...

Package dsse

import "github.com/secure-systems-lab/go-securesystemslib/dsse"
Overview

Package dsse implements the Dead Simple Signing Envelope (DSSE) https://github.com/secure-systems-lab/dsse

Variables

ErrNoSignature indicates that an envelope did not contain any signatures.

var ErrNoSignature = errors.New("no signature found")

ErrNoSigners indicates that no signer was provided.

var ErrNoSigners = errors.New("no signers provided")

func PAE

func PAE(payloadType string, payload []byte) []byte

PAE implements the DSSE Pre-Authentication Encoding (PAE): https://github.com/secure-systems-lab/dsse/blob/master/protocol.md#signature-definition

func SHA256KeyID

func SHA256KeyID(pub crypto.PublicKey) (string, error)

type AcceptedKey

type AcceptedKey struct {
    Public crypto.PublicKey
    KeyID  string
    Sig    Signature
}

type Envelope

Envelope captures an envelope as described by the DSSE specification. See here: https://github.com/secure-systems-lab/dsse/blob/master/envelope.md

type Envelope struct {
    PayloadType string      `json:"payloadType"`
    Payload     string      `json:"payload"`
    Signatures  []Signature `json:"signatures"`
}

func (*Envelope) DecodeB64Payload

func (e *Envelope) DecodeB64Payload() ([]byte, error)

DecodeB64Payload returns the serialized body, decoded from the envelope's payload field. A flexible decoder is used, first trying standard base64, then URL-encoded base64.

type EnvelopeSigner

EnvelopeSigner creates signed Envelopes.

type EnvelopeSigner struct {
    // contains filtered or unexported fields
}

func NewEnvelopeSigner

func NewEnvelopeSigner(p ...Signer) (*EnvelopeSigner, error)

NewEnvelopeSigner creates an EnvelopeSigner that uses 1+ Signer algorithms to sign the data.

func NewMultiEnvelopeSigner

func NewMultiEnvelopeSigner(threshold int, p ...Signer) (*EnvelopeSigner, error)

NewMultiEnvelopeSigner creates an EnvelopeSigner that uses 1+ Signer algorithms to sign the data. The threshold parameter is legacy and is ignored.

Deprecated: This function simply calls NewEnvelopeSigner, and that function should be preferred.

func (*EnvelopeSigner) SignPayload

func (es *EnvelopeSigner) SignPayload(ctx context.Context, payloadType string, body []byte) (*Envelope, error)

SignPayload signs a payload and payload type according to DSSE. The returned envelope is as defined here: https://github.com/secure-systems-lab/dsse/blob/master/envelope.md One signature is added for each Signer in the EnvelopeSigner.

type EnvelopeVerifier

type EnvelopeVerifier struct {
    // contains filtered or unexported fields
}

func NewEnvelopeVerifier

func NewEnvelopeVerifier(v ...Verifier) (*EnvelopeVerifier, error)

func NewMultiEnvelopeVerifier

func NewMultiEnvelopeVerifier(threshold int, p ...Verifier) (*EnvelopeVerifier, error)

func (*EnvelopeVerifier) Verify

func (ev *EnvelopeVerifier) Verify(ctx context.Context, e *Envelope) ([]AcceptedKey, error)

type SignVerifier

Deprecated: switch to renamed SignerVerifier. This is currently aliased for backwards compatibility.

type SignVerifier = SignerVerifier

type Signature

Signature represents a generic in-toto signature that contains the identifier of the key which was used to create the signature. The signature scheme used has to be agreed upon by the signer and verifier out of band. The signature is a base64 encoding of the raw bytes from the signature algorithm.

type Signature struct {
    KeyID string `json:"keyid"`
    Sig   string `json:"sig"`
}

type Signer

Signer defines the interface for an abstract signing algorithm. The Signer interface is used to inject signature algorithm implementations into the EnvelopeSigner. This decoupling allows any signing algorithm and key management system to be used. The full message is provided as the parameter. If the signature algorithm depends on hashing of the message prior to signature calculation, the implementor of this interface must perform such hashing. The function must return raw bytes representing the calculated signature using the current algorithm, and the key used (if applicable).

type Signer interface {
    Sign(ctx context.Context, data []byte) ([]byte, error)
    KeyID() (string, error)
}

type SignerVerifier

SignerVerifier provides both the signing and verification interface.

type SignerVerifier interface {
    Signer
    Verifier
}

type Verifier

Verifier verifies a complete message against a signature and key. If the message was hashed prior to signature generation, the verifier must perform the same steps. If KeyID returns successfully, only signatures whose key ID matches it will be verified.

type Verifier interface {
    Verify(ctx context.Context, data, sig []byte) error
    KeyID() (string, error)
    Public() crypto.PublicKey
}
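Putting the pieces above together, here is an added end-to-end example, written for this page and not code from go-securesystemslib, using only the Go standard library. It re-implements PAE from the DSSE protocol, an ed25519 SignerVerifier that satisfies the Signer and Verifier contracts shown above (Verifier.Public is left out, since nothing here needs it), and minimal SignPayload/Verify functions that follow the documented behaviour: one signature per signer over the PAE, the PAE rebuilt at verification time from the envelope's own payloadType and payload, an error for an envelope without signatures, and the key-ID rule from Verifier (a verifier that reports a key ID is only tried against signatures carrying that ID or none). The key-ID scheme (hex SHA-256 of the raw public key), the names ed25519SV and newEd25519SV, the sample payload, and decoding the payload as standard base64 only are assumptions of this example, not the package's behaviour.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
)

// Envelope and Signature copy the page's structs (JSON tags dropped); Signer and
// Verifier copy the page's interfaces except that Verifier.Public is omitted.
type (
	Envelope struct {
		PayloadType, Payload string
		Signatures           []Signature
	}
	Signature struct{ KeyID, Sig string }
	Signer    interface {
		Sign(ctx context.Context, data []byte) ([]byte, error)
		KeyID() (string, error)
	}
	Verifier interface {
		Verify(ctx context.Context, data, sig []byte) error
		KeyID() (string, error)
	}
)

// PAE re-implements DSSE v1 Pre-Authentication Encoding: "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body.
// The decimal byte lengths fix the type/body boundary, so bytes cannot be shifted between the two fields.
func PAE(payloadType string, payload []byte) []byte {
	prefix := "DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType + " " + strconv.Itoa(len(payload)) + " "
	return append([]byte(prefix), payload...)
}

// ed25519SV is an assumed SignerVerifier, not the package's. Ed25519 hashes internally,
// so the whole PAE string is handed straight to Sign/Verify, as the contracts require.
type ed25519SV struct{ priv ed25519.PrivateKey }

// newEd25519SV generates a fresh key; nothing is persisted, so every run has a new key ID.
func newEd25519SV() (*ed25519SV, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &ed25519SV{priv: priv}, err
}

func (s *ed25519SV) pub() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

func (s *ed25519SV) Sign(_ context.Context, data []byte) ([]byte, error) { return ed25519.Sign(s.priv, data), nil }

func (s *ed25519SV) Verify(_ context.Context, data, sig []byte) error {
	if !ed25519.Verify(s.pub(), data, sig) {
		return errors.New("ed25519: signature does not verify")
	}
	return nil
}

// KeyID uses an assumed scheme (hex SHA-256 of the raw 32-byte public key); do not expect it to equal SHA256KeyID.
func (s *ed25519SV) KeyID() (string, error) { return fmt.Sprintf("%x", sha256.Sum256(s.pub())), nil }

// SignPayload adds one signature per signer, each computed over the PAE rather than over the raw body.
func SignPayload(ctx context.Context, payloadType string, body []byte, signers ...Signer) (*Envelope, error) {
	pae := PAE(payloadType, body)
	env := &Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body)}
	for _, s := range signers {
		kid, err := s.KeyID()
		if err != nil {
			return nil, err
		}
		sig, err := s.Sign(ctx, pae)
		if err != nil {
			return nil, err
		}
		env.Signatures = append(env.Signatures, Signature{KeyID: kid, Sig: base64.StdEncoding.EncodeToString(sig)})
	}
	return env, nil
}

// Verify rebuilds the PAE from the envelope's own payloadType and decoded payload, lets a verifier that
// reports a key ID try only signatures carrying that ID (or none), and returns the key IDs that accepted.
func Verify(ctx context.Context, e *Envelope, verifiers ...Verifier) (accepted []string, err error) {
	if len(e.Signatures) == 0 {
		return nil, errors.New("no signature found")
	}
	body, err := base64.StdEncoding.DecodeString(e.Payload)
	if err != nil {
		return nil, err
	}
	pae := PAE(e.PayloadType, body)
	for _, v := range verifiers {
		vkid, kidErr := v.KeyID()
		for _, s := range e.Signatures {
			raw, decErr := base64.StdEncoding.DecodeString(s.Sig)
			if (kidErr == nil && s.KeyID != "" && s.KeyID != vkid) || decErr != nil || v.Verify(ctx, pae, raw) != nil {
				continue
			}
			accepted = append(accepted, vkid)
			break
		}
	}
	if len(accepted) == 0 {
		return nil, errors.New("no signature verified under any provided key")
	}
	return accepted, nil
}

func main() {
	sv, err := newEd25519SV()
	if err != nil {
		panic(err)
	}
	ctx := context.Background()
	env, _ := SignPayload(ctx, "application/vnd.in-toto+json", []byte(`{"_type":"example"}`), sv) // constructed body
	fmt.Println(Verify(ctx, env, sv))
	env.PayloadType = "text/plain" // only the type changed, but the PAE changed with it, so the signature fails
	fmt.Println(Verify(ctx, env, sv))
}
```

The tamper step at the end is the point of PAE: the payload bytes are untouched and only payloadType changes, yet the signature no longer verifies, because the type is bound into the signed string with its byte length. That is what stops a signed blob from being re-interpreted under a different payload type, and it only holds if the verifier recomputes the PAE itself from the envelope instead of accepting a caller-supplied one.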