Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py: 98%


57 statements  

1# Generated by the protocol buffer compiler. DO NOT EDIT! 

2# sources: sigstore_trustroot.proto 

3# plugin: python-betterproto 

4# This file has been @generated 

5 

6from dataclasses import dataclass 

7from typing import List 

8 

9import betterproto 

10 

11from ...common import v1 as __common_v1__ 

12 

13 

@dataclass(eq=False, repr=False)
class TransparencyLogInstance(betterproto.Message):
    """
    TransparencyLogInstance describes the immutable parameters from a
    transparency log. See
    https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more
    details. The included parameters are the minimal set required to identify
    a log, and verify an inclusion proof/promise.
    """

    # Generated declaration (see the file header: source is
    # sigstore_trustroot.proto). Wording fixes to the field descriptions below
    # belong in the .proto, not in this file.

    # NOTE(review): the generated description below is garbled; presumably it
    # means "the base URL which can be used to construct URLs for the client"
    # -- confirm against the .proto.
    base_url: str = betterproto.string_field(1)
    """The base URL at which can be used to URLs for the client."""

    hash_algorithm: "__common_v1__.HashAlgorithm" = betterproto.enum_field(2)
    """The hash algorithm used for the Merkle Tree."""

    public_key: "__common_v1__.PublicKey" = betterproto.message_field(3)
    """
    The public key used to verify signatures generated by the log. This
    attribute contains the signature algorithm used by the log.
    """

    # Per the description below, log_id is a function of public_key (SHA-256
    # over the DER SubjectPublicKeyInfo), so the two fields can be
    # cross-checked against each other.
    # NOTE(review): whether consumers recompute it or trust the stored value
    # is not visible in this file -- confirm in the verifier.
    # The URL in the description is wrapped mid-token by the generator; joined
    # it reads https://www.rfc-editor.org/rfc/rfc6962#section-3.2
    log_id: "__common_v1__.LogId" = betterproto.message_field(4)
    """
    The unique identifier for this transparency log. Represented as the SHA-256
    hash of the log's public key, calculated over the DER encoding of the key
    represented as SubjectPublicKeyInfo. See https://www.rfc-
    editor.org/rfc/rfc6962#section-3.2
    """

    # Same message type as log_id. Per the description, an unset value means
    # "use log_id" only for logs that generate checkpoints.
    # NOTE(review): at the suggested 4 bytes this is a truncated hash, so it
    # presumably selects a key rather than authenticating one; the signature
    # check against public_key should carry the trust decision -- confirm
    # against the signed-note spec linked below.
    checkpoint_key_id: "__common_v1__.LogId" = betterproto.message_field(5)
    """
    The checkpoint key identifier for the log used in a checkpoint. Optional,
    not provided for logs that do not generate checkpoints. For logs that do
    generate checkpoints, if not set, assume log_id equals checkpoint_key_id.
    Follows the specification described here for ECDSA and Ed25519 signatures:
    https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA
    signatures, the key ID will match the ECDSA format, the hashed DER-encoded
    SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed
    checkpoints, since witnesses do not support RSA signatures. This is
    provided for convenience. Clients can also calculate the checkpoint key ID
    given the log's public key. SHOULD be set for logs generating Ed25519
    signatures. SHOULD be 4 bytes long, as a truncated hash.
    """

57 

58 

@dataclass(eq=False, repr=False)
class CertificateAuthority(betterproto.Message):
    """
    CertificateAuthority lists the information required to identify which CA
    to use and perform signature verification.
    """

    # NOTE(review): this description says the root MUST be self-signed, while
    # the cert_chain description says the trust anchor MAY be an intermediate
    # CA certificate. Confirm against the .proto which statement clients
    # should rely on when the chain ends in an intermediate.
    subject: "__common_v1__.DistinguishedName" = betterproto.message_field(1)
    """
    The root certificate MUST be self-signed, and so the subject and issuer are
    the same.
    """

    # Plain string field: the description treats it as an identifier and a
    # RECOMMENDED base URL. No format check is visible in this class.
    uri: str = betterproto.string_field(2)
    """
    The URI identifies the certificate authority. It is RECOMMENDED that the
    URI is the base URL for the certificate authority, that can be provided to
    any SDK/client provided by the certificate authority to interact with the
    certificate authority.
    """

    # Ordering is part of the contract: the LAST certificate is the trust
    # anchor. Code that reads the chain must not assume the anchor is first.
    cert_chain: "__common_v1__.X509CertificateChain" = betterproto.message_field(3)
    """
    The certificate chain for this CA. The last certificate in the chain MUST
    be the trust anchor. The trust anchor MAY be a self-signed root CA
    certificate or MAY be an intermediate CA certificate.
    """

    # Two independent checks are required by the description: the timestamp
    # must fall inside valid_for AND inside every certificate's own validity.
    # valid_for may be narrower than the certificates, so the certificate
    # check alone is not sufficient; endpoints are inclusive.
    valid_for: "__common_v1__.TimeRange" = betterproto.message_field(4)
    """
    The time the *entire* chain was valid. This is at max the longest interval
    when *all* certificates in the chain were valid, but it MAY be shorter.
    Clients MUST check timestamps against *both* the `valid_for` time range
    *and* the entire certificate chain. The TimeRange should be considered
    valid *inclusive* of the endpoints.
    """

95 

96 

@dataclass(eq=False, repr=False)
class TrustedRoot(betterproto.Message):
    """
    TrustedRoot describes the client's complete set of trusted entities. How
    the TrustedRoot is populated is not specified, but can be a combination of
    many sources such as TUF repositories, files on disk etc. The TrustedRoot
    is not meant to be used for any artifact verification, only to capture the
    complete/global set of trusted verification materials. When verifying an
    artifact, based on the artifact and policies, a selection of
    keys/authorities are expected to be extracted and provided to the
    verification function. This way the set of keys/authorities can be kept to
    a minimal set by the policy to gain better control over which signatures
    are allowed. The embedded transparency logs, CT logs, CAs and TSAs
    MUST include any previously used instance -- otherwise signatures made in
    the past cannot be verified. All the listed instances SHOULD be sorted by
    the 'valid_for' in ascending order, that is, the oldest instance first.
    Only the last instance is allowed to have its 'end' timestamp unset. All
    previous instances MUST have a closed interval of validity. The last
    instance MAY have a closed interval. Clients MUST accept instances that
    overlap in time; if not, clients may experience problems during rotations
    of verification materials. To be able to manage planned rotations of either
    transparency logs or certificate authorities, clients MUST accept lists of
    instances where the last instance has a 'valid_for' that belongs to the
    future. This should not be a problem as clients SHOULD first search the
    trust root for a suitable instance before creating a per artifact trust
    root (that is, a sub-set of the complete trust root) that is used for
    verification.
    """

    # Two media type spellings are named in the description; a parser has to
    # accept both, so an exact-match check on only the first would reject
    # content the description says MUST be processed.
    media_type: str = betterproto.string_field(1)
    """
    MUST be application/vnd.dev.sigstore.trustedroot.v0.1+json when encoded as
    JSON. Clients MUST be able to process and parse content with the media type
    defined in the old format:
    application/vnd.dev.sigstore.trustedroot+json;version=0.1
    """

    # tlogs and ctlogs share the TransparencyLogInstance type, so the role of
    # an entry comes only from which list holds it.
    # NOTE(review): presumably consumers must not look up a Rekor key in
    # ctlogs or the reverse -- confirm in the verifier.
    tlogs: List["TransparencyLogInstance"] = betterproto.message_field(2)
    """A set of trusted Rekor servers."""

    # Each distinct chain is a separate entry; the same root may therefore
    # appear more than once (see description).
    certificate_authorities: List["CertificateAuthority"] = betterproto.message_field(3)
    """
    A set of trusted certificate authorities (e.g Fulcio), and any intermediate
    certificates they provide. If a CA is issuing multiple intermediate
    certificate, each combination shall be represented as separate chain. I.e,
    a single root cert may appear in multiple chains but with different
    intermediate and/or leaf certificates. The certificates are intended to be
    used for verifying artifact signatures.
    """

    ctlogs: List["TransparencyLogInstance"] = betterproto.message_field(4)
    """A set of trusted certificate transparency logs."""

    # Same message type as certificate_authorities; as with the log lists,
    # only the containing list tells a TSA apart from a signing CA.
    timestamp_authorities: List["CertificateAuthority"] = betterproto.message_field(5)
    """A set of trusted timestamping authorities."""

152 

153 

@dataclass(eq=False, repr=False)
class SigningConfig(betterproto.Message):
    """
    SigningConfig represents the trusted entities/state needed by Sigstore
    signing. In particular, it primarily contains service URLs that a Sigstore
    signer may need to connect to for the online aspects of signing.
    """

    # Every field here is a plain string (or list of strings). No scheme or
    # host validation is visible in this class.
    # NOTE(review): the signer will contact these endpoints, so presumably the
    # config must come from a trusted source -- confirm how it is loaded.

    # Base URL: the client appends the API path itself.
    ca_url: str = betterproto.string_field(1)
    """
    A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing
    Requests (CSRs) and responding with issued certificates. This URL **MUST**
    be the "base" URL for the CA, which clients should construct an appropriate
    CSR endpoint on top of. For example, if `ca_url` is
    `https://example.com/ca`, then the client **MAY** construct the CSR
    endpoint as `https://example.com/ca/api/v2/signingCert`.
    """

    # Base URL: used as the issuer for OpenID Connect discovery.
    oidc_url: str = betterproto.string_field(2)
    """
    A URL to an OpenID Connect identity provider. This URL **MUST** be the
    "base" URL for the OIDC IdP, which clients should perform well-known OpenID
    Connect discovery against.
    """

    # Base URLs, one per log.
    tlog_urls: List[str] = betterproto.string_field(3)
    """
    One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be
    the "base" URL for the transparency log, which clients should construct
    appropriate API endpoints on top of.
    """

    # Unlike the three fields above, these are FULL request URLs, not base
    # URLs: the client posts to them as given and must not append a path.
    # ("One ore more" in the description is a typo for "One or more" in the
    # generated text.)
    tsa_urls: List[str] = betterproto.string_field(4)
    """
    One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL
    **MUST** be the **full** URL for the TSA, meaning that it should be
    suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC
    3161.
    """

193 

194 

@dataclass(eq=False, repr=False)
class ClientTrustConfig(betterproto.Message):
    """
    ClientTrustConfig describes the complete state needed by a client to
    perform both signing and verification operations against a particular
    instance of Sigstore.
    """

    # The MUST requirements below are stated in the field descriptions only;
    # this class declares the fields and contains no check for them.
    # NOTE(review): presumably the media type and the presence of both
    # sub-messages are enforced by the consumer -- confirm.

    media_type: str = betterproto.string_field(1)
    """MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json"""

    # Verification material (logs, CAs, TSAs) for this Sigstore instance.
    trusted_root: "TrustedRoot" = betterproto.message_field(2)
    """The root of trust, which MUST be present."""

    # Service endpoints the signer connects to for this Sigstore instance.
    signing_config: "SigningConfig" = betterproto.message_field(3)
    """Configuration for signing clients, which MUST be present."""