jws

package
v1.0.0-alpha-1
Published: Oct 19, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package jws signs and verifies artifacts with signatures in JWS format. The specification is currently under discussion and is not yet finalized. Reference: https://github.com/notaryproject/notaryproject/pull/93

Index

Constants

const MediaTypeNotationPayload = "application/vnd.cncf.notary.v2.jws.v1"

MediaTypeNotationPayload describes the media type of the payload of notation signature.

Variables

This section is empty.

Functions

func SigningMethodFromKey

func SigningMethodFromKey(key interface{}) (jwt.SigningMethod, error)

SigningMethodFromKey picks a recommended algorithm for a private or public key. Reference: RFC 7518 section 3.1, "alg" (Algorithm) Header Parameter Values for JWS.

Types

type Signer

type Signer struct {
	// TSA is the TimeStamp Authority to timestamp the resulting signature if present.
	TSA timestamp.Timestamper

	// TSAVerifyOptions is the verify option to verify the fetched timestamp signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the fetched timestamp signature.
	// An empty list of `KeyUsages` in the verify options implies ExtKeyUsageTimeStamping.
	TSAVerifyOptions x509.VerifyOptions
	// contains filtered or unexported fields
}

Signer signs artifacts and generates JWS signatures.

func NewSigner

func NewSigner(key crypto.PrivateKey, certChain []*x509.Certificate) (*Signer, error)

NewSigner creates a signer with the recommended signing method and a signing key bundled with a certificate chain. The relation between the provided signing key and its certificate chain is not verified, and should be verified by the caller.

func NewSignerWithCertificateChain

func NewSignerWithCertificateChain(method jwt.SigningMethod, key crypto.PrivateKey, certChain []*x509.Certificate) (*Signer, error)

NewSignerWithCertificateChain creates a signer with the specified signing method and a signing key bundled with a (partial) certificate chain. Since the provided signing key could potentially be a remote key, the relation between the signing key and its certificate chain is not verified, and should be verified by the caller.
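Both NewSigner and NewSignerWithCertificateChain leave the key/chain relation to the caller. The following is an added example, not code from the jws package, of the caller-side check: confirm that the private key's public half is the leaf certificate's key, and that the leaf chains to a trusted root for code signing (the usage Verifier.VerifyOptions implies when KeyUsages is empty). VerifySigningKeyAndChain and the self-signed fixture NewTestCodeSigningCert are assumed names defined here; the key accepts any crypto.Signer, which also covers remote keys.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifySigningKeyAndChain performs the checks NewSigner leaves to the caller: the private key must
// match the leaf certificate, and the leaf must chain to a trusted root for code signing.
func VerifySigningKeyAndChain(key crypto.Signer, chain []*x509.Certificate, roots *x509.CertPool) error {
	pub, ok := key.Public().(interface{ Equal(crypto.PublicKey) bool }) // RSA, ECDSA and Ed25519 public keys implement Equal
	if len(chain) == 0 || !ok || !pub.Equal(chain[0].PublicKey) {
		return fmt.Errorf("empty chain or signing key does not match the leaf certificate")
	}
	intermediates := x509.NewCertPool() // rebuilt from the chain itself, as the package's Signer and Verifier do
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// NewTestCodeSigningCert is a constructed demo fixture: a self-signed code-signing certificate for key.
func NewTestCodeSigningCert(key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed signer"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // on failure der is empty,
	return x509.ParseCertificate(der)                                              // which ParseCertificate rejects
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := NewTestCodeSigningCert(key)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println(VerifySigningKeyAndChain(key, []*x509.Certificate{cert}, roots))   // <nil>
	fmt.Println(VerifySigningKeyAndChain(other, []*x509.Certificate{cert}, roots)) // mismatch error
}
```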

func (*Signer) Sign

func (s *Signer) Sign(ctx context.Context, desc notation.Descriptor, opts notation.SignOptions) ([]byte, error)

Sign signs the artifact described by its descriptor, and returns the signature.

type Verifier

type Verifier struct {
	// ValidMethods contains a list of acceptable signing methods.
	// Only signing methods in this list are considered valid if populated.
	ValidMethods []string

	// ResolveSigningMethod resolves the signing method used to verify the certificate in the
	// certificate chain.
	// If not present, `SigningMethodFromKey` will be used to pick up a recommended method.
	ResolveSigningMethod func(interface{}) (jwt.SigningMethod, error)

	// EnforceExpiryValidation forces the verifier to verify the timestamp signature even if
	// the certificate is valid.
	// Reference: https://github.com/notaryproject/notaryproject/discussions/98
	EnforceExpiryValidation bool

	// VerifyOptions is the verify option to verify the certificate of the incoming signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the incoming signature.
	// An empty list of `KeyUsages` in the verify options implies `ExtKeyUsageCodeSigning`.
	VerifyOptions x509.VerifyOptions

	// TSAVerifyOptions is the verify option to verify the fetched timestamp signature.
	// The `Intermediates` in the verify options will be ignored and reconstructed using
	// the certificates in the fetched timestamp signature.
	// An empty list of `KeyUsages` in the verify options implies `ExtKeyUsageTimeStamping`.
	TSAVerifyOptions x509.VerifyOptions
}

Verifier verifies artifacts against JWS signatures.

func NewVerifier

func NewVerifier() *Verifier

NewVerifier creates a verifier with a set of trusted verification keys. Callers may be interested in the options in the public fields of the Verifier, especially VerifyOptions for setting up trusted certificates.

func (*Verifier) Verify

func (v *Verifier) Verify(ctx context.Context, signature []byte, opts notation.VerifyOptions) (notation.Descriptor, error)

Verify verifies the signature and returns the verified descriptor and metadata of the signed artifact.
