From 68d3ec15dd064dd2faf054023bf8dcb420406e9f Mon Sep 17 00:00:00 2001 From: Andrew Pan Date: Fri, 2 Feb 2024 11:43:19 -0600 Subject: [PATCH] pb-rust: remove last traces of schemas Signed-off-by: Andrew Pan --- Makefile | 1 - .../ArtifactVerificationOptions.schema.json | 358 ------- gen/pb-rust/schemas/Input.schema.json | 918 ------------------ gen/pb-rust/schemas/PublicKey.schema.json | 80 -- .../schemas/PublicKeyIdentities.schema.json | 94 -- .../TransparencyLogInstance.schema.json | 129 --- gen/pb-rust/schemas/TrustedRoot.schema.json | 242 ----- 7 files changed, 1822 deletions(-) delete mode 100644 gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json delete mode 100644 gen/pb-rust/schemas/Input.schema.json delete mode 100644 gen/pb-rust/schemas/PublicKey.schema.json delete mode 100644 gen/pb-rust/schemas/PublicKeyIdentities.schema.json delete mode 100644 gen/pb-rust/schemas/TransparencyLogInstance.schema.json delete mode 100644 gen/pb-rust/schemas/TrustedRoot.schema.json diff --git a/Makefile b/Makefile index 46527306..11ff54a0 100644 --- a/Makefile +++ b/Makefile @@ -95,7 +95,6 @@ clean: gen/pb-typescript/src/__generated__ \ gen/pb-python/sigstore_protobuf_specs/dev \ gen/pb-python/sigstore_protobuf_specs/io \ - gen/pb-rust/schemas \ gen/pb-rust/target docker rmi -f ${PROTOC_IMAGE} diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json deleted file mode 100644 index af233021..00000000 --- a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json +++ /dev/null @@ -1,358 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/ArtifactVerificationOptions", - "definitions": { - "ArtifactVerificationOptions": { - "properties": { - "certificateIdentities": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentities", - "additionalProperties": false - }, - "publicKeys": { - "$ref": "#/definitions/dev.sigstore.verification.v1.PublicKeyIdentities", - "additionalProperties": false, - "description": "To simplify verification implementation, the logic for bundle verification should be implemented as a higher-order function, where one of argument should be an interface over the set of trusted public keys, like this: `Verify(bytes artifact, bytes signature, string key_id)`. This way the caller is in full control of mapping the identified (or hinted) key in the bundle to one of the trusted keys, as this process is inherently application specific." - }, - "tlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", - "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" - }, - "ctlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", - "additionalProperties": false, - "description": "Optional options for certificate transparency log verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" - }, - "tsaOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", - "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "integratedTsOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", - "additionalProperties": false, - "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "observerOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", - "additionalProperties": false, - "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "certificate_identities" - ] - }, - { - "required": [ - "public_keys" - ] - }, - { - "required": [ - "tlog_options" - ] - }, - { - "required": [ - "ctlog_options" - ] - }, - { - "required": [ - "tsa_options" - ] - }, - { - "required": [ - "integrated_ts_options" - ] - }, - { - "required": [ - "observer_options" - ] - } - ], - "title": "Artifact Verification Options", - "description": "A light-weight set of options/policies for identifying trusted signers, used during verification of a single artifact." - }, - "dev.sigstore.common.v1.ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - }, - "dev.sigstore.common.v1.ObjectIdentifierValuePair": { - "properties": { - "oid": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier", - "additionalProperties": false - }, - "value": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier Value Pair", - "description": "An OID and the corresponding (byte) value." - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.SubjectAlternativeName": { - "properties": { - "type": { - "enum": [ - "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED", - "EMAIL", - "URI", - "OTHER_NAME" - ], - "type": "string", - "title": "Subject Alternative Name Type" - }, - "regexp": { - "type": "string", - "description": "A regular expression describing the expected value for the SAN." - }, - "value": { - "type": "string", - "description": "The exact value to match against." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "regexp" - ] - }, - { - "required": [ - "value" - ] - } - ], - "title": "Subject Alternative Name" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of ct transparency logs the certificate must appear on." - }, - "disable": { - "type": "boolean", - "description": "Disable ct transparency log verification" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Ctlog Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." - }, - "disable": { - "type": "boolean", - "description": "Disable observer timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Observer Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of signed timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable signed timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Timestamp Authority Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of integrated timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable integrated timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Integrated Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "Number of transparency logs the entry must appear on." - }, - "performOnlineVerification": { - "type": "boolean", - "description": "Perform an online inclusion proof." - }, - "disable": { - "type": "boolean", - "description": "Disable verification for transparency logs." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Options" - }, - "dev.sigstore.verification.v1.CertificateIdentities": { - "properties": { - "identities": { - "items": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentity" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identities" - }, - "dev.sigstore.verification.v1.CertificateIdentity": { - "properties": { - "issuer": { - "type": "string", - "description": "The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)" - }, - "san": { - "$ref": "#/definitions/dev.sigstore.common.v1.SubjectAlternativeName", - "additionalProperties": false - }, - "oids": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifierValuePair" - }, - "additionalProperties": false, - "type": "array", - "description": "An unordered list of OIDs that must be verified. All OID/values provided in this list MUST exactly match against the values in the certificate for verification to be successful." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identity", - "description": "The identity of a X.509 Certificate signer." - }, - "dev.sigstore.verification.v1.PublicKeyIdentities": { - "properties": { - "publicKeys": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identities" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json deleted file mode 100644 index 58f938ea..00000000 --- a/gen/pb-rust/schemas/Input.schema.json +++ /dev/null @@ -1,918 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/Input", - "definitions": { - "Input": { - "properties": { - "artifactTrustRoot": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TrustedRoot", - "additionalProperties": false, - "description": "The verification materials provided during a bundle verification. The running process is usually preloaded with a \"global\" dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to verifying an artifact (i.e a bundle), and/or based on current policy, some selection is expected to happen, to filter out the exact certificate authority to use, which transparency logs are relevant etc. The result should b ecaptured in the `artifact_trust_root`." - }, - "artifactVerificationOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions", - "additionalProperties": false - }, - "bundle": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.Bundle", - "additionalProperties": false - }, - "artifact": { - "$ref": "#/definitions/dev.sigstore.verification.v1.Artifact", - "additionalProperties": false, - "description": "If the bundle contains a message signature, the artifact must be provided." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "artifact" - ] - } - ], - "title": "Input", - "description": "Input captures all that is needed to call the bundle verification method, to verify a single artifact referenced by the bundle." - }, - "dev.sigstore.bundle.v1.Bundle": { - "properties": { - "mediaType": { - "type": "string", - "description": "MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 or application/vnd.dev.sigstore.bundle+json;version=0.2 or application/vnd.dev.sigstore.bundle+json;version=0.3 when encoded as JSON." - }, - "verificationMaterial": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.VerificationMaterial", - "additionalProperties": false, - "description": "When a signer is identified by a X.509 certificate, a verifier MUST verify that the signature was computed at the time the certificate was valid as described in the Sigstore client spec: \"Verification using a Bundle\". \u003chttps://docs.google.com/document/d/1kbhK2qyPPk8SLavHzYSDM8-Ueul9_oxIMVFuWMWKz0E/edit#heading=h.x8bduppe89ln\u003e If the verification material contains a public key identifier (key hint) and the `content` is a DSSE envelope, the key hints MUST be exactly the same in the verification material and in the DSSE envelope." - }, - "messageSignature": { - "$ref": "#/definitions/dev.sigstore.common.v1.MessageSignature", - "additionalProperties": false - }, - "dsseEnvelope": { - "$ref": "#/definitions/io.intoto.Envelope", - "additionalProperties": false, - "description": "A DSSE envelope can contain arbitrary payloads. Verifiers must verify that the payload type is a supported and expected type. This is part of the DSSE protocol which is defined here: \u003chttps://github.com/secure-systems-lab/dsse/blob/master/protocol.md\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "message_signature" - ] - }, - { - "required": [ - "dsse_envelope" - ] - } - ], - "title": "Bundle" - }, - "dev.sigstore.bundle.v1.TimestampVerificationData": { - "properties": { - "rfc3161Timestamps": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.RFC3161SignedTimestamp" - }, - "additionalProperties": false, - "type": "array", - "description": "A list of RFC3161 signed timestamps provided by the user. This can be used when the entry has not been stored on a transparency log, or in conjunction for a stronger trust model. Clients MUST verify the hashed message in the message imprint against the signature in the bundle." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Notes on versioning.\n The primary message ('Bundle') MUST be versioned, by populating the\n 'media_type' field. Semver-ish (only major/minor versions) scheme MUST\n be used. The current version as specified by this file is:\n application/vnd.dev.sigstore.bundle+json;version=0.3\n The semantic version is thus '0.3'.", - "description": "Notes on versioning. The primary message ('Bundle') MUST be versioned, by populating the 'media_type' field. Semver-ish (only major/minor versions) scheme MUST be used. The current version as specified by this file is: application/vnd.dev.sigstore.bundle+json;version=0.3 The semantic version is thus '0.3'. Various timestamped counter signatures over the artifacts signature. Currently only RFC3161 signatures are provided. More formats may be added in the future." - }, - "dev.sigstore.bundle.v1.VerificationMaterial": { - "properties": { - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKeyIdentifier", - "additionalProperties": false - }, - "x509CertificateChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false - }, - "certificate": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate", - "additionalProperties": false - }, - "tlogEntries": { - "items": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.TransparencyLogEntry" - }, - "additionalProperties": false, - "type": "array", - "description": "An inclusion proof and an optional signed timestamp from the log. Client verification libraries MAY provide an option to support v0.1 bundles for backwards compatibility, which may contain an inclusion promise and not an inclusion proof. In this case, the client MUST validate the promise. Verifiers SHOULD NOT allow v0.1 bundles if they're used in an ecosystem which never produced them." - }, - "timestampVerificationData": { - "$ref": "#/definitions/dev.sigstore.bundle.v1.TimestampVerificationData", - "additionalProperties": false, - "description": "Timestamp may also come from tlog_entries.inclusion_promise.signed_entry_timestamp." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "public_key" - ] - }, - { - "required": [ - "x509_certificate_chain" - ] - }, - { - "required": [ - "certificate" - ] - } - ], - "title": "Verification Material", - "description": "VerificationMaterial captures details on the materials used to verify signatures. This message may be embedded in a DSSE envelope as a signature extension. Specifically, the `ext` field of the extension will expect this message when the signature extension is for Sigstore. This is identified by the `kind` field in the extension, which must be set to application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. When used as a DSSE extension, if the `public_key` field is used to indicate the key identifier, it MUST match the `keyid` field of the signature the extension is attached to." - }, - "dev.sigstore.common.v1.DistinguishedName": { - "properties": { - "organization": { - "type": "string" - }, - "commonName": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Distinguished Name" - }, - "dev.sigstore.common.v1.HashOutput": { - "properties": { - "algorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "digest": { - "type": "string", - "description": "This is the raw octets of the message digest as computed by the hash algorithm.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Hash Output", - "description": "HashOutput captures a digest of a 'message' (generic octet sequence) and the corresponding hash algorithm used." - }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - }, - "dev.sigstore.common.v1.MessageSignature": { - "properties": { - "messageDigest": { - "$ref": "#/definitions/dev.sigstore.common.v1.HashOutput", - "additionalProperties": false, - "description": "Message digest can be used to identify the artifact. Clients MUST NOT attempt to use this digest to verify the associated signature; it is intended solely for identification." - }, - "signature": { - "type": "string", - "description": "The raw bytes as returned from the signature algorithm. The signature algorithm (and so the format of the signature bytes) are determined by the contents of the 'verification_material', either a key-pair or a certificate. If using a certificate, the certificate contains the required information on the signature algorithm. When using a key pair, the algorithm MUST be part of the public key, which MUST be communicated out-of-band.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Message Signature", - "description": "MessageSignature stores the computed signature over a message." - }, - "dev.sigstore.common.v1.ObjectIdentifier": { - "properties": { - "id": { - "items": { - "type": "integer" - }, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier", - "description": "An ASN.1 OBJECT IDENTIFIER" - }, - "dev.sigstore.common.v1.ObjectIdentifierValuePair": { - "properties": { - "oid": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier", - "additionalProperties": false - }, - "value": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Object Identifier Value Pair", - "description": "An OID and the corresponding (byte) value." - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.PublicKeyIdentifier": { - "properties": { - "hint": { - "type": "string", - "description": "Optional unauthenticated hint on which key to use. The format of the hint must be agreed upon out of band by the signer and the verifiers, and so is not subject to this specification. Example use-case is to specify the public key to use, from a trusted key-ring. Implementors are RECOMMENDED to derive the value from the public key as described in RFC 6962. See: \u003chttps://www.rfc-editor.org/rfc/rfc6962#section-3.2\u003e" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identifier", - "description": "PublicKeyIdentifier can be used to identify an (out of band) delivered key, to verify a signature." - }, - "dev.sigstore.common.v1.RFC3161SignedTimestamp": { - "properties": { - "signedTimestamp": { - "type": "string", - "description": "Signed timestamp is the DER encoded TimeStampResponse. See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "RFC 3161 Signed Timestamp", - "description": "This message holds a RFC 3161 timestamp." - }, - "dev.sigstore.common.v1.SubjectAlternativeName": { - "properties": { - "type": { - "enum": [ - "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED", - "EMAIL", - "URI", - "OTHER_NAME" - ], - "type": "string", - "title": "Subject Alternative Name Type" - }, - "regexp": { - "type": "string", - "description": "A regular expression describing the expected value for the SAN." - }, - "value": { - "type": "string", - "description": "The exact value to match against." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "regexp" - ] - }, - { - "required": [ - "value" - ] - } - ], - "title": "Subject Alternative Name" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - }, - "dev.sigstore.common.v1.X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." - }, - "dev.sigstore.rekor.v1.Checkpoint": { - "properties": { - "envelope": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Checkpoint", - "description": "The checkpoint contains a signature of the tree head (root hash), size of the tree, the transparency log's unique identifier (log ID), hostname and the current time. The result is a string, the format is described here https://github.com/transparency-dev/formats/blob/main/log/README.md The details are here https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/util/signed_note.go#L114 The signature has the same format as InclusionPromise.signed_entry_timestamp. See below for more details." - }, - "dev.sigstore.rekor.v1.InclusionPromise": { - "properties": { - "signedEntryTimestamp": { - "type": "string", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Promise", - "description": "The inclusion promise is calculated by Rekor. It's calculated as a signature over a canonical JSON serialization of the persisted entry, the log ID, log index and the integration timestamp. See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 The format of the signature depends on the transparency log's public key. If the signature algorithm requires a hash function and/or a signature scheme (e.g. RSA) those has to be retrieved out-of-band from the log's operators, together with the public key. This is used to verify the integration timestamp's value and that the log has promised to include the entry." - }, - "dev.sigstore.rekor.v1.InclusionProof": { - "properties": { - "logIndex": { - "type": "string", - "description": "The index of the entry in the tree it was written to." - }, - "rootHash": { - "type": "string", - "description": "The hash digest stored at the root of the merkle tree at the time the proof was generated.", - "format": "binary", - "binaryEncoding": "base64" - }, - "treeSize": { - "type": "string", - "description": "The size of the merkle tree at the time the proof was generated." - }, - "hashes": { - "items": { - "type": "string" - }, - "type": "array", - "description": "A list of hashes required to compute the inclusion proof, sorted in order from leaf to root. Note that leaf and root hashes are not included. The root hash is available separately in this message, and the leaf hash should be calculated by the client.", - "format": "binary", - "binaryEncoding": "base64" - }, - "checkpoint": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.Checkpoint", - "additionalProperties": false, - "description": "Signature of the tree head, as of the time of this proof was generated. See above info on 'Checkpoint' for more details." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Inclusion Proof", - "description": "InclusionProof is the proof returned from the transparency log. Can be used for offline or online verification against the log." - }, - "dev.sigstore.rekor.v1.KindVersion": { - "properties": { - "kind": { - "type": "string", - "description": "Kind is the type of entry being stored in the log. See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types" - }, - "version": { - "type": "string", - "description": "The specific api version of the type." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Kind Version", - "description": "KindVersion contains the entry's kind and api version." - }, - "dev.sigstore.rekor.v1.TransparencyLogEntry": { - "properties": { - "logIndex": { - "type": "string", - "description": "The global index of the entry, used when querying the log by index." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier of the log." - }, - "kindVersion": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.KindVersion", - "additionalProperties": false, - "description": "The kind (type) and version of the object associated with this entry. These values are required to construct the entry during verification." - }, - "integratedTime": { - "type": "string", - "description": "The UNIX timestamp from the log when the entry was persisted." - }, - "inclusionPromise": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionPromise", - "additionalProperties": false, - "description": "The inclusion promise/signed entry timestamp from the log. Required for v0.1 bundles, and MUST be verified. Optional for \u003e= v0.2 bundles, and SHOULD be verified when present. Also may be used as a signed timestamp." - }, - "inclusionProof": { - "$ref": "#/definitions/dev.sigstore.rekor.v1.InclusionProof", - "additionalProperties": false, - "description": "The inclusion proof can be used for offline or online verification that the entry was appended to the log, and that the log has not been altered." - }, - "canonicalizedBody": { - "type": "string", - "description": "Optional. The canonicalized transparency log entry, used to reconstruct the Signed Entry Timestamp (SET) during verification. The contents of this field are the same as the `body` field in a Rekor response, meaning that it does **not** include the \"full\" canonicalized form (of log index, ID, etc.) which are exposed as separate fields. The verifier is responsible for combining the `canonicalized_body`, `log_index`, `log_id`, and `integrated_time` into the payload that the SET's signature is generated over. This field is intended to be used in cases where the SET cannot be produced determinisitically (e.g. inconsistent JSON field ordering, differing whitespace, etc). If set, clients MUST verify that the signature referenced in the `canonicalized_body` matches the signature provided in the `Bundle.content`. If not set, clients are responsible for constructing an equivalent payload from other sources to verify the signature.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Entry", - "description": "TransparencyLogEntry captures all the details required from Rekor to reconstruct an entry, given that the payload is provided via other means. This type can easily be created from the existing response from Rekor. Future iterations could rely on Rekor returning the minimal set of attributes (excluding the payload) that are required for verifying the inclusion promise. The inclusion promise (called SignedEntryTimestamp in the response from Rekor) is similar to a Signed Certificate Timestamp as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2." - }, - "dev.sigstore.trustroot.v1.CertificateAuthority": { - "properties": { - "subject": { - "$ref": "#/definitions/dev.sigstore.common.v1.DistinguishedName", - "additionalProperties": false, - "description": "The root certificate MUST be self-signed, and so the subject and issuer are the same." - }, - "uri": { - "type": "string", - "description": "The URI identifies the certificate authority. It is RECOMMENDED that the URI is the base URL for the certificate authority, that can be provided to any SDK/client provided by the certificate authority to interact with the certificate authority." - }, - "certChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false, - "description": "The certificate chain for this CA." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "The time the *entire* chain was valid. This is at max the longest interval when *all* certificates in the chain were valid, but it MAY be shorter. Clients MUST check timestamps against *both* the `valid_for` time range *and* the entire certificate chain. The TimeRange should be considered valid *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Authority", - "description": "CertificateAuthority enlists the information required to identify which CA to use and perform signature verification." - }, - "dev.sigstore.trustroot.v1.TransparencyLogInstance": { - "properties": { - "baseUrl": { - "type": "string", - "description": "The base URL at which can be used to URLs for the client." - }, - "hashAlgorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey", - "additionalProperties": false, - "description": "The public key used to verify signatures generated by the log. This attribute contains the signature algorithm used by the log." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier for this transparency log." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Instance", - "description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise." - }, - "dev.sigstore.trustroot.v1.TrustedRoot": { - "properties": { - "mediaType": { - "type": "string", - "description": "MUST be application/vnd.dev.sigstore.trustedroot+json;version=0.1" - }, - "tlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted Rekor servers." - }, - "certificateAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate authorities (e.g Fulcio), and any intermediate certificates they provide. If a CA is issuing multiple intermediate certificate, each combination shall be represented as separate chain. I.e, a single root cert may appear in multiple chains but with different intermediate and/or leaf certificates. The certificates are intended to be used for verifying artifact signatures." - }, - "ctlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate transparency logs." - }, - "timestampAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted timestamping authorities." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Trusted Root", - "description": "TrustedRoot describes the client's complete set of trusted entities. How the TrustedRoot is populated is not specified, but can be a combination of many sources such as TUF repositories, files on disk etc. The TrustedRoot is not meant to be used for any artifact verification, only to capture the complete/global set of trusted verification materials. When verifying an artifact, based on the artifact and policies, a selection of keys/authorities are expected to be extracted and provided to the verification function. This way the set of keys/authorities can be kept to a minimal set by the policy to gain better control over what signatures that are allowed. The embedded transparency logs, CT logs, CAs and TSAs MUST include any previously used instance -- otherwise signatures made in the past cannot be verified. All the listed instances SHOULD be sorted by the 'valid_for' in ascending order, that is, the oldest instance first. Only the last instance is allowed to have their 'end' timestamp unset. All previous instances MUST have a closed interval of validity. The last instance MAY have a closed interval. Clients MUST accept instances that overlaps in time, if not clients may experience problems during rotations of verification materials. To be able to manage planned rotations of either transparency logs or certificate authorities, clienst MUST accept lists of instances where the last instance have a 'valid_for' that belongs to the future. This should not be a problem as clients SHOULD first seek the trust root for a suitable instance before creating a per artifact trust root (that is, a sub-set of the complete trust root) that is used for verification." - }, - "dev.sigstore.verification.v1.Artifact": { - "properties": { - "artifactUri": { - "type": "string", - "description": "Location of the artifact" - }, - "artifact": { - "type": "string", - "description": "The raw bytes of the artifact", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "artifact_uri" - ] - }, - { - "required": [ - "artifact" - ] - } - ], - "title": "Artifact" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions": { - "properties": { - "certificateIdentities": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentities", - "additionalProperties": false - }, - "publicKeys": { - "$ref": "#/definitions/dev.sigstore.verification.v1.PublicKeyIdentities", - "additionalProperties": false, - "description": "To simplify verification implementation, the logic for bundle verification should be implemented as a higher-order function, where one of argument should be an interface over the set of trusted public keys, like this: `Verify(bytes artifact, bytes signature, string key_id)`. This way the caller is in full control of mapping the identified (or hinted) key in the bundle to one of the trusted keys, as this process is inherently application specific." - }, - "tlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions", - "additionalProperties": false, - "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false" - }, - "ctlogOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions", - "additionalProperties": false, - "description": "Optional options for certificate transparency log verification. If none is provided, the default verification options are: Threshold: 1 Disable: false" - }, - "tsaOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions", - "additionalProperties": false, - "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "integratedTsOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions", - "additionalProperties": false, - "description": "Optional options for integrated timestamp verification. If none is provided, the default verification options are: Threshold: 0 Disable: true" - }, - "observerOptions": { - "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions", - "additionalProperties": false, - "description": "Optional options for observed timestamp verification. If none is provided, the default verification options are: Threshold 1 Disable: false" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "certificate_identities" - ] - }, - { - "required": [ - "public_keys" - ] - }, - { - "required": [ - "tlog_options" - ] - }, - { - "required": [ - "ctlog_options" - ] - }, - { - "required": [ - "tsa_options" - ] - }, - { - "required": [ - "integrated_ts_options" - ] - }, - { - "required": [ - "observer_options" - ] - } - ], - "title": "Artifact Verification Options", - "description": "A light-weight set of options/policies for identifying trusted signers, used during verification of a single artifact." - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of ct transparency logs the certificate must appear on." - }, - "disable": { - "type": "boolean", - "description": "Disable ct transparency log verification" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Ctlog Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of external observers of the timestamp. This is a union of RFC3161 signed timestamps, and integrated timestamps from a transparency log, that could include additional timestamp sources in the future." - }, - "disable": { - "type": "boolean", - "description": "Disable observer timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Observer Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of signed timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable signed timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Timestamp Authority Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "The number of integrated timestamps that are expected." - }, - "disable": { - "type": "boolean", - "description": "Disable integrated timestamp verification." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Integrated Timestamp Options" - }, - "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": { - "properties": { - "threshold": { - "type": "integer", - "description": "Number of transparency logs the entry must appear on." - }, - "performOnlineVerification": { - "type": "boolean", - "description": "Perform an online inclusion proof." - }, - "disable": { - "type": "boolean", - "description": "Disable verification for transparency logs." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Tlog Options" - }, - "dev.sigstore.verification.v1.CertificateIdentities": { - "properties": { - "identities": { - "items": { - "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentity" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identities" - }, - "dev.sigstore.verification.v1.CertificateIdentity": { - "properties": { - "issuer": { - "type": "string", - "description": "The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)" - }, - "san": { - "$ref": "#/definitions/dev.sigstore.common.v1.SubjectAlternativeName", - "additionalProperties": false - }, - "oids": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifierValuePair" - }, - "additionalProperties": false, - "type": "array", - "description": "An unordered list of OIDs that must be verified. All OID/values provided in this list MUST exactly match against the values in the certificate for verification to be successful." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Identity", - "description": "The identity of a X.509 Certificate signer." - }, - "dev.sigstore.verification.v1.PublicKeyIdentities": { - "properties": { - "publicKeys": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identities" - }, - "io.intoto.Envelope": { - "properties": { - "payload": { - "type": "string", - "description": "Message to be signed. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "payloadType": { - "type": "string", - "description": "String unambiguously identifying how to interpret payload. REQUIRED." - }, - "signatures": { - "items": { - "$ref": "#/definitions/io.intoto.Signature" - }, - "additionalProperties": false, - "type": "array", - "description": "Signature over: PAE(type, payload) Where PAE is defined as: PAE(type, payload) = \"DSSEv1\" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload + = concatenation SP = ASCII space [0x20] \"DSSEv1\" = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31] LEN(s) = ASCII decimal encoding of the byte length of s, with no leading zeros REQUIRED (length \u003e= 1)." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Envelope", - "description": "An authenticated message of arbitrary type." - }, - "io.intoto.Signature": { - "properties": { - "sig": { - "type": "string", - "description": "Signature itself. (In JSON, this is encoded as base64.) REQUIRED.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyid": { - "type": "string", - "description": "*Unauthenticated* hint identifying which public key was used. OPTIONAL." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Signature" - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/PublicKey.schema.json b/gen/pb-rust/schemas/PublicKey.schema.json deleted file mode 100644 index 62acbd86..00000000 --- a/gen/pb-rust/schemas/PublicKey.schema.json +++ /dev/null @@ -1,80 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/PublicKey", - "definitions": { - "PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/PublicKeyIdentities.schema.json b/gen/pb-rust/schemas/PublicKeyIdentities.schema.json deleted file mode 100644 index f17c0d64..00000000 --- a/gen/pb-rust/schemas/PublicKeyIdentities.schema.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/PublicKeyIdentities", - "definitions": { - "PublicKeyIdentities": { - "properties": { - "publicKeys": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey" - }, - "additionalProperties": false, - "type": "array" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Public Key Identities" - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/TransparencyLogInstance.schema.json b/gen/pb-rust/schemas/TransparencyLogInstance.schema.json deleted file mode 100644 index 2e46024f..00000000 --- a/gen/pb-rust/schemas/TransparencyLogInstance.schema.json +++ /dev/null @@ -1,129 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/TransparencyLogInstance", - "definitions": { - "TransparencyLogInstance": { - "properties": { - "baseUrl": { - "type": "string", - "description": "The base URL at which can be used to URLs for the client." - }, - "hashAlgorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey", - "additionalProperties": false, - "description": "The public key used to verify signatures generated by the log. This attribute contains the signature algorithm used by the log." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier for this transparency log." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Instance", - "description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise." - }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - } - } -} \ No newline at end of file diff --git a/gen/pb-rust/schemas/TrustedRoot.schema.json b/gen/pb-rust/schemas/TrustedRoot.schema.json deleted file mode 100644 index 44719ae3..00000000 --- a/gen/pb-rust/schemas/TrustedRoot.schema.json +++ /dev/null @@ -1,242 +0,0 @@ -{ - "$schema": "http://json-schema.org/draft-04/schema#", - "$ref": "#/definitions/TrustedRoot", - "definitions": { - "TrustedRoot": { - "properties": { - "mediaType": { - "type": "string", - "description": "MUST be application/vnd.dev.sigstore.trustedroot+json;version=0.1" - }, - "tlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted Rekor servers." - }, - "certificateAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate authorities (e.g Fulcio), and any intermediate certificates they provide. If a CA is issuing multiple intermediate certificate, each combination shall be represented as separate chain. I.e, a single root cert may appear in multiple chains but with different intermediate and/or leaf certificates. The certificates are intended to be used for verifying artifact signatures." - }, - "ctlogs": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.TransparencyLogInstance" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted certificate transparency logs." - }, - "timestampAuthorities": { - "items": { - "$ref": "#/definitions/dev.sigstore.trustroot.v1.CertificateAuthority" - }, - "additionalProperties": false, - "type": "array", - "description": "A set of trusted timestamping authorities." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Trusted Root", - "description": "TrustedRoot describes the client's complete set of trusted entities. How the TrustedRoot is populated is not specified, but can be a combination of many sources such as TUF repositories, files on disk etc. The TrustedRoot is not meant to be used for any artifact verification, only to capture the complete/global set of trusted verification materials. When verifying an artifact, based on the artifact and policies, a selection of keys/authorities are expected to be extracted and provided to the verification function. This way the set of keys/authorities can be kept to a minimal set by the policy to gain better control over what signatures that are allowed. The embedded transparency logs, CT logs, CAs and TSAs MUST include any previously used instance -- otherwise signatures made in the past cannot be verified. All the listed instances SHOULD be sorted by the 'valid_for' in ascending order, that is, the oldest instance first. Only the last instance is allowed to have their 'end' timestamp unset. All previous instances MUST have a closed interval of validity. The last instance MAY have a closed interval. Clients MUST accept instances that overlaps in time, if not clients may experience problems during rotations of verification materials. To be able to manage planned rotations of either transparency logs or certificate authorities, clienst MUST accept lists of instances where the last instance have a 'valid_for' that belongs to the future. This should not be a problem as clients SHOULD first seek the trust root for a suitable instance before creating a per artifact trust root (that is, a sub-set of the complete trust root) that is used for verification." - }, - "dev.sigstore.common.v1.DistinguishedName": { - "properties": { - "organization": { - "type": "string" - }, - "commonName": { - "type": "string" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Distinguished Name" - }, - "dev.sigstore.common.v1.LogId": { - "properties": { - "keyId": { - "type": "string", - "description": "The unique id of the log, represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "Log Id", - "description": "LogId captures the identity of a transparency log." - }, - "dev.sigstore.common.v1.PublicKey": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded public key, encoding method is specified by the key_details attribute.", - "format": "binary", - "binaryEncoding": "base64" - }, - "keyDetails": { - "enum": [ - "PUBLIC_KEY_DETAILS_UNSPECIFIED", - "PKCS1_RSA_PKCS1V5", - "PKCS1_RSA_PSS", - "PKIX_RSA_PKCS1V5", - "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", - "PKIX_ECDSA_P256_HMAC_SHA_256", - "PKIX_ECDSA_P256_SHA_256", - "PKIX_ECDSA_P384_SHA_384", - "PKIX_ECDSA_P521_SHA_512", - "PKIX_ED25519", - "PKIX_ED25519_PH" - ], - "type": "string", - "title": "Public Key Details", - "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "Optional validity period for this key, *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "raw_bytes" - ] - }, - { - "required": [ - "valid_for" - ] - } - ], - "title": "Public Key" - }, - "dev.sigstore.common.v1.TimeRange": { - "properties": { - "start": { - "type": "string", - "format": "date-time" - }, - "end": { - "type": "string", - "format": "date-time" - } - }, - "additionalProperties": false, - "type": "object", - "oneOf": [ - { - "required": [ - "end" - ] - } - ], - "title": "Time Range", - "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end." - }, - "dev.sigstore.common.v1.X509Certificate": { - "properties": { - "rawBytes": { - "type": "string", - "description": "DER-encoded X.509 certificate.", - "format": "binary", - "binaryEncoding": "base64" - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate" - }, - "dev.sigstore.common.v1.X509CertificateChain": { - "properties": { - "certificates": { - "items": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509Certificate" - }, - "additionalProperties": false, - "type": "array", - "description": "One or more DER-encoded certificates. In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence has an imposed order. Unless explicitly specified, there is otherwise no guaranteed order." - } - }, - "additionalProperties": false, - "type": "object", - "title": "X 509 Certificate Chain", - "description": "A collection of X.509 certificates. This \"chain\" can be used in multiple contexts, such as providing a root CA certificate within a TUF root of trust or multiple untrusted certificates for the purpose of chain building." - }, - "dev.sigstore.trustroot.v1.CertificateAuthority": { - "properties": { - "subject": { - "$ref": "#/definitions/dev.sigstore.common.v1.DistinguishedName", - "additionalProperties": false, - "description": "The root certificate MUST be self-signed, and so the subject and issuer are the same." - }, - "uri": { - "type": "string", - "description": "The URI identifies the certificate authority. It is RECOMMENDED that the URI is the base URL for the certificate authority, that can be provided to any SDK/client provided by the certificate authority to interact with the certificate authority." - }, - "certChain": { - "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain", - "additionalProperties": false, - "description": "The certificate chain for this CA." - }, - "validFor": { - "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange", - "additionalProperties": false, - "description": "The time the *entire* chain was valid. This is at max the longest interval when *all* certificates in the chain were valid, but it MAY be shorter. Clients MUST check timestamps against *both* the `valid_for` time range *and* the entire certificate chain. The TimeRange should be considered valid *inclusive* of the endpoints." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Certificate Authority", - "description": "CertificateAuthority enlists the information required to identify which CA to use and perform signature verification." - }, - "dev.sigstore.trustroot.v1.TransparencyLogInstance": { - "properties": { - "baseUrl": { - "type": "string", - "description": "The base URL at which can be used to URLs for the client." - }, - "hashAlgorithm": { - "enum": [ - "HASH_ALGORITHM_UNSPECIFIED", - "SHA2_256", - "SHA2_384", - "SHA2_512", - "SHA3_256", - "SHA3_384" - ], - "type": "string", - "title": "This package defines commonly used message types within the Sigstore\n community.", - "description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms are supported. See \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e for more details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force any proto JSON serialization to emit the used hash algorithm, as default option is to *omit* the default value of an enum (which is the first value, represented by '0'." - }, - "publicKey": { - "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey", - "additionalProperties": false, - "description": "The public key used to verify signatures generated by the log. This attribute contains the signature algorithm used by the log." - }, - "logId": { - "$ref": "#/definitions/dev.sigstore.common.v1.LogId", - "additionalProperties": false, - "description": "The unique identifier for this transparency log." - } - }, - "additionalProperties": false, - "type": "object", - "title": "Transparency Log Instance", - "description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise." - } - } -} \ No newline at end of file