From 9bbc08f60b1064633513947ee1a0d1c7732d6bf9 Mon Sep 17 00:00:00 2001 From: William Woodruff Date: Mon, 5 Feb 2024 13:01:58 +0100 Subject: [PATCH] Add RSA variants, experimental LMS and LM-OTS to algorithm registry (#199) * algorithm-registry: add LMS and LM-OTS Signed-off-by: William Woodruff * add LMS and LM-OTS to algo registry Signed-off-by: William Woodruff * add RSA PSS variants Signed-off-by: William Woodruff * document PSS variants, make it clear they're PKIX encoded Signed-off-by: William Woodruff * linearize all RSA variants Signed-off-by: William Woodruff * drop PCKS1 key encodings Signed-off-by: William Woodruff --------- Signed-off-by: William Woodruff --- docs/algorithm-registry.md | 37 ++++-- .../ArtifactVerificationOptions.schema.json | 13 +- gen/jsonschema/schemas/Input.schema.json | 13 +- gen/jsonschema/schemas/PublicKey.schema.json | 13 +- .../schemas/PublicKeyIdentities.schema.json | 13 +- .../TransparencyLogInstance.schema.json | 13 +- .../schemas/TrustedRoot.schema.json | 13 +- gen/pb-go/common/v1/sigstore_common.pb.go | 116 +++++++++++------- .../dev/sigstore/common/v1/__init__.py | 17 ++- gen/pb-ruby/lib/sigstore_common_pb.rb | 11 +- .../ArtifactVerificationOptions.schema.json | 13 +- gen/pb-rust/schemas/Input.schema.json | 13 +- gen/pb-rust/schemas/PublicKey.schema.json | 13 +- .../schemas/PublicKeyIdentities.schema.json | 13 +- .../TransparencyLogInstance.schema.json | 13 +- gen/pb-rust/schemas/TrustedRoot.schema.json | 13 +- .../src/__generated__/sigstore_common.ts | 63 +++++++--- protos/sigstore_common.proto | 18 ++- 18 files changed, 292 insertions(+), 126 deletions(-) diff --git a/docs/algorithm-registry.md b/docs/algorithm-registry.md index 09c84562..3fa54056 100644 --- a/docs/algorithm-registry.md +++ b/docs/algorithm-registry.md 
@@ -15,16 +15,33 @@ specification for the design rationale for this registry. ## Signature Algorithms -| Algorithm | Name | Usage | -|-----------|----------------------------|---------------------------------------------------| -| RSA | rsa-sign-pkcs1-2048-sha256 | verify only | -| | rsa-sign-pkcs1-3072-sha256 | sign/verify | -| | rsa-sign-pkcs1-4096-sha256 | sign/verify | -| ECDSA | ecdsa-sha2-256-nistp256 | sign/verify | -| | ecdsa-sha2-384-nistp384 | sign/verify | -| | ecdsa-sha2-512-nistp521 | sign/verify | -| EdDSA | ed25519 | sign/verify | -| | ed25519-ph | sign/verify (recommended only for `hashedrekord`) | +| Algorithm | Name | Usage | Notes | +|-----------|----------------------------|-------------| -------------------------------------------------------------------------------- | +| RSA | rsa-sign-pkcs1-2048-sha256 | verify only | Not recommended. | +| | rsa-sign-pkcs1-3072-sha256 | sign/verify | | +| | rsa-sign-pkcs1-4096-sha256 | sign/verify | | +| | rsa-sign-pss-2048-sha256 | verify only | Not recommended. | +| | rsa-sign-pss-3072-sha256 | sign/verify | | +| | rsa-sign-pss-4096-sha256 | sign/verify | | +| ECDSA | ecdsa-sha2-256-nistp256 | sign/verify | | +| | ecdsa-sha2-384-nistp384 | sign/verify | | +| | ecdsa-sha2-512-nistp521 | sign/verify | | +| EdDSA | ed25519 | sign/verify | | +| | ed25519-ph | sign/verify | Recommended only for `hashedrekord`. | +| LMS | lms-sha256 | sign/verify | Stateful; signer selects the `H` parameter. Not recommended for keyless signing. | +| LM-OTS | lmots-sha256 | sign/verify | One-time use only; signer selects `n` and `w`. | + +### Parameter configuration for LMS and LM-OTS + +LMS and LM-OTS are both hash-based signature schemes. Both require the signing party +to make parameter choices during key generation. + +In both cases, the selected parameters are encoded in the public key representation. 
+See [RFC 8554 S5.3](https://www.rfc-editor.org/rfc/rfc8554.html#section-5.3) for LMS and +[RFC 8554 S4.3](https://www.rfc-editor.org/rfc/rfc8554.html#section-4.3) for LM-OTS public key +formats. Additionally, see [RFC 8708 S4](https://www.rfc-editor.org/rfc/rfc8708.html) for +`SubjectPublicKeyInfo` and `AlgorithmIdentifier` encodings for both LMS and LM-OTS +public keys. ## Hash Algorithms diff --git a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json index af233021..88c1e8ca 100644 --- a/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/jsonschema/schemas/ArtifactVerificationOptions.schema.json @@ -127,15 +127,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json index 58f938ea..ce70b141 100644 --- a/gen/jsonschema/schemas/Input.schema.json +++ b/gen/jsonschema/schemas/Input.schema.json 
@@ -257,15 +257,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/jsonschema/schemas/PublicKey.schema.json b/gen/jsonschema/schemas/PublicKey.schema.json index 62acbd86..2e7f6756 100644 --- a/gen/jsonschema/schemas/PublicKey.schema.json +++ b/gen/jsonschema/schemas/PublicKey.schema.json @@ -17,15 +17,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/jsonschema/schemas/PublicKeyIdentities.schema.json b/gen/jsonschema/schemas/PublicKeyIdentities.schema.json index f17c0d64..f52c73f3 100644 --- a/gen/jsonschema/schemas/PublicKeyIdentities.schema.json +++ b/gen/jsonschema/schemas/PublicKeyIdentities.schema.json 
@@ -31,15 +31,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/jsonschema/schemas/TransparencyLogInstance.schema.json b/gen/jsonschema/schemas/TransparencyLogInstance.schema.json index 2e46024f..d53179ea 100644 --- a/gen/jsonschema/schemas/TransparencyLogInstance.schema.json +++ b/gen/jsonschema/schemas/TransparencyLogInstance.schema.json @@ -66,15 +66,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json index 44719ae3..13dd6e4b 100644 --- a/gen/jsonschema/schemas/TrustedRoot.schema.json +++ b/gen/jsonschema/schemas/TrustedRoot.schema.json 
@@ -88,15 +88,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go index 285aa19a..61db9b36 100644 --- a/gen/pb-go/common/v1/sigstore_common.pb.go +++ b/gen/pb-go/common/v1/sigstore_common.pb.go @@ -130,10 +130,15 @@ const ( // Deprecated: Do not use. PublicKeyDetails_PKIX_RSA_PKCS1V5 PublicKeyDetails = 3 // Deprecated: Do not use. - PublicKeyDetails_PKIX_RSA_PSS PublicKeyDetails = 4 - PublicKeyDetails_PKIX_RSA_PKCS1_2048_SHA256 PublicKeyDetails = 9 - PublicKeyDetails_PKIX_RSA_PKCS1_3072_SHA256 PublicKeyDetails = 10 - PublicKeyDetails_PKIX_RSA_PKCS1_4096_SHA256 PublicKeyDetails = 11 + PublicKeyDetails_PKIX_RSA_PSS PublicKeyDetails = 4 + // RSA public key in PKIX format, PKCS#1v1.5 signature + PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256 PublicKeyDetails = 9 + PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256 PublicKeyDetails = 10 + PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256 PublicKeyDetails = 11 + // RSA public key in PKIX format, RSASSA-PSS signature + PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256 PublicKeyDetails = 16 // See RFC4055 + PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256 PublicKeyDetails = 17 + PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256 PublicKeyDetails = 18 // ECDSA // // Deprecated: Do not use. 
@@ -144,6 +149,9 @@ const ( // Ed 25519 PublicKeyDetails_PKIX_ED25519 PublicKeyDetails = 7 // See RFC8032 PublicKeyDetails_PKIX_ED25519_PH PublicKeyDetails = 8 + // **EXPERIMENTAL**: LMS and LM-OTS variants. + PublicKeyDetails_EXPERIMENTAL_LMS_SHA256 PublicKeyDetails = 14 + PublicKeyDetails_EXPERIMENTAL_LMOTS_SHA256 PublicKeyDetails = 15 ) // Enum value maps for PublicKeyDetails. @@ -154,15 +162,20 @@ var ( 2: "PKCS1_RSA_PSS", 3: "PKIX_RSA_PKCS1V5", 4: "PKIX_RSA_PSS", - 9: "PKIX_RSA_PKCS1_2048_SHA256", - 10: "PKIX_RSA_PKCS1_3072_SHA256", - 11: "PKIX_RSA_PKCS1_4096_SHA256", + 9: "PKIX_RSA_PKCS1V15_2048_SHA256", + 10: "PKIX_RSA_PKCS1V15_3072_SHA256", + 11: "PKIX_RSA_PKCS1V15_4096_SHA256", + 16: "PKIX_RSA_PSS_2048_SHA256", + 17: "PKIX_RSA_PSS_3072_SHA256", + 18: "PKIX_RSA_PSS_4096_SHA256", 6: "PKIX_ECDSA_P256_HMAC_SHA_256", 5: "PKIX_ECDSA_P256_SHA_256", 12: "PKIX_ECDSA_P384_SHA_384", 13: "PKIX_ECDSA_P521_SHA_512", 7: "PKIX_ED25519", 8: "PKIX_ED25519_PH", + 14: "EXPERIMENTAL_LMS_SHA256", + 15: "EXPERIMENTAL_LMOTS_SHA256", } PublicKeyDetails_value = map[string]int32{ "PUBLIC_KEY_DETAILS_UNSPECIFIED": 0, @@ -170,15 +183,20 @@ var ( "PKCS1_RSA_PSS": 2, "PKIX_RSA_PKCS1V5": 3, "PKIX_RSA_PSS": 4, - "PKIX_RSA_PKCS1_2048_SHA256": 9, - "PKIX_RSA_PKCS1_3072_SHA256": 10, - "PKIX_RSA_PKCS1_4096_SHA256": 11, + "PKIX_RSA_PKCS1V15_2048_SHA256": 9, + "PKIX_RSA_PKCS1V15_3072_SHA256": 10, + "PKIX_RSA_PKCS1V15_4096_SHA256": 11, + "PKIX_RSA_PSS_2048_SHA256": 16, + "PKIX_RSA_PSS_3072_SHA256": 17, + "PKIX_RSA_PSS_4096_SHA256": 18, "PKIX_ECDSA_P256_HMAC_SHA_256": 6, "PKIX_ECDSA_P256_SHA_256": 5, "PKIX_ECDSA_P384_SHA_384": 12, "PKIX_ECDSA_P521_SHA_512": 13, "PKIX_ED25519": 7, "PKIX_ED25519_PH": 8, + "EXPERIMENTAL_LMS_SHA256": 14, + "EXPERIMENTAL_LMOTS_SHA256": 15, } ) 
@@ -1130,7 +1148,7 @@ var file_sigstore_common_proto_rawDesc = []byte{ 0x48, 0x41, 0x32, 0x5f, 0x33, 0x38, 0x34, 0x10, 0x02, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x32, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x03, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x04, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x33, 0x5f, 0x33, 0x38, - 0x34, 0x10, 0x05, 0x2a, 0x9c, 0x03, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x34, 0x10, 0x05, 0x2a, 0xc1, 0x04, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x22, 0x0a, 0x1e, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x44, 0x45, 0x54, 0x41, 0x49, 0x4c, 0x53, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x19, 0x0a, 0x11, 
@@ -1139,39 +1157,49 @@ var file_sigstore_common_proto_rawDesc = []byte{ 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x02, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x18, 0x0a, 0x10, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, 0x35, 0x10, 0x03, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x14, 0x0a, 0x0c, 0x50, 0x4b, 0x49, 0x58, - 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x04, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x1e, - 0x0a, 0x1a, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, - 0x5f, 0x32, 0x30, 0x34, 0x38, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x09, 0x12, 0x1e, - 0x0a, 0x1a, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, - 0x5f, 0x33, 0x30, 0x37, 0x32, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0a, 0x12, 0x1e, - 0x0a, 0x1a, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, - 0x5f, 0x34, 0x30, 0x39, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0b, 0x12, 0x24, - 0x0a, 0x1c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x32, 0x35, - 0x36, 0x5f, 0x48, 0x4d, 0x41, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x06, - 0x1a, 0x02, 0x08, 0x01, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, - 0x53, 0x41, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, 0x36, 0x10, - 0x05, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, - 0x50, 0x33, 0x38, 0x34, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x33, 0x38, 0x34, 0x10, 0x0c, 0x12, 0x1b, - 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x35, 0x32, - 0x31, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x0d, 0x12, 0x10, 0x0a, 0x0c, 0x50, - 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, 0x07, 0x12, 0x13, 0x0a, - 0x0f, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 
0x31, 0x39, 0x5f, 0x50, 0x48, - 0x10, 0x08, 0x2a, 0x6f, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, - 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, 0x65, - 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x41, 0x4c, 0x54, 0x45, - 0x52, 0x4e, 0x41, 0x54, 0x49, 0x56, 0x45, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x5f, 0x54, 0x59, 0x50, - 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, - 0x09, 0x0a, 0x05, 0x45, 0x4d, 0x41, 0x49, 0x4c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x52, - 0x49, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x4f, 0x54, 0x48, 0x45, 0x52, 0x5f, 0x4e, 0x41, 0x4d, - 0x45, 0x10, 0x03, 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, - 0x50, 0x01, 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, - 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, - 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, 0x02, 0x14, 0x53, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x3a, 0x3a, 0x56, - 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x04, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x21, + 0x0a, 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, + 0x56, 0x31, 0x35, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, + 0x09, 0x12, 0x21, 0x0a, 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, + 0x43, 0x53, 0x31, 0x56, 0x31, 0x35, 0x5f, 0x33, 
0x30, 0x37, 0x32, 0x5f, 0x53, 0x48, 0x41, 0x32, + 0x35, 0x36, 0x10, 0x0a, 0x12, 0x21, 0x0a, 0x1d, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, + 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, 0x31, 0x35, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x5f, 0x53, + 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, 0x0b, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, + 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x5f, 0x53, 0x48, 0x41, + 0x32, 0x35, 0x36, 0x10, 0x10, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, + 0x41, 0x5f, 0x50, 0x53, 0x53, 0x5f, 0x33, 0x30, 0x37, 0x32, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, + 0x36, 0x10, 0x11, 0x12, 0x1c, 0x0a, 0x18, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, + 0x50, 0x53, 0x53, 0x5f, 0x34, 0x30, 0x39, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, + 0x12, 0x12, 0x24, 0x0a, 0x1c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, + 0x50, 0x32, 0x35, 0x36, 0x5f, 0x48, 0x4d, 0x41, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, + 0x36, 0x10, 0x06, 0x1a, 0x02, 0x08, 0x01, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, + 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, + 0x35, 0x36, 0x10, 0x05, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, + 0x53, 0x41, 0x5f, 0x50, 0x33, 0x38, 0x34, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x33, 0x38, 0x34, 0x10, + 0x0c, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, + 0x50, 0x35, 0x32, 0x31, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x35, 0x31, 0x32, 0x10, 0x0d, 0x12, 0x10, + 0x0a, 0x0c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, 0x07, + 0x12, 0x13, 0x0a, 0x0f, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, + 0x5f, 0x50, 0x48, 0x10, 0x08, 0x12, 0x1b, 0x0a, 0x17, 0x45, 0x58, 0x50, 0x45, 0x52, 0x49, 0x4d, + 0x45, 0x4e, 0x54, 0x41, 0x4c, 0x5f, 0x4c, 0x4d, 0x53, 0x5f, 0x53, 0x48, 0x41, 0x32, 
0x35, 0x36, + 0x10, 0x0e, 0x12, 0x1d, 0x0a, 0x19, 0x45, 0x58, 0x50, 0x45, 0x52, 0x49, 0x4d, 0x45, 0x4e, 0x54, + 0x41, 0x4c, 0x5f, 0x4c, 0x4d, 0x4f, 0x54, 0x53, 0x5f, 0x53, 0x48, 0x41, 0x32, 0x35, 0x36, 0x10, + 0x0f, 0x22, 0x04, 0x08, 0x13, 0x10, 0x32, 0x2a, 0x6f, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, + 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, + 0x5f, 0x41, 0x4c, 0x54, 0x45, 0x52, 0x4e, 0x41, 0x54, 0x49, 0x56, 0x45, 0x5f, 0x4e, 0x41, 0x4d, + 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, + 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x4d, 0x41, 0x49, 0x4c, 0x10, 0x01, 0x12, + 0x07, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x10, 0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x4f, 0x54, 0x48, 0x45, + 0x52, 0x5f, 0x4e, 0x41, 0x4d, 0x45, 0x10, 0x03, 0x42, 0x7c, 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, + 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, + 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0xea, + 0x02, 0x14, 0x53, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x3a, 0x3a, 0x43, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py index 3afc31f3..8679c035 100644 
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py +++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py @@ -52,9 +52,16 @@ class PublicKeyDetails(betterproto.Enum): PKCS1_RSA_PSS = 2 PKIX_RSA_PKCS1V5 = 3 PKIX_RSA_PSS = 4 - PKIX_RSA_PKCS1_2048_SHA256 = 9 - PKIX_RSA_PKCS1_3072_SHA256 = 10 - PKIX_RSA_PKCS1_4096_SHA256 = 11 + PKIX_RSA_PKCS1V15_2048_SHA256 = 9 + """RSA public key in PKIX format, PKCS#1v1.5 signature""" + + PKIX_RSA_PKCS1V15_3072_SHA256 = 10 + PKIX_RSA_PKCS1V15_4096_SHA256 = 11 + PKIX_RSA_PSS_2048_SHA256 = 16 + """RSA public key in PKIX format, RSASSA-PSS signature""" + + PKIX_RSA_PSS_3072_SHA256 = 17 + PKIX_RSA_PSS_4096_SHA256 = 18 PKIX_ECDSA_P256_HMAC_SHA_256 = 6 """ECDSA""" @@ -65,6 +72,10 @@ class PublicKeyDetails(betterproto.Enum): """Ed 25519""" PKIX_ED25519_PH = 8 + EXPERIMENTAL_LMS_SHA256 = 14 + """**EXPERIMENTAL**: LMS and LM-OTS variants.""" + + EXPERIMENTAL_LMOTS_SHA256 = 15 class SubjectAlternativeNameType(betterproto.Enum): diff --git a/gen/pb-ruby/lib/sigstore_common_pb.rb b/gen/pb-ruby/lib/sigstore_common_pb.rb index 86877e48..a76a563f 100644 --- a/gen/pb-ruby/lib/sigstore_common_pb.rb +++ b/gen/pb-ruby/lib/sigstore_common_pb.rb 
@@ -72,15 +72,20 @@ value :PKCS1_RSA_PSS, 2 value :PKIX_RSA_PKCS1V5, 3 value :PKIX_RSA_PSS, 4 - value :PKIX_RSA_PKCS1_2048_SHA256, 9 - value :PKIX_RSA_PKCS1_3072_SHA256, 10 - value :PKIX_RSA_PKCS1_4096_SHA256, 11 + value :PKIX_RSA_PKCS1V15_2048_SHA256, 9 + value :PKIX_RSA_PKCS1V15_3072_SHA256, 10 + value :PKIX_RSA_PKCS1V15_4096_SHA256, 11 + value :PKIX_RSA_PSS_2048_SHA256, 16 + value :PKIX_RSA_PSS_3072_SHA256, 17 + value :PKIX_RSA_PSS_4096_SHA256, 18 value :PKIX_ECDSA_P256_HMAC_SHA_256, 6 value :PKIX_ECDSA_P256_SHA_256, 5 value :PKIX_ECDSA_P384_SHA_384, 12 value :PKIX_ECDSA_P521_SHA_512, 13 value :PKIX_ED25519, 7 value :PKIX_ED25519_PH, 8 + value :EXPERIMENTAL_LMS_SHA256, 14 + value :EXPERIMENTAL_LMOTS_SHA256, 15 end add_enum "dev.sigstore.common.v1.SubjectAlternativeNameType" do value :SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED, 0 diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json index af233021..88c1e8ca 100644 --- a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json +++ b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json @@ -127,15 +127,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/pb-rust/schemas/Input.schema.json b/gen/pb-rust/schemas/Input.schema.json index 58f938ea..ce70b141 100644 --- a/gen/pb-rust/schemas/Input.schema.json +++ b/gen/pb-rust/schemas/Input.schema.json 
@@ -257,15 +257,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/pb-rust/schemas/PublicKey.schema.json b/gen/pb-rust/schemas/PublicKey.schema.json index 62acbd86..2e7f6756 100644 --- a/gen/pb-rust/schemas/PublicKey.schema.json +++ b/gen/pb-rust/schemas/PublicKey.schema.json @@ -17,15 +17,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/pb-rust/schemas/PublicKeyIdentities.schema.json b/gen/pb-rust/schemas/PublicKeyIdentities.schema.json index f17c0d64..f52c73f3 100644 --- a/gen/pb-rust/schemas/PublicKeyIdentities.schema.json +++ b/gen/pb-rust/schemas/PublicKeyIdentities.schema.json 
@@ -31,15 +31,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/pb-rust/schemas/TransparencyLogInstance.schema.json b/gen/pb-rust/schemas/TransparencyLogInstance.schema.json index 2e46024f..d53179ea 100644 --- a/gen/pb-rust/schemas/TransparencyLogInstance.schema.json +++ b/gen/pb-rust/schemas/TransparencyLogInstance.schema.json @@ -66,15 +66,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/pb-rust/schemas/TrustedRoot.schema.json b/gen/pb-rust/schemas/TrustedRoot.schema.json index 44719ae3..13dd6e4b 100644 --- a/gen/pb-rust/schemas/TrustedRoot.schema.json +++ b/gen/pb-rust/schemas/TrustedRoot.schema.json 
@@ -88,15 +88,20 @@ "PKCS1_RSA_PSS", "PKIX_RSA_PKCS1V5", "PKIX_RSA_PSS", - "PKIX_RSA_PKCS1_2048_SHA256", - "PKIX_RSA_PKCS1_3072_SHA256", - "PKIX_RSA_PKCS1_4096_SHA256", + "PKIX_RSA_PKCS1V15_2048_SHA256", + "PKIX_RSA_PKCS1V15_3072_SHA256", + "PKIX_RSA_PKCS1V15_4096_SHA256", + "PKIX_RSA_PSS_2048_SHA256", + "PKIX_RSA_PSS_3072_SHA256", + "PKIX_RSA_PSS_4096_SHA256", "PKIX_ECDSA_P256_HMAC_SHA_256", "PKIX_ECDSA_P256_SHA_256", "PKIX_ECDSA_P384_SHA_384", "PKIX_ECDSA_P521_SHA_512", "PKIX_ED25519", - "PKIX_ED25519_PH" + "PKIX_ED25519_PH", + "EXPERIMENTAL_LMS_SHA256", + "EXPERIMENTAL_LMOTS_SHA256" ], "type": "string", "title": "Public Key Details", diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts index 7c7d393e..5a199582 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_common.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts @@ -99,9 +99,14 @@ export enum PublicKeyDetails { PKIX_RSA_PKCS1V5 = 3, /** @deprecated */ PKIX_RSA_PSS = 4, - PKIX_RSA_PKCS1_2048_SHA256 = 9, - PKIX_RSA_PKCS1_3072_SHA256 = 10, - PKIX_RSA_PKCS1_4096_SHA256 = 11, + /** PKIX_RSA_PKCS1V15_2048_SHA256 - RSA public key in PKIX format, PKCS#1v1.5 signature */ + PKIX_RSA_PKCS1V15_2048_SHA256 = 9, + PKIX_RSA_PKCS1V15_3072_SHA256 = 10, + PKIX_RSA_PKCS1V15_4096_SHA256 = 11, + /** PKIX_RSA_PSS_2048_SHA256 - RSA public key in PKIX format, RSASSA-PSS signature */ + PKIX_RSA_PSS_2048_SHA256 = 16, + PKIX_RSA_PSS_3072_SHA256 = 17, + PKIX_RSA_PSS_4096_SHA256 = 18, /** * PKIX_ECDSA_P256_HMAC_SHA_256 - ECDSA * @@ -115,6 +120,9 @@ export enum PublicKeyDetails { /** PKIX_ED25519 - Ed 25519 */ PKIX_ED25519 = 7, PKIX_ED25519_PH = 8, + /** EXPERIMENTAL_LMS_SHA256 - *EXPERIMENTAL**: LMS and LM-OTS variants. */ + EXPERIMENTAL_LMS_SHA256 = 14, + EXPERIMENTAL_LMOTS_SHA256 = 15, } export function publicKeyDetailsFromJSON(object: any): PublicKeyDetails { 
@@ -135,14 +143,23 @@ export function publicKeyDetailsFromJSON(object: any): PublicKeyDetails { case "PKIX_RSA_PSS": return PublicKeyDetails.PKIX_RSA_PSS; case 9: - case "PKIX_RSA_PKCS1_2048_SHA256": - return PublicKeyDetails.PKIX_RSA_PKCS1_2048_SHA256; + case "PKIX_RSA_PKCS1V15_2048_SHA256": + return PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256; case 10: - case "PKIX_RSA_PKCS1_3072_SHA256": - return PublicKeyDetails.PKIX_RSA_PKCS1_3072_SHA256; + case "PKIX_RSA_PKCS1V15_3072_SHA256": + return PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256; case 11: - case "PKIX_RSA_PKCS1_4096_SHA256": - return PublicKeyDetails.PKIX_RSA_PKCS1_4096_SHA256; + case "PKIX_RSA_PKCS1V15_4096_SHA256": + return PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256; + case 16: + case "PKIX_RSA_PSS_2048_SHA256": + return PublicKeyDetails.PKIX_RSA_PSS_2048_SHA256; + case 17: + case "PKIX_RSA_PSS_3072_SHA256": + return PublicKeyDetails.PKIX_RSA_PSS_3072_SHA256; + case 18: + case "PKIX_RSA_PSS_4096_SHA256": + return PublicKeyDetails.PKIX_RSA_PSS_4096_SHA256; case 6: case "PKIX_ECDSA_P256_HMAC_SHA_256": return PublicKeyDetails.PKIX_ECDSA_P256_HMAC_SHA_256; @@ -161,6 +178,12 @@ export function publicKeyDetailsFromJSON(object: any): PublicKeyDetails { case 8: case "PKIX_ED25519_PH": return PublicKeyDetails.PKIX_ED25519_PH; + case 14: + case "EXPERIMENTAL_LMS_SHA256": + return PublicKeyDetails.EXPERIMENTAL_LMS_SHA256; + case 15: + case "EXPERIMENTAL_LMOTS_SHA256": + return PublicKeyDetails.EXPERIMENTAL_LMOTS_SHA256; default: throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum PublicKeyDetails"); } 
@@ -178,12 +201,18 @@ export function publicKeyDetailsToJSON(object: PublicKeyDetails): string { return "PKIX_RSA_PKCS1V5"; case PublicKeyDetails.PKIX_RSA_PSS: return "PKIX_RSA_PSS"; - case PublicKeyDetails.PKIX_RSA_PKCS1_2048_SHA256: - return "PKIX_RSA_PKCS1_2048_SHA256"; - case PublicKeyDetails.PKIX_RSA_PKCS1_3072_SHA256: - return "PKIX_RSA_PKCS1_3072_SHA256"; - case PublicKeyDetails.PKIX_RSA_PKCS1_4096_SHA256: - return "PKIX_RSA_PKCS1_4096_SHA256"; + case PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256: + return "PKIX_RSA_PKCS1V15_2048_SHA256"; + case PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256: + return "PKIX_RSA_PKCS1V15_3072_SHA256"; + case PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256: + return "PKIX_RSA_PKCS1V15_4096_SHA256"; + case PublicKeyDetails.PKIX_RSA_PSS_2048_SHA256: + return "PKIX_RSA_PSS_2048_SHA256"; + case PublicKeyDetails.PKIX_RSA_PSS_3072_SHA256: + return "PKIX_RSA_PSS_3072_SHA256"; + case PublicKeyDetails.PKIX_RSA_PSS_4096_SHA256: + return "PKIX_RSA_PSS_4096_SHA256"; case PublicKeyDetails.PKIX_ECDSA_P256_HMAC_SHA_256: return "PKIX_ECDSA_P256_HMAC_SHA_256"; case PublicKeyDetails.PKIX_ECDSA_P256_SHA_256: @@ -196,6 +225,10 @@ export function publicKeyDetailsToJSON(object: PublicKeyDetails): string { return "PKIX_ED25519"; case PublicKeyDetails.PKIX_ED25519_PH: return "PKIX_ED25519_PH"; + case PublicKeyDetails.EXPERIMENTAL_LMS_SHA256: + return "EXPERIMENTAL_LMS_SHA256"; + case PublicKeyDetails.EXPERIMENTAL_LMOTS_SHA256: + return "EXPERIMENTAL_LMOTS_SHA256"; default: throw new tsProtoGlobalThis.Error("Unrecognized enum value " + object + " for enum PublicKeyDetails"); } diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto index 1370bd6b..13a87ab5 100644 --- a/protos/sigstore_common.proto +++ b/protos/sigstore_common.proto 
@@ -66,9 +66,14 @@ enum PublicKeyDetails { PKCS1_RSA_PSS = 2 [deprecated = true]; // See RFC8017 PKIX_RSA_PKCS1V5 = 3 [deprecated = true]; PKIX_RSA_PSS = 4 [deprecated = true]; - PKIX_RSA_PKCS1_2048_SHA256 = 9; - PKIX_RSA_PKCS1_3072_SHA256 = 10; - PKIX_RSA_PKCS1_4096_SHA256 = 11; + // RSA public key in PKIX format, PKCS#1v1.5 signature + PKIX_RSA_PKCS1V15_2048_SHA256 = 9; + PKIX_RSA_PKCS1V15_3072_SHA256 = 10; + PKIX_RSA_PKCS1V15_4096_SHA256 = 11; + // RSA public key in PKIX format, RSASSA-PSS signature + PKIX_RSA_PSS_2048_SHA256 = 16; // See RFC4055 + PKIX_RSA_PSS_3072_SHA256 = 17; + PKIX_RSA_PSS_4096_SHA256 = 18; // ECDSA PKIX_ECDSA_P256_HMAC_SHA_256 = 6 [deprecated = true]; // See RFC6979 @@ -79,6 +84,13 @@ enum PublicKeyDetails { // Ed 25519 PKIX_ED25519 = 7; // See RFC8032 PKIX_ED25519_PH = 8; + + // **EXPERIMENTAL**: LMS and LM-OTS variants. + EXPERIMENTAL_LMS_SHA256 = 14; + EXPERIMENTAL_LMOTS_SHA256 = 15; + + // Reserved for future additions of public key/signature algorithm types. + reserved 19 to 50; } // HashOutput captures a digest of a 'message' (generic octet sequence)
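Review bot: The three new `PKIX_RSA_PSS_*_SHA256` values (16–18) do not pin the PSS parameters. The only guidance is `// See RFC4055`, so two verifiers can legitimately disagree on the MGF1 hash, the salt length and which SubjectPublicKeyInfo algorithm OID is accepted. I would spell this out on the group comment, for example `// RSASSA-PSS, SHA-256 digest, MGF1 with <hash>, salt length <n> bytes, SPKI OID <rsaEncryption | id-RSASSA-PSS>`, with the placeholders filled in by whatever the registry intends. Separately, renaming values 9–11 keeps the wire numbers but changes the JSON names, and the generated `publicKeyDetailsFromJSON` in this same patch throws on an unrecognised name. If any JSON-encoded message already carries the old names, consider keeping them as aliases (`option allow_alias = true;` plus `PKIX_RSA_PKCS1_2048_SHA256 = 9 [deprecated = true];`) or calling out the break in the changelog. The enum body starts above this hunk, so an existing `allow_alias` option would not be visible here.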
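Review bot: The comment on the new LMS/LM-OTS values says only `**EXPERIMENTAL**`, so the constraints this patch documents in `docs/algorithm-registry.md` never reach users of the generated bindings. Those constraints are that LMS is stateful, that LM-OTS is one-time use, and that the signer-selected parameters travel in the public key. I would extend it to something like `// EXPERIMENTAL: LMS is stateful and LM-OTS keys are single-use (RFC 8554); parameter sets are encoded in the public key, so verifiers should decide which ones they accept.` The comment also attaches only to `EXPERIMENTAL_LMS_SHA256`, so `EXPERIMENTAL_LMOTS_SHA256` should carry its own line. Dropping the markdown bold would help too, since the generated TypeScript doc comment in this patch renders it as `*EXPERIMENTAL**`.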