion"`
	// KeyID identifies the signing key; echoed back in the response.
	KeyID string `json:"keyId"`
	// KeySpec is expected to be one of the key spec constants (RSA_2048, EC_256, ...).
	KeySpec string `json:"keySpec"`
	// Hash is expected to be one of the hash algorithm constants (SHA_256, ...);
	// note the JSON field is named "hashAlgorithm", not "hash".
	Hash string `json:"hashAlgorithm"`
	// Payload is the data to sign; encoding/json transports []byte as a
	// base64 string on the wire.
	Payload []byte `json:"payload"`
	// PluginConfig carries plugin-specific configuration; omitted when empty.
	PluginConfig map[string]string `json:"pluginConfig,omitempty"`
}
GenerateSignatureRequest contains the parameters passed in a generate-signature request.
func (GenerateSignatureRequest) Command ¶
func (GenerateSignatureRequest) Command() Command
type GenerateSignatureResponse ¶
// GenerateSignatureResponse is the response of a generate-signature request.
type GenerateSignatureResponse struct {
	// KeyID is the key id from the request.
	KeyID string `json:"keyId"`
	// Signature is the raw signature bytes; base64 on the wire.
	Signature []byte `json:"signature"`
	// SigningAlgorithm is expected to be one of the signing algorithm constants
	// (ECDSA_SHA_256, RSASSA_PSS_SHA_256, ...); see ParseSigningAlgorithm.
	SigningAlgorithm string `json:"signingAlgorithm"`
	// CertificateChain is the ordered list of certificates starting with
	// the leaf certificate and ending with the root certificate.
	//
	// NOTE(review): the chain is supplied by the plugin, so the caller should
	// validate it against its own trust store rather than trusting the root
	// included here — confirm this is done by the consumer.
	CertificateChain [][]byte `json:"certificateChain"`
}
GenerateSignatureResponse is the response of a generate-signature request.
type GetMetadataRequest ¶
GetMetadataRequest contains the parameters passed in a get-plugin-metadata request.
func (GetMetadataRequest) Command ¶
func (GetMetadataRequest) Command() Command
type Metadata ¶
// Metadata provided by the plugin in response to get-plugin-metadata.
type Metadata struct {
	// Name is the plugin's name.
	Name string `json:"name"`
	// Description is a human-readable description of the plugin.
	Description string `json:"description"`
	// Version is the plugin's own version (distinct from the contract version).
	Version string `json:"version"`
	// URL is a link associated with the plugin (informational).
	URL string `json:"url"`
	// SupportedContractVersions lists the contract versions the plugin speaks;
	// query it with SupportsContract.
	SupportedContractVersions []string `json:"supportedContractVersions"`
	// Capabilities lists the capabilities the plugin advertises; query it with
	// HasCapability (which reports true for an empty capability).
	Capabilities []Capability `json:"capabilities"`
}
Metadata provided by the plugin.
func (*Metadata) HasCapability ¶
func (m *Metadata) HasCapability(capability Capability) bool
HasCapability returns true if the metadata states that the capability is supported. It also returns true when capability is the empty string, so callers must not rely on an empty capability value as a gating check.
func (*Metadata) SupportsContract ¶
SupportsContract returns true if the metadata states that the given contract version is supported.
type Request ¶
// Request defines a plugin request, which is always associated to a command.
// Each concrete request type (DescribeKeyRequest, GenerateSignatureRequest, ...)
// reports the Command it belongs to.
type Request interface {
	// Command returns the plugin command this request is sent to.
	Command() Command
}
Request defines a plugin request, which is always associated to a command.
type RequestError ¶
RequestError is the common error response for any request.
func (RequestError) Error ¶
func (e RequestError) Error() string
func (RequestError) Is ¶
func (e RequestError) Is(target error) bool
func (RequestError) MarshalJSON ¶
func (e RequestError) MarshalJSON() ([]byte, error)
func (*RequestError) UnmarshalJSON ¶
func (e *RequestError) UnmarshalJSON(data []byte) error
func (RequestError) Unwrap ¶
func (e RequestError) Unwrap() error
type Runner ¶
// Runner is an interface for running commands against a plugin.
type Runner interface {
	// Run executes the specified command and waits for it to complete.
	//
	// When the returned object is not nil, its type is guaranteed to remain
	// always the same for a given Command, so callers may type-assert on it.
	//
	// The returned error is nil if:
	// - the plugin exists
	// - the command runs and exits with a zero exit status
	// - the command stdout contains a valid json object which can be unmarshal-ed.
	//
	// If the command starts but does not complete successfully, the error is
	// of type RequestError wrapping an *exec.ExitError.
	// Other error types may be returned for other situations.
	//
	// NOTE(review): the plugin is an external process and its stdout is the
	// input to the unmarshaling step; bounding and validating that output is
	// presumably the implementation's responsibility — confirm in the concrete Runner.
	Run(ctx context.Context, req Request) (interface{}, error)
}
Runner is an interface for running commands against a plugin.
type Signature ¶
// Signature represents a signature pulled from the envelope, as handed to a
// verifier plugin in VerifySignatureRequest.
type Signature struct {
	// CriticalAttributes are the critical attributes found in the envelope.
	CriticalAttributes CriticalAttributes `json:"criticalAttributes"`
	// UnprocessedAttributes lists the names of critical attributes that have
	// not yet been processed; the plugin reports what it handled via
	// VerifySignatureResponse.ProcessedAttributes.
	UnprocessedAttributes []string `json:"unprocessedAttributes"`
	// CertificateChain is the certificate chain from the envelope, one
	// encoded certificate per element (base64 on the wire).
	CertificateChain [][]byte `json:"certificateChain"`
}
Signature represents a signature pulled from the envelope
type SigningScheme ¶
// SigningScheme formalizes the feature set provided by the signature produced
// using a signing scheme; see the SigningScheme* constants.
type SigningScheme string
SigningScheme formalizes the feature set provided by the signature produced using a signing scheme
// Signing schemes defined by the contract. CriticalAttributes.SigningScheme is
// expected to carry one of these string values.
const (
	// SigningSchemeDefault defines a signing scheme that uses the traditional
	// signing workflow in which an end user generates signatures using X.509
	// certificates.
	SigningSchemeDefault SigningScheme = "notary.default.x509"
	// SigningSchemeAuthority defines a signing scheme in which a signing
	// authority generates signatures on behalf of an end user using X.509
	// certificates.
	SigningSchemeAuthority SigningScheme = "notary.signingAuthority.x509"
)
type TrustPolicy ¶
// TrustPolicy represents the trusted identities that may sign the artifacts
// and the verification checks a plugin is asked to perform.
type TrustPolicy struct {
	// TrustedIdentities lists the identities trusted to sign; the string
	// format is defined by the trust policy spec, not by this package.
	TrustedIdentities []string `json:"trustedIdentities"`
	// SignatureVerification lists the verification capabilities to apply
	// (see the VerificationCapability constants); the plugin reports one
	// VerificationResult per entry in VerifySignatureResponse.VerificationResults.
	SignatureVerification []VerificationCapability `json:"signatureVerification"`
}
TrustPolicy represents trusted identities that sign the artifacts
type VerificationCapability ¶
// VerificationCapability is a verification feature available in the plugin
// contract; see the VerificationCapability* constants. The same string values
// are also exposed as Capability constants for Metadata.Capabilities.
type VerificationCapability string
VerificationCapability is a verification feature available in the plugin contract.
// Verification capabilities defined by the contract (SIGNATURE_VERIFIER.*).
// A plugin with any of these must implement CommandVerifySignature.
const (
	// VerificationCapabilityTrustedIdentity is the name of the capability
	// for a plugin to support verifying trusted identities.
	VerificationCapabilityTrustedIdentity VerificationCapability = "SIGNATURE_VERIFIER.TRUSTED_IDENTITY"
	// VerificationCapabilityRevocationCheck is the name of the capability
	// for a plugin to support verifying revocation checks.
	VerificationCapabilityRevocationCheck VerificationCapability = "SIGNATURE_VERIFIER.REVOCATION_CHECK"
)
type VerificationResult ¶
// VerificationResult is the result of a verification performed by the plugin.
type VerificationResult struct {
	// Success reports whether the verification passed.
	Success bool `json:"success"`
	// Reason is a human-readable explanation; omitted from the JSON when empty.
	Reason string `json:"reason,omitempty"`
}
VerificationResult is the result of a verification performed by the plugin
type VerifySignatureRequest ¶
// VerifySignatureRequest contains the parameters passed in a verify-signature
// request.
type VerifySignatureRequest struct {
	// ContractVersion is the plugin contract version the caller speaks.
	ContractVersion string `json:"contractVersion"`
	// Signature is the signature to verify, as extracted from the envelope.
	Signature Signature `json:"signature"`
	// TrustPolicy supplies the trusted identities and the verification
	// capabilities to apply.
	TrustPolicy TrustPolicy `json:"trustPolicy"`
	// PluginConfig carries plugin-specific configuration; omitted when empty.
	PluginConfig map[string]string `json:"pluginConfig,omitempty"`
}
VerifySignatureRequest contains the parameters passed in a verify-signature request.
func (VerifySignatureRequest) Command ¶
func (VerifySignatureRequest) Command() Command
type VerifySignatureResponse ¶
// VerifySignatureResponse is the response of a verify-signature request.
type VerifySignatureResponse struct {
	// VerificationResults is keyed by verification capability (the entries of
	// TrustPolicy.SignatureVerification). Values are pointers and may be nil,
	// so callers should nil-check before reading Success; a missing or nil
	// entry should not be read as a pass.
	VerificationResults map[VerificationCapability]*VerificationResult `json:"verificationResults"`
	// ProcessedAttributes lists the names of the critical attributes the
	// plugin processed, presumably to be reconciled against
	// Signature.UnprocessedAttributes by the caller — confirm against the spec.
	ProcessedAttributes []string `json:"processedAttributes"`
}
VerifySignatureResponse is the response of a verify-signature request.