Documentation
Overview
Package jws signs and verifies artifacts with signatures in JWS format. The specification is currently under discussion and is not yet finalized. Reference: https://github.com/notaryproject/notaryproject/pull/93
Index
Constants
const MediaTypeNotationPayload = "application/vnd.cncf.notary.v2.jws.v1"
MediaTypeNotationPayload describes the media type of the payload of notation signature.
Variables
This section is empty.
Functions
func SigningMethodFromKey
func SigningMethodFromKey(key interface{}) (jwt.SigningMethod, error)
SigningMethodFromKey picks a recommended signing algorithm for a private or public key. Reference: RFC 7518 3.1 "alg" (Algorithm) Header Parameter Values for JWS.
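To make the key-to-algorithm selection concrete, the following stand-alone program is an added example and not the package's own code. It returns the JWS "alg" name instead of a jwt.SigningMethod so that it needs only the standard library, and the concrete table it uses (RSASSA-PSS by modulus size, ES256/ES384/ES512 by curve, everything else rejected) is an assumption made for the example rather than the mapping the package ships; the point it demonstrates is that both a private key and its public half resolve to the same algorithm, and that an unrecognised key type is an error rather than a silent fallback.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// RecommendedAlg returns the JWS "alg" name (RFC 7518 section 3.1) that this
// illustration picks for a private or public key. The mapping is an assumption
// made for the example: RSA keys map to RSASSA-PSS by modulus size, ECDSA keys
// map to ES* by curve, and every other key type is rejected.
func RecommendedAlg(key interface{}) (string, error) {
	// Reduce a private key to its public half so both forms share one switch.
	if priv, ok := key.(interface{ Public() crypto.PublicKey }); ok {
		key = priv.Public()
	}
	switch k := key.(type) {
	case *rsa.PublicKey:
		switch k.Size() { // modulus length in bytes
		case 256:
			return "PS256", nil
		case 384:
			return "PS384", nil
		case 512:
			return "PS512", nil
		default:
			return "", fmt.Errorf("unsupported RSA modulus: %d bits", k.N.BitLen())
		}
	case *ecdsa.PublicKey:
		switch k.Curve.Params().Name {
		case "P-256":
			return "ES256", nil
		case "P-384":
			return "ES384", nil
		case "P-521":
			return "ES512", nil
		default:
			return "", fmt.Errorf("unsupported curve %q", k.Curve.Params().Name)
		}
	default:
		return "", fmt.Errorf("unsupported key type %T", key)
	}
}

func main() {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Private keys, their public halves and a non-key value, to show all outcomes.
	for _, k := range []interface{}{rsaKey, &rsaKey.PublicKey, ecKey, &ecKey.PublicKey, "not a key"} {
		alg, err := RecommendedAlg(k)
		fmt.Printf("%T -> %q err=%v\n", k, alg, err)
	}
}
```

A verifier that accepts the resolved method should still compare it against an allow-list (the Verifier's ValidMethods field serves that role in this package), because a key type alone does not prove the signature header carried the expected "alg".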
Types
type Signer
type Signer struct {
	// TSA is the TimeStamp Authority to timestamp the resulting signature if present.
	TSA timestamp.Timestamper

	// TSAVerifyOptions is the verify option to verify the fetched timestamp signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the fetched timestamp signature.
	// An empty list of `KeyUsages` in the verify options implies ExtKeyUsageTimeStamping.
	TSAVerifyOptions x509.VerifyOptions
	// contains filtered or unexported fields
}
Signer signs artifacts and generates JWS signatures.
func NewSigner
func NewSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (*Signer, error)
NewSigner creates a signer with the recommended signing method and a signing key bundled with a certificate chain. The relation of the provided signing key and its certificate chain is not verified, and should be verified by the caller.
func NewSignerWithCertificateChain
func NewSignerWithCertificateChain(method jwt.SigningMethod, key crypto.PrivateKey, certChain []*x509.Certificate) (*Signer, error)
NewSignerWithCertificateChain creates a signer with the specified signing method and a signing key bundled with a (partial) certificate chain. Since the provided signing key could potentially be a remote key, the relation of the signing key and its certificate chain is not verified, and should be verified by the caller.
type Verifier
type Verifier struct {
	// ValidMethods contains a list of acceptable signing methods.
	// Only signing methods in this list are considered valid if populated.
	ValidMethods []string

	// ResolveSigningMethod resolves the signing method used to verify the certificate in the
	// certificate chain.
	// If not present, `SigningMethodFromKey` will be used to pick up a recommended method.
	ResolveSigningMethod func(interface{}) (jwt.SigningMethod, error)

	// EnforceExpiryValidation enforces the verifier to verify the timestamp signature even if
	// the certificate is valid.
	// Reference: https://github.com/notaryproject/notaryproject/discussions/98
	EnforceExpiryValidation bool

	// VerifyOptions is the verify option to verify the certificate of the incoming signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the incoming signature.
	// An empty list of `KeyUsages` in the verify options implies `ExtKeyUsageCodeSigning`.
	VerifyOptions x509.VerifyOptions

	// TSAVerifyOptions is the verify option to verify the fetched timestamp signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the fetched timestamp signature.
	// An empty list of `KeyUsages` in the verify options implies `ExtKeyUsageTimeStamping`.
	TSAVerifyOptions x509.VerifyOptions
}
Verifier verifies artifacts against JWS signatures.
func NewVerifier
func NewVerifier() *Verifier
NewVerifier creates a verifier with a set of trusted verification keys. Callers may be interested in the options in the public fields of the Verifier, especially VerifyOptions for setting up trusted certificates.
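The VerifyOptions and TSAVerifyOptions fields above (and the Signer's TSAVerifyOptions) share one rule: the caller supplies the trust anchors, the `Intermediates` pool is thrown away and rebuilt from the certificates carried in the signature, and an empty `KeyUsages` list defaults to code signing or timestamping respectively. The program below is an added example, not the package's own code, that implements exactly that rule against the standard library so the consequences can be seen: a leaf whose intermediate is missing from the signature fails even if the caller had the intermediate in their own pool, and a certificate issued for server authentication is rejected when checked for code signing. The `VerifyChain` and `BuildDemoPKI` names, and the root/intermediate/leaf hierarchy they build, are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyChain is a stand-alone illustration (not the package's own code) of the
// documented VerifyOptions / TSAVerifyOptions semantics: chain[0] is the
// certificate that made the signature, opts.Intermediates is discarded and
// rebuilt from the rest of the chain, and an empty opts.KeyUsages falls back
// to defaultUsage (ExtKeyUsageCodeSigning for signatures, ExtKeyUsageTimeStamping
// for timestamp tokens). It returns the verified chains from leaf to root.
func VerifyChain(chain []*x509.Certificate, opts x509.VerifyOptions, defaultUsage x509.ExtKeyUsage) ([][]*x509.Certificate, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty certificate chain")
	}
	// opts is a copy, so the caller's pools are untouched; only certificates carried
	// in the signature are used as intermediates, while roots still come from the caller.
	opts.Intermediates = x509.NewCertPool()
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	if len(opts.KeyUsages) == 0 {
		opts.KeyUsages = []x509.ExtKeyUsage{defaultUsage}
	}
	return chain[0].Verify(opts)
}

var nextSerial int64

// newCert issues a certificate for cn signed by parent; a nil parent yields a
// self-signed certificate. Helper producing constructed test data only.
func newCert(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// DemoPKI is a constructed root -> intermediate -> leaf hierarchy with one
// code-signing leaf and one leaf whose only EKU is server authentication.
type DemoPKI struct {
	Root, Intermediate, CodeSigningLeaf, ServerAuthLeaf *x509.Certificate
}

func BuildDemoPKI() DemoPKI {
	root, rootKey := newCert("Demo Root", true, nil, nil, nil)
	inter, interKey := newCert("Demo Intermediate", true, nil, root, rootKey)
	cs, _ := newCert("signer", false, []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}, inter, interKey)
	sa, _ := newCert("web", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, inter, interKey)
	return DemoPKI{Root: root, Intermediate: inter, CodeSigningLeaf: cs, ServerAuthLeaf: sa}
}

func main() {
	pki := BuildDemoPKI()
	// The caller supplies only the trust anchor, as NewVerifier's note on VerifyOptions suggests.
	opts := x509.VerifyOptions{Roots: x509.NewCertPool()}
	opts.Roots.AddCert(pki.Root)

	cases := []struct {
		name  string
		chain []*x509.Certificate
		usage x509.ExtKeyUsage
	}{
		{"code-signing leaf, intermediate in signature", []*x509.Certificate{pki.CodeSigningLeaf, pki.Intermediate}, x509.ExtKeyUsageCodeSigning},
		{"code-signing leaf, intermediate omitted", []*x509.Certificate{pki.CodeSigningLeaf}, x509.ExtKeyUsageCodeSigning},
		{"server-auth leaf checked for code signing", []*x509.Certificate{pki.ServerAuthLeaf, pki.Intermediate}, x509.ExtKeyUsageCodeSigning},
		{"code-signing leaf checked as a TSA cert", []*x509.Certificate{pki.CodeSigningLeaf, pki.Intermediate}, x509.ExtKeyUsageTimeStamping},
	}
	for _, c := range cases {
		_, err := VerifyChain(c.chain, opts, c.usage)
		fmt.Printf("%-45s ok=%v err=%v\n", c.name, err == nil, err)
	}
}
```

Because `opts` is passed by value, nothing the caller put in `Intermediates` leaks into verification, which is the property the documentation describes; the intermediate in the signature is trusted only as far as it chains to a root the caller configured.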