Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py: 99%

Shortcuts on this page

r m x   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

105 statements  

1# Generated by the protocol buffer compiler. DO NOT EDIT! 

2# sources: sigstore_common.proto 

3# plugin: python-betterproto 

4# This file has been @generated 

5 

6from dataclasses import dataclass 

7from datetime import datetime 

8from typing import ( 

9 List, 

10 Optional, 

11) 

12 

13import betterproto 

14 

15 

16class HashAlgorithm(betterproto.Enum): 

17 """ 

18 Only a subset of the secure hash standard algorithms are supported. See 

19 <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf> for more 

20 details. UNSPECIFIED SHOULD not be used, primary reason for inclusion is to 

21 force any proto JSON serialization to emit the used hash algorithm, as 

22 default option is to *omit* the default value of an enum (which is the 

23 first value, represented by '0'. 

24 """ 

25 

26 HASH_ALGORITHM_UNSPECIFIED = 0 

27 SHA2_256 = 1 

28 SHA2_384 = 2 

29 SHA2_512 = 3 

30 SHA3_256 = 4 

31 SHA3_384 = 5 

32 

33 

34class PublicKeyDetails(betterproto.Enum): 

35 """ 

36 Details of a specific public key, capturing the the key encoding method, 

37 and signature algorithm. PublicKeyDetails captures the public key/hash 

38 algorithm combinations recommended in the Sigstore ecosystem. This is 

39 modelled as a linear set as we want to provide a small number of 

40 opinionated options instead of allowing every possible permutation. Any 

41 changes to this enum MUST be reflected in the algorithm registry. See: 

42 docs/algorithm-registry.md To avoid the possibility of contradicting 

43 formats such as PKCS1 with ED25519 the valid permutations are listed as a 

44 linear set instead of a cartesian set (i.e one combined variable instead of 

45 two, one for encoding and one for the signature algorithm). 

46 """ 

47 

48 PUBLIC_KEY_DETAILS_UNSPECIFIED = 0 

49 PKCS1_RSA_PKCS1V5 = 1 

50 """RSA""" 

51 

52 PKCS1_RSA_PSS = 2 

53 PKIX_RSA_PKCS1V5 = 3 

54 PKIX_RSA_PSS = 4 

55 PKIX_RSA_PKCS1V15_2048_SHA256 = 9 

56 """RSA public key in PKIX format, PKCS#1v1.5 signature""" 

57 

58 PKIX_RSA_PKCS1V15_3072_SHA256 = 10 

59 PKIX_RSA_PKCS1V15_4096_SHA256 = 11 

60 PKIX_RSA_PSS_2048_SHA256 = 16 

61 """RSA public key in PKIX format, RSASSA-PSS signature""" 

62 

63 PKIX_RSA_PSS_3072_SHA256 = 17 

64 PKIX_RSA_PSS_4096_SHA256 = 18 

65 PKIX_ECDSA_P256_HMAC_SHA_256 = 6 

66 """ECDSA""" 

67 

68 PKIX_ECDSA_P256_SHA_256 = 5 

69 PKIX_ECDSA_P384_SHA_384 = 12 

70 PKIX_ECDSA_P521_SHA_512 = 13 

71 PKIX_ED25519 = 7 

72 """Ed 25519""" 

73 

74 PKIX_ED25519_PH = 8 

75 LMS_SHA256 = 14 

76 """ 

77 LMS and LM-OTS These keys and signatures may be used by private Sigstore 

78 deployments, but are not currently supported by the public good instance. 

79 USER WARNING: LMS and LM-OTS are both stateful signature schemes. Using 

80 them correctly requires discretion and careful consideration to ensure that 

81 individual secret keys are not used more than once. In addition, LM-OTS is 

82 a single-use scheme, meaning that it MUST NOT be used for more than one 

83 signature per LM-OTS key. If you cannot maintain these invariants, you MUST 

84 NOT use these schemes. 

85 """ 

86 

87 LMOTS_SHA256 = 15 

88 

89 

90class SubjectAlternativeNameType(betterproto.Enum): 

91 SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED = 0 

92 EMAIL = 1 

93 URI = 2 

94 OTHER_NAME = 3 

95 """ 

96 OID 1.3.6.1.4.1.57264.1.7 See 

97 https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417 

98 --othername-san for more details. 

99 """ 

100 

101 

102@dataclass(eq=False, repr=False) 

103class HashOutput(betterproto.Message): 

104 """ 

105 HashOutput captures a digest of a 'message' (generic octet sequence) and 

106 the corresponding hash algorithm used. 

107 """ 

108 

109 algorithm: "HashAlgorithm" = betterproto.enum_field(1) 

110 digest: bytes = betterproto.bytes_field(2) 

111 """ 

112 This is the raw octets of the message digest as computed by the hash 

113 algorithm. 

114 """ 

115 

116 

117@dataclass(eq=False, repr=False) 

118class MessageSignature(betterproto.Message): 

119 """MessageSignature stores the computed signature over a message.""" 

120 

121 message_digest: "HashOutput" = betterproto.message_field(1) 

122 """ 

123 Message digest can be used to identify the artifact. Clients MUST NOT 

124 attempt to use this digest to verify the associated signature; it is 

125 intended solely for identification. 

126 """ 

127 

128 signature: bytes = betterproto.bytes_field(2) 

129 """ 

130 The raw bytes as returned from the signature algorithm. The signature 

131 algorithm (and so the format of the signature bytes) are determined by the 

132 contents of the 'verification_material', either a key-pair or a 

133 certificate. If using a certificate, the certificate contains the required 

134 information on the signature algorithm. When using a key pair, the 

135 algorithm MUST be part of the public key, which MUST be communicated out- 

136 of-band. 

137 """ 

138 

139 

140@dataclass(eq=False, repr=False) 

141class LogId(betterproto.Message): 

142 """LogId captures the identity of a transparency log.""" 

143 

144 key_id: bytes = betterproto.bytes_field(1) 

145 """The unique identity of the log, represented by its public key.""" 

146 

147 

148@dataclass(eq=False, repr=False) 

149class Rfc3161SignedTimestamp(betterproto.Message): 

150 """This message holds a RFC 3161 timestamp.""" 

151 

152 signed_timestamp: bytes = betterproto.bytes_field(1) 

153 """ 

154 Signed timestamp is the DER encoded TimeStampResponse. See https://www.rfc- 

155 editor.org/rfc/rfc3161.html#section-2.4.2 

156 """ 

157 

158 

159@dataclass(eq=False, repr=False) 

160class PublicKey(betterproto.Message): 

161 raw_bytes: Optional[bytes] = betterproto.bytes_field( 

162 1, optional=True, group="_raw_bytes" 

163 ) 

164 """ 

165 DER-encoded public key, encoding method is specified by the key_details 

166 attribute. 

167 """ 

168 

169 key_details: "PublicKeyDetails" = betterproto.enum_field(2) 

170 """Key encoding and signature algorithm to use for this key.""" 

171 

172 valid_for: Optional["TimeRange"] = betterproto.message_field( 

173 3, optional=True, group="_valid_for" 

174 ) 

175 """Optional validity period for this key, *inclusive* of the endpoints.""" 

176 

177 

178@dataclass(eq=False, repr=False) 

179class PublicKeyIdentifier(betterproto.Message): 

180 """ 

181 PublicKeyIdentifier can be used to identify an (out of band) delivered key, 

182 to verify a signature. 

183 """ 

184 

185 hint: str = betterproto.string_field(1) 

186 """ 

187 Optional unauthenticated hint on which key to use. The format of the hint 

188 must be agreed upon out of band by the signer and the verifiers, and so is 

189 not subject to this specification. Example use-case is to specify the 

190 public key to use, from a trusted key-ring. Implementors are RECOMMENDED to 

191 derive the value from the public key as described in RFC 6962. See: 

192 <https://www.rfc-editor.org/rfc/rfc6962#section-3.2> 

193 """ 

194 

195 

196@dataclass(eq=False, repr=False) 

197class ObjectIdentifier(betterproto.Message): 

198 """An ASN.1 OBJECT IDENTIFIER""" 

199 

200 id: List[int] = betterproto.int32_field(1) 

201 

202 

203@dataclass(eq=False, repr=False) 

204class ObjectIdentifierValuePair(betterproto.Message): 

205 """An OID and the corresponding (byte) value.""" 

206 

207 oid: "ObjectIdentifier" = betterproto.message_field(1) 

208 value: bytes = betterproto.bytes_field(2) 

209 

210 

211@dataclass(eq=False, repr=False) 

212class DistinguishedName(betterproto.Message): 

213 organization: str = betterproto.string_field(1) 

214 common_name: str = betterproto.string_field(2) 

215 

216 

217@dataclass(eq=False, repr=False) 

218class X509Certificate(betterproto.Message): 

219 raw_bytes: bytes = betterproto.bytes_field(1) 

220 """DER-encoded X.509 certificate.""" 

221 

222 

223@dataclass(eq=False, repr=False) 

224class SubjectAlternativeName(betterproto.Message): 

225 type: "SubjectAlternativeNameType" = betterproto.enum_field(1) 

226 regexp: str = betterproto.string_field(2, group="identity") 

227 """A regular expression describing the expected value for the SAN.""" 

228 

229 value: str = betterproto.string_field(3, group="identity") 

230 """The exact value to match against.""" 

231 

232 

233@dataclass(eq=False, repr=False) 

234class X509CertificateChain(betterproto.Message): 

235 """ 

236 A collection of X.509 certificates. This "chain" can be used in multiple 

237 contexts, such as providing a root CA certificate within a TUF root of 

238 trust or multiple untrusted certificates for the purpose of chain building. 

239 """ 

240 

241 certificates: List["X509Certificate"] = betterproto.message_field(1) 

242 """ 

243 One or more DER-encoded certificates. In some contexts (such as 

244 `VerificationMaterial.x509_certificate_chain`), this sequence has an 

245 imposed order. Unless explicitly specified, there is otherwise no 

246 guaranteed order. 

247 """ 

248 

249 

250@dataclass(eq=False, repr=False) 

251class TimeRange(betterproto.Message): 

252 """ 

253 The time range is closed and includes both the start and end times, (i.e., 

254 [start, end]). End is optional to be able to capture a period that has 

255 started but has no known end. 

256 """ 

257 

258 start: datetime = betterproto.message_field(1) 

259 end: Optional[datetime] = betterproto.message_field(2, optional=True, group="_end")