gen, protos: 0.3, single cert (#191)
* gen, protos: 0.3, single cert

Signed-off-by: William Woodruff <[email protected]>

* gen, protos: feedback

Signed-off-by: William Woodruff <[email protected]>

* clarify order with a SHOULD

Signed-off-by: William Woodruff <[email protected]>

* fix rust tests

Signed-off-by: William Woodruff <[email protected]>

* Update protos/sigstore_common.proto

Co-authored-by: Fredrik Skogman <[email protected]>
Signed-off-by: William Woodruff <[email protected]>

* gen: bump

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Fredrik Skogman <[email protected]>
woodruffw and kommendorkapten authored Jan 15, 2024
1 parent 1d1f3fe commit 66063f0
Showing 24 changed files with 309 additions and 168 deletions.
19 changes: 14 additions & 5 deletions gen/jsonschema/schemas/Bundle.schema.json
Expand Up @@ -6,7 +6,7 @@
"properties": {
"mediaType": {
"type": "string",
"description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON."
"description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON."
},
"verificationMaterial": {
"$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial",
Expand Down Expand Up @@ -52,8 +52,8 @@
},
"additionalProperties": false,
"type": "object",
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
},
"dev.sigstore.bundle.v1.VerificationMaterial": {
"properties": {
Expand All @@ -65,6 +65,10 @@
"$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
"additionalProperties": false
},
"certificate": {
"$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate",
"additionalProperties": false
},
"tlogEntries": {
"items": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry"
Expand All @@ -91,6 +95,11 @@
"required": [
"x509_certificate_chain"
]
},
{
"required": [
"certificate"
]
}
],
"title": "Verification Material",
Expand Down Expand Up @@ -199,13 +208,13 @@
},
"additionalProperties": false,
"type": "array",
"description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates."
"description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
}
},
"additionalProperties": false,
"type": "object",
"title": "X 509 Certificate Chain",
"description": "A chain of X.509 certificates."
"description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building."
},
"dev.sigstore.rekor.v1.Checkpoint": {
"properties": {
4 changes: 2 additions & 2 deletions gen/jsonschema/schemas/CertificateAuthority.schema.json
Expand Up @@ -86,13 +86,13 @@
},
"additionalProperties": false,
"type": "array",
"description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates."
"description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
}
},
"additionalProperties": false,
"type": "object",
"title": "X 509 Certificate Chain",
"description": "A chain of X.509 certificates."
"description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building."
}
}
}
19 changes: 14 additions & 5 deletions gen/jsonschema/schemas/Input.schema.json
Expand Up @@ -39,7 +39,7 @@
"properties": {
"mediaType": {
"type": "string",
"description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON."
"description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON."
},
"verificationMaterial": {
"$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial",
Expand Down Expand Up @@ -85,8 +85,8 @@
},
"additionalProperties": false,
"type": "object",
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
},
"dev.sigstore.bundle.v1.VerificationMaterial": {
"properties": {
Expand All @@ -98,6 +98,10 @@
"$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
"additionalProperties": false
},
"certificate": {
"$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate",
"additionalProperties": false
},
"tlogEntries": {
"items": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry"
Expand All @@ -124,6 +128,11 @@
"required": [
"x509_certificate_chain"
]
},
{
"required": [
"certificate"
]
}
],
"title": "Verification Material",
Expand Down Expand Up @@ -381,13 +390,13 @@
},
"additionalProperties": false,
"type": "array",
"description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates."
"description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
}
},
"additionalProperties": false,
"type": "object",
"title": "X 509 Certificate Chain",
"description": "A chain of X.509 certificates."
"description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building."
},
"dev.sigstore.rekor.v1.Checkpoint": {
"properties": {
4 changes: 2 additions & 2 deletions gen/jsonschema/schemas/TimestampVerificationData.schema.json
Expand Up @@ -15,8 +15,8 @@
},
"additionalProperties": false,
"type": "object",
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
},
"dev.sigstore.common.v1.RFC3161SignedTimestamp": {
"properties": {
4 changes: 2 additions & 2 deletions gen/jsonschema/schemas/TrustedRoot.schema.json
Expand Up @@ -162,13 +162,13 @@
},
"additionalProperties": false,
"type": "array",
"description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates."
"description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
}
},
"additionalProperties": false,
"type": "object",
"title": "X 509 Certificate Chain",
"description": "A chain of X.509 certificates."
"description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building."
},
"dev.sigstore.trustroot.v1.CertificateAuthority": {
"properties": {
17 changes: 13 additions & 4 deletions gen/jsonschema/schemas/VerificationMaterial.schema.json
Expand Up @@ -12,6 +12,10 @@
"$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
"additionalProperties": false
},
"certificate": {
"$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate",
"additionalProperties": false
},
"tlogEntries": {
"items": {
"$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry"
Expand All @@ -38,6 +42,11 @@
"required": [
"x509_certificate_chain"
]
},
{
"required": [
"certificate"
]
}
],
"title": "Verification Material",
Expand All @@ -56,8 +65,8 @@
},
"additionalProperties": false,
"type": "object",
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
"title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.",
"description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future."
},
"dev.sigstore.common.v1.LogId": {
"properties": {
Expand Down Expand Up @@ -120,13 +129,13 @@
},
"additionalProperties": false,
"type": "array",
"description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates."
"description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
}
},
"additionalProperties": false,
"type": "object",
"title": "X 509 Certificate Chain",
"description": "A chain of X.509 certificates."
"description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building."
},
"dev.sigstore.rekor.v1.Checkpoint": {
"properties": {
