npm · wraithgar · Mar 30, 2023 · Mar 30, 2023
@@ -1,14 +1,20 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.toCertificateRequest = void 0;
-function toCertificateRequest(publicKey, challenge) {
+function toCertificateRequest(identityToken, publicKey, challenge) {
     return {
-        publicKey: {
-            content: publicKey
-                .export({ type: 'spki', format: 'der' })
-                .toString('base64'),
+        credentials: {
+            oidcIdentityToken: identityToken,
+        },
+        publicKeyRequest: {
+            publicKey: {
+                algorithm: 'ECDSA',
+                content: publicKey
+                    .export({ format: 'pem', type: 'spki' })
+                    .toString('ascii'),
+            },
+            proofOfPossession: challenge.toString('base64'),
         },
-        signedEmailAddress: challenge.toString('base64'),
     };
 }
 exports.toCertificateRequest = toCertificateRequest;
@@ -3,17 +3,16 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.CAClient = void 0;
 const client_1 = require("../client");
 const error_1 = require("../error");
-const util_1 = require("../util");
 const format_1 = require("./format");
 class CAClient {
     constructor(options) {
         this.fulcio = new client_1.Fulcio({ baseURL: options.fulcioBaseURL });
     }
     async createSigningCertificate(identityToken, publicKey, challenge) {
-        const request = (0, format_1.toCertificateRequest)(publicKey, challenge);
+        const request = (0, format_1.toCertificateRequest)(identityToken, publicKey, challenge);
         try {
-            const certificate = await this.fulcio.createSigningCertificate(identityToken, request);
-            return util_1.pem.split(certificate);
+            const certificate = await this.fulcio.createSigningCertificate(request);
+            return certificate.signedCertificateEmbeddedSct.chain.certificates;
         }
         catch (err) {
             throw new error_1.InternalError('error creating signing certificate', err);

@@ -65,6 +65,7 @@ function printUsage() {
 const signOptions = {
     oidcClientID: 'sigstore',
     oidcIssuer: 'https://oauth2.sigstore.dev/auth',
+    oidcRedirectURL: process.env.OIDC_REDIRECT_URL,
     rekorURL: index_1.sigstore.DEFAULT_REKOR_URL,
 };
 async function sign(artifactPath) {

@@ -31,22 +31,20 @@ class Fulcio {
             retry: { retries: 2 },
             timeout: 5000,
             headers: {
-                Accept: 'application/pem-certificate-chain',
                 'Content-Type': 'application/json',
                 'User-Agent': util_1.ua.getUserAgent(),
             },
         });
         this.baseUrl = options.baseURL;
     }
-    async createSigningCertificate(idToken, request) {
-        const url = `${this.baseUrl}/api/v1/signingCert`;
+    async createSigningCertificate(request) {
+        const url = `${this.baseUrl}/api/v2/signingCert`;
         const response = await this.fetch(url, {
             method: 'POST',
-            headers: { Authorization: `Bearer ${idToken}` },
             body: JSON.stringify(request),
         });
         (0, error_1.checkStatus)(response);
-        const data = await response.text();
+        const data = await response.json();
         return data;
     }
 }

@@ -27,8 +27,13 @@ const oauth_1 = require("./oauth");
  * @param clientSecret Client secret for the issuer (optional)
  * @returns {Provider}
  */
-function oauthProvider(issuer, clientID, clientSecret) {
-    return new oauth_1.OAuthProvider(new issuer_1.Issuer(issuer), clientID, clientSecret);
+function oauthProvider(options) {
+    return new oauth_1.OAuthProvider({
+        issuer: new issuer_1.Issuer(options.issuer),
+        clientID: options.clientID,
+        clientSecret: options.clientSecret,
+        redirectURL: options.redirectURL,
+    });
 }
 /**
  * ciContextProvider returns a new Provider instance which attempts to retrieve

@@ -26,10 +26,11 @@ const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
 const url_1 = require("url");
 const util_1 = require("../util");
 class OAuthProvider {
-    constructor(issuer, clientID, clientSecret) {
-        this.clientID = clientID;
-        this.clientSecret = clientSecret || '';
-        this.issuer = issuer;
+    constructor(options) {
+        this.clientID = options.clientID;
+        this.clientSecret = options.clientSecret || '';
+        this.issuer = options.issuer;
+        this.redirectURI = options.redirectURL;
         this.codeVerifier = generateRandomString(32);
         this.state = generateRandomString(16);
     }
@@ -43,9 +44,20 @@ class OAuthProvider {
     async initiateAuthRequest() {
         const server = http_1.default.createServer();
         const sockets = new Set();
-        // Start server and wait till it is listening
+        // Start server and wait till it is listening. If a redirect URL was
+        // provided, use that. Otherwise, use a random port and construct the
+        // redirect URL.
         await new Promise((resolve) => {
-            server.listen(0, resolve);
+            if (this.redirectURI) {
+                const url = new url_1.URL(this.redirectURI);
+                server.listen(Number(url.port), url.hostname, resolve);
+            }
+            else {
+                server.listen(0, resolve);
+                // Get port the server is listening on and construct the server URL
+                const port = server.address().port;
+                this.redirectURI = `http://localhost:${port}`;
+            }
         });
         // Keep track of connections to the server so we can force a shutdown
         server.on('connection', (socket) => {
@@ -54,9 +66,6 @@ class OAuthProvider {
                 sockets.delete(socket);
             });
         });
-        // Get port the server is listening on and construct the server URL
-        const port = server.address().port;
-        this.redirectURI = `http://localhost:${port}`;
         const result = new Promise((resolve, reject) => {
             // Set-up handler for post-auth redirect
             server.on('request', (req, res) => {

@@ -115,7 +115,12 @@ function configureIdentityProviders(options) {
     else {
         idps.push(identity_1.default.ciContextProvider());
         if (options.oidcIssuer && options.oidcClientID) {
-            idps.push(identity_1.default.oauthProvider(options.oidcIssuer, options.oidcClientID, options.oidcClientSecret));
+            idps.push(identity_1.default.oauthProvider({
+                issuer: options.oidcIssuer,
+                clientID: options.oidcClientID,
+                clientSecret: options.oidcClientSecret,
+                redirectURL: options.oidcRedirectURL,
+            }));
         }
     }
     return idps;

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.fromDER = exports.toDER = exports.split = void 0;
+exports.fromDER = exports.toDER = void 0;
 /*
 Copyright 2022 The Sigstore Authors.
 
@@ -18,27 +18,6 @@ limitations under the License.
 */
 const PEM_HEADER = /-----BEGIN (.*)-----/;
 const PEM_FOOTER = /-----END (.*)-----/;
-// Given a set of PEM-encoded certificates bundled in a single string, returns
-// an array of certificates. Standard PEM encoding dictates that each certificate
-// should have a trailing newline after the footer.
-function split(certificate) {
-    const certs = [];
-    let cert = [];
-    certificate.split('\n').forEach((line) => {
-        line.includes;
-        if (line.match(PEM_HEADER)) {
-            cert = [];
-        }
-        if (line.length > 0) {
-            cert.push(line);
-        }
-        if (line.match(PEM_FOOTER)) {
-            certs.push(cert.join('\n').concat('\n'));
-        }
-    });
-    return certs;
-}
-exports.split = split;
 function toDER(certificate) {
     let der = '';
     certificate.split('\n').forEach((line) => {

@@ -112,5 +112,5 @@ class ByteStream {
         this.view = newView;
     }
 }
-exports.ByteStream = ByteStream;
 ByteStream.BLOCK_SIZE = 1024;
+exports.ByteStream = ByteStream;
@@ -22,28 +22,15 @@ const length_1 = require("./length");
 const parse_1 = require("./parse");
 const tag_1 = require("./tag");
 class ASN1Obj {
-    constructor(tag, headerLength, buf, subs) {
+    constructor(tag, value, subs) {
         this.tag = tag;
-        this.headerLength = headerLength;
-        this.buf = buf;
+        this.value = value;
         this.subs = subs;
     }
     // Constructs an ASN.1 object from a Buffer of DER-encoded bytes.
     static parseBuffer(buf) {
         return parseStream(new stream_1.ByteStream(buf));
     }
-    // Returns the raw bytes of the ASN.1 object's value. For constructed objects,
-    // this is the concatenation of the raw bytes of the values of its children.
-    // For primitive objects, this is the raw bytes of the object's value.
-    // Use the various to* methods to parse the value into a specific type.
-    get value() {
-        return this.buf.subarray(this.headerLength);
-    }
-    // Returns the raw bytes of the entire ASN.1 object (including tag, length,
-    // and value)
-    get raw() {
-        return this.buf;
-    }
     toDER() {
         const valueStream = new stream_1.ByteStream();
         if (this.subs.length > 0) {
@@ -114,13 +101,11 @@ exports.ASN1Obj = ASN1Obj;
 /////////////////////////////////////////////////////////////////////////////
 // Internal stream parsing functions
 function parseStream(stream) {
-    // Capture current stream position so we know where this object starts
-    const startPos = stream.position;
-    // Parse tag and length from stream
+    // Parse tag, length, and value from stream
     const tag = new tag_1.ASN1Tag(stream.getUint8());
     const len = (0, length_1.decodeLength)(stream);
-    // Calculate length of header (tag + length)
-    const header = stream.position - startPos;
+    const value = stream.slice(stream.position, len);
+    const start = stream.position;
     let subs = [];
     // If the object is constructed, parse its children. Sometimes, children
     // are embedded in OCTESTRING objects, so we need to check those
@@ -140,11 +125,9 @@ function parseStream(stream) {
     }
     // If there are no children, move stream cursor to the end of the object
     if (subs.length === 0) {
-        stream.seek(startPos + header + len);
+        stream.seek(start + len);
     }
-    // Capture the raw bytes of the object (including tag, length, and value)
-    const buf = stream.slice(startPos, header + len);
-    return new ASN1Obj(tag, header, buf, subs);
+    return new ASN1Obj(tag, value, subs);
 }
 function collectSubs(stream, len) {
     // Calculate end of object content

@@ -59,7 +59,7 @@ class x509Certificate {
         return this.subjectObj.value;
     }
     get publicKey() {
-        return this.subjectPublicKeyInfoObj.raw;
+        return this.subjectPublicKeyInfoObj.toDER();
     }
     get signatureAlgorithm() {
         const oid = this.signatureAlgorithmObj.subs[0].toOID();
@@ -115,13 +115,13 @@ class x509Certificate {
         // Use the issuer's public key if provided, otherwise use the subject's
         const publicKey = issuerCertificate?.publicKey || this.publicKey;
         const key = util_1.crypto.createPublicKey(publicKey);
-        return util_1.crypto.verifyBlob(this.tbsCertificate.raw, key, this.signatureValue, this.signatureAlgorithm);
+        return util_1.crypto.verifyBlob(this.tbsCertificate.toDER(), key, this.signatureValue, this.signatureAlgorithm);
     }
     validForDate(date) {
         return this.notBefore <= date && date <= this.notAfter;
     }
     equals(other) {
-        return this.root.raw.equals(other.root.raw);
+        return this.root.toDER().equals(other.root.toDER());
     }
     verifySCTs(issuer, logs) {
         let extSCT;
@@ -167,8 +167,9 @@ class x509Certificate {
     }
     // Creates a copy of the certificate with a new buffer
     clone() {
-        const clone = Buffer.alloc(this.root.raw.length);
-        this.root.raw.copy(clone);
+        const der = this.root.toDER();
+        const clone = Buffer.alloc(der.length);
+        der.copy(clone);
         return x509Certificate.parse(clone);
     }
     findExtension(oid) {

@@ -1,6 +1,6 @@
 {
   "name": "sigstore",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "code-signing for npm packages",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -51,7 +51,7 @@
     "nock": "^13.2.4",
     "prettier": "^2.6.2",
     "ts-jest": "^29.0.5",
-    "typescript": "^4.7.2"
+    "typescript": "^5.0.2"
   },
   "dependencies": {
     "@sigstore/protobuf-specs": "^0.1.0",

@@ -11174,9 +11174,9 @@
       "inBundle": true
     },
     "node_modules/sigstore": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.1.1.tgz",
-      "integrity": "sha512-4hR3tPP1y59YWlaoAgAWFVZ7srTjNWOrrpkQXWu05qP0BvwFYyt3K3l848+IHo+mKhkOzGcNDf7ktASXLEPC+A==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.2.0.tgz",
+      "integrity": "sha512-Fr9+W1nkBSIZCkJQR7jDn/zI0UXNsVpp+7mDQkCnZOIxG9p6yNXBx9xntHsfUyYHE55XDkkVV3+rYbrkzAeesA==",
       "inBundle": true,
       "dependencies": {
         "@sigstore/protobuf-specs": "^0.1.0",