cryptolib

package
v0.0.0-...-8e01d1d Latest Latest
Published: May 14, 2020 License: Apache-2.0 Imports: 10 Imported by: 0

Types

type Attestation

// Attestation is a generic wrapper for an attestation. It can store a
// signature generated by a PGP or PKIX key, or an attestation represented as a
// JWT; the field comments below say which fields each form uses.
//
// NOTE(review): an Attestation passed to Verifier.VerifyAttestation is
// untrusted input. PublicKeyID only selects which key from the Verifier's
// trusted key set is tried; it does not by itself establish trust.
type Attestation struct {
	// PublicKeyID is the ID of the public key that can verify the Attestation.
	// The Verifier matches it against PublicKey.ID to pick the verifying key.
	PublicKeyID string
	// Signature stores the signature content for the Attestation. For PKIX,
	// this is only the raw signature. For PGP, this is an attached signature,
	// containing both the signature and message payload. For JWT, this is a
	// signed and serialized JWT.
	Signature []byte
	// SerializedPayload stores the payload over which the signature was
	// signed. This field is only used for PKIX Attestations; for PGP and JWT
	// the signed payload is carried inside Signature.
	SerializedPayload []byte
}

Attestation is a generic wrapper for an attestation. It can store signatures generated by PGP or PKIX keys. Alternatively, it can store an attestation represented as a JWT.

type KeyType

// KeyType is the type of a public key. It records whether a PublicKey's
// KeyData is a PGP, PKIX or JWT key (see the constants below).
type KeyType int

KeyType is the type of a public key

// Enumeration of KeyType.
const (
	// UnknownKeyType is the zero value and does not name a usable key type;
	// a PublicKey is expected to carry one of Pgp, Pkix or Jwt.
	UnknownKeyType KeyType = iota
	// Pgp identifies an OpenPGP key.
	Pgp
	// Pkix identifies a PKIX public key.
	Pkix
	// Jwt identifies a key used to verify JWT attestations.
	Jwt
)

Enumeration of KeyType

type PublicKey

// PublicKey stores public key material for all key types. A set of
// PublicKeys handed to NewVerifier is the trust anchor for verification, so
// it should come from the policy evaluator's configuration, not from the
// Attestation being verified.
type PublicKey struct {
	// KeyType stores the type of the public key, one of Pgp, Pkix, or Jwt.
	KeyType KeyType
	// KeyData holds the raw key material which can verify a signature.
	KeyData []byte
	// ID uniquely identifies this public key. For PGP, this should be the
	// OpenPGP RFC4880 V4 fingerprint of the key. The Verifier compares this
	// value with Attestation.PublicKeyID to select the verifying key.
	ID string
}

PublicKey stores public key material for all key types.

func NewPublicKey

func NewPublicKey(keyType KeyType, keyData []byte, keyID string) PublicKey

NewPublicKey creates a new PublicKey. `keyType` contains the type of the public key, one of Pgp, Pkix or Jwt. `keyData` contains the raw key material. `keyID` contains a unique identifier for the public key. For PGP, this should be the OpenPGP RFC4880 V4 fingerprint of the key.

type SignatureAlgorithm

// SignatureAlgorithm specifies the algorithm and hashing functions used to
// sign PKIX and JWT Attestations. It is passed to NewPkixSigner and
// NewJwtSigner; PGP signers do not take one.
type SignatureAlgorithm int

SignatureAlgorithm specifies the algorithm and hashing functions used to sign PKIX and JWT Attestations.

// Enumeration of SignatureAlgorithm.
const (
	// UnknownSigningAlgorithm is the zero value and does not name a usable
	// algorithm. NOTE(review): presumably rejected by the signer constructors
	// — confirm against their implementations.
	UnknownSigningAlgorithm SignatureAlgorithm = iota
	// RSASSA-PSS 2048 bit key with a SHA256 digest.
	RsaPss2048Sha256
	// RSASSA-PSS 3072 bit key with a SHA256 digest.
	RsaPss3072Sha256
	// RSASSA-PSS 4096 bit key with a SHA256 digest.
	RsaPss4096Sha256
	// RSASSA-PSS 4096 bit key with a SHA512 digest.
	RsaPss4096Sha512

	// RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
	RsaSignPkcs12048Sha256
	// RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
	RsaSignPkcs13072Sha256
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
	RsaSignPkcs14096Sha256
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
	RsaSignPkcs14096Sha512

	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	EcdsaP256Sha256
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	EcdsaP384Sha384
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	EcdsaP521Sha512
)

Enumeration of SignatureAlgorithm

type Signer

// Signer contains methods to create a signed Attestation. Concrete Signers are
// obtained from NewPgpSigner, NewPkixSigner and NewJwtSigner, each of which
// holds the private key material used here.
type Signer interface {
	// CreateAttestation creates an Attestation whose signature is generated by
	// signing the given payload with the private key. For PGP and PKIX, `payload`
	// should be the raw payload data. For JWT, `payload` should be a serialized
	// but unsigned token.
	CreateAttestation(payload []byte) (*Attestation, error)
}

Signer contains methods to create a signed Attestation.

func NewJwtSigner

func NewJwtSigner(privateKey []byte, publicKeyID string, alg SignatureAlgorithm) (Signer, error)

NewJwtSigner creates a Signer interface for JWT Attestations. `publicKeyID` is the ID of the public key that can verify the Attestation signature. TODO: Explain formatting of JWT private keys.

func NewPgpSigner

func NewPgpSigner(privateKey []byte) (Signer, error)

NewPgpSigner creates a Signer interface for PGP Attestations. `privateKey` contains the ASCII-armored private key.

func NewPkixSigner

func NewPkixSigner(privateKey []byte, publicKeyID string, alg SignatureAlgorithm) (Signer, error)

NewPkixSigner creates a Signer interface for PKIX Attestations. `privateKey` contains the PEM-encoded private key. `publicKeyID` is the ID of the public key that can verify the Attestation signature.

type Verifier

// Verifier contains methods to validate an Attestation. A Verifier is bound to
// one image and one set of trusted public keys by NewVerifier; the keys, not
// the Attestation, are the trust anchor.
type Verifier interface {
	// VerifyAttestation verifies whether an Attestation satisfies at least one
	// of the public keys under an image. This function finds the public key
	// whose ID matches the attestation's PublicKeyID, and uses this key to
	// verify the signature. A non-nil error means the Attestation must be
	// treated as unverified; `att` is untrusted input and its PublicKeyID only
	// chooses which trusted key is tried.
	VerifyAttestation(att *Attestation) error
}

Verifier contains methods to validate an Attestation.

func NewVerifier

func NewVerifier(image string, publicKeySet []PublicKey) (Verifier, error)

NewVerifier creates a Verifier interface for verifying Attestations. `image` contains the untruncated image name <image_name@digest> of the image that was signed. It must be supplied directly by the policy evaluator and never taken from the Attestation. `publicKeySet` contains the list of PublicKeys that the Verifier will use when trying to verify an Attestation.
