notation

package module
v0.9.0-alpha.1 Latest
Warning

This package is not in the latest version of its module.

Published: May 26, 2022 License: Apache-2.0 Imports: 7 Imported by: 21

README

Notation

A collection of libraries supporting Notation sign, verify, push and pull of OCI artifacts, based on the Notary V2 standard.

Core Documents

Code of Conduct

This project has adopted the CNCF Code of Conduct. See CODE_OF_CONDUCT.md for further details.

License

This project is covered under the Apache 2.0 license. You can read the license here.

Documentation

Index

Constants

const (
	// MediaTypeJWSEnvelope describes the media type of the JWS envelope.
	MediaTypeJWSEnvelope = "application/vnd.cncf.notary.v2.jws.v1"
)

const MediaTypePayload = "application/vnd.cncf.notary.payload.v1+json"

Media type for Notary payload for OCI artifacts, which contains an artifact descriptor.

Variables

var (
	ErrExpiryNotSpecified = errors.New("expiry not specified")
)

SignOptions errors

Functions

This section is empty.

Types

type Descriptor

type Descriptor struct {
	// The media type of the targeted content.
	MediaType string `json:"mediaType"`

	// The digest of the targeted content.
	Digest digest.Digest `json:"digest"`

	// Specifies the size in bytes of the blob.
	Size int64 `json:"size"`

	// Contains optional user defined attributes.
	Annotations map[string]string `json:"annotations,omitempty"`
}

Descriptor describes the content signed or to be signed.

func (Descriptor) Equal

func (d Descriptor) Equal(t Descriptor) bool

Equal reports whether d and t point to the same content.

type HashAlgorithm

type HashAlgorithm string

HashAlgorithm is the hash algorithm associated with a key spec.

const (
	SHA256 HashAlgorithm = "SHA_256"
	SHA384 HashAlgorithm = "SHA_384"
	SHA512 HashAlgorithm = "SHA_512"
)

func (HashAlgorithm) HashFunc

func (h HashAlgorithm) HashFunc() crypto.Hash

HashFunc returns the crypto.Hash associated with h.

type JWSEnvelope

type JWSEnvelope struct {
	// JWSPayload Base64URL-encoded.
	Payload string `json:"payload"`

	// JWSProtectedHeader Base64URL-encoded.
	Protected string `json:"protected"`

	// Signature metadata that is not integrity protected
	Header JWSUnprotectedHeader `json:"header"`

	// Base64URL-encoded signature.
	Signature string `json:"signature"`
}

JWSEnvelope is the final signature envelope.

type JWSPayload

type JWSPayload struct {
	// Private claim.
	Subject Descriptor `json:"subject"`

	// Identifies the number of seconds since Epoch at which the signature was issued.
	IssuedAt int64 `json:"iat"`

	// Identifies the number of seconds since Epoch at which the signature must not be considered valid.
	ExpiresAt int64 `json:"exp,omitempty"`
}

JWSPayload contains the set of claims used by Notary V2.

type JWSProtectedHeader

type JWSProtectedHeader struct {
	// Defines which algorithm was used to generate the signature.
	Algorithm string `json:"alg"`

	// Media type of the secured content (the payload).
	ContentType string `json:"cty"`
}

JWSProtectedHeader contains the set of protected headers.

type JWSUnprotectedHeader

type JWSUnprotectedHeader struct {
	// RFC3161 time stamp token Base64-encoded.
	TimeStampToken []byte `json:"timestamp,omitempty"`

	// List of X.509 Base64-DER-encoded certificates
	// as defined at https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6.
	CertChain [][]byte `json:"x5c"`
}

JWSUnprotectedHeader contains the set of unprotected headers.

type KeySpec

type KeySpec string

KeySpec defines a key type and size.

const (
	RSA_2048 KeySpec = "RSA_2048"
	RSA_3072 KeySpec = "RSA_3072"
	RSA_4096 KeySpec = "RSA_4096"
	EC_256   KeySpec = "EC_256"
	EC_384   KeySpec = "EC_384"
	EC_512   KeySpec = "EC_512"
)

One of the following supported specs: https://github.com/notaryproject/notaryproject/blob/main/signature-specification.md#algorithm-selection

func (KeySpec) SignatureAlgorithm

func (k KeySpec) SignatureAlgorithm() SignatureAlgorithm

SignatureAlgorithm returns the signing algorithm associated with KeySpec k.

type Service

type Service interface {
	Signer
	Verifier
}

Service combines the signing and verification services.

type SignOptions

type SignOptions struct {
	// Expiry identifies the expiration time of the resulted signature.
	Expiry time.Time

	// TSA is the TimeStamp Authority to timestamp the resulted signature if present.
	TSA timestamp.Timestamper

	// TSAVerifyOptions is the verify option to verify the fetched timestamp signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the fetched timestamp signature.
	// An empty list of `KeyUsages` in the verify options implies ExtKeyUsageTimeStamping.
	TSAVerifyOptions x509.VerifyOptions

	// Sets or overrides the plugin configuration.
	PluginConfig map[string]string
}

SignOptions contains parameters for Signer.Sign.

type SignatureAlgorithm

type SignatureAlgorithm string

SignatureAlgorithm defines the supported signature algorithms.

const (
	RSASSA_PSS_SHA_256 SignatureAlgorithm = "RSASSA_PSS_SHA_256"
	RSASSA_PSS_SHA_384 SignatureAlgorithm = "RSASSA_PSS_SHA_384"
	RSASSA_PSS_SHA_512 SignatureAlgorithm = "RSASSA_PSS_SHA_512"
	ECDSA_SHA_256      SignatureAlgorithm = "ECDSA_SHA_256"
	ECDSA_SHA_384      SignatureAlgorithm = "ECDSA_SHA_384"
	ECDSA_SHA_512      SignatureAlgorithm = "ECDSA_SHA_512"
)

func NewSignatureAlgorithmJWS

func NewSignatureAlgorithmJWS(alg string) SignatureAlgorithm

NewSignatureAlgorithmJWS returns the algorithm associated to alg. It returns an empty string if alg is not supported.

func (SignatureAlgorithm) Hash

Hash returns the Hash associated with s.

func (SignatureAlgorithm) JWS

func (s SignatureAlgorithm) JWS() string

JWS returns the JWS algorithm name.

type Signer

type Signer interface {
	// Sign signs the artifact described by its descriptor,
	// and returns the signature.
	Sign(ctx context.Context, desc Descriptor, opts SignOptions) ([]byte, error)
}

Signer is a generic interface for signing an artifact. The interface allows signing with local or remote keys, and packing in various signature formats.

type Verifier

type Verifier interface {
	// Verify verifies the signature and returns the verified descriptor and
	// metadata of the signed artifact.
	Verify(ctx context.Context, signature []byte, opts VerifyOptions) (Descriptor, error)
}

Verifier is a generic interface for verifying an artifact.

type VerifyOptions

type VerifyOptions struct{}

VerifyOptions contains parameters for Verifier.Verify.

func (VerifyOptions) Validate

func (opts VerifyOptions) Validate() error

Validate does basic validation on VerifyOptions.

Directories

Path Synopsis
crypto
jwsutil
Package jwsutil provides serialization utilities for JWT libraries to conform to JWS.
timestamp
Package timestamp generates timestamping requests to TSA servers, and fetches the responses according to RFC 3161.
timestamp/timestamptest
Package timestamptest provides utilities for timestamp testing.
internal
crypto/cms
Package cms verifies signatures in Cryptographic Message Syntax (CMS) / PKCS7 defined in RFC 5652.
crypto/hashutil
Package hashutil provides utilities for hashing.
crypto/oid
Package oid collects object identifiers for crypto algorithms.
crypto/pki
Package pki contains certificate management protocol structures defined in RFC 2510.
encoding/asn1
Package asn1 decodes BER-encoded ASN.1 data structures and encodes in DER.
signature
jws
Package jws signs and verifies artifacts with signatures in JWS format.
Package verification provides the utilities for handling verification related logic like Trust Stores and Trust Policies.