Coverage for /pythoncovmergedfiles/medio/medio/usr/local/lib/python3.11/site-packages/sigstore_protobuf_specs/dev/sigstore/rekor/v1/__init__.py: 96%

Shortcuts on this page

r m x   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

51 statements  

1# Generated by the protocol buffer compiler. DO NOT EDIT! 

2# sources: sigstore_rekor.proto 

3# plugin: python-betterproto 

4# This file has been @generated 

5 

6from typing import TYPE_CHECKING 

7 

8 

9if TYPE_CHECKING: 

10 from dataclasses import dataclass 

11else: 

12 from pydantic.dataclasses import dataclass 

13 

14from typing import List 

15 

16import betterproto 

17from pydantic.dataclasses import rebuild_dataclass 

18 

19from ...common import v1 as __common_v1__ 

20 

21 

22@dataclass(eq=False, repr=False) 

23class KindVersion(betterproto.Message): 

24 """KindVersion contains the entry's kind and api version.""" 

25 

26 kind: str = betterproto.string_field(1) 

27 """ 

28 Kind is the type of entry being stored in the log. 

29 See here for a list: https://github.com/sigstore/rekor/tree/main/pkg/types 

30 """ 

31 

32 version: str = betterproto.string_field(2) 

33 """The specific api version of the type.""" 

34 

35 

36@dataclass(eq=False, repr=False) 

37class Checkpoint(betterproto.Message): 

38 """ 

39 The checkpoint MUST contain an origin string as a unique log identifier, 

40 the tree size, and the root hash. It MAY also be followed by optional data, 

41 and clients MUST NOT assume optional data. The checkpoint MUST also contain 

42 a signature over the root hash (tree head). The checkpoint MAY contain additional 

43 signatures, but the first SHOULD be the signature from the log. Checkpoint contents 

44 are concatenated with newlines into a single string. 

45 The checkpoint format is described in 

46 https://github.com/transparency-dev/formats/blob/main/log/README.md 

47 and https://github.com/C2SP/C2SP/blob/main/tlog-checkpoint.md. 

48 An example implementation can be found in https://github.com/sigstore/rekor/blob/main/pkg/util/signed_note.go 

49 """ 

50 

51 envelope: str = betterproto.string_field(1) 

52 

53 

54@dataclass(eq=False, repr=False) 

55class InclusionProof(betterproto.Message): 

56 """ 

57 InclusionProof is the proof returned from the transparency log. Can 

58 be used for offline or online verification against the log. 

59 """ 

60 

61 log_index: int = betterproto.int64_field(1) 

62 """The index of the entry in the tree it was written to.""" 

63 

64 root_hash: bytes = betterproto.bytes_field(2) 

65 """ 

66 The hash digest stored at the root of the merkle tree at the time 

67 the proof was generated. 

68 """ 

69 

70 tree_size: int = betterproto.int64_field(3) 

71 """The size of the merkle tree at the time the proof was generated.""" 

72 

73 hashes: List[bytes] = betterproto.bytes_field(4) 

74 """ 

75 A list of hashes required to compute the inclusion proof, sorted 

76 in order from leaf to root. 

77 Note that leaf and root hashes are not included. 

78 The root hash is available separately in this message, and the 

79 leaf hash should be calculated by the client. 

80 """ 

81 

82 checkpoint: "Checkpoint" = betterproto.message_field(5) 

83 """ 

84 Signature of the tree head, as of the time of this proof was 

85 generated. See above info on 'Checkpoint' for more details. 

86 """ 

87 

88 

89@dataclass(eq=False, repr=False) 

90class InclusionPromise(betterproto.Message): 

91 """ 

92 The inclusion promise is calculated by Rekor. It's calculated as a 

93 signature over a canonical JSON serialization of the persisted entry, the 

94 log ID, log index and the integration timestamp. 

95 See https://github.com/sigstore/rekor/blob/a6e58f72b6b18cc06cefe61808efd562b9726330/pkg/api/entries.go#L54 

96 The format of the signature depends on the transparency log's public key. 

97 If the signature algorithm requires a hash function and/or a signature 

98 scheme (e.g. RSA) those has to be retrieved out-of-band from the log's 

99 operators, together with the public key. 

100 This is used to verify the integration timestamp's value and that the log 

101 has promised to include the entry. 

102 """ 

103 

104 signed_entry_timestamp: bytes = betterproto.bytes_field(1) 

105 

106 

107@dataclass(eq=False, repr=False) 

108class TransparencyLogEntry(betterproto.Message): 

109 """ 

110 TransparencyLogEntry captures all the details required from Rekor to 

111 reconstruct an entry, given that the payload is provided via other means. 

112 This type can easily be created from the existing response from Rekor. 

113 Future iterations could rely on Rekor returning the minimal set of 

114 attributes (excluding the payload) that are required for verifying the 

115 inclusion promise. The inclusion promise (called SignedEntryTimestamp in 

116 the response from Rekor) is similar to a Signed Certificate Timestamp 

117 as described here https://www.rfc-editor.org/rfc/rfc6962.html#section-3.2. 

118 """ 

119 

120 log_index: int = betterproto.int64_field(1) 

121 """The global index of the entry, used when querying the log by index.""" 

122 

123 log_id: "__common_v1__.LogId" = betterproto.message_field(2) 

124 """The unique identifier of the log.""" 

125 

126 kind_version: "KindVersion" = betterproto.message_field(3) 

127 """ 

128 The kind (type) and version of the object associated with this 

129 entry. These values are required to construct the entry during 

130 verification. 

131 """ 

132 

133 integrated_time: int = betterproto.int64_field(4) 

134 """ 

135 The UNIX timestamp from the log when the entry was persisted. 

136 The integration time MUST NOT be trusted if inclusion_promise 

137 is omitted. 

138 """ 

139 

140 inclusion_promise: "InclusionPromise" = betterproto.message_field(5) 

141 """ 

142 The inclusion promise/signed entry timestamp from the log. 

143 Required for v0.1 bundles, and MUST be verified. 

144 Optional for >= v0.2 bundles if another suitable source of 

145 time is present (such as another source of signed time, 

146 or the current system time for long-lived certificates). 

147 MUST be verified if no other suitable source of time is present, 

148 and SHOULD be verified otherwise. 

149 """ 

150 

151 inclusion_proof: "InclusionProof" = betterproto.message_field(6) 

152 """ 

153 The inclusion proof can be used for offline or online verification 

154 that the entry was appended to the log, and that the log has not been 

155 altered. 

156 """ 

157 

158 canonicalized_body: bytes = betterproto.bytes_field(7) 

159 """ 

160 Optional. The canonicalized transparency log entry, used to 

161 reconstruct the Signed Entry Timestamp (SET) during verification. 

162 The contents of this field are the same as the `body` field in 

163 a Rekor response, meaning that it does **not** include the "full" 

164 canonicalized form (of log index, ID, etc.) which are 

165 exposed as separate fields. The verifier is responsible for 

166 combining the `canonicalized_body`, `log_index`, `log_id`, 

167 and `integrated_time` into the payload that the SET's signature 

168 is generated over. 

169 This field is intended to be used in cases where the SET cannot be 

170 produced determinisitically (e.g. inconsistent JSON field ordering, 

171 differing whitespace, etc). 

172  

173 If set, clients MUST verify that the signature referenced in the 

174 `canonicalized_body` matches the signature provided in the 

175 `Bundle.content`. 

176 If not set, clients are responsible for constructing an equivalent 

177 payload from other sources to verify the signature. 

178 """ 

179 

180 

181rebuild_dataclass(InclusionProof) # type: ignore 

182rebuild_dataclass(TransparencyLogEntry) # type: ignore