deps: sigstore@1.7.0 (#6623)

Signed-off-by: Brian DeHamer <bdehamer@github.com>

DEPENDENCIES.md

@@ -769,8 +769,6 @@ graph LR;
   sigstore-->make-fetch-happen;
   sigstore-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
   sigstore-->sigstore-tuf["@sigstore/tuf"];
-  sigstore-->tuf-js;
-  sigstore-tuf-->make-fetch-happen;
   sigstore-tuf-->sigstore-protobuf-specs["@sigstore/protobuf-specs"];
   sigstore-tuf-->tuf-js;
   socks-->ip;

node_modules/@sigstore/tuf/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sigstore/tuf",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "Client for the Sigstore TUF repository",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -27,17 +27,13 @@
     "provenance": true
   },
   "devDependencies": {
-    "@total-typescript/shoehorn": "^0.1.0",
+    "@sigstore/jest": "^0.0.0",
     "@tufjs/repo-mock": "^1.1.0",
-    "@types/node": "^20.2.5",
-    "nock": "^13.2.4",
-    "shx": "^0.3.3",
-    "typescript": "^5.1.3"
+    "@types/make-fetch-happen": "^10.0.0"
   },
   "dependencies": {
     "@sigstore/protobuf-specs": "^0.1.0",
-    "tuf-js": "^1.1.3",
-    "make-fetch-happen": "^11.0.1"
+    "tuf-js": "^1.1.7"
   },
   "engines": {
     "node": "^14.17.0 || ^16.13.0 || >=18.0.0"

node_modules/sigstore/dist/sigstore-utils.js

@@ -75,6 +75,6 @@ async function createRekorEntry(dsseEnvelope, publicKey, options = {}) {
         signature: sigMaterial,
         tlogEntry: entry,
     });
-    return sigstore.Bundle.toJSON(bundle);
+    return sigstore.bundleToJSON(bundle);
 }
 exports.createRekorEntry = createRekorEntry;

node_modules/sigstore/dist/sigstore.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.verify = exports.attest = exports.sign = void 0;
+exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
 /*
 Copyright 2023 The Sigstore Authors.
 
@@ -57,7 +57,7 @@ async function sign(payload, options = {}) {
         tlogUpload: options.tlogUpload,
     });
     const bundle = await signer.signBlob(payload);
-    return sigstore.Bundle.toJSON(bundle);
+    return sigstore.bundleToJSON(bundle);
 }
 exports.sign = sign;
 async function attest(payload, payloadType, options = {}) {
@@ -75,7 +75,7 @@ async function attest(payload, payloadType, options = {}) {
         tlogUpload: options.tlogUpload,
     });
     const bundle = await signer.signAttestation(payload, payloadType);
-    return sigstore.Bundle.toJSON(bundle);
+    return sigstore.bundleToJSON(bundle);
 }
 exports.attest = attest;
 async function verify(bundle, payload, options = {}) {
@@ -92,6 +92,24 @@ async function verify(bundle, payload, options = {}) {
     return verifier.verify(deserializedBundle, opts, payload);
 }
 exports.verify = verify;
+async function createVerifier(options) {
+    const trustedRoot = await tuf.getTrustedRoot({
+        mirrorURL: options.tufMirrorURL,
+        rootPath: options.tufRootPath,
+        cachePath: options.tufCachePath,
+        retry: options.retry ?? config.DEFAULT_RETRY,
+        timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
+    });
+    const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
+    const verifyOpts = config.artifactVerificationOptions(options);
+    return {
+        verify: (bundle) => {
+            const deserializedBundle = sigstore.bundleFromJSON(bundle);
+            return verifier.verify(deserializedBundle, verifyOpts);
+        },
+    };
+}
+exports.createVerifier = createVerifier;
 const tufUtils = {
     client: (options = {}) => {
         return tuf.initTUF({

node_modules/sigstore/dist/tlog/verify/index.js

@@ -41,6 +41,7 @@ limitations under the License.
 */
 const error_1 = require("../../error");
 const sigstore = __importStar(require("../../types/sigstore"));
+const cert_1 = require("../../x509/cert");
 const body_1 = require("./body");
 const set_1 = require("./set");
 // Verifies that the number of tlog entries that pass offline verification
@@ -50,7 +51,7 @@ function verifyTLogEntries(bundle, trustedRoot, options) {
         throw new error_1.VerificationError('Online verification not implemented');
     }
     // Extract the signing cert, if available
-    const signingCert = sigstore.signingCertificate(bundle);
+    const signingCert = signingCertificate(bundle);
     // Iterate over the tlog entries and verify each one
     const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryOffline(entry, bundle.content, trustedRoot.tlogs, signingCert));
     if (verifiedEntries.length < options.threshold) {
@@ -73,3 +74,10 @@ function verifyTLogEntryOffline(entry, bundleContent, tlogs, signingCert) {
         (0, set_1.verifyTLogSET)(entry, tlogs) &&
         verifyTLogIntegrationTime());
 }
+function signingCertificate(bundle) {
+    if (!sigstore.isBundleWithCertificateChain(bundle)) {
+        return undefined;
+    }
+    const signingCert = bundle.verificationMaterial.content.x509CertificateChain.certificates[0];
+    return cert_1.x509Certificate.parse(signingCert.rawBytes);
+}

node_modules/sigstore/dist/tlog/verify/merkle.js

@@ -0,0 +1,109 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyMerkleInclusion = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const crypto_1 = __importDefault(require("crypto"));
+const error_1 = require("../../error");
+const RFC6962_LEAF_HASH_PREFIX = Buffer.from([0x00]);
+const RFC6962_NODE_HASH_PREFIX = Buffer.from([0x01]);
+function verifyMerkleInclusion(entry) {
+    const inclusionProof = entry.inclusionProof;
+    if (!inclusionProof) {
+        throw new error_1.VerificationError('tlog entry has no inclusion proof');
+    }
+    const logIndex = BigInt(inclusionProof.logIndex);
+    const treeSize = BigInt(inclusionProof.treeSize);
+    if (logIndex < 0n || logIndex >= treeSize) {
+        throw new error_1.VerificationError('invalid inclusion proof index');
+    }
+    // Figure out which subset of hashes corresponds to the inner and border
+    // nodes
+    const { inner, border } = decompInclProof(logIndex, treeSize);
+    if (inclusionProof.hashes.length !== inner + border) {
+        throw new error_1.VerificationError('invalid inclusion proof length');
+    }
+    const innerHashes = inclusionProof.hashes.slice(0, inner);
+    const borderHashes = inclusionProof.hashes.slice(inner);
+    // The entry's hash is the leaf hash
+    const leafHash = hashLeaf(entry.canonicalizedBody);
+    // Chain the hashes belonging to the inner and border portions
+    const calculatedHash = chainBorderRight(chainInner(leafHash, innerHashes, logIndex), borderHashes);
+    // Calculated hash should match the root hash in the inclusion proof
+    return bufferEqual(calculatedHash, inclusionProof.rootHash);
+}
+exports.verifyMerkleInclusion = verifyMerkleInclusion;
+// Breaks down inclusion proof for a leaf at the specified index in a tree of
+// the specified size. The split point is where paths to the index leaf and
+// the (size - 1) leaf diverge. Returns lengths of the bottom and upper proof
+// parts.
+function decompInclProof(index, size) {
+    const inner = innerProofSize(index, size);
+    const border = onesCount(index >> BigInt(inner));
+    return { inner, border };
+}
+// Computes a subtree hash for a node on or below the tree's right border.
+// Assumes the provided proof hashes are ordered from lower to higher levels
+// and seed is the initial hash of the node specified by the index.
+function chainInner(seed, hashes, index) {
+    return hashes.reduce((acc, h, i) => {
+        if ((index >> BigInt(i)) & BigInt(1)) {
+            return hashChildren(h, acc);
+        }
+        else {
+            return hashChildren(acc, h);
+        }
+    }, seed);
+}
+// Computes a subtree hash for nodes along the tree's right border.
+function chainBorderRight(seed, hashes) {
+    return hashes.reduce((acc, h) => hashChildren(h, acc), seed);
+}
+function innerProofSize(index, size) {
+    return (index ^ (size - BigInt(1))).toString(2).length;
+}
+// Counts the number of ones in the binary representation of the given number.
+// https://en.wikipedia.org/wiki/Hamming_weight
+function onesCount(x) {
+    return x.toString(2).split('1').length - 1;
+}
+// Hashing logic according to RFC6962.
+// https://datatracker.ietf.org/doc/html/rfc6962#section-2
+function hashChildren(left, right) {
+    const hasher = crypto_1.default.createHash('sha256');
+    hasher.update(RFC6962_NODE_HASH_PREFIX);
+    hasher.update(left);
+    hasher.update(right);
+    return hasher.digest();
+}
+function hashLeaf(leaf) {
+    const hasher = crypto_1.default.createHash('sha256');
+    hasher.update(RFC6962_LEAF_HASH_PREFIX);
+    hasher.update(leaf);
+    return hasher.digest();
+}
+function bufferEqual(a, b) {
+    try {
+        return crypto_1.default.timingSafeEqual(a, b);
+    }
+    catch {
+        /* istanbul ignore next */
+        return false;
+    }
+}