cernont/pyrofetes-frontend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avancement planning

Browse Source
This commit is contained in:
timothe
2026-05-26 11:58:39 +02:00
parent 619a2b240a
commit 150b97cd2e
4892 changed files with 99214 additions and 429382 deletions
Download Patch File Download Diff File Expand all files Collapse all files
node_modules/@sigstore/verify/dist/bundle/dsse.js
Generated Vendored
+1
View File
@@ -18,6 +18,7 @@ limitations under the License.
*/
const core_1 = require("@sigstore/core");
class DSSESignatureContent {
env;
constructor(env) {
this.env = env;
}
node_modules/@sigstore/verify/dist/bundle/index.js
Generated Vendored
+10 -8
View File
@@ -9,15 +9,17 @@ function toSignedEntity(bundle, artifact) {
const { tlogEntries, timestampVerificationData } = bundle.verificationMaterial;
const timestamps = [];
for (const entry of tlogEntries) {
timestamps.push({
$case: 'transparency-log',
tlogEntry: entry,
});
if (entry.integratedTime && entry.integratedTime !== '0') {
timestamps.push({
$case: 'transparency-log',
tlogEntry: entry,
});
}
}
for (const ts of timestampVerificationData?.rfc3161Timestamps ?? []) {
timestamps.push({
$case: 'timestamp-authority',
timestamp: core_1.RFC3161Timestamp.parse(ts.signedTimestamp),
timestamp: core_1.RFC3161Timestamp.parse(Buffer.from(ts.signedTimestamp)),
});
}
return {
@@ -45,13 +47,13 @@ function key(bundle) {
case 'x509CertificateChain':
return {
$case: 'certificate',
certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.x509CertificateChain
.certificates[0].rawBytes),
certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.x509CertificateChain
.certificates[0].rawBytes)),
};
case 'certificate':
return {
$case: 'certificate',
certificate: core_1.X509Certificate.parse(bundle.verificationMaterial.content.certificate.rawBytes),
certificate: core_1.X509Certificate.parse(Buffer.from(bundle.verificationMaterial.content.certificate.rawBytes)),
};
}
}
node_modules/@sigstore/verify/dist/bundle/message.d.ts
Generated Vendored
+1
View File
@@ -5,6 +5,7 @@ export declare class MessageSignatureContent implements SignatureContent {
readonly signature: Buffer;
private readonly messageDigest;
private readonly artifact;
private readonly hashAlgorithm;
constructor(messageSignature: MessageSignature, artifact: Buffer);
compareSignature(signature: Buffer): boolean;
compareDigest(digest: Buffer): boolean;
node_modules/@sigstore/verify/dist/bundle/message.js
Generated Vendored
+19 -1
View File
@@ -17,11 +17,29 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const protobuf_specs_1 = require("@sigstore/protobuf-specs");
// Map from the Sigstore protobuf HashAlgorithm enum to
// the string values used by the Node.js crypto module.
const HASH_ALGORITHM_MAP = {
[protobuf_specs_1.HashAlgorithm.HASH_ALGORITHM_UNSPECIFIED]: 'sha256',
[protobuf_specs_1.HashAlgorithm.SHA2_256]: 'sha256',
[protobuf_specs_1.HashAlgorithm.SHA2_384]: 'sha384',
[protobuf_specs_1.HashAlgorithm.SHA2_512]: 'sha512',
[protobuf_specs_1.HashAlgorithm.SHA3_256]: 'sha3-256',
[protobuf_specs_1.HashAlgorithm.SHA3_384]: 'sha3-384',
};
class MessageSignatureContent {
signature;
messageDigest;
artifact;
hashAlgorithm;
constructor(messageSignature, artifact) {
this.signature = messageSignature.signature;
this.messageDigest = messageSignature.messageDigest.digest;
this.artifact = artifact;
this.hashAlgorithm =
HASH_ALGORITHM_MAP[messageSignature.messageDigest.algorithm] ??
/* istanbul ignore next */ 'sha256';
}
compareSignature(signature) {
return core_1.crypto.bufferEqual(signature, this.signature);
@@ -30,7 +48,7 @@ class MessageSignatureContent {
return core_1.crypto.bufferEqual(digest, this.messageDigest);
}
verifySignature(key) {
return core_1.crypto.verify(this.artifact, key, this.signature);
return core_1.crypto.verify(this.artifact, key, this.signature, this.hashAlgorithm);
}
}
exports.MessageSignatureContent = MessageSignatureContent;
node_modules/@sigstore/verify/dist/error.d.ts
Generated Vendored
+1 -1
View File
@@ -7,7 +7,7 @@ declare class BaseError<T extends string> extends Error {
cause?: any;
});
}
type VerificationErrorCode = 'NOT_IMPLEMENTED_ERROR' | 'TLOG_INCLUSION_PROOF_ERROR' | 'TLOG_INCLUSION_PROMISE_ERROR' | 'TLOG_MISSING_INCLUSION_ERROR' | 'TLOG_BODY_ERROR' | 'CERTIFICATE_ERROR' | 'PUBLIC_KEY_ERROR' | 'SIGNATURE_ERROR' | 'TIMESTAMP_ERROR';
type VerificationErrorCode = 'NOT_IMPLEMENTED_ERROR' | 'TLOG_ERROR' | 'TLOG_INCLUSION_PROOF_ERROR' | 'TLOG_INCLUSION_PROMISE_ERROR' | 'TLOG_MISSING_INCLUSION_ERROR' | 'TLOG_BODY_ERROR' | 'CERTIFICATE_ERROR' | 'PUBLIC_KEY_ERROR' | 'SIGNATURE_ERROR' | 'TIMESTAMP_ERROR';
export declare class VerificationError extends BaseError<VerificationErrorCode> {
}
type PolicyErrorCode = 'UNTRUSTED_SIGNER_ERROR';
node_modules/@sigstore/verify/dist/error.js
Generated Vendored
+2
View File
@@ -17,6 +17,8 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
class BaseError extends Error {
code;
cause; /* eslint-disable-line @typescript-eslint/no-explicit-any */
constructor({ code, message, cause, }) {
super(message);
this.code = code;
node_modules/@sigstore/verify/dist/index.d.ts
Generated Vendored
+1
View File
@@ -3,3 +3,4 @@ export { PolicyError, VerificationError } from './error';
export { KeyFinderFunc, TrustMaterial, toTrustMaterial } from './trust';
export { Verifier, VerifierOptions } from './verifier';
export type { SignedEntity, Signer, VerificationPolicy } from './shared.types';
export type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
node_modules/@sigstore/verify/dist/key/certificate.js
Generated Vendored
+5
View File
@@ -32,6 +32,10 @@ function verifyCertificateChain(timestamp, leaf, certificateAuthorities) {
});
}
class CertificateChainVerifier {
untrustedCert;
trustedCerts;
localCerts;
timestamp;
constructor(opts) {
this.untrustedCert = opts.untrustedCert;
this.trustedCerts = opts.trustedCerts;
@@ -123,6 +127,7 @@ class CertificateChainVerifier {
// or issuer/subject. Potential issuers are added to the result array.
this.localCerts.forEach((possibleIssuer) => {
if (keyIdentifier) {
/* istanbul ignore else */
if (possibleIssuer.extSubjectKeyID) {
if (possibleIssuer.extSubjectKeyID.keyIdentifier.equals(keyIdentifier)) {
issuers.push(possibleIssuer);
node_modules/@sigstore/verify/dist/key/index.js
Generated Vendored
+8
View File
@@ -56,9 +56,17 @@ function getSigner(cert) {
else {
issuer = cert.extension(OID_FULCIO_ISSUER_V1)?.value.toString('ascii');
}
const oids = cert.extensions.map((ext) => {
const oid = ext.subs[0].toOID();
return {
oid: { id: oid.split('.').map(Number) },
value: ext.subs[ext.subs.length - 1].value,
};
});
const identity = {
extensions: { issuer },
subjectAlternativeName: cert.subjectAltName,
oids,
};
return {
key: core_1.crypto.createPublicKey(cert.publicKey),
node_modules/@sigstore/verify/dist/policy.d.ts
Generated Vendored
+2
View File
@@ -1,3 +1,5 @@
import { CertificateExtensions } from './shared.types';
import type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
export declare function verifySubjectAlternativeName(policyIdentity: string, signerIdentity: string | undefined): void;
export declare function verifyExtensions(policyExtensions: CertificateExtensions, signerExtensions?: CertificateExtensions): void;
export declare function verifyOIDs(policyOIDs: ObjectIdentifierValuePair[], signerOIDs?: ObjectIdentifierValuePair[]): void;
node_modules/@sigstore/verify/dist/policy.js
Generated Vendored
+26
View File
@@ -2,7 +2,12 @@
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySubjectAlternativeName = verifySubjectAlternativeName;
exports.verifyExtensions = verifyExtensions;
exports.verifyOIDs = verifyOIDs;
const error_1 = require("./error");
// Verifies that the signer's SAN matches the policy identity. The
// policyIdentity is treated as a JavaScript regular expression pattern and
// tested against the full signerIdentity string. For exact matching, use
// anchored patterns (e.g. '^user@example\\.com$').
function verifySubjectAlternativeName(policyIdentity, signerIdentity) {
if (signerIdentity === undefined || !signerIdentity.match(policyIdentity)) {
throw new error_1.PolicyError({
@@ -22,3 +27,24 @@ function verifyExtensions(policyExtensions, signerExtensions = {}) {
}
}
}
function verifyOIDs(policyOIDs, signerOIDs = []) {
for (const policyOID of policyOIDs) {
const match = signerOIDs.find((signerOID) => oidEquals(policyOID.oid?.id, signerOID.oid?.id) &&
policyOID.value.equals(signerOID.value));
if (!match) {
/* istanbul ignore next */
const oid = policyOID.oid?.id.join('.') ?? '<unknown>';
throw new error_1.PolicyError({
code: 'UNTRUSTED_SIGNER_ERROR',
message: `invalid certificate extension - missing OID ${oid}`,
});
}
}
}
function oidEquals(a, b) {
/* istanbul ignore if */
if (a === undefined || b === undefined) {
return false;
}
return a.length === b.length && a.every((v, i) => v === b[i]);
}
node_modules/@sigstore/verify/dist/shared.types.d.ts
Generated Vendored
+2
View File
@@ -1,5 +1,6 @@
import type { TransparencyLogEntry } from '@sigstore/bundle';
import type { RFC3161Timestamp, X509Certificate, crypto } from '@sigstore/core';
import type { ObjectIdentifierValuePair } from '@sigstore/protobuf-specs';
export type CertificateExtensionName = 'issuer';
export type CertificateExtensions = {
[key in CertificateExtensionName]?: string;
@@ -7,6 +8,7 @@ export type CertificateExtensions = {
export type CertificateIdentity = {
subjectAlternativeName?: string;
extensions?: CertificateExtensions;
oids?: ObjectIdentifierValuePair[];
};
export type VerificationPolicy = CertificateIdentity;
export type Signer = {
node_modules/@sigstore/verify/dist/timestamp/checkpoint.d.ts
Generated Vendored
-3
View File
@@ -1,3 +0,0 @@
import { TLogAuthority } from '../trust';
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle';
export declare function verifyCheckpoint(entry: TLogEntryWithInclusionProof, tlogs: TLogAuthority[]): void;
node_modules/@sigstore/verify/dist/timestamp/checkpoint.js
Generated Vendored
-157
View File
@@ -1,157 +0,0 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyCheckpoint = verifyCheckpoint;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const trust_1 = require("../trust");
// Separator between the note and the signatures in a checkpoint
const CHECKPOINT_SEPARATOR = '\n\n';
// Checkpoint signatures are of the following form:
// " <identity> <key_hint+signature_bytes>\n"
// where:
// - the prefix is an emdash (U+2014).
// - <identity> gives a human-readable representation of the signing ID.
// - <key_hint+signature_bytes> is the first 4 bytes of the SHA256 hash of the
// associated public key followed by the signature bytes.
const SIGNATURE_REGEX = /\u2014 (\S+) (\S+)\n/g;
// Verifies the checkpoint value in the given tlog entry. There are two steps
// to the verification:
// 1. Verify that all signatures in the checkpoint can be verified against a
// trusted public key
// 2. Verify that the root hash in the checkpoint matches the root hash in the
// inclusion proof
// See: https://github.com/transparency-dev/formats/blob/main/log/README.md
function verifyCheckpoint(entry, tlogs) {
// Filter tlog instances to just those which were valid at the time of the
// entry
const validTLogs = (0, trust_1.filterTLogAuthorities)(tlogs, {
targetDate: new Date(Number(entry.integratedTime) * 1000),
});
const inclusionProof = entry.inclusionProof;
const signedNote = SignedNote.fromString(inclusionProof.checkpoint.envelope);
const checkpoint = LogCheckpoint.fromString(signedNote.note);
// Verify that the signatures in the checkpoint are all valid
if (!verifySignedNote(signedNote, validTLogs)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'invalid checkpoint signature',
});
}
// Verify that the root hash from the checkpoint matches the root hash in the
// inclusion proof
if (!core_1.crypto.bufferEqual(checkpoint.logHash, inclusionProof.rootHash)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'root hash mismatch',
});
}
}
// Verifies the signatures in the SignedNote. For each signature, the
// corresponding transparency log is looked up by the key hint and the
// signature is verified against the public key in the transparency log.
// Throws an error if any of the signatures are invalid.
function verifySignedNote(signedNote, tlogs) {
const data = Buffer.from(signedNote.note, 'utf-8');
return signedNote.signatures.every((signature) => {
// Find the transparency log instance with the matching key hint
const tlog = tlogs.find((tlog) => core_1.crypto.bufferEqual(tlog.logID.subarray(0, 4), signature.keyHint));
if (!tlog) {
return false;
}
return core_1.crypto.verify(data, tlog.publicKey, signature.signature);
});
}
// SignedNote represents a signed note from a transparency log checkpoint. Consists
// of a body (or note) and one more signatures calculated over the body. See
// https://github.com/transparency-dev/formats/blob/main/log/README.md#signed-envelope
class SignedNote {
constructor(note, signatures) {
this.note = note;
this.signatures = signatures;
}
// Deserialize a SignedNote from a string
static fromString(envelope) {
if (!envelope.includes(CHECKPOINT_SEPARATOR)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'missing checkpoint separator',
});
}
// Split the note into the header and the data portions at the separator
const split = envelope.indexOf(CHECKPOINT_SEPARATOR);
const header = envelope.slice(0, split + 1);
const data = envelope.slice(split + CHECKPOINT_SEPARATOR.length);
// Find all the signature lines in the data portion
const matches = data.matchAll(SIGNATURE_REGEX);
// Parse each of the matched signature lines into the name and signature.
// The first four bytes of the signature are the key hint (should match the
// first four bytes of the log ID), and the rest is the signature itself.
const signatures = Array.from(matches, (match) => {
const [, name, signature] = match;
const sigBytes = Buffer.from(signature, 'base64');
if (sigBytes.length < 5) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'malformed checkpoint signature',
});
}
return {
name,
keyHint: sigBytes.subarray(0, 4),
signature: sigBytes.subarray(4),
};
});
if (signatures.length === 0) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'no signatures found in checkpoint',
});
}
return new SignedNote(header, signatures);
}
}
// LogCheckpoint represents a transparency log checkpoint. Consists of the
// following:
// - origin: the name of the transparency log
// - logSize: the size of the log at the time of the checkpoint
// - logHash: the root hash of the log at the time of the checkpoint
// - rest: the rest of the checkpoint body, which is a list of log entries
// See:
// https://github.com/transparency-dev/formats/blob/main/log/README.md#checkpoint-body
class LogCheckpoint {
constructor(origin, logSize, logHash, rest) {
this.origin = origin;
this.logSize = logSize;
this.logHash = logHash;
this.rest = rest;
}
static fromString(note) {
const lines = note.trimEnd().split('\n');
if (lines.length < 3) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'too few lines in checkpoint header',
});
}
const origin = lines[0];
const logSize = BigInt(lines[1]);
const rootHash = Buffer.from(lines[2], 'base64');
const rest = lines.slice(3);
return new LogCheckpoint(origin, logSize, rootHash, rest);
}
}
node_modules/@sigstore/verify/dist/timestamp/index.d.ts
Generated Vendored
+3 -3
View File
@@ -1,11 +1,11 @@
import { RFC3161Timestamp } from '@sigstore/core';
import type { TransparencyLogEntry } from '@sigstore/bundle';
import type { CertAuthority, TLogAuthority } from '../trust';
import type { CertAuthority } from '../trust';
export type TimestampType = 'transparency-log' | 'timestamp-authority';
export type TimestampVerificationResult = {
type: TimestampType;
logID: Buffer;
timestamp: Date;
};
export declare function verifyTSATimestamp(timestamp: RFC3161Timestamp, data: Buffer, timestampAuthorities: CertAuthority[]): TimestampVerificationResult;
export declare function verifyTLogTimestamp(entry: TransparencyLogEntry, tlogAuthorities: TLogAuthority[]): TimestampVerificationResult;
export declare function getTSATimestamp(timestamp: RFC3161Timestamp, data: Buffer, timestampAuthorities: CertAuthority[]): TimestampVerificationResult;
export declare function getTLogTimestamp(entry: TransparencyLogEntry): TimestampVerificationResult | undefined;
node_modules/@sigstore/verify/dist/timestamp/index.js
Generated Vendored
+7 -29
View File
@@ -1,13 +1,9 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTSATimestamp = verifyTSATimestamp;
exports.verifyTLogTimestamp = verifyTLogTimestamp;
const error_1 = require("../error");
const checkpoint_1 = require("./checkpoint");
const merkle_1 = require("./merkle");
const set_1 = require("./set");
exports.getTSATimestamp = getTSATimestamp;
exports.getTLogTimestamp = getTLogTimestamp;
const tsa_1 = require("./tsa");
function verifyTSATimestamp(timestamp, data, timestampAuthorities) {
function getTSATimestamp(timestamp, data, timestampAuthorities) {
(0, tsa_1.verifyRFC3161Timestamp)(timestamp, data, timestampAuthorities);
return {
type: 'timestamp-authority',
@@ -15,22 +11,10 @@ function verifyTSATimestamp(timestamp, data, timestampAuthorities) {
timestamp: timestamp.signingTime,
};
}
function verifyTLogTimestamp(entry, tlogAuthorities) {
let inclusionVerified = false;
if (isTLogEntryWithInclusionPromise(entry)) {
(0, set_1.verifyTLogSET)(entry, tlogAuthorities);
inclusionVerified = true;
}
if (isTLogEntryWithInclusionProof(entry)) {
(0, merkle_1.verifyMerkleInclusion)(entry);
(0, checkpoint_1.verifyCheckpoint)(entry, tlogAuthorities);
inclusionVerified = true;
}
if (!inclusionVerified) {
throw new error_1.VerificationError({
code: 'TLOG_MISSING_INCLUSION_ERROR',
message: 'inclusion could not be verified',
});
function getTLogTimestamp(entry) {
// Only entries with an inclusion promise provide a verifiable timestamp
if (!entry.inclusionPromise) {
return undefined;
}
return {
type: 'transparency-log',
@@ -38,9 +22,3 @@ function verifyTLogTimestamp(entry, tlogAuthorities) {
timestamp: new Date(Number(entry.integratedTime) * 1000),
};
}
function isTLogEntryWithInclusionPromise(entry) {
return entry.inclusionPromise !== undefined;
}
function isTLogEntryWithInclusionProof(entry) {
return entry.inclusionProof !== undefined;
}
node_modules/@sigstore/verify/dist/timestamp/merkle.d.ts
Generated Vendored
-2
View File
@@ -1,2 +0,0 @@
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle';
export declare function verifyMerkleInclusion(entry: TLogEntryWithInclusionProof): void;
node_modules/@sigstore/verify/dist/timestamp/merkle.js
Generated Vendored
-104
View File
@@ -1,104 +0,0 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyMerkleInclusion = verifyMerkleInclusion;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const RFC6962_LEAF_HASH_PREFIX = Buffer.from([0x00]);
const RFC6962_NODE_HASH_PREFIX = Buffer.from([0x01]);
function verifyMerkleInclusion(entry) {
const inclusionProof = entry.inclusionProof;
const logIndex = BigInt(inclusionProof.logIndex);
const treeSize = BigInt(inclusionProof.treeSize);
if (logIndex < 0n || logIndex >= treeSize) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: `invalid index: ${logIndex}`,
});
}
// Figure out which subset of hashes corresponds to the inner and border
// nodes
const { inner, border } = decompInclProof(logIndex, treeSize);
if (inclusionProof.hashes.length !== inner + border) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'invalid hash count',
});
}
const innerHashes = inclusionProof.hashes.slice(0, inner);
const borderHashes = inclusionProof.hashes.slice(inner);
// The entry's hash is the leaf hash
const leafHash = hashLeaf(entry.canonicalizedBody);
// Chain the hashes belonging to the inner and border portions
const calculatedHash = chainBorderRight(chainInner(leafHash, innerHashes, logIndex), borderHashes);
// Calculated hash should match the root hash in the inclusion proof
if (!core_1.crypto.bufferEqual(calculatedHash, inclusionProof.rootHash)) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROOF_ERROR',
message: 'calculated root hash does not match inclusion proof',
});
}
}
// Breaks down inclusion proof for a leaf at the specified index in a tree of
// the specified size. The split point is where paths to the index leaf and
// the (size - 1) leaf diverge. Returns lengths of the bottom and upper proof
// parts.
function decompInclProof(index, size) {
const inner = innerProofSize(index, size);
const border = onesCount(index >> BigInt(inner));
return { inner, border };
}
// Computes a subtree hash for a node on or below the tree's right border.
// Assumes the provided proof hashes are ordered from lower to higher levels
// and seed is the initial hash of the node specified by the index.
function chainInner(seed, hashes, index) {
return hashes.reduce((acc, h, i) => {
if ((index >> BigInt(i)) & BigInt(1)) {
return hashChildren(h, acc);
}
else {
return hashChildren(acc, h);
}
}, seed);
}
// Computes a subtree hash for nodes along the tree's right border.
function chainBorderRight(seed, hashes) {
return hashes.reduce((acc, h) => hashChildren(h, acc), seed);
}
function innerProofSize(index, size) {
return bitLength(index ^ (size - BigInt(1)));
}
// Counts the number of ones in the binary representation of the given number.
// https://en.wikipedia.org/wiki/Hamming_weight
function onesCount(num) {
return num.toString(2).split('1').length - 1;
}
// Returns the number of bits necessary to represent an integer in binary.
function bitLength(n) {
if (n === 0n) {
return 0;
}
return n.toString(2).length;
}
// Hashing logic according to RFC6962.
// https://datatracker.ietf.org/doc/html/rfc6962#section-2
function hashChildren(left, right) {
return core_1.crypto.digest('sha256', RFC6962_NODE_HASH_PREFIX, left, right);
}
function hashLeaf(leaf) {
return core_1.crypto.digest('sha256', RFC6962_LEAF_HASH_PREFIX, leaf);
}
node_modules/@sigstore/verify/dist/timestamp/set.d.ts
Generated Vendored
-3
View File
@@ -1,3 +0,0 @@
import { TLogAuthority } from '../trust';
import type { TLogEntryWithInclusionPromise } from '@sigstore/bundle';
export declare function verifyTLogSET(entry: TLogEntryWithInclusionPromise, tlogs: TLogAuthority[]): void;
node_modules/@sigstore/verify/dist/timestamp/set.js
Generated Vendored
-60
View File
@@ -1,60 +0,0 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogSET = verifyTLogSET;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const core_1 = require("@sigstore/core");
const error_1 = require("../error");
const trust_1 = require("../trust");
// Verifies the SET for the given entry against the list of trusted
// transparency logs. Returns true if the SET can be verified against at least
// one of the trusted logs; otherwise, returns false.
function verifyTLogSET(entry, tlogs) {
// Filter the list of tlog instances to only those which might be able to
// verify the SET
const validTLogs = (0, trust_1.filterTLogAuthorities)(tlogs, {
logID: entry.logId.keyId,
targetDate: new Date(Number(entry.integratedTime) * 1000),
});
// Check to see if we can verify the SET against any of the valid tlogs
const verified = validTLogs.some((tlog) => {
// Re-create the original Rekor verification payload
const payload = toVerificationPayload(entry);
// Canonicalize the payload and turn into a buffer for verification
const data = Buffer.from(core_1.json.canonicalize(payload), 'utf8');
// Extract the SET from the tlog entry
const signature = entry.inclusionPromise.signedEntryTimestamp;
return core_1.crypto.verify(data, tlog.publicKey, signature);
});
if (!verified) {
throw new error_1.VerificationError({
code: 'TLOG_INCLUSION_PROMISE_ERROR',
message: 'inclusion promise could not be verified',
});
}
}
// Returns a properly formatted "VerificationPayload" for one of the
// transaction log entires in the given bundle which can be used for SET
// verification.
function toVerificationPayload(entry) {
const { integratedTime, logIndex, logId, canonicalizedBody } = entry;
return {
body: canonicalizedBody.toString('base64'),
integratedTime: Number(integratedTime),
logIndex: Number(logIndex),
logID: logId.keyId.toString('hex'),
};
}
node_modules/@sigstore/verify/dist/tlog/dsse.d.ts
Generated Vendored
+3
View File
@@ -1,3 +1,6 @@
import type { Entry } from '@sigstore/protobuf-specs/rekor/v2';
import type { ProposedDSSEEntry } from '@sigstore/rekor-types';
import type { SignatureContent } from '../shared.types';
export declare const DSSE_API_VERSION_V1 = "0.0.1";
export declare function verifyDSSETLogBody(tlogEntry: ProposedDSSEEntry, content: SignatureContent): void;
export declare function verifyDSSETLogBodyV2(tlogEntry: Entry, content: SignatureContent): void;
node_modules/@sigstore/verify/dist/tlog/dsse.js
Generated Vendored
+52 -3
View File
@@ -1,8 +1,10 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.DSSE_API_VERSION_V1 = void 0;
exports.verifyDSSETLogBody = verifyDSSETLogBody;
exports.verifyDSSETLogBodyV2 = verifyDSSETLogBodyV2;
/*
Copyright 2023 The Sigstore Authors.
Copyright 2025 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -17,10 +19,11 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../error");
// Compare the given intoto tlog entry to the given bundle
exports.DSSE_API_VERSION_V1 = '0.0.1';
// Compare the given dsse tlog entry to the given bundle
function verifyDSSETLogBody(tlogEntry, content) {
switch (tlogEntry.apiVersion) {
case '0.0.1':
case exports.DSSE_API_VERSION_V1:
return verifyDSSE001TLogBody(tlogEntry, content);
default:
throw new error_1.VerificationError({
@@ -29,6 +32,26 @@ function verifyDSSETLogBody(tlogEntry, content) {
});
}
}
// Compare the given dsse tlog entry to the given bundle. This function is
// specifically for Rekor V2 entries.
function verifyDSSETLogBodyV2(tlogEntry, content) {
const spec = tlogEntry.spec?.spec;
if (!spec) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: `missing dsse spec`,
});
}
switch (spec.$case) {
case 'dsseV002':
return verifyDSSE002TLogBody(spec.dsseV002, content);
default:
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: `unsupported version: ${spec.$case}`,
});
}
}
// Compare the given dsse v0.0.1 tlog entry to the given DSSE envelope.
function verifyDSSE001TLogBody(tlogEntry, content) {
// Ensure the bundle's DSSE only contains a single signature
@@ -55,3 +78,29 @@ function verifyDSSE001TLogBody(tlogEntry, content) {
});
}
}
// Compare the given dsse v0.0.2 tlog entry to the given DSSE envelope.
function verifyDSSE002TLogBody(spec, content) {
// Ensure the bundle's DSSE only contains a single signature
if (spec.signatures?.length !== 1) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: 'signature count mismatch',
});
}
const tlogSig = spec.signatures[0].content;
// Ensure that the signature in the bundle's DSSE matches tlog entry
if (!content.compareSignature(tlogSig))
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: 'tlog entry signature mismatch',
});
// Ensure the digest of the bundle's DSSE payload matches the digest in the
// tlog entry
const tlogHash = spec.payloadHash?.digest || Buffer.from('');
if (!content.compareDigest(tlogHash)) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: 'DSSE payload hash mismatch',
});
}
}
node_modules/@sigstore/verify/dist/tlog/hashedrekord.d.ts
Generated Vendored
+3
View File
@@ -1,3 +1,6 @@
import { Entry } from '@sigstore/protobuf-specs/rekor/v2';
import type { ProposedHashedRekordEntry } from '@sigstore/rekor-types';
import type { SignatureContent } from '../shared.types';
export declare const HASHEDREKORD_API_VERSION_V1 = "0.0.1";
export declare function verifyHashedRekordTLogBody(tlogEntry: ProposedHashedRekordEntry, content: SignatureContent): void;
export declare function verifyHashedRekordTLogBodyV2(tlogEntry: Entry, content: SignatureContent): void;
node_modules/@sigstore/verify/dist/tlog/hashedrekord.js
Generated Vendored
+45 -2
View File
@@ -1,8 +1,10 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.HASHEDREKORD_API_VERSION_V1 = void 0;
exports.verifyHashedRekordTLogBody = verifyHashedRekordTLogBody;
exports.verifyHashedRekordTLogBodyV2 = verifyHashedRekordTLogBodyV2;
/*
Copyright 2023 The Sigstore Authors.
Copyright 2025 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -17,10 +19,11 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../error");
exports.HASHEDREKORD_API_VERSION_V1 = '0.0.1';
// Compare the given hashedrekord tlog entry to the given bundle
function verifyHashedRekordTLogBody(tlogEntry, content) {
switch (tlogEntry.apiVersion) {
case '0.0.1':
case exports.HASHEDREKORD_API_VERSION_V1:
return verifyHashedrekord001TLogBody(tlogEntry, content);
default:
throw new error_1.VerificationError({
@@ -29,6 +32,26 @@ function verifyHashedRekordTLogBody(tlogEntry, content) {
});
}
}
// Compare the given hashedrekor tlog entry to the given bundle. This function is
// specifically for Rekor V2 entries.
function verifyHashedRekordTLogBodyV2(tlogEntry, content) {
const spec = tlogEntry.spec?.spec;
if (!spec) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: `missing dsse spec`,
});
}
switch (spec.$case) {
case 'hashedRekordV002':
return verifyHashedrekord002TLogBody(spec.hashedRekordV002, content);
default:
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: `unsupported version: ${spec.$case}`,
});
}
}
// Compare the given hashedrekord v0.0.1 tlog entry to the given message
// signature
function verifyHashedrekord001TLogBody(tlogEntry, content) {
@@ -49,3 +72,23 @@ function verifyHashedrekord001TLogBody(tlogEntry, content) {
});
}
}
// Compare the given hashedrekord v0.0.2 tlog entry to the given message
// signature
function verifyHashedrekord002TLogBody(spec, content) {
// Ensure that the bundles message signature matches the tlog entry
const tlogSig = spec.signature?.content || Buffer.from('');
if (!content.compareSignature(tlogSig)) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: 'signature mismatch',
});
}
// Ensure that the bundle's message digest matches the tlog entry
const tlogHash = spec.data?.digest || Buffer.from('');
if (!content.compareDigest(tlogHash)) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: 'digest mismatch',
});
}
}
node_modules/@sigstore/verify/dist/tlog/index.d.ts
Generated Vendored
+2
View File
@@ -1,3 +1,5 @@
import type { TransparencyLogEntry } from '@sigstore/bundle';
import type { SignatureContent } from '../shared.types';
import { TLogAuthority } from '../trust';
export declare function verifyTLogBody(entry: TransparencyLogEntry, sigContent: SignatureContent): void;
export declare function verifyTLogInclusion(entry: TransparencyLogEntry, tlogAuthorities: TLogAuthority[]): void;
node_modules/@sigstore/verify/dist/tlog/index.js
Generated Vendored
+48 -3
View File
@@ -1,6 +1,7 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogBody = verifyTLogBody;
exports.verifyTLogInclusion = verifyTLogInclusion;
/*
Copyright 2023 The Sigstore Authors.
@@ -16,27 +17,46 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const v2_1 = require("@sigstore/protobuf-specs/rekor/v2");
const error_1 = require("../error");
const dsse_1 = require("./dsse");
const hashedrekord_1 = require("./hashedrekord");
const intoto_1 = require("./intoto");
const checkpoint_1 = require("./checkpoint");
const merkle_1 = require("./merkle");
const set_1 = require("./set");
// Verifies that the given tlog entry matches the supplied signature content.
function verifyTLogBody(entry, sigContent) {
const { kind, version } = entry.kindVersion;
const body = JSON.parse(entry.canonicalizedBody.toString('utf8'));
// validate body
if (kind !== body.kind || version !== body.apiVersion) {
throw new error_1.VerificationError({
code: 'TLOG_BODY_ERROR',
message: `kind/version mismatch - expected: ${kind}/${version}, received: ${body.kind}/${body.apiVersion}`,
});
}
switch (body.kind) {
switch (kind) {
case 'dsse':
return (0, dsse_1.verifyDSSETLogBody)(body, sigContent);
// Rekor V1 and V2 use incompatible types so we need to branch here based on version
if (version == dsse_1.DSSE_API_VERSION_V1) {
return (0, dsse_1.verifyDSSETLogBody)(body, sigContent);
}
else {
const entryRekorV2 = v2_1.Entry.fromJSON(body);
return (0, dsse_1.verifyDSSETLogBodyV2)(entryRekorV2, sigContent);
}
case 'intoto':
return (0, intoto_1.verifyIntotoTLogBody)(body, sigContent);
case 'hashedrekord':
return (0, hashedrekord_1.verifyHashedRekordTLogBody)(body, sigContent);
// Rekor V1 and V2 use incompatible types so we need to branch here based on version
if (version == hashedrekord_1.HASHEDREKORD_API_VERSION_V1) {
return (0, hashedrekord_1.verifyHashedRekordTLogBody)(body, sigContent);
}
else {
const entryRekorV2 = v2_1.Entry.fromJSON(body);
return (0, hashedrekord_1.verifyHashedRekordTLogBodyV2)(entryRekorV2, sigContent);
}
/* istanbul ignore next */
default:
throw new error_1.VerificationError({
@@ -45,3 +65,28 @@ function verifyTLogBody(entry, sigContent) {
});
}
}
function verifyTLogInclusion(entry, tlogAuthorities) {
let inclusionVerified = false;
if (isTLogEntryWithInclusionPromise(entry)) {
(0, set_1.verifyTLogSET)(entry, tlogAuthorities);
inclusionVerified = true;
}
if (isTLogEntryWithInclusionProof(entry)) {
const checkpoint = (0, checkpoint_1.verifyCheckpoint)(entry, tlogAuthorities);
(0, merkle_1.verifyMerkleInclusion)(entry, checkpoint);
inclusionVerified = true;
}
if (!inclusionVerified) {
throw new error_1.VerificationError({
code: 'TLOG_MISSING_INCLUSION_ERROR',
message: 'inclusion could not be verified',
});
}
return;
}
function isTLogEntryWithInclusionPromise(entry) {
return entry.inclusionPromise !== undefined;
}
function isTLogEntryWithInclusionProof(entry) {
return entry.inclusionProof !== undefined;
}
node_modules/@sigstore/verify/dist/trust/index.js
Generated Vendored
+6 -2
View File
@@ -44,8 +44,12 @@ function createTLogAuthority(tlogInstance) {
keyDetails === protobuf_specs_1.PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256
? 'pkcs1'
: 'spki';
/* istanbul ignore next */
return {
logID: tlogInstance.logId.keyId,
baseURL: tlogInstance.baseUrl,
logID: tlogInstance.checkpointKeyId
? tlogInstance.checkpointKeyId.keyId
: tlogInstance.logId.keyId,
publicKey: core_1.crypto.createPublicKey(tlogInstance.publicKey.rawBytes, keyType),
validFor: {
start: tlogInstance.publicKey.validFor?.start || BEGINNING_OF_TIME,
@@ -57,7 +61,7 @@ function createCertAuthority(ca) {
/* istanbul ignore next */
return {
certChain: ca.certChain.certificates.map((cert) => {
return core_1.X509Certificate.parse(cert.rawBytes);
return core_1.X509Certificate.parse(Buffer.from(cert.rawBytes));
}),
validFor: {
start: ca.validFor?.start || BEGINNING_OF_TIME,
node_modules/@sigstore/verify/dist/trust/trust.types.d.ts
Generated Vendored
+1
View File
@@ -1,6 +1,7 @@
import type { X509Certificate, crypto } from '@sigstore/core';
export type TLogAuthority = {
logID: Buffer;
baseURL: string;
publicKey: crypto.KeyObject;
validFor: {
start: Date;
node_modules/@sigstore/verify/dist/verifier.d.ts
Generated Vendored
+15 -2
View File
@@ -1,10 +1,23 @@
import type { SignedEntity, Signer, VerificationPolicy } from './shared.types';
import type { TrustMaterial } from './trust';
export type VerifierOptions = {
/**
* Configuration options for the verifier.
*
* @public
*/
export interface VerifierOptions {
/** Minimum number of transparency log entries required for verification */
tlogThreshold?: number;
/** Minimum number of certificate transparency log entries required */
ctlogThreshold?: number;
/**
* Minimum number of timestamp authority timestamps required for verification
* @deprecated Use timestampThreshold instead
*/
tsaThreshold?: number;
};
/** Minimum number of timestamps required for verification */
timestampThreshold?: number;
}
export declare class Verifier {
private trustMaterial;
private options;
node_modules/@sigstore/verify/dist/verifier.js
Generated Vendored
+38 -19
View File
@@ -23,12 +23,15 @@ const policy_1 = require("./policy");
const timestamp_1 = require("./timestamp");
const tlog_1 = require("./tlog");
class Verifier {
trustMaterial;
options;
constructor(trustMaterial, options = {}) {
this.trustMaterial = trustMaterial;
this.options = {
ctlogThreshold: options.ctlogThreshold ?? 1,
tlogThreshold: options.tlogThreshold ?? 1,
tsaThreshold: options.tsaThreshold ?? 0,
timestampThreshold: options.timestampThreshold ?? options.tsaThreshold ?? 1,
tsaThreshold: 0,
};
}
verify(entity, policy) {
@@ -43,18 +46,22 @@ class Verifier {
}
// Checks that all of the timestamps in the entity are valid and returns them
verifyTimestamps(entity) {
let tlogCount = 0;
let tsaCount = 0;
const timestamps = entity.timestamps.map((timestamp) => {
const timestamps = [];
for (const timestamp of entity.timestamps) {
switch (timestamp.$case) {
case 'timestamp-authority':
tsaCount++;
return (0, timestamp_1.verifyTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities);
case 'transparency-log':
tlogCount++;
return (0, timestamp_1.verifyTLogTimestamp)(timestamp.tlogEntry, this.trustMaterial.tlogs);
timestamps.push((0, timestamp_1.getTSATimestamp)(timestamp.timestamp, entity.signature.signature, this.trustMaterial.timestampAuthorities));
break;
case 'transparency-log': {
const result = (0, timestamp_1.getTLogTimestamp)(timestamp.tlogEntry);
/* istanbul ignore else */
if (result) {
timestamps.push(result);
}
break;
}
}
});
}
// Check for duplicate timestamps
if (containsDupes(timestamps)) {
throw new error_1.VerificationError({
@@ -62,16 +69,10 @@ class Verifier {
message: 'duplicate timestamp',
});
}
if (tlogCount < this.options.tlogThreshold) {
if (timestamps.length < this.options.timestampThreshold) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: `expected ${this.options.tlogThreshold} tlog timestamps, got ${tlogCount}`,
});
}
if (tsaCount < this.options.tsaThreshold) {
throw new error_1.VerificationError({
code: 'TIMESTAMP_ERROR',
message: `expected ${this.options.tsaThreshold} tsa timestamps, got ${tsaCount}`,
message: `expected ${this.options.timestampThreshold} timestamps, got ${timestamps.length}`,
});
}
return timestamps.map((t) => t.timestamp);
@@ -104,7 +105,18 @@ class Verifier {
}
// Checks that the tlog entries are valid for the supplied content
verifyTLogs({ signature: content, tlogEntries }) {
tlogEntries.forEach((entry) => (0, tlog_1.verifyTLogBody)(entry, content));
let tlogCount = 0;
tlogEntries.forEach((entry) => {
tlogCount++;
(0, tlog_1.verifyTLogInclusion)(entry, this.trustMaterial.tlogs);
(0, tlog_1.verifyTLogBody)(entry, content);
});
if (tlogCount < this.options.tlogThreshold) {
throw new error_1.VerificationError({
code: 'TLOG_ERROR',
message: `expected ${this.options.tlogThreshold} tlog entries, got ${tlogCount}`,
});
}
}
// Checks that the signature is valid for the supplied content
verifySignature(entity, signer) {
@@ -117,13 +129,20 @@ class Verifier {
}
verifyPolicy(policy, identity) {
// Check the subject alternative name of the signer matches the policy
/* istanbul ignore else */
if (policy.subjectAlternativeName) {
(0, policy_1.verifySubjectAlternativeName)(policy.subjectAlternativeName, identity.subjectAlternativeName);
}
// Check that the extensions of the signer match the policy
/* istanbul ignore else */
if (policy.extensions) {
(0, policy_1.verifyExtensions)(policy.extensions, identity.extensions);
}
// Check that the OIDs of the signer match the policy
/* istanbul ignore if */
if (policy.oids) {
(0, policy_1.verifyOIDs)(policy.oids, identity.oids);
}
}
}
exports.Verifier = Verifier;