From 924b051f411d586623cded9e262c22d70f6ddce5 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 10 Jan 2024 12:13:03 -0500 Subject: [PATCH] gen, protos: 0.3, single cert Signed-off-by: William Woodruff --- gen/jsonschema/schemas/Bundle.schema.json | 19 +- .../schemas/CertificateAuthority.schema.json | 4 +- gen/jsonschema/schemas/Input.schema.json | 19 +- .../TimestampVerificationData.schema.json | 4 +- .../schemas/TrustedRoot.schema.json | 4 +- .../schemas/VerificationMaterial.schema.json | 17 +- .../schemas/X509CertificateChain.schema.json | 4 +- gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 162 ++++++++++++------ gen/pb-go/common/v1/sigstore_common.pb.go | 26 +-- .../dev/sigstore/bundle/v1/__init__.py | 6 +- .../dev/sigstore/common/v1/__init__.py | 21 +-- gen/pb-ruby/lib/sigstore_bundle_pb.rb | 1 + gen/pb-rust/schemas/Bundle.schema.json | 19 +- .../schemas/CertificateAuthority.schema.json | 4 +- gen/pb-rust/schemas/Input.schema.json | 19 +- .../TimestampVerificationData.schema.json | 4 +- gen/pb-rust/schemas/TrustedRoot.schema.json | 4 +- .../schemas/VerificationMaterial.schema.json | 17 +- .../schemas/X509CertificateChain.schema.json | 4 +- .../src/__generated__/sigstore_bundle.ts | 18 +- .../src/__generated__/sigstore_common.ts | 28 ++- protos/sigstore_bundle.proto | 34 +++- protos/sigstore_common.proto | 26 +-- 23 files changed, 297 insertions(+), 167 deletions(-) diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json index fb44fade..eae013ed 100644 --- a/gen/jsonschema/schemas/Bundle.schema.json +++ b/gen/jsonschema/schemas/Bundle.schema.json @@ -6,7 +6,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", @@ -52,8 +52,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { @@ -65,6 +65,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -91,6 +95,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", @@ -199,13 +208,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/CertificateAuthority.schema.json b/gen/jsonschema/schemas/CertificateAuthority.schema.json index 2fcd80e8..876baffd 100644 --- a/gen/jsonschema/schemas/CertificateAuthority.schema.json +++ b/gen/jsonschema/schemas/CertificateAuthority.schema.json @@ -86,13 +86,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index b5fe5060..91df20e2 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json @@ -39,7 +39,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", @@ -85,8 +85,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { @@ -98,6 +98,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -124,6 +128,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", @@ -381,13 +390,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/TimestampVerificationData.schema.json b/gen/jsonschema/schemas/TimestampVerificationData.schema.json index 9d202449..d47fe95e 100644 --- a/gen/jsonschema/schemas/TimestampVerificationData.schema.json +++ b/gen/jsonschema/schemas/TimestampVerificationData.schema.json @@ -15,8 +15,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.RFC3161SignedTimestamp": { "properties": { diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json index 623a9911..033fa0b2 100644 --- a/gen/jsonschema/schemas/TrustedRoot.schema.json +++ b/gen/jsonschema/schemas/TrustedRoot.schema.json @@ -162,13 +162,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.trustroot.v1.CertificateAuthority": { "properties": { diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json index 0a742626..b6732320 100644 --- a/gen/jsonschema/schemas/VerificationMaterial.schema.json +++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json @@ -12,6 +12,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -38,6 +42,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", @@ -56,8 +65,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.LogId": { "properties": { @@ -120,13 +129,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/X509CertificateChain.schema.json b/gen/jsonschema/schemas/X509CertificateChain.schema.json index a2bfb087..6847101c 100644 --- a/gen/jsonschema/schemas/X509CertificateChain.schema.json +++ b/gen/jsonschema/schemas/X509CertificateChain.schema.json @@ -10,13 +10,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.common.v1.X509Certificate": { "properties": { diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index 75db040c..664b2d70 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go @@ -107,10 +107,40 @@ type VerificationMaterial struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields + // The key material for verification purposes. + // + // This allows key material to be conveyed in one of three forms: + // + // 1. An unspecified public key identifier, for retrieving a key + // from an out-of-band mechanism (such as a keyring); + // + // 2. A sequence of one or more X.509 certificates, of which the first member + // MUST be a leaf certificate conveying the signing key. + // + // Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT + // include intermediate CA certificates that appear in an independent root of trust + // (such as the Public Good Instance's trusted root). + // + // Verifiers MUST validate the chain carefully to ensure that it chains up + // to a CA certificate that they independently trust. Verifiers SHOULD + // handle old or non-complying bundles that have additional intermediate and/or + // root CA certificates. + // + // 3. A single X.509 certificate, which MUST be a leaf certificate conveying + // the signing key. + // + // When used with the Public Good Instance (PGI) of Sigstore, form (1) MUST NOT be used, + // regardless of bundle version. + // + // When used in a `0.1` or `0.2` bundle with the PGI, form (2) MUST be used. + // + // When used in a `0.3` bundle with the PGI, form (3) MUST be used. + // // Types that are assignable to Content: // // *VerificationMaterial_PublicKey // *VerificationMaterial_X509CertificateChain + // *VerificationMaterial_Certificate Content isVerificationMaterial_Content `protobuf_oneof:"content"` // An inclusion proof and an optional signed timestamp from the log. // Client verification libraries MAY provide an option to support v0.1 @@ -178,6 +208,13 @@ func (x *VerificationMaterial) GetX509CertificateChain() *v1.X509CertificateChai return nil } +func (x *VerificationMaterial) GetCertificate() *v1.X509Certificate { + if x, ok := x.GetContent().(*VerificationMaterial_Certificate); ok { + return x.Certificate + } + return nil +} + func (x *VerificationMaterial) GetTlogEntries() []*v11.TransparencyLogEntry { if x != nil { return x.TlogEntries @@ -204,10 +241,16 @@ type VerificationMaterial_X509CertificateChain struct { X509CertificateChain *v1.X509CertificateChain `protobuf:"bytes,2,opt,name=x509_certificate_chain,json=x509CertificateChain,proto3,oneof"` } +type VerificationMaterial_Certificate struct { + Certificate *v1.X509Certificate `protobuf:"bytes,5,opt,name=certificate,proto3,oneof"` +} + func (*VerificationMaterial_PublicKey) isVerificationMaterial_Content() {} func (*VerificationMaterial_X509CertificateChain) isVerificationMaterial_Content() {} +func (*VerificationMaterial_Certificate) isVerificationMaterial_Content() {} + type Bundle struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -215,6 +258,7 @@ type Bundle struct { // MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 // or application/vnd.dev.sigstore.bundle+json;version=0.2 + // or application/vnd.dev.sigstore.bundle+json;version=0.3 // when encoded as JSON. MediaType string `protobuf:"bytes,1,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"` // When a signer is identified by a X.509 certificate, a verifier MUST @@ -341,7 +385,7 @@ var file_sigstore_bundle_proto_rawDesc = []byte{ 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x46, 0x43, 0x33, 0x31, 0x36, 0x31, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x11, 0x72, 0x66, 0x63, 0x33, 0x31, 0x36, 0x31, 0x54, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x22, 0xa2, 0x03, 0x0a, 0x14, 0x56, 0x65, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x22, 0xf4, 0x03, 0x0a, 0x14, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x51, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, @@ -355,48 +399,53 @@ var file_sigstore_bundle_proto_rawDesc = []byte{ 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x14, 0x78, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, - 0x12, 0x4e, 0x0a, 0x0c, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, - 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x54, - 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x52, 0x0b, 0x74, 0x6c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, - 0x12, 0x71, 0x0a, 0x1b, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x5f, 0x76, 0x65, - 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x54, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x52, 0x19, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, - 0x61, 0x74, 0x61, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x22, 0xbf, - 0x02, 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64, - 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, - 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x66, 0x0a, 0x15, 0x76, 0x65, 0x72, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, - 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x12, 0x50, 0x0a, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, + 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x42, 0x03, + 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x12, 0x4e, 0x0a, 0x0c, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x69, + 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, + 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, + 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0b, 0x74, 0x6c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x69, + 0x65, 0x73, 0x12, 0x71, 0x0a, 0x1b, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x5f, + 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x61, 0x74, + 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, - 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, - 0x65, 0x72, 0x69, 0x61, 0x6c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x14, 0x76, 0x65, 0x72, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, 0x6c, - 0x12, 0x5c, 0x0a, 0x11, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x73, 0x69, 0x67, 0x6e, - 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, - 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, - 0x61, 0x74, 0x75, 0x72, 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x10, 0x6d, 0x65, - 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x3f, - 0x0a, 0x0d, 0x64, 0x73, 0x73, 0x65, 0x5f, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x69, 0x6f, 0x2e, 0x69, 0x6e, 0x74, 0x6f, 0x74, - 0x6f, 0x2e, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, - 0x00, 0x52, 0x0c, 0x64, 0x73, 0x73, 0x65, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x42, - 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x33, - 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, - 0x42, 0x0b, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, - 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x62, 0x75, - 0x6e, 0x64, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x3a, 0x3a, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x52, 0x19, 0x74, 0x69, 0x6d, 0x65, + 0x73, 0x74, 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x44, 0x61, 0x74, 0x61, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, + 0x22, 0xbf, 0x02, 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, + 0x65, 0x64, 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x09, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x66, 0x0a, 0x15, 0x76, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x74, 0x65, 0x72, + 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, + 0x76, 0x31, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, + 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x14, 0x76, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x12, 0x5c, 0x0a, 0x11, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x73, 0x69, + 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, + 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x10, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, + 0x12, 0x3f, 0x0a, 0x0d, 0x64, 0x73, 0x73, 0x65, 0x5f, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, + 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x69, 0x6f, 0x2e, 0x69, 0x6e, 0x74, + 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x42, 0x03, 0xe0, 0x41, + 0x02, 0x48, 0x00, 0x52, 0x0c, 0x64, 0x73, 0x73, 0x65, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, + 0x65, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x4a, 0x04, 0x08, 0x05, + 0x10, 0x33, 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, + 0x76, 0x31, 0x42, 0x0b, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, + 0x01, 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, + 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, + 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x3a, 0x3a, 0x56, 0x31, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -419,24 +468,26 @@ var file_sigstore_bundle_proto_goTypes = []interface{}{ (*v1.RFC3161SignedTimestamp)(nil), // 3: dev.sigstore.common.v1.RFC3161SignedTimestamp (*v1.PublicKeyIdentifier)(nil), // 4: dev.sigstore.common.v1.PublicKeyIdentifier (*v1.X509CertificateChain)(nil), // 5: dev.sigstore.common.v1.X509CertificateChain - (*v11.TransparencyLogEntry)(nil), // 6: dev.sigstore.rekor.v1.TransparencyLogEntry - (*v1.MessageSignature)(nil), // 7: dev.sigstore.common.v1.MessageSignature - (*dsse.Envelope)(nil), // 8: io.intoto.Envelope + (*v1.X509Certificate)(nil), // 6: dev.sigstore.common.v1.X509Certificate + (*v11.TransparencyLogEntry)(nil), // 7: dev.sigstore.rekor.v1.TransparencyLogEntry + (*v1.MessageSignature)(nil), // 8: dev.sigstore.common.v1.MessageSignature + (*dsse.Envelope)(nil), // 9: io.intoto.Envelope } var file_sigstore_bundle_proto_depIdxs = []int32{ 3, // 0: dev.sigstore.bundle.v1.TimestampVerificationData.rfc3161_timestamps:type_name -> dev.sigstore.common.v1.RFC3161SignedTimestamp 4, // 1: dev.sigstore.bundle.v1.VerificationMaterial.public_key:type_name -> dev.sigstore.common.v1.PublicKeyIdentifier 5, // 2: dev.sigstore.bundle.v1.VerificationMaterial.x509_certificate_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain - 6, // 3: dev.sigstore.bundle.v1.VerificationMaterial.tlog_entries:type_name -> dev.sigstore.rekor.v1.TransparencyLogEntry - 0, // 4: dev.sigstore.bundle.v1.VerificationMaterial.timestamp_verification_data:type_name -> dev.sigstore.bundle.v1.TimestampVerificationData - 1, // 5: dev.sigstore.bundle.v1.Bundle.verification_material:type_name -> dev.sigstore.bundle.v1.VerificationMaterial - 7, // 6: dev.sigstore.bundle.v1.Bundle.message_signature:type_name -> dev.sigstore.common.v1.MessageSignature - 8, // 7: dev.sigstore.bundle.v1.Bundle.dsse_envelope:type_name -> io.intoto.Envelope - 8, // [8:8] is the sub-list for method output_type - 8, // [8:8] is the sub-list for method input_type - 8, // [8:8] is the sub-list for extension type_name - 8, // [8:8] is the sub-list for extension extendee - 0, // [0:8] is the sub-list for field type_name + 6, // 3: dev.sigstore.bundle.v1.VerificationMaterial.certificate:type_name -> dev.sigstore.common.v1.X509Certificate + 7, // 4: dev.sigstore.bundle.v1.VerificationMaterial.tlog_entries:type_name -> dev.sigstore.rekor.v1.TransparencyLogEntry + 0, // 5: dev.sigstore.bundle.v1.VerificationMaterial.timestamp_verification_data:type_name -> dev.sigstore.bundle.v1.TimestampVerificationData + 1, // 6: dev.sigstore.bundle.v1.Bundle.verification_material:type_name -> dev.sigstore.bundle.v1.VerificationMaterial + 8, // 7: dev.sigstore.bundle.v1.Bundle.message_signature:type_name -> dev.sigstore.common.v1.MessageSignature + 9, // 8: dev.sigstore.bundle.v1.Bundle.dsse_envelope:type_name -> io.intoto.Envelope + 9, // [9:9] is the sub-list for method output_type + 9, // [9:9] is the sub-list for method input_type + 9, // [9:9] is the sub-list for extension type_name + 9, // [9:9] is the sub-list for extension extendee + 0, // [0:9] is the sub-list for field type_name } func init() { file_sigstore_bundle_proto_init() } @@ -485,6 +536,7 @@ func file_sigstore_bundle_proto_init() { file_sigstore_bundle_proto_msgTypes[1].OneofWrappers = []interface{}{ (*VerificationMaterial_PublicKey)(nil), (*VerificationMaterial_X509CertificateChain)(nil), + (*VerificationMaterial_Certificate)(nil), } file_sigstore_bundle_proto_msgTypes[2].OneofWrappers = []interface{}{ (*Bundle_MessageSignature)(nil), diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go index 295baba0..fe286d67 100644 --- a/gen/pb-go/common/v1/sigstore_common.pb.go +++ b/gen/pb-go/common/v1/sigstore_common.pb.go @@ -869,29 +869,21 @@ func (*SubjectAlternativeName_Regexp) isSubjectAlternativeName_Identity() {} func (*SubjectAlternativeName_Value) isSubjectAlternativeName_Identity() {} -// A chain of X.509 certificates. +// A collection of X.509 certificates. +// +// NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain +// in most PKI schemes. This message should be treated as a generic collection of certificates +// for path construction. type X509CertificateChain struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // The chain of certificates, with indices 0 to n. - // The first certificate in the array must be the leaf - // certificate used for signing. - // - // Signers MUST NOT include their root CA certificates in their embedded - // certificate chains, and SHOULD NOT include intermediate CA - // certificates that appear in independent roots of trust. - // - // Verifiers MUST validate the chain carefully to ensure that it chains - // up to a root CA certificate that they trust, regardless of whether - // the chain includes additional intermediate/root CA certificates. - // Verifiers MAY enforce additional constraints, such as requiring that - // all intermediate CA certificates appear in an independent root of - // trust. + // One or more DER-encoded certificates. // - // Verifiers SHOULD handle old or non-complying bundles that have - // additional intermediate/root CA certificates. + // In some contexts (such as `VerificationMaterial.certificate`), this sequence + // has an imposed order. Unless explicitly specified, there is otherwise no + // guaranteed order. Certificates []*X509Certificate `protobuf:"bytes,1,rep,name=certificates,proto3" json:"certificates,omitempty"` } diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index 60016c56..d3096736 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -50,6 +50,9 @@ class VerificationMaterial(betterproto.Message): x509_certificate_chain: "__common_v1__.X509CertificateChain" = ( betterproto.message_field(2, group="content") ) + certificate: "__common_v1__.X509Certificate" = betterproto.message_field( + 5, group="content" + ) tlog_entries: List["__rekor_v1__.TransparencyLogEntry"] = betterproto.message_field( 3 ) @@ -76,7 +79,8 @@ class Bundle(betterproto.Message): media_type: str = betterproto.string_field(1) """ MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or - application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON. + application/vnd.dev.sigstore.bundle+json;version=0.2 or + application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON. """ verification_material: "VerificationMaterial" = betterproto.message_field(2) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py index 1bc20331..114aa7a4 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py @@ -199,21 +199,18 @@ class SubjectAlternativeName(betterproto.Message): @dataclass(eq=False, repr=False) class X509CertificateChain(betterproto.Message): - """A chain of X.509 certificates.""" + """ + A collection of X.509 certificates. NOTE: "Chain" is a misnomer in this + context, since there is no one true certificate chain in most PKI schemes. + This message should be treated as a generic collection of certificates for + path construction. + """ certificates: List["X509Certificate"] = betterproto.message_field(1) """ - The chain of certificates, with indices 0 to n. The first certificate in - the array must be the leaf certificate used for signing. Signers MUST NOT - include their root CA certificates in their embedded certificate chains, - and SHOULD NOT include intermediate CA certificates that appear in - independent roots of trust. Verifiers MUST validate the chain carefully to - ensure that it chains up to a root CA certificate that they trust, - regardless of whether the chain includes additional intermediate/root CA - certificates. Verifiers MAY enforce additional constraints, such as - requiring that all intermediate CA certificates appear in an independent - root of trust. Verifiers SHOULD handle old or non-complying bundles that - have additional intermediate/root CA certificates. + One or more DER-encoded certificates. In some contexts (such as + `VerificationMaterial.certificate`), this sequence has an imposed order. + Unless explicitly specified, there is otherwise no guaranteed order. """ diff --git a/gen/pb-ruby/lib/sigstore_bundle_pb.rb b/gen/pb-ruby/lib/sigstore_bundle_pb.rb index 4799ea20..08447685 100644 --- a/gen/pb-ruby/lib/sigstore_bundle_pb.rb +++ b/gen/pb-ruby/lib/sigstore_bundle_pb.rb @@ -19,6 +19,7 @@ oneof :content do optional :public_key, :message, 1, "dev.sigstore.common.v1.PublicKeyIdentifier" optional :x509_certificate_chain, :message, 2, "dev.sigstore.common.v1.X509CertificateChain" + optional :certificate, :message, 5, "dev.sigstore.common.v1.X509Certificate" end end add_message "dev.sigstore.bundle.v1.Bundle" do diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json index fb44fade..eae013ed 100644 --- a/gen/pb-rust/schemas/Bundle.schema.json +++ b/gen/pb-rust/schemas/Bundle.schema.json @@ -6,7 +6,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", @@ -52,8 +52,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { @@ -65,6 +65,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -91,6 +95,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", @@ -199,13 +208,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/CertificateAuthority.schema.json b/gen/pb-rust/schemas/CertificateAuthority.schema.json index 2fcd80e8..876baffd 100644 --- a/gen/pb-rust/schemas/CertificateAuthority.schema.json +++ b/gen/pb-rust/schemas/CertificateAuthority.schema.json @@ -86,13 +86,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." } } } \ No newline at end of file diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index b5fe5060..91df20e2 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json @@ -39,7 +39,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", @@ -85,8 +85,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { @@ -98,6 +98,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -124,6 +128,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", @@ -381,13 +390,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/TimestampVerificationData.schema.json b/gen/pb-rust/schemas/TimestampVerificationData.schema.json index 9d202449..d47fe95e 100644 --- a/gen/pb-rust/schemas/TimestampVerificationData.schema.json +++ b/gen/pb-rust/schemas/TimestampVerificationData.schema.json @@ -15,8 +15,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.RFC3161SignedTimestamp": { "properties": { diff --git a/gen/pb-rust/schemas/TrustedRoot.schema.json b/gen/pb-rust/schemas/TrustedRoot.schema.json index 623a9911..033fa0b2 100644 --- a/gen/pb-rust/schemas/TrustedRoot.schema.json +++ b/gen/pb-rust/schemas/TrustedRoot.schema.json @@ -162,13 +162,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.trustroot.v1.CertificateAuthority": { "properties": { diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json index 0a742626..b6732320 100644 --- a/gen/pb-rust/schemas/VerificationMaterial.schema.json +++ b/gen/pb-rust/schemas/VerificationMaterial.schema.json @@ -12,6 +12,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -38,6 +42,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", @@ -56,8 +65,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.LogId": { "properties": { @@ -120,13 +129,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/X509CertificateChain.schema.json b/gen/pb-rust/schemas/X509CertificateChain.schema.json index a2bfb087..6847101c 100644 --- a/gen/pb-rust/schemas/X509CertificateChain.schema.json +++ b/gen/pb-rust/schemas/X509CertificateChain.schema.json @@ -10,13 +10,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.common.v1.X509Certificate": { "properties": { diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts index 33e69c6b..60166eb4 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts @@ -1,6 +1,12 @@ /* eslint-disable */ import { Envelope } from "./envelope"; -import { MessageSignature, PublicKeyIdentifier, RFC3161SignedTimestamp, X509CertificateChain } from "./sigstore_common"; +import { + MessageSignature, + PublicKeyIdentifier, + RFC3161SignedTimestamp, + X509Certificate, + X509CertificateChain, +} from "./sigstore_common"; import { TransparencyLogEntry } from "./sigstore_rekor"; /** @@ -33,7 +39,8 @@ export interface TimestampVerificationData { export interface VerificationMaterial { content?: | { $case: "publicKey"; publicKey: PublicKeyIdentifier } - | { $case: "x509CertificateChain"; x509CertificateChain: X509CertificateChain }; + | { $case: "x509CertificateChain"; x509CertificateChain: X509CertificateChain } + | { $case: "certificate"; certificate: X509Certificate }; /** * An inclusion proof and an optional signed timestamp from the log. * Client verification libraries MAY provide an option to support v0.1 @@ -55,6 +62,7 @@ export interface Bundle { /** * MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 * or application/vnd.dev.sigstore.bundle+json;version=0.2 + * or application/vnd.dev.sigstore.bundle+json;version=0.3 * when encoded as JSON. */ mediaType: string; @@ -114,6 +122,8 @@ export const VerificationMaterial = { $case: "x509CertificateChain", x509CertificateChain: X509CertificateChain.fromJSON(object.x509CertificateChain), } + : isSet(object.certificate) + ? { $case: "certificate", certificate: X509Certificate.fromJSON(object.certificate) } : undefined, tlogEntries: Array.isArray(object?.tlogEntries) ? object.tlogEntries.map((e: any) => TransparencyLogEntry.fromJSON(e)) @@ -132,6 +142,10 @@ export const VerificationMaterial = { (obj.x509CertificateChain = message.content?.x509CertificateChain ? X509CertificateChain.toJSON(message.content?.x509CertificateChain) : undefined); + message.content?.$case === "certificate" && + (obj.certificate = message.content?.certificate + ? X509Certificate.toJSON(message.content?.certificate) + : undefined); if (message.tlogEntries) { obj.tlogEntries = message.tlogEntries.map((e) => e ? TransparencyLogEntry.toJSON(e) : undefined); } else { diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts index 65d56d2b..d2cf1e2a 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_common.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts @@ -278,26 +278,20 @@ export interface SubjectAlternativeName { identity?: { $case: "regexp"; regexp: string } | { $case: "value"; value: string }; } -/** A chain of X.509 certificates. */ +/** + * A collection of X.509 certificates. + * + * NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain + * in most PKI schemes. This message should be treated as a generic collection of certificates + * for path construction. + */ export interface X509CertificateChain { /** - * The chain of certificates, with indices 0 to n. - * The first certificate in the array must be the leaf - * certificate used for signing. - * - * Signers MUST NOT include their root CA certificates in their embedded - * certificate chains, and SHOULD NOT include intermediate CA - * certificates that appear in independent roots of trust. - * - * Verifiers MUST validate the chain carefully to ensure that it chains - * up to a root CA certificate that they trust, regardless of whether - * the chain includes additional intermediate/root CA certificates. - * Verifiers MAY enforce additional constraints, such as requiring that - * all intermediate CA certificates appear in an independent root of - * trust. + * One or more DER-encoded certificates. * - * Verifiers SHOULD handle old or non-complying bundles that have - * additional intermediate/root CA certificates. + * In some contexts (such as `VerificationMaterial.certificate`), this sequence + * has an imposed order. Unless explicitly specified, there is otherwise no + * guaranteed order. */ certificates: X509Certificate[]; } diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto index 3d4c5e0f..2553c342 100644 --- a/protos/sigstore_bundle.proto +++ b/protos/sigstore_bundle.proto @@ -32,8 +32,8 @@ option ruby_package = "Sigstore::Bundle::V1"; // The primary message ('Bundle') MUST be versioned, by populating the // 'media_type' field. Semver-ish (only major/minor versions) scheme MUST // be used. The current version as specified by this file is: -// application/vnd.dev.sigstore.bundle+json;version=0.2 -// The semantic version is thus '0.2'. +// application/vnd.dev.sigstore.bundle+json;version=0.3 +// The semantic version is thus '0.3'. // Various timestamped counter signatures over the artifacts signature. // Currently only RFC3161 signatures are provided. More formats may be added @@ -57,9 +57,38 @@ message TimestampVerificationData { // the key identifier, it MUST match the `keyid` field of the signature the // extension is attached to. message VerificationMaterial { + // The key material for verification purposes. + // + // This allows key material to be conveyed in one of three forms: + // + // 1. An unspecified public key identifier, for retrieving a key + // from an out-of-band mechanism (such as a keyring); + // + // 2. A sequence of one or more X.509 certificates, of which the first member + // MUST be a leaf certificate conveying the signing key. + // + // Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT + // include intermediate CA certificates that appear in an independent root of trust + // (such as the Public Good Instance's trusted root). + // + // Verifiers MUST validate the chain carefully to ensure that it chains up + // to a CA certificate that they independently trust. Verifiers SHOULD + // handle old or non-complying bundles that have additional intermediate and/or + // root CA certificates. + // + // 3. A single X.509 certificate, which MUST be a leaf certificate conveying + // the signing key. + // + // When used with the Public Good Instance (PGI) of Sigstore, form (1) MUST NOT be used, + // regardless of bundle version. + // + // When used in a `0.1` or `0.2` bundle with the PGI, form (2) MUST be used. + // + // When used in a `0.3` bundle with the PGI, form (3) MUST be used. oneof content { dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED]; dev.sigstore.common.v1.X509CertificateChain x509_certificate_chain = 2 [(google.api.field_behavior) = REQUIRED]; + dev.sigstore.common.v1.X509Certificate certificate = 5 [(google.api.field_behavior) = REQUIRED]; } // An inclusion proof and an optional signed timestamp from the log. // Client verification libraries MAY provide an option to support v0.1 @@ -77,6 +106,7 @@ message VerificationMaterial { message Bundle { // MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 // or application/vnd.dev.sigstore.bundle+json;version=0.2 + // or application/vnd.dev.sigstore.bundle+json;version=0.3 // when encoded as JSON. string media_type = 1; // When a signer is identified by a X.509 certificate, a verifier MUST diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto index 574b5661..40593ef8 100644 --- a/protos/sigstore_common.proto +++ b/protos/sigstore_common.proto @@ -168,25 +168,17 @@ message SubjectAlternativeName { } } -// A chain of X.509 certificates. +// A collection of X.509 certificates. +// +// NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain +// in most PKI schemes. This message should be treated as a generic collection of certificates +// for path construction. message X509CertificateChain { - // The chain of certificates, with indices 0 to n. - // The first certificate in the array must be the leaf - // certificate used for signing. - // - // Signers MUST NOT include their root CA certificates in their embedded - // certificate chains, and SHOULD NOT include intermediate CA - // certificates that appear in independent roots of trust. - // - // Verifiers MUST validate the chain carefully to ensure that it chains - // up to a root CA certificate that they trust, regardless of whether - // the chain includes additional intermediate/root CA certificates. - // Verifiers MAY enforce additional constraints, such as requiring that - // all intermediate CA certificates appear in an independent root of - // trust. + // One or more DER-encoded certificates. // - // Verifiers SHOULD handle old or non-complying bundles that have - // additional intermediate/root CA certificates. + // In some contexts (such as `VerificationMaterial.certificate`), this sequence + // has an imposed order. Unless explicitly specified, there is otherwise no + // guaranteed order. repeated X509Certificate certificates = 1; }