Shortcuts on this page
r m x toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
1# Generated by the protocol buffer compiler. DO NOT EDIT!
2# sources: sigstore_common.proto
3# plugin: python-betterproto
4# This file has been @generated
6from typing import TYPE_CHECKING
9if TYPE_CHECKING:
10 from dataclasses import dataclass
11else:
12 from pydantic.dataclasses import dataclass
14from datetime import datetime
15from typing import (
16 List,
17 Optional,
18)
20import betterproto
21from pydantic import model_validator
22from pydantic.dataclasses import rebuild_dataclass
25class HashAlgorithm(betterproto.Enum):
26 """
27 Only a subset of the secure hash standard algorithms are supported.
28 See <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf> for more
29 details.
30 UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force
31 any proto JSON serialization to emit the used hash algorithm, as default
32 option is to *omit* the default value of an enum (which is the first
33 value, represented by '0'.
34 """
36 UNSPECIFIED = 0
37 SHA2_256 = 1
38 SHA2_384 = 2
39 SHA2_512 = 3
40 SHA3_256 = 4
41 SHA3_384 = 5
43 @classmethod
44 def __get_pydantic_core_schema__(cls, _source_type, _handler):
45 from pydantic_core import core_schema
47 return core_schema.int_schema(ge=0)
50class PublicKeyDetails(betterproto.Enum):
51 """
52 Details of a specific public key, capturing the the key encoding method,
53 and signature algorithm.
55 PublicKeyDetails captures the public key/hash algorithm combinations
56 recommended in the Sigstore ecosystem.
58 This is modelled as a linear set as we want to provide a small number of
59 opinionated options instead of allowing every possible permutation.
61 Any changes to this enum MUST be reflected in the algorithm registry.
63 See: <https://github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md>
65 To avoid the possibility of contradicting formats such as PKCS1 with
66 ED25519 the valid permutations are listed as a linear set instead of a
67 cartesian set (i.e one combined variable instead of two, one for encoding
68 and one for the signature algorithm).
69 """
71 UNSPECIFIED = 0
72 PKCS1_RSA_PKCS1V5 = 1
73 """RSA"""
75 PKCS1_RSA_PSS = 2
76 PKIX_RSA_PKCS1V5 = 3
77 PKIX_RSA_PSS = 4
78 PKIX_RSA_PKCS1V15_2048_SHA256 = 9
79 """RSA public key in PKIX format, PKCS#1v1.5 signature"""
81 PKIX_RSA_PKCS1V15_3072_SHA256 = 10
82 PKIX_RSA_PKCS1V15_4096_SHA256 = 11
83 PKIX_RSA_PSS_2048_SHA256 = 16
84 """RSA public key in PKIX format, RSASSA-PSS signature"""
86 PKIX_RSA_PSS_3072_SHA256 = 17
87 PKIX_RSA_PSS_4096_SHA256 = 18
88 PKIX_ECDSA_P256_HMAC_SHA_256 = 6
89 """ECDSA"""
91 PKIX_ECDSA_P256_SHA_256 = 5
92 PKIX_ECDSA_P384_SHA_384 = 12
93 PKIX_ECDSA_P521_SHA_512 = 13
94 PKIX_ED25519 = 7
95 """Ed 25519"""
97 PKIX_ED25519_PH = 8
98 PKIX_ECDSA_P384_SHA_256 = 19
99 """
100 These algorithms are deprecated and should not be used, but they
101 were/are being used by most Sigstore clients implementations.
102 """
104 PKIX_ECDSA_P521_SHA_256 = 20
105 LMS_SHA256 = 14
106 """
107 LMS and LM-OTS
109 These algorithms are deprecated and should not be used.
110 Keys and signatures MAY be used by private Sigstore
111 deployments, but will not be supported by the public
112 good instance.
114 USER WARNING: LMS and LM-OTS are both stateful signature schemes.
115 Using them correctly requires discretion and careful consideration
116 to ensure that individual secret keys are not used more than once.
117 In addition, LM-OTS is a single-use scheme, meaning that it
118 MUST NOT be used for more than one signature per LM-OTS key.
119 If you cannot maintain these invariants, you MUST NOT use these
120 schemes.
121 """
123 LMOTS_SHA256 = 15
124 ML_DSA_65 = 21
125 """
126 ML-DSA
128 These ML_DSA_65 and ML-DSA_87 algorithms are the pure variants that
129 take data to sign rather than the prehash variants (HashML-DSA), which
130 take digests. While considered quantum-resistant, their usage
131 involves tradeoffs in that signatures and keys are much larger, and
132 this makes deployments more costly.
134 USER WARNING: ML_DSA_65 and ML_DSA_87 are experimental algorithms.
135 In the future they MAY be used by private Sigstore deployments, but
136 they are not yet fully functional. This warning will be removed when
137 these algorithms are widely supported by Sigstore clients and servers,
138 but care should still be taken for production environments.
139 """
141 ML_DSA_87 = 22
143 @classmethod
144 def __get_pydantic_core_schema__(cls, _source_type, _handler):
145 from pydantic_core import core_schema
147 return core_schema.int_schema(ge=0)
150class SubjectAlternativeNameType(betterproto.Enum):
151 UNSPECIFIED = 0
152 EMAIL = 1
153 URI = 2
154 OTHER_NAME = 3
155 """
156 OID 1.3.6.1.4.1.57264.1.7
157 See https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417--othername-san
158 for more details.
159 """
161 @classmethod
162 def __get_pydantic_core_schema__(cls, _source_type, _handler):
163 from pydantic_core import core_schema
165 return core_schema.int_schema(ge=0)
168@dataclass(eq=False, repr=False)
169class HashOutput(betterproto.Message):
170 """
171 HashOutput captures a digest of a 'message' (generic octet sequence)
172 and the corresponding hash algorithm used.
173 """
175 algorithm: "HashAlgorithm" = betterproto.enum_field(1)
176 digest: bytes = betterproto.bytes_field(2)
177 """
178 This is the raw octets of the message digest as computed by
179 the hash algorithm.
180 """
183@dataclass(eq=False, repr=False)
184class MessageSignature(betterproto.Message):
185 """MessageSignature stores the computed signature over a message."""
187 message_digest: "HashOutput" = betterproto.message_field(1)
188 """
189 Message digest can be used to identify the artifact.
190 Clients MUST NOT attempt to use this digest to verify the associated
191 signature; it is intended solely for identification.
192 """
194 signature: bytes = betterproto.bytes_field(2)
195 """
196 The raw bytes as returned from the signature algorithm.
197 The signature algorithm (and so the format of the signature bytes)
198 are determined by the contents of the 'verification_material',
199 either a key-pair or a certificate. If using a certificate, the
200 certificate contains the required information on the signature
201 algorithm.
202 When using a key pair, the algorithm MUST be part of the public
203 key, which MUST be communicated out-of-band.
204 """
207@dataclass(eq=False, repr=False)
208class LogId(betterproto.Message):
209 """LogId captures the identity of a transparency log."""
211 key_id: bytes = betterproto.bytes_field(1)
212 """The unique identity of the log, represented by its public key."""
215@dataclass(eq=False, repr=False)
216class Rfc3161SignedTimestamp(betterproto.Message):
217 """This message holds a RFC 3161 timestamp."""
219 signed_timestamp: bytes = betterproto.bytes_field(1)
220 """
221 Signed timestamp is the DER encoded TimeStampResponse.
222 See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2
223 """
226@dataclass(eq=False, repr=False)
227class PublicKey(betterproto.Message):
228 raw_bytes: Optional[bytes] = betterproto.bytes_field(1, optional=True)
229 """
230 DER-encoded public key, encoding method is specified by the
231 key_details attribute.
232 """
234 key_details: "PublicKeyDetails" = betterproto.enum_field(2)
235 """Key encoding and signature algorithm to use for this key."""
237 valid_for: Optional["TimeRange"] = betterproto.message_field(3, optional=True)
238 """Optional validity period for this key, *inclusive* of the endpoints."""
241@dataclass(eq=False, repr=False)
242class PublicKeyIdentifier(betterproto.Message):
243 """
244 PublicKeyIdentifier can be used to identify an (out of band) delivered
245 key, to verify a signature.
246 """
248 hint: str = betterproto.string_field(1)
249 """
250 Optional unauthenticated hint on which key to use.
251 The format of the hint must be agreed upon out of band by the
252 signer and the verifiers, and so is not subject to this
253 specification.
254 Example use-case is to specify the public key to use, from a
255 trusted key-ring.
256 Implementors are RECOMMENDED to derive the value from the public
257 key as described in RFC 6962.
258 See: <https://www.rfc-editor.org/rfc/rfc6962#section-3.2>
259 """
262@dataclass(eq=False, repr=False)
263class ObjectIdentifier(betterproto.Message):
264 """An ASN.1 OBJECT IDENTIFIER"""
266 id: List[int] = betterproto.int32_field(1)
269@dataclass(eq=False, repr=False)
270class ObjectIdentifierValuePair(betterproto.Message):
271 """An OID and the corresponding (byte) value."""
273 oid: "ObjectIdentifier" = betterproto.message_field(1)
274 value: bytes = betterproto.bytes_field(2)
277@dataclass(eq=False, repr=False)
278class DistinguishedName(betterproto.Message):
279 organization: str = betterproto.string_field(1)
280 common_name: str = betterproto.string_field(2)
283@dataclass(eq=False, repr=False)
284class X509Certificate(betterproto.Message):
285 raw_bytes: bytes = betterproto.bytes_field(1)
286 """DER-encoded X.509 certificate."""
289@dataclass(eq=False, repr=False)
290class SubjectAlternativeName(betterproto.Message):
291 type: "SubjectAlternativeNameType" = betterproto.enum_field(1)
292 regexp: Optional[str] = betterproto.string_field(2, optional=True, group="identity")
293 """
294 A regular expression describing the expected value for
295 the SAN.
296 """
298 value: Optional[str] = betterproto.string_field(3, optional=True, group="identity")
299 """The exact value to match against."""
301 @model_validator(mode="after")
302 def check_oneof(cls, values):
303 return cls._validate_field_groups(values)
306@dataclass(eq=False, repr=False)
307class X509CertificateChain(betterproto.Message):
308 """
309 A collection of X.509 certificates.
311 This "chain" can be used in multiple contexts, such as providing a root CA
312 certificate within a TUF root of trust or multiple untrusted certificates for
313 the purpose of chain building.
314 """
316 certificates: List["X509Certificate"] = betterproto.message_field(1)
317 """
318 One or more DER-encoded certificates.
320 In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence
321 has an imposed order. Unless explicitly specified, there is otherwise no
322 guaranteed order.
323 """
326@dataclass(eq=False, repr=False)
327class TimeRange(betterproto.Message):
328 """
329 The time range is closed and includes both the start and end times,
330 (i.e., [start, end]).
331 End is optional to be able to capture a period that has started but
332 has no known end.
333 """
335 start: datetime = betterproto.message_field(1)
336 end: Optional[datetime] = betterproto.message_field(2, optional=True)
339rebuild_dataclass(HashOutput) # type: ignore
340rebuild_dataclass(MessageSignature) # type: ignore
341rebuild_dataclass(PublicKey) # type: ignore
342rebuild_dataclass(ObjectIdentifierValuePair) # type: ignore
343rebuild_dataclass(SubjectAlternativeName) # type: ignore
344rebuild_dataclass(X509CertificateChain) # type: ignore
345rebuild_dataclass(TimeRange) # type: ignore