From 924b051f411d586623cded9e262c22d70f6ddce5 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Wed, 10 Jan 2024 12:13:03 -0500 Subject: [PATCH 1/6] gen, protos: 0.3, single cert Signed-off-by: William Woodruff --- gen/jsonschema/schemas/Bundle.schema.json | 19 +- .../schemas/CertificateAuthority.schema.json | 4 +- gen/jsonschema/schemas/Input.schema.json | 19 +- .../TimestampVerificationData.schema.json | 4 +- .../schemas/TrustedRoot.schema.json | 4 +- .../schemas/VerificationMaterial.schema.json | 17 +- .../schemas/X509CertificateChain.schema.json | 4 +- gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 162 ++++++++++++------ gen/pb-go/common/v1/sigstore_common.pb.go | 26 +-- .../dev/sigstore/bundle/v1/__init__.py | 6 +- .../dev/sigstore/common/v1/__init__.py | 21 +-- gen/pb-ruby/lib/sigstore_bundle_pb.rb | 1 + gen/pb-rust/schemas/Bundle.schema.json | 19 +- .../schemas/CertificateAuthority.schema.json | 4 +- gen/pb-rust/schemas/Input.schema.json | 19 +- .../TimestampVerificationData.schema.json | 4 +- gen/pb-rust/schemas/TrustedRoot.schema.json | 4 +- .../schemas/VerificationMaterial.schema.json | 17 +- .../schemas/X509CertificateChain.schema.json | 4 +- .../src/__generated__/sigstore_bundle.ts | 18 +- .../src/__generated__/sigstore_common.ts | 28 ++- protos/sigstore_bundle.proto | 34 +++- protos/sigstore_common.proto | 26 +-- 23 files changed, 297 insertions(+), 167 deletions(-) diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json index fb44fade..eae013ed 100644 --- a/gen/jsonschema/schemas/Bundle.schema.json +++ b/gen/jsonschema/schemas/Bundle.schema.json 
@@ -6,7 +6,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", 
@@ -52,8 +52,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { 
@@ -65,6 +65,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -91,6 +95,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", 
@@ -199,13 +208,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/CertificateAuthority.schema.json b/gen/jsonschema/schemas/CertificateAuthority.schema.json index 2fcd80e8..876baffd 100644 --- a/gen/jsonschema/schemas/CertificateAuthority.schema.json +++ b/gen/jsonschema/schemas/CertificateAuthority.schema.json 
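Review bot: The new description for the certificates array points at `VerificationMaterial.certificate` as the context that imposes an order, but that field (added in this same patch) carries a single X509Certificate, so no sequence order can apply to it; the field whose order matters is the existing `x509_certificate_chain`, which the Go doc comment in this patch still requires to start with the leaf certificate. Suggested wording: `"description": "One or more DER-encoded certificates. In some contexts (such as VerificationMaterial.x509_certificate_chain), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."`. The same text recurs in the CertificateAuthority, Input, TrustedRoot, VerificationMaterial and X509CertificateChain schema hunks below. Since these schemas are generated, the correction presumably belongs in protos/sigstore_common.proto (listed in the diffstat but outside this chunk) followed by regeneration, so that verifiers reading the schema are not led to treat the single-certificate form as ordered and the chain form as unordered.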
@@ -86,13 +86,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index b5fe5060..91df20e2 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json 
@@ -39,7 +39,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", 
@@ -85,8 +85,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { 
@@ -98,6 +98,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -124,6 +128,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", 
@@ -381,13 +390,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/TimestampVerificationData.schema.json b/gen/jsonschema/schemas/TimestampVerificationData.schema.json index 9d202449..d47fe95e 100644 --- a/gen/jsonschema/schemas/TimestampVerificationData.schema.json +++ b/gen/jsonschema/schemas/TimestampVerificationData.schema.json 
@@ -15,8 +15,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.RFC3161SignedTimestamp": { "properties": { diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json index 623a9911..033fa0b2 100644 --- a/gen/jsonschema/schemas/TrustedRoot.schema.json 
+++ b/gen/jsonschema/schemas/TrustedRoot.schema.json @@ -162,13 +162,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.trustroot.v1.CertificateAuthority": { "properties": { diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json index 0a742626..b6732320 100644 --- a/gen/jsonschema/schemas/VerificationMaterial.schema.json +++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json 
@@ -12,6 +12,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -38,6 +42,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", 
@@ -56,8 +65,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.LogId": { "properties": { 
@@ -120,13 +129,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/X509CertificateChain.schema.json b/gen/jsonschema/schemas/X509CertificateChain.schema.json index a2bfb087..6847101c 100644 --- a/gen/jsonschema/schemas/X509CertificateChain.schema.json +++ b/gen/jsonschema/schemas/X509CertificateChain.schema.json 
@@ -10,13 +10,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.common.v1.X509Certificate": { "properties": { diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index 75db040c..664b2d70 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go 
@@ -107,10 +107,40 @@ type VerificationMaterial struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields + // The key material for verification purposes. + // + // This allows key material to be conveyed in one of three forms: + // + // 1. An unspecified public key identifier, for retrieving a key + // from an out-of-band mechanism (such as a keyring); + // + // 2. A sequence of one or more X.509 certificates, of which the first member + // MUST be a leaf certificate conveying the signing key. + // + // Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT + // include intermediate CA certificates that appear in an independent root of trust + // (such as the Public Good Instance's trusted root). + // + // Verifiers MUST validate the chain carefully to ensure that it chains up + // to a CA certificate that they independently trust. Verifiers SHOULD + // handle old or non-complying bundles that have additional intermediate and/or + // root CA certificates. + // + // 3. A single X.509 certificate, which MUST be a leaf certificate conveying + // the signing key. + // + // When used with the Public Good Instance (PGI) of Sigstore, form (1) MUST NOT be used, + // regardless of bundle version. + // + // When used in a `0.1` or `0.2` bundle with the PGI, form (2) MUST be used. + // + // When used in a `0.3` bundle with the PGI, form (3) MUST be used. + // // Types that are assignable to Content: // // *VerificationMaterial_PublicKey // *VerificationMaterial_X509CertificateChain + // *VerificationMaterial_Certificate Content isVerificationMaterial_Content `protobuf_oneof:"content"` // An inclusion proof and an optional signed timestamp from the log. // Client verification libraries MAY provide an option to support v0.1 
@@ -178,6 +208,13 @@ func (x *VerificationMaterial) GetX509CertificateChain() *v1.X509CertificateChai return nil } +func (x *VerificationMaterial) GetCertificate() *v1.X509Certificate { + if x, ok := x.GetContent().(*VerificationMaterial_Certificate); ok { + return x.Certificate + } + return nil +} + func (x *VerificationMaterial) GetTlogEntries() []*v11.TransparencyLogEntry { if x != nil { return x.TlogEntries @@ -204,10 +241,16 @@ type VerificationMaterial_X509CertificateChain struct { X509CertificateChain *v1.X509CertificateChain `protobuf:"bytes,2,opt,name=x509_certificate_chain,json=x509CertificateChain,proto3,oneof"` } +type VerificationMaterial_Certificate struct { + Certificate *v1.X509Certificate `protobuf:"bytes,5,opt,name=certificate,proto3,oneof"` +} + func (*VerificationMaterial_PublicKey) isVerificationMaterial_Content() {} func (*VerificationMaterial_X509CertificateChain) isVerificationMaterial_Content() {} +func (*VerificationMaterial_Certificate) isVerificationMaterial_Content() {} + type Bundle struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -215,6 +258,7 @@ type Bundle struct { // MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 // or application/vnd.dev.sigstore.bundle+json;version=0.2 + // or application/vnd.dev.sigstore.bundle+json;version=0.3 // when encoded as JSON. MediaType string `protobuf:"bytes,1,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"` // When a signer is identified by a X.509 certificate, a verifier MUST 
@@ -341,7 +385,7 @@ var file_sigstore_bundle_proto_rawDesc = []byte{ 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x46, 0x43, 0x33, 0x31, 0x36, 0x31, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x11, 0x72, 0x66, 0x63, 0x33, 0x31, 0x36, 0x31, 0x54, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x22, 0xa2, 0x03, 0x0a, 0x14, 0x56, 0x65, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x73, 0x22, 0xf4, 0x03, 0x0a, 0x14, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x51, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 
@@ -355,48 +399,53 @@ var file_sigstore_bundle_proto_rawDesc = []byte{ 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x14, 0x78, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, - 0x12, 0x4e, 0x0a, 0x0c, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, - 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x54, - 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x52, 0x0b, 0x74, 0x6c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x69, 0x65, 0x73, - 0x12, 0x71, 0x0a, 0x1b, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x5f, 0x76, 0x65, - 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x54, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x52, 0x19, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, - 0x61, 0x74, 0x61, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x22, 0xbf, - 0x02, 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x65, 0x64, - 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6d, - 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x66, 0x0a, 0x15, 0x76, 0x65, 0x72, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 
0x74, 0x65, 0x72, 0x69, 0x61, - 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x12, 0x50, 0x0a, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x18, + 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, + 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x42, 0x03, + 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x0b, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x12, 0x4e, 0x0a, 0x0c, 0x74, 0x6c, 0x6f, 0x67, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x69, + 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, + 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, + 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0b, 0x74, 0x6c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x69, + 0x65, 0x73, 0x12, 0x71, 0x0a, 0x1b, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x5f, + 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x61, 0x74, + 0x61, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, - 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, - 0x65, 0x72, 0x69, 0x61, 0x6c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x14, 0x76, 0x65, 0x72, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, 0x6c, - 0x12, 0x5c, 0x0a, 0x11, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x73, 0x69, 0x67, 0x6e, - 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, - 0x76, 
0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, - 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, - 0x61, 0x74, 0x75, 0x72, 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x10, 0x6d, 0x65, - 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x3f, - 0x0a, 0x0d, 0x64, 0x73, 0x73, 0x65, 0x5f, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x69, 0x6f, 0x2e, 0x69, 0x6e, 0x74, 0x6f, 0x74, - 0x6f, 0x2e, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, - 0x00, 0x52, 0x0c, 0x64, 0x73, 0x73, 0x65, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x42, - 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x4a, 0x04, 0x08, 0x05, 0x10, 0x33, - 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, - 0x42, 0x0b, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, - 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x62, 0x75, - 0x6e, 0x64, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x3a, 0x3a, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x44, 0x61, 0x74, 0x61, 0x52, 0x19, 0x74, 0x69, 0x6d, 0x65, + 0x73, 0x74, 0x61, 0x6d, 0x70, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 
0x44, 0x61, 0x74, 0x61, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, + 0x22, 0xbf, 0x02, 0x0a, 0x06, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, + 0x65, 0x64, 0x69, 0x61, 0x5f, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x09, 0x6d, 0x65, 0x64, 0x69, 0x61, 0x54, 0x79, 0x70, 0x65, 0x12, 0x66, 0x0a, 0x15, 0x76, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6d, 0x61, 0x74, 0x65, 0x72, + 0x69, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, + 0x76, 0x31, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, + 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x14, 0x76, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x65, 0x72, 0x69, + 0x61, 0x6c, 0x12, 0x5c, 0x0a, 0x11, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x73, 0x69, + 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, + 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x48, 0x00, 0x52, 0x10, + 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, + 0x12, 0x3f, 0x0a, 0x0d, 0x64, 0x73, 0x73, 0x65, 0x5f, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, + 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x69, 0x6f, 0x2e, 0x69, 0x6e, 0x74, + 0x6f, 0x74, 0x6f, 0x2e, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x42, 0x03, 0xe0, 0x41, + 0x02, 0x48, 0x00, 0x52, 0x0c, 0x64, 0x73, 0x73, 0x65, 0x45, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, + 0x65, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 
0x6e, 0x74, 0x65, 0x6e, 0x74, 0x4a, 0x04, 0x08, 0x05, + 0x10, 0x33, 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, + 0x76, 0x31, 0x42, 0x0b, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, + 0x01, 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, + 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, + 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x3a, 0x3a, 0x56, 0x31, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -419,24 +468,26 @@ var file_sigstore_bundle_proto_goTypes = []interface{}{ (*v1.RFC3161SignedTimestamp)(nil), // 3: dev.sigstore.common.v1.RFC3161SignedTimestamp (*v1.PublicKeyIdentifier)(nil), // 4: dev.sigstore.common.v1.PublicKeyIdentifier (*v1.X509CertificateChain)(nil), // 5: dev.sigstore.common.v1.X509CertificateChain - (*v11.TransparencyLogEntry)(nil), // 6: dev.sigstore.rekor.v1.TransparencyLogEntry - (*v1.MessageSignature)(nil), // 7: dev.sigstore.common.v1.MessageSignature - (*dsse.Envelope)(nil), // 8: io.intoto.Envelope + (*v1.X509Certificate)(nil), // 6: dev.sigstore.common.v1.X509Certificate + (*v11.TransparencyLogEntry)(nil), // 7: dev.sigstore.rekor.v1.TransparencyLogEntry + (*v1.MessageSignature)(nil), // 8: dev.sigstore.common.v1.MessageSignature + (*dsse.Envelope)(nil), // 9: io.intoto.Envelope } var file_sigstore_bundle_proto_depIdxs = []int32{ 3, // 0: dev.sigstore.bundle.v1.TimestampVerificationData.rfc3161_timestamps:type_name -> dev.sigstore.common.v1.RFC3161SignedTimestamp 4, // 1: dev.sigstore.bundle.v1.VerificationMaterial.public_key:type_name -> dev.sigstore.common.v1.PublicKeyIdentifier 5, // 2: dev.sigstore.bundle.v1.VerificationMaterial.x509_certificate_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain - 6, // 3: dev.sigstore.bundle.v1.VerificationMaterial.tlog_entries:type_name -> dev.sigstore.rekor.v1.TransparencyLogEntry - 0, // 4: dev.sigstore.bundle.v1.VerificationMaterial.timestamp_verification_data:type_name -> dev.sigstore.bundle.v1.TimestampVerificationData - 1, // 5: dev.sigstore.bundle.v1.Bundle.verification_material:type_name -> dev.sigstore.bundle.v1.VerificationMaterial - 7, // 6: dev.sigstore.bundle.v1.Bundle.message_signature:type_name -> dev.sigstore.common.v1.MessageSignature - 8, // 7: dev.sigstore.bundle.v1.Bundle.dsse_envelope:type_name -> io.intoto.Envelope - 8, // [8:8] is the sub-list for method output_type - 8, // [8:8] is the sub-list for method input_type - 8, // [8:8] is the sub-list for 
extension type_name - 8, // [8:8] is the sub-list for extension extendee - 0, // [0:8] is the sub-list for field type_name + 6, // 3: dev.sigstore.bundle.v1.VerificationMaterial.certificate:type_name -> dev.sigstore.common.v1.X509Certificate + 7, // 4: dev.sigstore.bundle.v1.VerificationMaterial.tlog_entries:type_name -> dev.sigstore.rekor.v1.TransparencyLogEntry + 0, // 5: dev.sigstore.bundle.v1.VerificationMaterial.timestamp_verification_data:type_name -> dev.sigstore.bundle.v1.TimestampVerificationData + 1, // 6: dev.sigstore.bundle.v1.Bundle.verification_material:type_name -> dev.sigstore.bundle.v1.VerificationMaterial + 8, // 7: dev.sigstore.bundle.v1.Bundle.message_signature:type_name -> dev.sigstore.common.v1.MessageSignature + 9, // 8: dev.sigstore.bundle.v1.Bundle.dsse_envelope:type_name -> io.intoto.Envelope + 9, // [9:9] is the sub-list for method output_type + 9, // [9:9] is the sub-list for method input_type + 9, // [9:9] is the sub-list for extension type_name + 9, // [9:9] is the sub-list for extension extendee + 0, // [0:9] is the sub-list for field type_name } func init() { file_sigstore_bundle_proto_init() } @@ -485,6 +536,7 @@ func file_sigstore_bundle_proto_init() { file_sigstore_bundle_proto_msgTypes[1].OneofWrappers = []interface{}{ (*VerificationMaterial_PublicKey)(nil), (*VerificationMaterial_X509CertificateChain)(nil), + (*VerificationMaterial_Certificate)(nil), } file_sigstore_bundle_proto_msgTypes[2].OneofWrappers = []interface{}{ (*Bundle_MessageSignature)(nil), diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go index 295baba0..fe286d67 100644 --- a/gen/pb-go/common/v1/sigstore_common.pb.go +++ b/gen/pb-go/common/v1/sigstore_common.pb.go 
@@ -869,29 +869,21 @@ func (*SubjectAlternativeName_Regexp) isSubjectAlternativeName_Identity() {} func (*SubjectAlternativeName_Value) isSubjectAlternativeName_Identity() {} -// A chain of X.509 certificates. +// A collection of X.509 certificates. +// +// NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain +// in most PKI schemes. This message should be treated as a generic collection of certificates +// for path construction. type X509CertificateChain struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // The chain of certificates, with indices 0 to n. - // The first certificate in the array must be the leaf - // certificate used for signing. - // - // Signers MUST NOT include their root CA certificates in their embedded - // certificate chains, and SHOULD NOT include intermediate CA - // certificates that appear in independent roots of trust. - // - // Verifiers MUST validate the chain carefully to ensure that it chains - // up to a root CA certificate that they trust, regardless of whether - // the chain includes additional intermediate/root CA certificates. - // Verifiers MAY enforce additional constraints, such as requiring that - // all intermediate CA certificates appear in an independent root of - // trust. + // One or more DER-encoded certificates. // - // Verifiers SHOULD handle old or non-complying bundles that have - // additional intermediate/root CA certificates. + // In some contexts (such as `VerificationMaterial.certificate`), this sequence + // has an imposed order. Unless explicitly specified, there is otherwise no + // guaranteed order. Certificates []*X509Certificate `protobuf:"bytes,1,rep,name=certificates,proto3" json:"certificates,omitempty"` } diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py index 60016c56..d3096736 100644 
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/bundle/v1/__init__.py @@ -50,6 +50,9 @@ class VerificationMaterial(betterproto.Message): x509_certificate_chain: "__common_v1__.X509CertificateChain" = ( betterproto.message_field(2, group="content") ) + certificate: "__common_v1__.X509Certificate" = betterproto.message_field( + 5, group="content" + ) tlog_entries: List["__rekor_v1__.TransparencyLogEntry"] = betterproto.message_field( 3 ) @@ -76,7 +79,8 @@ class Bundle(betterproto.Message): media_type: str = betterproto.string_field(1) """ MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or - application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON. + application/vnd.dev.sigstore.bundle+json;version=0.2 or + application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON. """ verification_material: "VerificationMaterial" = betterproto.message_field(2) diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py index 1bc20331..114aa7a4 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py 
@@ -199,21 +199,18 @@ class SubjectAlternativeName(betterproto.Message): @dataclass(eq=False, repr=False) class X509CertificateChain(betterproto.Message): - """A chain of X.509 certificates.""" + """ + A collection of X.509 certificates. NOTE: "Chain" is a misnomer in this + context, since there is no one true certificate chain in most PKI schemes. + This message should be treated as a generic collection of certificates for + path construction. + """ certificates: List["X509Certificate"] = betterproto.message_field(1) """ - The chain of certificates, with indices 0 to n. The first certificate in - the array must be the leaf certificate used for signing. Signers MUST NOT - include their root CA certificates in their embedded certificate chains, - and SHOULD NOT include intermediate CA certificates that appear in - independent roots of trust. Verifiers MUST validate the chain carefully to - ensure that it chains up to a root CA certificate that they trust, - regardless of whether the chain includes additional intermediate/root CA - certificates. Verifiers MAY enforce additional constraints, such as - requiring that all intermediate CA certificates appear in an independent - root of trust. Verifiers SHOULD handle old or non-complying bundles that - have additional intermediate/root CA certificates. + One or more DER-encoded certificates. In some contexts (such as + `VerificationMaterial.certificate`), this sequence has an imposed order. + Unless explicitly specified, there is otherwise no guaranteed order. """ diff --git a/gen/pb-ruby/lib/sigstore_bundle_pb.rb b/gen/pb-ruby/lib/sigstore_bundle_pb.rb index 4799ea20..08447685 100644 --- a/gen/pb-ruby/lib/sigstore_bundle_pb.rb +++ b/gen/pb-ruby/lib/sigstore_bundle_pb.rb 
@@ -19,6 +19,7 @@ oneof :content do optional :public_key, :message, 1, "dev.sigstore.common.v1.PublicKeyIdentifier" optional :x509_certificate_chain, :message, 2, "dev.sigstore.common.v1.X509CertificateChain" + optional :certificate, :message, 5, "dev.sigstore.common.v1.X509Certificate" end end add_message "dev.sigstore.bundle.v1.Bundle" do diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json index fb44fade..eae013ed 100644 --- a/gen/pb-rust/schemas/Bundle.schema.json +++ b/gen/pb-rust/schemas/Bundle.schema.json @@ -6,7 +6,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", 
@@ -52,8 +52,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { 
@@ -65,6 +65,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -91,6 +95,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", 
@@ -199,13 +208,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/CertificateAuthority.schema.json b/gen/pb-rust/schemas/CertificateAuthority.schema.json index 2fcd80e8..876baffd 100644 --- a/gen/pb-rust/schemas/CertificateAuthority.schema.json +++ b/gen/pb-rust/schemas/CertificateAuthority.schema.json 
@@ -86,13 +86,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." } } } \ No newline at end of file diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index b5fe5060..91df20e2 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json 
@@ -39,7 +39,7 @@ "properties": { "mediaType": { "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 when encoded as JSON." + "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." }, "verificationMaterial": { "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", 
@@ -85,8 +85,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.bundle.v1.VerificationMaterial": { "properties": { 
@@ -98,6 +98,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -124,6 +128,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", 
@@ -381,13 +390,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/TimestampVerificationData.schema.json b/gen/pb-rust/schemas/TimestampVerificationData.schema.json index 9d202449..d47fe95e 100644 --- a/gen/pb-rust/schemas/TimestampVerificationData.schema.json +++ b/gen/pb-rust/schemas/TimestampVerificationData.schema.json 
@@ -15,8 +15,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.RFC3161SignedTimestamp": { "properties": { diff --git a/gen/pb-rust/schemas/TrustedRoot.schema.json b/gen/pb-rust/schemas/TrustedRoot.schema.json index 623a9911..033fa0b2 100644 --- a/gen/pb-rust/schemas/TrustedRoot.schema.json 
+++ b/gen/pb-rust/schemas/TrustedRoot.schema.json @@ -162,13 +162,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.trustroot.v1.CertificateAuthority": { "properties": { diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json index 0a742626..b6732320 100644 --- a/gen/pb-rust/schemas/VerificationMaterial.schema.json +++ b/gen/pb-rust/schemas/VerificationMaterial.schema.json 
@@ -12,6 +12,10 @@ "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", "additionalProperties": false }, + "certificate": { + "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", + "additionalProperties": false + }, "tlogEntries": { "items": { "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" @@ -38,6 +42,11 @@ "required": [ "x509_certificate_chain" ] + }, + { + "required": [ + "certificate" + ] } ], "title": "Verification Material", 
@@ -56,8 +65,8 @@ }, "additionalProperties": false, "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.2\n The semantic version is thus '0.2'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.2 The semantic version is thus '0.2'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." + "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", + "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." }, "dev.sigstore.common.v1.LogId": { "properties": { 
@@ -120,13 +129,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/X509CertificateChain.schema.json b/gen/pb-rust/schemas/X509CertificateChain.schema.json index a2bfb087..6847101c 100644 --- a/gen/pb-rust/schemas/X509CertificateChain.schema.json +++ b/gen/pb-rust/schemas/X509CertificateChain.schema.json 
@@ -10,13 +10,13 @@ }, "additionalProperties": false, "type": "array", - "description": "The chain of certificates, with indices 0 to n. The first certificate in the array must be the leaf certificate used for signing. Signers MUST NOT include their root CA certificates in their embedded certificate chains, and SHOULD NOT include intermediate CA certificates that appear in independent roots of trust. Verifiers MUST validate the chain carefully to ensure that it chains up to a root CA certificate that they trust, regardless of whether the chain includes additional intermediate/root CA certificates. Verifiers MAY enforce additional constraints, such as requiring that all intermediate CA certificates appear in an independent root of trust. Verifiers SHOULD handle old or non-complying bundles that have additional intermediate/root CA certificates." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A chain of X.509 certificates." + "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." }, "dev.sigstore.common.v1.X509Certificate": { "properties": { diff --git a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts index 33e69c6b..60166eb4 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_bundle.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_bundle.ts 
@@ -1,6 +1,12 @@ /* eslint-disable */ import { Envelope } from "./envelope"; -import { MessageSignature, PublicKeyIdentifier, RFC3161SignedTimestamp, X509CertificateChain } from "./sigstore_common"; +import { + MessageSignature, + PublicKeyIdentifier, + RFC3161SignedTimestamp, + X509Certificate, + X509CertificateChain, +} from "./sigstore_common"; import { TransparencyLogEntry } from "./sigstore_rekor"; /** @@ -33,7 +39,8 @@ export interface TimestampVerificationData { export interface VerificationMaterial { content?: | { $case: "publicKey"; publicKey: PublicKeyIdentifier } - | { $case: "x509CertificateChain"; x509CertificateChain: X509CertificateChain }; + | { $case: "x509CertificateChain"; x509CertificateChain: X509CertificateChain } + | { $case: "certificate"; certificate: X509Certificate }; /** * An inclusion proof and an optional signed timestamp from the log. * Client verification libraries MAY provide an option to support v0.1 @@ -55,6 +62,7 @@ export interface Bundle { /** * MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 * or application/vnd.dev.sigstore.bundle+json;version=0.2 + * or application/vnd.dev.sigstore.bundle+json;version=0.3 * when encoded as JSON. */ mediaType: string; @@ -114,6 +122,8 @@ export const VerificationMaterial = { $case: "x509CertificateChain", x509CertificateChain: X509CertificateChain.fromJSON(object.x509CertificateChain), } + : isSet(object.certificate) + ? { $case: "certificate", certificate: X509Certificate.fromJSON(object.certificate) } : undefined, tlogEntries: Array.isArray(object?.tlogEntries) ? object.tlogEntries.map((e: any) => TransparencyLogEntry.fromJSON(e)) 
@@ -132,6 +142,10 @@ export const VerificationMaterial = { (obj.x509CertificateChain = message.content?.x509CertificateChain ? X509CertificateChain.toJSON(message.content?.x509CertificateChain) : undefined); + message.content?.$case === "certificate" && + (obj.certificate = message.content?.certificate + ? X509Certificate.toJSON(message.content?.certificate) + : undefined); if (message.tlogEntries) { obj.tlogEntries = message.tlogEntries.map((e) => e ? TransparencyLogEntry.toJSON(e) : undefined); } else { diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts index 65d56d2b..d2cf1e2a 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_common.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts 
@@ -278,26 +278,20 @@ export interface SubjectAlternativeName {
 identity?: { $case: "regexp"; regexp: string } | { $case: "value"; value: string };
 }
 
-/** A chain of X.509 certificates. */
+/**
+ * A collection of X.509 certificates.
+ *
+ * NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain
+ * in most PKI schemes. This message should be treated as a generic collection of certificates
+ * for path construction.
+ */
 export interface X509CertificateChain {
 /**
- * The chain of certificates, with indices 0 to n.
- * The first certificate in the array must be the leaf
- * certificate used for signing.
- *
- * Signers MUST NOT include their root CA certificates in their embedded
- * certificate chains, and SHOULD NOT include intermediate CA
- * certificates that appear in independent roots of trust.
- *
- * Verifiers MUST validate the chain carefully to ensure that it chains
- * up to a root CA certificate that they trust, regardless of whether
- * the chain includes additional intermediate/root CA certificates.
- * Verifiers MAY enforce additional constraints, such as requiring that
- * all intermediate CA certificates appear in an independent root of
- * trust.
+ * One or more DER-encoded certificates.
 *
- * Verifiers SHOULD handle old or non-complying bundles that have
- * additional intermediate/root CA certificates.
+ * In some contexts (such as `VerificationMaterial.certificate`), this sequence
+ * has an imposed order. Unless explicitly specified, there is otherwise no
+ * guaranteed order.
 */
 certificates: X509Certificate[];
 }
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
index 3d4c5e0f..2553c342 100644
--- a/protos/sigstore_bundle.proto
+++ b/protos/sigstore_bundle.proto
@@ -32,8 +32,8 @@ option ruby_package = "Sigstore::Bundle::V1";
 // The primary message ('Bundle') MUST be versioned, by populating the
 // 'media_type' field. Semver-ish (only major/minor versions) scheme MUST
 // be used. The current version as specified by this file is:
-// application/vnd.dev.sigstore.bundle+json;version=0.2
-// The semantic version is thus '0.2'.
+// application/vnd.dev.sigstore.bundle+json;version=0.3
+// The semantic version is thus '0.3'.
 
 // Various timestamped counter signatures over the artifacts signature.
 // Currently only RFC3161 signatures are provided. More formats may be added
@@ -57,9 +57,38 @@ message TimestampVerificationData {
 // the key identifier, it MUST match the `keyid` field of the signature the
 // extension is attached to.
 message VerificationMaterial {
+ // The key material for verification purposes.
+ //
+ // This allows key material to be conveyed in one of three forms:
+ //
+ // 1. An unspecified public key identifier, for retrieving a key
+ // from an out-of-band mechanism (such as a keyring);
+ //
+ // 2. A sequence of one or more X.509 certificates, of which the first member
+ // MUST be a leaf certificate conveying the signing key.
+ //
+ // Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT
+ // include intermediate CA certificates that appear in an independent root of trust
+ // (such as the Public Good Instance's trusted root).
+ //
+ // Verifiers MUST validate the chain carefully to ensure that it chains up
+ // to a CA certificate that they independently trust. Verifiers SHOULD
+ // handle old or non-complying bundles that have additional intermediate and/or
+ // root CA certificates.
+ //
+ // 3. A single X.509 certificate, which MUST be a leaf certificate conveying
+ // the signing key.
+ //
+ // When used with the Public Good Instance (PGI) of Sigstore, form (1) MUST NOT be used,
+ // regardless of bundle version.
+ //
+ // When used in a `0.1` or `0.2` bundle with the PGI, form (2) MUST be used.
+ //
+ // When used in a `0.3` bundle with the PGI, form (3) MUST be used.
 oneof content {
 dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];
 dev.sigstore.common.v1.X509CertificateChain x509_certificate_chain = 2 [(google.api.field_behavior) = REQUIRED];
+ dev.sigstore.common.v1.X509Certificate certificate = 5 [(google.api.field_behavior) = REQUIRED];
 }
 // An inclusion proof and an optional signed timestamp from the log.
 // Client verification libraries MAY provide an option to support v0.1
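Review bot: Form (3) states only that the certificate MUST be a leaf, while the verifier requirement (chain up to an independently trusted CA) is written under form (2) only, so a reader could take a single-certificate bundle as needing no path building at all. A lone leaf can only be validated against the verifier's own trust root, and the comment should say so, e.g. after `// the signing key.`: `// Verifiers MUST build a path from this certificate to a CA certificate that they independently trust; nothing carried in a bundle is a trust anchor.` It would also help to state what a verifier does with a `0.3` bundle that still carries form (2), since the MUST as written binds the signer only. The message body continues outside the hunk.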
@@ -77,6 +106,7 @@ message VerificationMaterial {
 message Bundle {
 // MUST be application/vnd.dev.sigstore.bundle+json;version=0.1
 // or application/vnd.dev.sigstore.bundle+json;version=0.2
+ // or application/vnd.dev.sigstore.bundle+json;version=0.3
 // when encoded as JSON.
 string media_type = 1;
 // When a signer is identified by a X.509 certificate, a verifier MUST
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 574b5661..40593ef8 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -168,25 +168,17 @@ message SubjectAlternativeName {
 }
 }
 
-// A chain of X.509 certificates.
+// A collection of X.509 certificates.
+//
+// NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain
+// in most PKI schemes. This message should be treated as a generic collection of certificates
+// for path construction.
 message X509CertificateChain {
- // The chain of certificates, with indices 0 to n.
- // The first certificate in the array must be the leaf
- // certificate used for signing.
- //
- // Signers MUST NOT include their root CA certificates in their embedded
- // certificate chains, and SHOULD NOT include intermediate CA
- // certificates that appear in independent roots of trust.
- //
- // Verifiers MUST validate the chain carefully to ensure that it chains
- // up to a root CA certificate that they trust, regardless of whether
- // the chain includes additional intermediate/root CA certificates.
- // Verifiers MAY enforce additional constraints, such as requiring that
- // all intermediate CA certificates appear in an independent root of
- // trust.
+ // One or more DER-encoded certificates.
 //
- // Verifiers SHOULD handle old or non-complying bundles that have
- // additional intermediate/root CA certificates.
+ // In some contexts (such as `VerificationMaterial.certificate`), this sequence
+ // has an imposed order. Unless explicitly specified, there is otherwise no
+ // guaranteed order.
 repeated X509Certificate certificates = 1;
 }
 
From dfb746fa54f8ee9c6695a54b5427f15fc50426ea Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Wed, 10 Jan 2024 14:22:12 -0500
Subject: [PATCH 2/6] gen, protos: feedback
Signed-off-by: William Woodruff --- gen/jsonschema/schemas/Bundle.schema.json | 2 +- .../schemas/CertificateAuthority.schema.json | 2 +- gen/jsonschema/schemas/Input.schema.json | 2 +- gen/jsonschema/schemas/TrustedRoot.schema.json | 2 +- .../schemas/VerificationMaterial.schema.json | 2 +- .../schemas/X509CertificateChain.schema.json | 2 +- gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 16 ++++++++++------ gen/pb-go/common/v1/sigstore_common.pb.go | 6 +++--- .../dev/sigstore/common/v1/__init__.py | 7 +++---- gen/pb-rust/schemas/Bundle.schema.json | 2 +- .../schemas/CertificateAuthority.schema.json | 2 +- gen/pb-rust/schemas/Input.schema.json | 2 +- gen/pb-rust/schemas/TrustedRoot.schema.json | 2 +- .../schemas/VerificationMaterial.schema.json | 2 +- .../schemas/X509CertificateChain.schema.json | 2 +- .../src/__generated__/sigstore_common.ts | 6 +++--- protos/sigstore_bundle.proto | 16 ++++++++++------ protos/sigstore_common.proto | 6 +++--- 18 files changed, 44 insertions(+), 37 deletions(-) diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json index eae013ed..b262af70 100644 --- a/gen/jsonschema/schemas/Bundle.schema.json +++ b/gen/jsonschema/schemas/Bundle.schema.json @@ -214,7 +214,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { 
diff --git a/gen/jsonschema/schemas/CertificateAuthority.schema.json b/gen/jsonschema/schemas/CertificateAuthority.schema.json index 876baffd..a7838e8f 100644 --- a/gen/jsonschema/schemas/CertificateAuthority.schema.json +++ b/gen/jsonschema/schemas/CertificateAuthority.schema.json @@ -92,7 +92,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." } } } \ No newline at end of file diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 91df20e2..6bb6138c 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json @@ -396,7 +396,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json index 033fa0b2..bb124cf1 100644 
--- a/gen/jsonschema/schemas/TrustedRoot.schema.json +++ b/gen/jsonschema/schemas/TrustedRoot.schema.json @@ -168,7 +168,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.trustroot.v1.CertificateAuthority": { "properties": { diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json index b6732320..2e4f1ec1 100644 --- a/gen/jsonschema/schemas/VerificationMaterial.schema.json +++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json @@ -135,7 +135,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/jsonschema/schemas/X509CertificateChain.schema.json b/gen/jsonschema/schemas/X509CertificateChain.schema.json index 6847101c..f06b6f2a 100644 --- a/gen/jsonschema/schemas/X509CertificateChain.schema.json 
+++ b/gen/jsonschema/schemas/X509CertificateChain.schema.json @@ -16,7 +16,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.common.v1.X509Certificate": { "properties": { diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go index 664b2d70..14de0cb5 100644 --- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go +++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go 
@@ -123,18 +123,22 @@ type VerificationMaterial struct { // // Verifiers MUST validate the chain carefully to ensure that it chains up // to a CA certificate that they independently trust. Verifiers SHOULD - // handle old or non-complying bundles that have additional intermediate and/or - // root CA certificates. + // handle old or non-complying bundles that have superfluous intermediate and/or + // root CA certificates by either ignoring them or explicitly considering them + // untrusted for the purposes of chain building. // // 3. A single X.509 certificate, which MUST be a leaf certificate conveying // the signing key. // - // When used with the Public Good Instance (PGI) of Sigstore, form (1) MUST NOT be used, - // regardless of bundle version. + // When used with the Public Good Instance (PGI) of Sigstore for "keyless" signing + // via Fulcio, form (1) MUST NOT be used, regardless of bundle version. Form (1) + // MAY be used with the PGI for self-managed keys. // - // When used in a `0.1` or `0.2` bundle with the PGI, form (2) MUST be used. + // When used in a `0.1` or `0.2` bundle with the PGI and "keyless" signing, + // form (2) MUST be used. // - // When used in a `0.3` bundle with the PGI, form (3) MUST be used. + // When used in a `0.3` bundle with the PGI and "keyless" signing, + // form (3) MUST be used. // // Types that are assignable to Content: // diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go index fe286d67..ad73e6c9 100644 --- a/gen/pb-go/common/v1/sigstore_common.pb.go +++ b/gen/pb-go/common/v1/sigstore_common.pb.go 
@@ -871,9 +871,9 @@ func (*SubjectAlternativeName_Value) isSubjectAlternativeName_Identity() {} // A collection of X.509 certificates. // -// NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain -// in most PKI schemes. This message should be treated as a generic collection of certificates -// for path construction. +// This "chain" can be used in multiple contexts, such as providing a root CA +// certificate within a TUF root of trust or multiple untrusted certificates for +// the purpose of chain building. type X509CertificateChain struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py index 114aa7a4..b084ee92 100644 --- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py @@ -200,10 +200,9 @@ class SubjectAlternativeName(betterproto.Message): @dataclass(eq=False, repr=False) class X509CertificateChain(betterproto.Message): """ - A collection of X.509 certificates. NOTE: "Chain" is a misnomer in this - context, since there is no one true certificate chain in most PKI schemes. - This message should be treated as a generic collection of certificates for - path construction. + A collection of X.509 certificates. This "chain" can be used in multiple + contexts, such as providing a root CA certificate within a TUF root of + trust or multiple untrusted certificates for the purpose of chain building. """ certificates: List["X509Certificate"] = betterproto.message_field(1) diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json index eae013ed..b262af70 100644 --- a/gen/pb-rust/schemas/Bundle.schema.json +++ b/gen/pb-rust/schemas/Bundle.schema.json 
@@ -214,7 +214,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/CertificateAuthority.schema.json b/gen/pb-rust/schemas/CertificateAuthority.schema.json index 876baffd..a7838e8f 100644 --- a/gen/pb-rust/schemas/CertificateAuthority.schema.json +++ b/gen/pb-rust/schemas/CertificateAuthority.schema.json @@ -92,7 +92,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." } } } \ No newline at end of file diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index 91df20e2..6bb6138c 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json 
@@ -396,7 +396,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/TrustedRoot.schema.json b/gen/pb-rust/schemas/TrustedRoot.schema.json index 033fa0b2..bb124cf1 100644 --- a/gen/pb-rust/schemas/TrustedRoot.schema.json +++ b/gen/pb-rust/schemas/TrustedRoot.schema.json @@ -168,7 +168,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.trustroot.v1.CertificateAuthority": { "properties": { diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json index b6732320..2e4f1ec1 100644 --- a/gen/pb-rust/schemas/VerificationMaterial.schema.json +++ b/gen/pb-rust/schemas/VerificationMaterial.schema.json 
@@ -135,7 +135,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.rekor.v1.Checkpoint": { "properties": { diff --git a/gen/pb-rust/schemas/X509CertificateChain.schema.json b/gen/pb-rust/schemas/X509CertificateChain.schema.json index 6847101c..f06b6f2a 100644 --- a/gen/pb-rust/schemas/X509CertificateChain.schema.json +++ b/gen/pb-rust/schemas/X509CertificateChain.schema.json @@ -16,7 +16,7 @@ "additionalProperties": false, "type": "object", "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. NOTE: \"Chain\" is a misnomer in this context, since there is no one true certificate chain in most PKI schemes. This message should be treated as a generic collection of certificates for path construction." + "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." }, "dev.sigstore.common.v1.X509Certificate": { "properties": { diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts index d2cf1e2a..57e2be35 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_common.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts 
@@ -281,9 +281,9 @@ export interface SubjectAlternativeName { /** * A collection of X.509 certificates. * - * NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain - * in most PKI schemes. This message should be treated as a generic collection of certificates - * for path construction. + * This "chain" can be used in multiple contexts, such as providing a root CA + * certificate within a TUF root of trust or multiple untrusted certificates for + * the purpose of chain building. */ export interface X509CertificateChain { /** diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto index 2553c342..cff37360 100644 --- a/protos/sigstore_bundle.proto +++ b/protos/sigstore_bundle.proto 
@@ -73,18 +73,22 @@ message VerificationMaterial {
 //
 // Verifiers MUST validate the chain carefully to ensure that it chains up
 // to a CA certificate that they independently trust. Verifiers SHOULD
- // handle old or non-complying bundles that have additional intermediate and/or
- // root CA certificates.
+ // handle old or non-complying bundles that have superfluous intermediate and/or
+ // root CA certificates by either ignoring them or explicitly considering them
+ // untrusted for the purposes of chain building.
 //
 // 3. A single X.509 certificate, which MUST be a leaf certificate conveying
 // the signing key.
 //
- // When used with the Public Good Instance (PGI) of Sigstore, form (1) MUST NOT be used,
- // regardless of bundle version.
+ // When used with the Public Good Instance (PGI) of Sigstore for "keyless" signing
+ // via Fulcio, form (1) MUST NOT be used, regardless of bundle version. Form (1)
+ // MAY be used with the PGI for self-managed keys.
 //
- // When used in a `0.1` or `0.2` bundle with the PGI, form (2) MUST be used.
+ // When used in a `0.1` or `0.2` bundle with the PGI and "keyless" signing,
+ // form (2) MUST be used.
 //
- // When used in a `0.3` bundle with the PGI, form (3) MUST be used.
+ // When used in a `0.3` bundle with the PGI and "keyless" signing,
+ // form (3) MUST be used.
 oneof content {
 dev.sigstore.common.v1.PublicKeyIdentifier public_key = 1 [(google.api.field_behavior) = REQUIRED];
 dev.sigstore.common.v1.X509CertificateChain x509_certificate_chain = 2 [(google.api.field_behavior) = REQUIRED];
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 40593ef8..c7518d7d 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
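Review bot: The keyless/self-managed distinction introduced here is a signer-side rule that a verifier cannot check from the bundle: a form (1) `0.3` bundle looks the same whether or not the key came from Fulcio, so "form (1) MUST NOT be used" is not enforceable at verification time. The comment should say which statements bind signers and which verifiers, e.g. `// The form requirements above constrain signers; verifiers decide trust in form (1) keys by their own key policy, not by the form used.` The "either ignoring them or explicitly considering them untrusted" wording also leaves open whether an embedded intermediate that is absent from the trust root may still be used as a path candidate; one clause saying embedded certificates may serve as path candidates but never as anchors would settle that. The generated Go copy of this comment earlier in the same commit mirrors the text.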
@@ -170,9 +170,9 @@ message SubjectAlternativeName {
 
 // A collection of X.509 certificates.
 //
-// NOTE: "Chain" is a misnomer in this context, since there is no one true certificate chain
-// in most PKI schemes. This message should be treated as a generic collection of certificates
-// for path construction.
+// This "chain" can be used in multiple contexts, such as providing a root CA
+// certificate within a TUF root of trust or multiple untrusted certificates for
+// the purpose of chain building.
 message X509CertificateChain {
 // One or more DER-encoded certificates.
 //
From 6d2a28863a695b622159b5b9805456b265388273 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Thu, 11 Jan 2024 13:49:27 -0500
Subject: [PATCH 3/6] clarify order with a SHOULD
Signed-off-by: William Woodruff
---
 gen/pb-go/bundle/v1/sigstore_bundle.pb.go | 3 ++-
 protos/sigstore_bundle.proto | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
index 14de0cb5..6803954b 100644
--- a/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
+++ b/gen/pb-go/bundle/v1/sigstore_bundle.pb.go
@@ -115,7 +115,8 @@ type VerificationMaterial struct {
 // from an out-of-band mechanism (such as a keyring);
 //
 // 2. A sequence of one or more X.509 certificates, of which the first member
- // MUST be a leaf certificate conveying the signing key.
+ // MUST be a leaf certificate conveying the signing key. Subsequent members
+ // SHOULD be in issuing order, meaning that `n + 1` should be an issuer for `n`.
 //
 // Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT
 // include intermediate CA certificates that appear in an independent root of trust
diff --git a/protos/sigstore_bundle.proto b/protos/sigstore_bundle.proto
index cff37360..3503065e 100644
--- a/protos/sigstore_bundle.proto
+++ b/protos/sigstore_bundle.proto
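Review bot: The rewritten comment on `X509CertificateChain` describes two opposite roles for the same message (trust anchors inside a TUF root, untrusted material inside a bundle) but the message carries no indication of which role applies, so code that handles these values generically can conflate them. A sentence making the rule explicit would help, e.g. `// Whether members are trusted is determined solely by the containing message; a chain received in a bundle never introduces trust anchors.` The message body continues outside the hunk.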
@@ -65,7 +65,8 @@ message VerificationMaterial {
 // from an out-of-band mechanism (such as a keyring);
 //
 // 2. A sequence of one or more X.509 certificates, of which the first member
- // MUST be a leaf certificate conveying the signing key.
+ // MUST be a leaf certificate conveying the signing key. Subsequent members
+ // SHOULD be in issuing order, meaning that `n + 1` should be an issuer for `n`.
 //
 // Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT
 // include intermediate CA certificates that appear in an independent root of trust
From ac7a831792d4113a896002fbff4cf693653452e9 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Thu, 11 Jan 2024 13:51:52 -0500
Subject: [PATCH 4/6] fix rust tests
Signed-off-by: William Woodruff
---
 gen/pb-rust/tests/integration.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gen/pb-rust/tests/integration.rs b/gen/pb-rust/tests/integration.rs
index 6ef078f9..99760fc3 100644
--- a/gen/pb-rust/tests/integration.rs
+++ b/gen/pb-rust/tests/integration.rs
@@ -1,4 +1,4 @@
-use pretty_assertions::{assert_eq, assert_ne};
+use pretty_assertions::assert_eq;
 use serde_json;
 use sigstore_protobuf_specs::{
 Bundle, DevSigstoreBundleV1VerificationMaterial as VerificationMaterial,
@@ -25,6 +25,7 @@ fn bundle() {
 media_type: Some(String::from("application/vnd.dev.sigstore.bundle+json;version=0.1")),
 verification_material: Some(VerificationMaterial{
 public_key: None,
+ certificate: None,
 x_509_certificate_chain: Some(X509CertificateChain{
 certificates: Some(vec![
 X509Certificate{
From dbe405daf004151699ea19663c3a51fb37bdc662 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Fri, 12 Jan 2024 10:42:25 -0500
Subject: [PATCH 5/6] Update protos/sigstore_common.proto
Co-authored-by: Fredrik Skogman
Signed-off-by: William Woodruff
---
 protos/sigstore_common.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
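Review bot: With ordering beyond index 0 stated only as SHOULD, a verifier that treats `certificates[i + 1]` as the issuer of `certificates[i]` will reject conforming bundles, so the comment should give the verifier side of the rule next to the signer side, e.g. `// Verifiers MUST NOT rely on this order and SHOULD locate issuers by subject/authority matching when building a path.` The lowercase "should" in "should be an issuer" reads as RFC 2119 intent but is not capitalised; either use `SHOULD` or rephrase it as "is expected to be". The enclosing comment block continues outside the hunk.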
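Review bot: The fixture only gains `certificate: None` to keep the existing `version=0.1` case compiling; nothing in this test builds a `VerificationMaterial` with `certificate: Some(..)` or a `version=0.3` media type, so the new oneof member is never serialised or round-tripped here. A second fixture that sets `certificate` and leaves `x_509_certificate_chain: None` would cover the form this series introduces. The `bundle()` test continues outside the hunk.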
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index c7518d7d..05a0fde4 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -176,7 +176,7 @@ message SubjectAlternativeName {
 message X509CertificateChain {
 // One or more DER-encoded certificates.
 //
- // In some contexts (such as `VerificationMaterial.certificate`), this sequence
+ // In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence
 // has an imposed order. Unless explicitly specified, there is otherwise no
 // guaranteed order.
 repeated X509Certificate certificates = 1;
From 501a18196d2eed3b8d831864a187db3301e53cfa Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Fri, 12 Jan 2024 11:00:22 -0500
Subject: [PATCH 6/6] gen: bump
Signed-off-by: William Woodruff
---
 gen/jsonschema/schemas/Bundle.schema.json | 2 +-
 gen/jsonschema/schemas/CertificateAuthority.schema.json | 2 +-
 gen/jsonschema/schemas/Input.schema.json | 2 +-
 gen/jsonschema/schemas/TrustedRoot.schema.json | 2 +-
 gen/jsonschema/schemas/VerificationMaterial.schema.json | 2 +-
 gen/jsonschema/schemas/X509CertificateChain.schema.json | 2 +-
 gen/pb-go/common/v1/sigstore_common.pb.go | 2 +-
 .../dev/sigstore/common/v1/__init__.py | 5 +++--
 gen/pb-rust/schemas/Bundle.schema.json | 2 +-
 gen/pb-rust/schemas/CertificateAuthority.schema.json | 2 +-
 gen/pb-rust/schemas/Input.schema.json | 2 +-
 gen/pb-rust/schemas/TrustedRoot.schema.json | 2 +-
 gen/pb-rust/schemas/VerificationMaterial.schema.json | 2 +-
 gen/pb-rust/schemas/X509CertificateChain.schema.json | 2 +-
 gen/pb-typescript/src/__generated__/sigstore_common.ts | 2 +-
 15 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/gen/jsonschema/schemas/Bundle.schema.json b/gen/jsonschema/schemas/Bundle.schema.json
index b262af70..d863ff23 100644
--- a/gen/jsonschema/schemas/Bundle.schema.json
+++ b/gen/jsonschema/schemas/Bundle.schema.json
@@ -208,7 +208,7 @@ }, "additionalProperties": false, "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/CertificateAuthority.schema.json b/gen/jsonschema/schemas/CertificateAuthority.schema.json index a7838e8f..f8bbffad 100644 --- a/gen/jsonschema/schemas/CertificateAuthority.schema.json +++ b/gen/jsonschema/schemas/CertificateAuthority.schema.json @@ -86,7 +86,7 @@ }, "additionalProperties": false, "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." + "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." } }, "additionalProperties": false, diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 6bb6138c..ea8cc9a3 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json 
@@ -390,7 +390,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json
index bb124cf1..8b36bb4d 100644
--- a/gen/jsonschema/schemas/TrustedRoot.schema.json
+++ b/gen/jsonschema/schemas/TrustedRoot.schema.json
@@ -162,7 +162,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/jsonschema/schemas/VerificationMaterial.schema.json b/gen/jsonschema/schemas/VerificationMaterial.schema.json
index 2e4f1ec1..6120e4b8 100644
--- a/gen/jsonschema/schemas/VerificationMaterial.schema.json
+++ b/gen/jsonschema/schemas/VerificationMaterial.schema.json
@@ -129,7 +129,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/jsonschema/schemas/X509CertificateChain.schema.json b/gen/jsonschema/schemas/X509CertificateChain.schema.json
index f06b6f2a..a1a130c2 100644
--- a/gen/jsonschema/schemas/X509CertificateChain.schema.json
+++ b/gen/jsonschema/schemas/X509CertificateChain.schema.json
@@ -10,7 +10,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go
index ad73e6c9..14268bae 100644
--- a/gen/pb-go/common/v1/sigstore_common.pb.go
+++ b/gen/pb-go/common/v1/sigstore_common.pb.go
@@ -881,7 +881,7 @@ type X509CertificateChain struct {
 // One or more DER-encoded certificates.
 //
- // In some contexts (such as `VerificationMaterial.certificate`), this sequence
+ // In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence
 // has an imposed order. Unless explicitly specified, there is otherwise no
 // guaranteed order.
 Certificates []*X509Certificate `protobuf:"bytes,1,rep,name=certificates,proto3" json:"certificates,omitempty"`
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
index b084ee92..ea56b33d 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
@@ -208,8 +208,9 @@ class X509CertificateChain(betterproto.Message):
 certificates: List["X509Certificate"] = betterproto.message_field(1)
 """
 One or more DER-encoded certificates. In some contexts (such as
- `VerificationMaterial.certificate`), this sequence has an imposed order.
- Unless explicitly specified, there is otherwise no guaranteed order.
+ `VerificationMaterial.x509_certificate_chain`), this sequence has an
+ imposed order. Unless explicitly specified, there is otherwise no
+ guaranteed order.
 """
diff --git a/gen/pb-rust/schemas/Bundle.schema.json b/gen/pb-rust/schemas/Bundle.schema.json
index b262af70..d863ff23 100644
--- a/gen/pb-rust/schemas/Bundle.schema.json
+++ b/gen/pb-rust/schemas/Bundle.schema.json
@@ -208,7 +208,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/pb-rust/schemas/CertificateAuthority.schema.json b/gen/pb-rust/schemas/CertificateAuthority.schema.json
index a7838e8f..f8bbffad 100644
--- a/gen/pb-rust/schemas/CertificateAuthority.schema.json
+++ b/gen/pb-rust/schemas/CertificateAuthority.schema.json
@@ -86,7 +86,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json
index 6bb6138c..ea8cc9a3 100644
--- a/gen/pb-rust/schemas/Input.schema.json
+++ b/gen/pb-rust/schemas/Input.schema.json
@@ -390,7 +390,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/pb-rust/schemas/TrustedRoot.schema.json b/gen/pb-rust/schemas/TrustedRoot.schema.json
index bb124cf1..8b36bb4d 100644
--- a/gen/pb-rust/schemas/TrustedRoot.schema.json
+++ b/gen/pb-rust/schemas/TrustedRoot.schema.json
@@ -162,7 +162,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/pb-rust/schemas/VerificationMaterial.schema.json b/gen/pb-rust/schemas/VerificationMaterial.schema.json
index 2e4f1ec1..6120e4b8 100644
--- a/gen/pb-rust/schemas/VerificationMaterial.schema.json
+++ b/gen/pb-rust/schemas/VerificationMaterial.schema.json
@@ -129,7 +129,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/pb-rust/schemas/X509CertificateChain.schema.json b/gen/pb-rust/schemas/X509CertificateChain.schema.json
index f06b6f2a..a1a130c2 100644
--- a/gen/pb-rust/schemas/X509CertificateChain.schema.json
+++ b/gen/pb-rust/schemas/X509CertificateChain.schema.json
@@ -10,7 +10,7 @@
 },
 "additionalProperties": false,
 "type": "array",
- "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.certificate`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
+ "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order."
 }
 },
 "additionalProperties": false,
diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts
index 57e2be35..e45ddab2 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_common.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts
@@ -289,7 +289,7 @@ export interface X509CertificateChain {
 /**
 * One or more DER-encoded certificates.
 *
- * In some contexts (such as `VerificationMaterial.certificate`), this sequence
+ * In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence
 * has an imposed order. Unless explicitly specified, there is otherwise no
 * guaranteed order.
 */