signedattestation

package module

v0.0.0-...-5ebc1df Latest Latest Go to latest Published: Jan 17, 2024 License: Apache-2.0 Imports: 28 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/openpubkey/signed-attestation

Links

Open Source Insights

README ¶

Signed attestations with OpenPubkey

This library is for signing in-toto attestations with OpenPubkey.

Two functions are provided:

SignInTotoStatement takes an in-toto statement and returns a signed DSSE envelope.
VerifyInTotoEnvelope takes a signed DSSE envelope, verifies the signature, and returns the in-toto statement

That's it!

Documentation ¶

Index ¶

Constants
Variables
func NewOPKSignerVerifier(provider client.OpenIdProvider) dsse.SignerVerifier
func SignInTotoStatement(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*dsse.Envelope, error)
func VerifyInTotoEnvelope(ctx context.Context, env *dsse.Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)
func VerifyInTotoEnvelopeExt(ctx context.Context, env *Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)
func VerifyPayloadSignature(ctx context.Context, pkToken, payload []byte, signature string) (bool, error)
func WithTL(ctx context.Context, tl TL) context.Context
type Envelope
- func SignInTotoStatementExt(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*Envelope, error)
type Extension
type MockTL
type RekorTL
type Signature
type TL
- func GetTL(ctx context.Context) TL
type TlPayload

Constants ¶

View Source

const (
	DefaultRekorURL = "https://rekor.sigstore.dev"
	DefaultCtxKey   = "tl"
)

View Source

const (
	OpkSignatureID = "OPK"
)

Variables ¶

View Source

var TlCtxKey tlCtxKeyType

Functions ¶

func NewOPKSignerVerifier ¶

func NewOPKSignerVerifier(provider client.OpenIdProvider) dsse.SignerVerifier

func SignInTotoStatement ¶

func SignInTotoStatement(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*dsse.Envelope, error)

func VerifyInTotoEnvelope ¶

func VerifyInTotoEnvelope(ctx context.Context, env *dsse.Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)

func VerifyInTotoEnvelopeExt ¶

func VerifyInTotoEnvelopeExt(ctx context.Context, env *Envelope, provider client.OpenIdProvider) (*intoto.Statement, error)

func VerifyPayloadSignature ¶

func VerifyPayloadSignature(ctx context.Context, pkToken, payload []byte, signature string) (bool, error)

VerifyPayloadSignature extracts the ephemeral ecdsa public key from a PK token and verifies the provided signature

func WithTL ¶

func WithTL(ctx context.Context, tl TL) context.Context

sets TL in context

Types ¶

type Envelope ¶

type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged

func SignInTotoStatementExt ¶

func SignInTotoStatementExt(ctx context.Context, stmt intoto.Statement, provider client.OpenIdProvider) (*Envelope, error)

type Extension ¶

type Extension struct {
	Kind string         `json:"kind"`
	Ext  map[string]any `json:"ext"`
}

type MockTL ¶

type MockTL struct {
	UploadLogEntryFunc     func(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)
	VerifyLogEntryFunc     func(ctx context.Context, entryBytes []byte) error
	VerifyEntryPayloadFunc func(entryBytes, payload, pkToken []byte) error
	UnmarshalEntryFunc     func(entryBytes []byte) (any, error)
}

func (*MockTL) UnmarshalEntry ¶

func (tl *MockTL) UnmarshalEntry(entryBytes []byte) (any, error)

func (*MockTL) UploadLogEntry ¶

func (tl *MockTL) UploadLogEntry(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)

func (*MockTL) VerifyEntryPayload ¶

func (tl *MockTL) VerifyEntryPayload(entryBytes, payload, pkToken []byte) error

func (*MockTL) VerifyLogEntry ¶

func (tl *MockTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) error

type RekorTL ¶

type RekorTL struct{}

func (*RekorTL) UnmarshalEntry ¶

func (tl *RekorTL) UnmarshalEntry(entry []byte) (any, error)

func (*RekorTL) UploadLogEntry ¶

func (tl *RekorTL) UploadLogEntry(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)

UploadLogEntry submits a PK token signature to the transparency log

func (*RekorTL) VerifyEntryPayload ¶

func (tl *RekorTL) VerifyEntryPayload(entryBytes, payload, pkToken []byte) error

VerifyEntryPayload checks that the TL entry payload matches envelope payload

func (*RekorTL) VerifyLogEntry ¶

func (tl *RekorTL) VerifyLogEntry(ctx context.Context, entryBytes []byte) error

VerifyLogEntry verifies a transparency log entry

type Signature ¶

type Signature struct {
	KeyID     string    `json:"keyid"`
	Sig       string    `json:"sig"`
	Extension Extension `json:"extension"`
}

type TL ¶

type TL interface {
	UploadLogEntry(ctx context.Context, pkToken *pktoken.PKToken, payload, signature []byte, signer crypto.Signer) ([]byte, error)
	VerifyLogEntry(ctx context.Context, entryBytes []byte) error
	VerifyEntryPayload(entryBytes, payload, pkToken []byte) error
	UnmarshalEntry(entryBytes []byte) (any, error)
}

func GetTL ¶

func GetTL(ctx context.Context) TL

gets TL from context, defaults to Rekor TL if not set

type TlPayload ¶

type TlPayload struct {
	Algorithm string
	Hash      string
	Signature string
	PublicKey string
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL