Documentation
Overview
Package note provides note-compatible signature verifiers and signers.
Index
- Constants
- func CoSigV1Timestamp(s note.Signature) (time.Time, error)
- func GenerateMLDSAKey(name string) (skey string, vkey string, err error)
- func NewECDSAVerifier(key string) (note.Verifier, error)
- func NewEd25519SignerVerifier(skey string) (note.Signer, note.Verifier, error)
- func NewRFC6962Verifier(vkey string) (note.Verifier, error)
- func NewVerifier(key string) (note.Verifier, error)
- func NewVerifierForCosignatureV1(vkey string) (note.Verifier, error)
- func RFC6962STHTimestamp(s note.Signature) (time.Time, error)
- func RFC6962STHToCheckpoint(j []byte, v note.Verifier) ([]byte, error)
- func RFC6962VerifierString(logURL string, pubK crypto.PublicKey) (string, error)
- func VKeyToCosignatureV1(vkey string) (string, error)
- type Signer
- type SubtreeSigner
- type SubtreeVerifier
- type Verifier
Constants
const (
V1 uint8 = 0
)
CT version constants from RFC 6962, section 3.2.
Variables
This section is empty.
Functions
func CoSigV1Timestamp
func CoSigV1Timestamp(s note.Signature) (time.Time, error)
CoSigV1Timestamp extracts the embedded timestamp from a CoSigV1 signature.
func GenerateMLDSAKey (added in v0.1.1)
func GenerateMLDSAKey(name string) (skey string, vkey string, err error)
GenerateMLDSAKey generates a named signer and verifier key pair. The signer key skey is private and must be kept secret.
func NewECDSAVerifier
func NewECDSAVerifier(key string) (note.Verifier, error)
NewECDSAVerifier creates a new note verifier for checking ECDSA signatures over SHA256 digests. This implementation is compatible with the signature scheme used by the Sigstore Rekor log.
The key is expected to be provided as a string in the following form:
    <key_name>+<key_hash>+<key_bytes>
where
    <key_name> is a human-readable identifier for the key, containing no whitespace or "+" symbols
    <key_hash> is a 32-bit hash of the key DER
    <key_bytes> is a base64-encoded blob starting with a 0x02 (algECDSAWithSHA256) byte, followed by the DER-encoded public key in SPKI format
e.g.:
    "rekor.sigstore.dev+12345678+AjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNhtmPtrWm3U1eQXBogSMdGvXwBcK5AW5i0hrZLOC96l+smGNM7nwZ4QvFK/4sueRoVj//QP22Ni4Qt9DPfkWLc="
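As an added illustration of the key format described above (example code written for this page, not the note package's own implementation), the following stand-alone Go program uses only the standard library to render an ECDSA public key into the <key_name>+<key_hash>+<key_bytes> form, parse and validate such a string, and verify an ECDSA signature over a SHA-256 digest. The names ECDSAVerifier, ECDSAVerifierString, ParseECDSAVerifier and Demo are this example's own. Two assumptions are made: the key hash is computed the way golang.org/x/mod/sumdb/note does it (first four big-endian bytes of SHA-256 over the name, a newline and the key bytes including the algorithm byte), and signatures are ASN.1 DER encoded. The check that the stated hash matches the carried key is also the example's own; a string whose hash was not derived from its key bytes, such as an illustrative placeholder, is rejected by it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// algECDSAWithSHA256 is the leading algorithm byte the page documents for ECDSA keys.
const algECDSAWithSHA256 byte = 0x02

// ECDSAVerifier is this example's stand-in for a note verifier, not the package's own type.
type ECDSAVerifier struct {
	Name    string
	KeyHash uint32
	pub     *ecdsa.PublicKey
}

// noteKeyHash: first 4 bytes, big-endian, of SHA-256 over name, "\n" and the key
// bytes (algorithm byte included); the sumdb/note convention, assumed here.
func noteKeyHash(name string, keyBytes []byte) uint32 {
	h := sha256.Sum256([]byte(name + "\n" + string(keyBytes)))
	return binary.BigEndian.Uint32(h[:4])
}

// ECDSAVerifierString renders "<key_name>+<key_hash>+<key_bytes>" for an ECDSA public key.
func ECDSAVerifierString(name string, pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	keyBytes := append([]byte{algECDSAWithSHA256}, der...)
	return fmt.Sprintf("%s+%d+%s", name, noteKeyHash(name, keyBytes),
		base64.StdEncoding.EncodeToString(keyBytes)), nil
}

// ParseECDSAVerifier parses and validates a key string in the documented form.
func ParseECDSAVerifier(key string) (*ECDSAVerifier, error) {
	parts := strings.SplitN(key, "+", 3)
	if len(parts) != 3 || parts[0] == "" || strings.ContainsAny(parts[0], " \t\r\n") {
		return nil, fmt.Errorf("key must be <key_name>+<key_hash>+<key_bytes> with a whitespace-free name")
	}
	keyBytes, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(keyBytes) < 2 || keyBytes[0] != algECDSAWithSHA256 {
		return nil, fmt.Errorf("key bytes must be base64 of 0x02 (algECDSAWithSHA256) followed by SPKI DER")
	}
	// Example's own check: the stated hash must be the hash of the carried name and key bytes.
	kh, err := strconv.ParseUint(parts[1], 10, 32)
	if want := noteKeyHash(parts[0], keyBytes); err != nil || uint32(kh) != want {
		return nil, fmt.Errorf("key hash %q does not match computed %d", parts[1], want)
	}
	pubAny, err := x509.ParsePKIXPublicKey(keyBytes[1:])
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("key bytes do not hold an ECDSA SPKI: %v", err)
	}
	return &ECDSAVerifier{Name: parts[0], KeyHash: uint32(kh), pub: pub}, nil
}

// Verify checks an ASN.1 DER ECDSA signature over the SHA-256 digest of msg.
func (v *ECDSAVerifier) Verify(msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(v.pub, digest[:], sig)
}

// Demo round-trips a throwaway P-256 key through the key string and reports whether a
// signature over msg verifies and whether the same signature over an altered message is rejected.
func Demo(msg []byte) (verified, tamperedRejected bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}
	s, err := ECDSAVerifierString("example.log", &priv.PublicKey)
	if err != nil {
		return false, false, err
	}
	v, err := ParseECDSAVerifier(s)
	if err != nil {
		return false, false, err
	}
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return false, false, err
	}
	tampered := append(append([]byte{}, msg...), '!') // copy, then alter
	return v.Verify(msg, sig), !v.Verify(tampered, sig), nil
}

func main() {
	fmt.Println(Demo([]byte("constructed checkpoint body\n"))) // expected: true true <nil>
}
```

The key string and message in Demo are constructed for the example; the structure is what matters: the algorithm byte selects the scheme, the SPKI DER carries the key, and the key hash is a short identifier that a note's signature lines use to pick the right verifier, not a substitute for verifying the signature itself.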
func NewEd25519SignerVerifier
func NewEd25519SignerVerifier(skey string) (note.Signer, note.Verifier, error)
NewEd25519SignerVerifier returns a note Signer and Verifier given an Ed25519 private key in the standard note-formatted form, e.g. `PRIVATE+KEY+logandmap+38581672+AXJ0FKWOcO2ch6WC8kP705Ed3Gxu7pVtZLhfHAQwp+FE`.
func NewRFC6962Verifier
func NewRFC6962Verifier(vkey string) (note.Verifier, error)
NewRFC6962Verifier creates a note verifier for Sunlight/RFC6962 checkpoint signatures.
func NewVerifier
func NewVerifier(key string) (note.Verifier, error)
NewVerifier returns a verifier for the given key, if the key's algorithm is known.
func NewVerifierForCosignatureV1
func NewVerifierForCosignatureV1(vkey string) (note.Verifier, error)
NewVerifierForCosignatureV1 constructs a new Verifier for timestamped cosignature/v1 signatures from the provided vkey-formatted public key.
Supported vkey types are:
- a standard Ed25519 verifier key (type 0x01)
- an Ed25519 CosignatureV1 key (type 0x04)
- an ML-DSA-44 CosignatureV1 key (type 0x06)
Note: If a standard Ed25519 verifier key (type 0x01) is provided, it will be internally treated as an Ed25519 CosignatureV1 key (type 0x04), meaning the returned Verifier has a different key hash from a non-timestamped Ed25519 verifier key.
func RFC6962STHTimestamp
func RFC6962STHTimestamp(s note.Signature) (time.Time, error)
RFC6962STHTimestamp extracts the embedded timestamp from a translated RFC6962 STH signature.
func RFC6962STHToCheckpoint
func RFC6962STHToCheckpoint(j []byte, v note.Verifier) ([]byte, error)
RFC6962STHToCheckpoint converts the provided RFC6962 JSON representation of a CT Signed Tree Head structure to a Sunlight-style signed checkpoint. The passed-in verifier must be an RFC6962 verifier (as created by NewRFC6962Verifier) containing the correct details for the log which signed the STH.
func RFC6962VerifierString
func RFC6962VerifierString(logURL string, pubK crypto.PublicKey) (string, error)
RFC6962VerifierString creates a note-style verifier string for use with NewRFC6962Verifier. logURL is the root URL of the log. pubK is the public key of the log.
func VKeyToCosignatureV1
func VKeyToCosignatureV1(vkey string) (string, error)
VKeyToCosignatureV1 converts a standard Ed25519 vkey to an Ed25519CosignatureV1 vkey.
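The three cosignature/v1 pieces documented above (CoSigV1Timestamp extracting the embedded timestamp, the key-hash difference noted under NewVerifierForCosignatureV1, and the vkey conversion done by VKeyToCosignatureV1) fit together as follows. This is an added example written for this page using only the Go standard library, not the package's own code; it follows the c2sp.org/tlog-cosignature specification the page links to, where a cosignature/v1 signature is an 8-byte big-endian Unix timestamp followed by an Ed25519 signature over "cosignature/v1\ntime <seconds>\n" plus the note text. The names VKeyString, ToCosignatureV1VKey, CosignV1, VerifyCosignV1 and Demo are the example's own, the key-hash convention (first four big-endian bytes of SHA-256 over name, newline and key bytes) is assumed from golang.org/x/mod/sumdb/note, and the key name and note text are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Algorithm bytes named on this page: standard Ed25519 (0x01) and Ed25519 cosignature/v1 (0x04).
const algEd25519, algEd25519CosignatureV1 byte = 0x01, 0x04

// noteKeyHash: first 4 bytes, big-endian, of SHA-256 over name, "\n" and the key
// bytes (algorithm byte included); the sumdb/note convention, assumed here.
func noteKeyHash(name string, keyBytes []byte) uint32 {
	h := sha256.Sum256([]byte(name + "\n" + string(keyBytes)))
	return binary.BigEndian.Uint32(h[:4])
}

// VKeyString renders "<name>+<hash>+<base64(alg||pub)>" for an Ed25519 public key.
func VKeyString(name string, alg byte, pub ed25519.PublicKey) string {
	kb := append([]byte{alg}, pub...)
	return fmt.Sprintf("%s+%d+%s", name, noteKeyHash(name, kb), base64.StdEncoding.EncodeToString(kb))
}

// ToCosignatureV1VKey does what the page documents for VKeyToCosignatureV1: the 0x01
// algorithm byte becomes 0x04 and the key hash is recomputed over the new key bytes.
func ToCosignatureV1VKey(vkey string) (string, error) {
	parts := strings.SplitN(vkey, "+", 3)
	if len(parts) != 3 {
		return "", fmt.Errorf("vkey must have 3 '+'-separated parts")
	}
	kb, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil || len(kb) != 1+ed25519.PublicKeySize || kb[0] != algEd25519 {
		return "", fmt.Errorf("not a standard Ed25519 vkey (type 0x01)")
	}
	return VKeyString(parts[0], algEd25519CosignatureV1, ed25519.PublicKey(kb[1:])), nil
}

// cosignedMessage is the text a cosignature/v1 signature covers (c2sp.org/tlog-cosignature).
func cosignedMessage(ts int64, noteText []byte) []byte {
	return append([]byte("cosignature/v1\ntime "+strconv.FormatInt(ts, 10)+"\n"), noteText...)
}

// CosignV1 produces a timestamped cosignature: 8-byte big-endian Unix seconds || Ed25519 signature.
func CosignV1(priv ed25519.PrivateKey, noteText []byte, at time.Time) []byte {
	sig := make([]byte, 8, 8+ed25519.SignatureSize)
	binary.BigEndian.PutUint64(sig, uint64(at.Unix()))
	return append(sig, ed25519.Sign(priv, cosignedMessage(at.Unix(), noteText))...)
}

// CoSigV1Timestamp extracts the embedded timestamp, as the page's function of that name does.
func CoSigV1Timestamp(sig []byte) (time.Time, error) {
	if len(sig) != 8+ed25519.SignatureSize {
		return time.Time{}, fmt.Errorf("cosignature/v1 must be %d bytes, got %d", 8+ed25519.SignatureSize, len(sig))
	}
	return time.Unix(int64(binary.BigEndian.Uint64(sig[:8])), 0).UTC(), nil
}

// VerifyCosignV1 re-derives the covered text from the carried timestamp and checks the signature.
func VerifyCosignV1(pub ed25519.PublicKey, noteText, sig []byte) bool {
	ts, err := CoSigV1Timestamp(sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, cosignedMessage(ts.Unix(), noteText), sig[8:])
}

// Demo generates a throwaway key, cosigns noteText at the given time and reports: the
// cosignature verifies, one with an altered timestamp is rejected, and the type 0x04
// vkey carries a different key hash from the type 0x01 vkey for the same public key.
func Demo(noteText []byte, at time.Time) (verified, tamperedRejected, hashDiffers bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	std := VKeyString("example.log", algEd25519, pub)
	cosig, err := ToCosignatureV1VKey(std)
	if err != nil {
		return
	}
	hashDiffers = strings.Split(std, "+")[1] != strings.Split(cosig, "+")[1]
	sig := CosignV1(priv, noteText, at)
	bad := append([]byte{}, sig...)
	bad[7] ^= 1 // flip the low bit of the embedded timestamp; the signature no longer covers it
	return VerifyCosignV1(pub, noteText, sig), !VerifyCosignV1(pub, noteText, bad), hashDiffers, nil
}

func main() {
	fmt.Println(Demo([]byte("constructed checkpoint text\n"), time.Now())) // expected: true true true <nil>
}
```

Because the timestamp is part of the signed text, a verifier cannot accept a cosignature whose timestamp bytes were edited after signing, which is what makes the embedded time trustworthy as a witness statement; and because the key hash covers the algorithm byte, the same Ed25519 key is identified differently as a plain verifier and as a cosignature/v1 verifier, which is the behaviour the note under NewVerifierForCosignatureV1 describes.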
Types
type Signer
type Signer struct {
// contains filtered or unexported fields
}
Signer is a note.Signer which also provides access to the corresponding Verifier.
func NewSignerForCosignatureV1
NewSignerForCosignatureV1 constructs a new Signer that produces timestamped cosignature/v1 signatures using the provided skey-formatted key.
Supported skey algorithms are:
- a standard Ed25519 encoded signer key (algo ID 0x01)
- an Ed25519 cosignature/v1 encoded signer key (algo ID 0x04)
- an ML-DSA-44 cosignature/v1 encoded signer key (algo ID 0x06)
See https://c2sp.org/tlog-cosignature for more details.
type SubtreeSigner (added in v0.1.1)
type SubtreeSigner struct {
// contains filtered or unexported fields
}
SubtreeSigner is a signer that can produce both note and subtree signatures.
func NewMLDSASigner (added in v0.1.1)
func NewMLDSASigner(skey string) (*SubtreeSigner, error)
NewMLDSASigner returns a signer for MLDSA cosignature v1.
func (*SubtreeSigner) KeyHash (added in v0.1.1)
func (s *SubtreeSigner) KeyHash() uint32
func (*SubtreeSigner) Name (added in v0.1.1)
func (s *SubtreeSigner) Name() string
func (*SubtreeSigner) Sign (added in v0.1.1)
func (s *SubtreeSigner) Sign(msg []byte) ([]byte, error)
func (*SubtreeSigner) SignSubtree (added in v0.1.1)
type SubtreeVerifier (added in v0.1.1)
type SubtreeVerifier struct {
// contains filtered or unexported fields
}
SubtreeVerifier is a verifier that supports the verification of subtree signatures.
This struct implements the note.Verifier interface to facilitate cosigning operations against tree roots represented as checkpoints, but it can also be used to verify arbitrary subtree roots using the VerifySubtree method.
func NewMLDSAVerifier (added in v0.1.1)
func NewMLDSAVerifier(vkey string) (*SubtreeVerifier, error)
NewMLDSAVerifier constructs a verifier for MLDSA cosignature v1.
func (*SubtreeVerifier) KeyHash (added in v0.1.1)
func (v *SubtreeVerifier) KeyHash() uint32
func (*SubtreeVerifier) Name (added in v0.1.1)
func (v *SubtreeVerifier) Name() string
func (*SubtreeVerifier) Verify (added in v0.1.1)
func (v *SubtreeVerifier) Verify(msg, sig []byte) bool