From 8bdab9b4021566e4b7b0db4f16cdafc415b69bd5 Mon Sep 17 00:00:00 2001 From: Brian DeHamer Date: Fri, 30 Jun 2023 10:24:28 -0700 Subject: [PATCH] deps: sigstore@1.7.0 Signed-off-by: Brian DeHamer --- DEPENDENCIES.md | 2 - node_modules/@sigstore/tuf/package.json | 12 +- node_modules/sigstore/dist/merkle/digest.js | 48 -------- node_modules/sigstore/dist/merkle/index.js | 22 ---- node_modules/sigstore/dist/merkle/verify.js | 78 ------------- node_modules/sigstore/dist/sigstore-utils.js | 2 +- node_modules/sigstore/dist/sigstore.js | 24 +++- .../sigstore/dist/tlog/verify/index.js | 10 +- .../sigstore/dist/tlog/verify/merkle.js | 109 ++++++++++++++++++ .../sigstore/dist/types/sigstore/index.js | 67 +++++------ .../sigstore/dist/types/sigstore/validate.js | 15 +++ node_modules/sigstore/package.json | 17 +-- .../store/public-good-instance-root.json | 1 - package-lock.json | 22 ++-- package.json | 2 +- 15 files changed, 207 insertions(+), 224 deletions(-) delete mode 100644 node_modules/sigstore/dist/merkle/digest.js delete mode 100644 node_modules/sigstore/dist/merkle/index.js delete mode 100644 node_modules/sigstore/dist/merkle/verify.js create mode 100644 node_modules/sigstore/dist/tlog/verify/merkle.js delete mode 100644 node_modules/sigstore/store/public-good-instance-root.json diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md index 64de1e5a27a4d..0c8c7812b1831 100644 --- a/DEPENDENCIES.md +++ b/DEPENDENCIES.md @@ -769,8 +769,6 @@ graph LR; sigstore-->make-fetch-happen; sigstore-->sigstore-protobuf-specs["@sigstore/protobuf-specs"]; sigstore-->sigstore-tuf["@sigstore/tuf"]; - sigstore-->tuf-js; - sigstore-tuf-->make-fetch-happen; sigstore-tuf-->sigstore-protobuf-specs["@sigstore/protobuf-specs"]; sigstore-tuf-->tuf-js; socks-->ip; diff --git a/node_modules/@sigstore/tuf/package.json b/node_modules/@sigstore/tuf/package.json index 241dc32b3c8a9..286d481a4d39f 100644 --- a/node_modules/@sigstore/tuf/package.json +++ b/node_modules/@sigstore/tuf/package.json 
@@ -1,6 +1,6 @@ { "name": "@sigstore/tuf", - "version": "1.0.0", + "version": "1.0.2", "description": "Client for the Sigstore TUF repository", "main": "dist/index.js", "types": "dist/index.d.ts", @@ -27,17 +27,13 @@ "provenance": true }, "devDependencies": { - "@total-typescript/shoehorn": "^0.1.0", + "@sigstore/jest": "^0.0.0", "@tufjs/repo-mock": "^1.1.0", - "@types/node": "^20.2.5", - "nock": "^13.2.4", - "shx": "^0.3.3", - "typescript": "^5.1.3" + "@types/make-fetch-happen": "^10.0.0" }, "dependencies": { "@sigstore/protobuf-specs": "^0.1.0", - "tuf-js": "^1.1.3", - "make-fetch-happen": "^11.0.1" + "tuf-js": "^1.1.7" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" diff --git a/node_modules/sigstore/dist/merkle/digest.js b/node_modules/sigstore/dist/merkle/digest.js deleted file mode 100644 index 5b7ff04a506ae..0000000000000 --- a/node_modules/sigstore/dist/merkle/digest.js +++ /dev/null 
@@ -1,48 +0,0 @@ -"use strict"; -/* -Copyright 2022 GitHub, Inc - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -var __importDefault = (this && this.__importDefault) || function (mod) { - return (mod && mod.__esModule) ? mod : { "default": mod }; -}; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.Hasher = void 0; -const crypto_1 = __importDefault(require("crypto")); -const RFC6962LeafHashPrefix = Buffer.from([0x00]); -const RFC6962NodeHashPrefix = Buffer.from([0x01]); -// Implements Merkle Tree Hash logic according to RFC6962. -// https://datatracker.ietf.org/doc/html/rfc6962#section-2 -class Hasher { - constructor(algorithm = 'sha256') { - this.algorithm = algorithm; - } - size() { - return crypto_1.default.createHash(this.algorithm).digest().length; - } - hashLeaf(leaf) { - const hasher = crypto_1.default.createHash(this.algorithm); - hasher.update(RFC6962LeafHashPrefix); - hasher.update(leaf); - return hasher.digest(); - } - hashChildren(l, r) { - const hasher = crypto_1.default.createHash(this.algorithm); - hasher.update(RFC6962NodeHashPrefix); - hasher.update(l); - hasher.update(r); - return hasher.digest(); - } -} -exports.Hasher = Hasher; diff --git a/node_modules/sigstore/dist/merkle/index.js b/node_modules/sigstore/dist/merkle/index.js deleted file mode 100644 index 2dd39f10b646d..0000000000000 --- a/node_modules/sigstore/dist/merkle/index.js +++ /dev/null 
@@ -1,22 +0,0 @@ -"use strict"; -/* -Copyright 2022 GitHub, Inc - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -Object.defineProperty(exports, "__esModule", { value: true }); -exports.verifyInclusion = exports.Hasher = void 0; -var digest_1 = require("./digest"); -Object.defineProperty(exports, "Hasher", { enumerable: true, get: function () { return digest_1.Hasher; } }); -var verify_1 = require("./verify"); -Object.defineProperty(exports, "verifyInclusion", { enumerable: true, get: function () { return verify_1.verifyInclusion; } }); diff --git a/node_modules/sigstore/dist/merkle/verify.js b/node_modules/sigstore/dist/merkle/verify.js deleted file mode 100644 index 345543425aa08..0000000000000 --- a/node_modules/sigstore/dist/merkle/verify.js +++ /dev/null 
@@ -1,78 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.verifyInclusion = void 0; -/* -Copyright 2022 GitHub, Inc - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Implementation largely copied from -// https://github.com/transparency-dev/merkle/blob/main/proof/verify.go#L46 -// Verifies the correctness of the inclusion proof for the given leaf hash -// and index relative to the tree of the given size and root hash. -function verifyInclusion(hasher, index, size, leafHash, proof, root) { - const calcroot = rootFromInclusionProof(hasher, index, size, leafHash, proof); - return calcroot.equals(root); -} -exports.verifyInclusion = verifyInclusion; -// Calculates the expected root hash for a tree of the given size, provided a -// leaf index and hash with corresponding inclusion proof. -function rootFromInclusionProof(hasher, index, size, leafHash, proof) { - if (index >= size) { - throw new Error('index exceeds size of tree'); - } - if (leafHash.length !== hasher.size()) { - throw new Error('leafHash has unexpected size'); - } - const { inner, border } = decompInclProof(index, size); - if (proof.length != inner + border) { - throw new Error('invalid proof length'); - } - let hash = chainInner(hasher, leafHash, proof.slice(0, inner), index); - hash = chainBorderRight(hasher, hash, proof.slice(inner)); - return hash; -} -// Breaks down inclusion proof for a leaf at the specified index in a tree of -// the specified size. 
The split point is where paths to the index leaf and -// the (size - 1) leaf diverge. Returns lengths of the bottom and upper proof -// parts. -function decompInclProof(index, size) { - const inner = innerProofSize(index, size); - const border = onesCount(index >> BigInt(inner)); - return { inner, border }; -} -// Computes a subtree hash for an node on or below the tree's right border. -// Assumes the provided proof hashes are ordered from lower to higher levels -// and seed is the initial hash of the node specified by the index. -function chainInner(hasher, seed, proof, index) { - return proof.reduce((acc, h, i) => { - if ((index >> BigInt(i)) & BigInt(1)) { - return hasher.hashChildren(h, acc); - } - else { - return hasher.hashChildren(acc, h); - } - }, seed); -} -// Computes a subtree hash for nodes along the tree's right border. -function chainBorderRight(hasher, seed, proof) { - return proof.reduce((acc, h) => hasher.hashChildren(h, acc), seed); -} -function innerProofSize(index, size) { - return (index ^ (size - BigInt(1))).toString(2).length; -} -// Counts the number of ones in the binary representation of the given number. -// https://en.wikipedia.org/wiki/Hamming_weight -function onesCount(x) { - return x.toString(2).split('1').length - 1; -} diff --git a/node_modules/sigstore/dist/sigstore-utils.js b/node_modules/sigstore/dist/sigstore-utils.js index 1341052047229..dc75692f40bf0 100644 --- a/node_modules/sigstore/dist/sigstore-utils.js +++ b/node_modules/sigstore/dist/sigstore-utils.js @@ -75,6 +75,6 @@ async function createRekorEntry(dsseEnvelope, publicKey, options = {}) { signature: sigMaterial, tlogEntry: entry, }); - return sigstore.Bundle.toJSON(bundle); + return sigstore.bundleToJSON(bundle); } exports.createRekorEntry = createRekorEntry; diff --git a/node_modules/sigstore/dist/sigstore.js b/node_modules/sigstore/dist/sigstore.js index a14c5957954d8..dca476dd29203 100644 --- a/node_modules/sigstore/dist/sigstore.js 
+++ b/node_modules/sigstore/dist/sigstore.js @@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) { return result; }; Object.defineProperty(exports, "__esModule", { value: true }); -exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.verify = exports.attest = exports.sign = void 0; +exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.ValidationError = exports.PolicyError = exports.InternalError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0; /* Copyright 2023 The Sigstore Authors. @@ -57,7 +57,7 @@ async function sign(payload, options = {}) { tlogUpload: options.tlogUpload, }); const bundle = await signer.signBlob(payload); - return sigstore.Bundle.toJSON(bundle); + return sigstore.bundleToJSON(bundle); } exports.sign = sign; async function attest(payload, payloadType, options = {}) { @@ -75,7 +75,7 @@ async function attest(payload, payloadType, options = {}) { tlogUpload: options.tlogUpload, }); const bundle = await signer.signAttestation(payload, payloadType); - return sigstore.Bundle.toJSON(bundle); + return sigstore.bundleToJSON(bundle); } exports.attest = attest; async function verify(bundle, payload, options = {}) { 
@@ -92,6 +92,24 @@ async function verify(bundle, payload, options = {}) {
 return verifier.verify(deserializedBundle, opts, payload);
 }
 exports.verify = verify;
+async function createVerifier(options) {
+ const trustedRoot = await tuf.getTrustedRoot({
+ mirrorURL: options.tufMirrorURL,
+ rootPath: options.tufRootPath,
+ cachePath: options.tufCachePath,
+ retry: options.retry ?? config.DEFAULT_RETRY,
+ timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
+ });
+ const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
+ const verifyOpts = config.artifactVerificationOptions(options);
+ return {
+ verify: (bundle) => {
+ const deserializedBundle = sigstore.bundleFromJSON(bundle);
+ return verifier.verify(deserializedBundle, verifyOpts);
+ },
+ };
+}
+exports.createVerifier = createVerifier;
 const tufUtils = {
 client: (options = {}) => {
 return tuf.initTUF({
diff --git a/node_modules/sigstore/dist/tlog/verify/index.js b/node_modules/sigstore/dist/tlog/verify/index.js
index ad655b643e109..cbb93133c2685 100644
--- a/node_modules/sigstore/dist/tlog/verify/index.js
+++ b/node_modules/sigstore/dist/tlog/verify/index.js
@@ -41,6 +41,7 @@ limitations under the License.
 */
 const error_1 = require("../../error");
 const sigstore = __importStar(require("../../types/sigstore"));
+const cert_1 = require("../../x509/cert");
 const body_1 = require("./body");
 const set_1 = require("./set");
 // Verifies that the number of tlog entries that pass offline verification
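Review bot: `createVerifier(options)` dereferences `options.tufMirrorURL` without a default, so calling `createVerifier()` throws a TypeError, while the sibling entry points in this file (`sign`, `attest`, `verify`) all accept an omitted options object via `options = {}`; `async function createVerifier(options = {})` makes the new export consistent with them. The returned `verify(bundle)` also passes no payload to `verifier.verify`, unlike `verify()` directly above it, so presumably only bundles that carry their own payload can be checked through this API — worth stating on the export, e.g. `/** Builds a verifier bound to a trusted root fetched once at creation; the returned verify(bundle) checks bundles that embed their payload (no detached artifact). */`. The index.js hunk below only adds the `cert_1` require and needs nothing further.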
@@ -50,7 +51,7 @@ function verifyTLogEntries(bundle, trustedRoot, options) {
 throw new error_1.VerificationError('Online verification not implemented');
 }
 // Extract the signing cert, if available
- const signingCert = sigstore.signingCertificate(bundle);
+ const signingCert = signingCertificate(bundle);
 // Iterate over the tlog entries and verify each one
 const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryOffline(entry, bundle.content, trustedRoot.tlogs, signingCert));
 if (verifiedEntries.length < options.threshold) {
@@ -73,3 +74,10 @@ function verifyTLogEntryOffline(entry, bundleContent, tlogs, signingCert) {
 (0, set_1.verifyTLogSET)(entry, tlogs) &&
 verifyTLogIntegrationTime());
 }
+function signingCertificate(bundle) {
+ if (!sigstore.isBundleWithCertificateChain(bundle)) {
+ return undefined;
+ }
+ const signingCert = bundle.verificationMaterial.content.x509CertificateChain.certificates[0];
+ return cert_1.x509Certificate.parse(signingCert.rawBytes);
+}
diff --git a/node_modules/sigstore/dist/tlog/verify/merkle.js b/node_modules/sigstore/dist/tlog/verify/merkle.js
new file mode 100644
index 0000000000000..90609cb73576f
--- /dev/null
+++ b/node_modules/sigstore/dist/tlog/verify/merkle.js
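Review bot: `signingCertificate` takes `certificates[0]` and immediately reads `signingCert.rawBytes`, so a bundle whose x509CertificateChain carries an empty `certificates` array fails with a bare TypeError rather than a `VerificationError`, and `isBundleWithCertificateChain` (as changed in this commit) only checks the `$case`, not the array length. A guard before the parse, `if (!signingCert) { throw new error_1.VerificationError('bundle has no signing certificate'); }`, keeps the failure in the error family callers of `verifyTLogEntries` already handle; that function's body starts and ends outside the first hunk. The moved helper has no comment; `// Returns the leaf (first) certificate of the bundle's chain, or undefined when the bundle carries no certificate chain` would match the surrounding style.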
@@ -0,0 +1,109 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+ return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyMerkleInclusion = void 0;
+/*
+Copyright 2023 The Sigstore Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+const crypto_1 = __importDefault(require("crypto"));
+const error_1 = require("../../error");
+const RFC6962_LEAF_HASH_PREFIX = Buffer.from([0x00]);
+const RFC6962_NODE_HASH_PREFIX = Buffer.from([0x01]);
+function verifyMerkleInclusion(entry) {
+ const inclusionProof = entry.inclusionProof;
+ if (!inclusionProof) {
+ throw new error_1.VerificationError('tlog entry has no inclusion proof');
+ }
+ const logIndex = BigInt(inclusionProof.logIndex);
+ const treeSize = BigInt(inclusionProof.treeSize);
+ if (logIndex < 0n || logIndex >= treeSize) {
+ throw new error_1.VerificationError('invalid inclusion proof index');
+ }
+ // Figure out which subset of hashes corresponds to the inner and border
+ // nodes
+ const { inner, border } = decompInclProof(logIndex, treeSize);
+ if (inclusionProof.hashes.length !== inner + border) {
+ throw new error_1.VerificationError('invalid inclusion proof length');
+ }
+ const innerHashes = inclusionProof.hashes.slice(0, inner);
+ const borderHashes = inclusionProof.hashes.slice(inner);
+ // The entry's hash is the leaf hash
+ const leafHash = hashLeaf(entry.canonicalizedBody);
+ // Chain the hashes belonging to the inner and border portions
+ const calculatedHash = chainBorderRight(chainInner(leafHash, innerHashes, logIndex), borderHashes);
+ // Calculated hash should match the root hash in the inclusion proof
+ return bufferEqual(calculatedHash, inclusionProof.rootHash);
+}
+exports.verifyMerkleInclusion = verifyMerkleInclusion;
+// Breaks down inclusion proof for a leaf at the specified index in a tree of
+// the specified size. The split point is where paths to the index leaf and
+// the (size - 1) leaf diverge. Returns lengths of the bottom and upper proof
+// parts.
+function decompInclProof(index, size) {
+ const inner = innerProofSize(index, size);
+ const border = onesCount(index >> BigInt(inner));
+ return { inner, border };
+}
+// Computes a subtree hash for a node on or below the tree's right border.
+// Assumes the provided proof hashes are ordered from lower to higher levels
+// and seed is the initial hash of the node specified by the index.
+function chainInner(seed, hashes, index) {
+ return hashes.reduce((acc, h, i) => {
+ if ((index >> BigInt(i)) & BigInt(1)) {
+ return hashChildren(h, acc);
+ }
+ else {
+ return hashChildren(acc, h);
+ }
+ }, seed);
+}
+// Computes a subtree hash for nodes along the tree's right border.
+function chainBorderRight(seed, hashes) {
+ return hashes.reduce((acc, h) => hashChildren(h, acc), seed);
+}
+function innerProofSize(index, size) {
+ return (index ^ (size - BigInt(1))).toString(2).length;
+}
+// Counts the number of ones in the binary representation of the given number.
+// https://en.wikipedia.org/wiki/Hamming_weight
+function onesCount(x) {
+ return x.toString(2).split('1').length - 1;
+}
+// Hashing logic according to RFC6962.
+// https://datatracker.ietf.org/doc/html/rfc6962#section-2
+function hashChildren(left, right) {
+ const hasher = crypto_1.default.createHash('sha256');
+ hasher.update(RFC6962_NODE_HASH_PREFIX);
+ hasher.update(left);
+ hasher.update(right);
+ return hasher.digest();
+}
+function hashLeaf(leaf) {
+ const hasher = crypto_1.default.createHash('sha256');
+ hasher.update(RFC6962_LEAF_HASH_PREFIX);
+ hasher.update(leaf);
+ return hasher.digest();
+}
+function bufferEqual(a, b) {
+ try {
+ return crypto_1.default.timingSafeEqual(a, b);
+ }
+ catch {
+ /* istanbul ignore next */
+ return false;
+ }
+}
diff --git a/node_modules/sigstore/dist/types/sigstore/index.js b/node_modules/sigstore/dist/types/sigstore/index.js
index 4d9f6003744da..2c240c865cf37 100644
--- a/node_modules/sigstore/dist/types/sigstore/index.js
+++ b/node_modules/sigstore/dist/types/sigstore/index.js
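Review bot: `innerProofSize` returns 1 instead of 0 when `index` equals `size - 1`: the XOR is then `0n` and `(0n).toString(2)` is `"0"`, length 1, whereas the bit-length of zero that this decomposition relies on is 0. For the last leaf at an even index (index 2 in a tree of size 3, or index 0 in a tree of size 1) `decompInclProof` therefore demands one hash more than a valid proof carries and `verifyMerkleInclusion` rejects a correct proof with 'invalid inclusion proof length'; for odd indices the extra inner step happens to hash in the same order as the border step, which is why the defect is easy to miss. A fix that leaves the rest untouched: `const x = index ^ (size - BigInt(1)); return x === BigInt(0) ? 0 : x.toString(2).length;`. Separately, the recomputed root is compared only with `inclusionProof.rootHash` taken from the same entry; nothing in this file ties that root to a signed checkpoint, and no hunk in this commit requires this module or adds such a check, so unless it exists elsewhere the proof establishes only self-consistency of the log response — a comment above `verifyMerkleInclusion` stating that the caller must verify the checkpoint separately would prevent it being read as a full inclusion check.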
@@ -1,20 +1,6 @@ "use strict"; -var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - var desc = Object.getOwnPropertyDescriptor(m, k); - if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { - desc = { enumerable: true, get: function() { return m[k]; } }; - } - Object.defineProperty(o, k2, desc); -}) : (function(o, m, k, k2) { - if (k2 === undefined) k2 = k; - o[k2] = m[k]; -})); -var __exportStar = (this && this.__exportStar) || function(m, exports) { - for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p); -}; Object.defineProperty(exports, "__esModule", { value: true }); -exports.signingCertificate = exports.toMessageSignatureBundle = exports.toDSSEBundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.isBundleWithVerificationMaterial = exports.bundleFromJSON = void 0; +exports.toMessageSignatureBundle = exports.toDSSEBundle = exports.isVerifiableTransparencyLogEntry = exports.isCAVerificationOptions = exports.isBundleWithCertificateChain = exports.bundleToJSON = exports.bundleFromJSON = exports.SubjectAlternativeNameType = exports.PublicKeyDetails = exports.HashAlgorithm = exports.Envelope = void 0; /* Copyright 2023 The Sigstore Authors. 
@@ -32,11 +18,14 @@ limitations under the License. */ const protobuf_specs_1 = require("@sigstore/protobuf-specs"); const util_1 = require("../../util"); -const cert_1 = require("../../x509/cert"); const validate_1 = require("./validate"); -__exportStar(require("@sigstore/protobuf-specs"), exports); -__exportStar(require("./serialized"), exports); -__exportStar(require("./validate"), exports); +// Enums from protobuf-specs +// TODO: Move Envelope to "type" export once @sigstore/sign is a thing +var protobuf_specs_2 = require("@sigstore/protobuf-specs"); +Object.defineProperty(exports, "Envelope", { enumerable: true, get: function () { return protobuf_specs_2.Envelope; } }); +Object.defineProperty(exports, "HashAlgorithm", { enumerable: true, get: function () { return protobuf_specs_2.HashAlgorithm; } }); +Object.defineProperty(exports, "PublicKeyDetails", { enumerable: true, get: function () { return protobuf_specs_2.PublicKeyDetails; } }); +Object.defineProperty(exports, "SubjectAlternativeNameType", { enumerable: true, get: function () { return protobuf_specs_2.SubjectAlternativeNameType; } }); // eslint-disable-next-line @typescript-eslint/no-explicit-any const bundleFromJSON = (obj) => { const bundle = protobuf_specs_1.Bundle.fromJSON(obj); 
@@ -44,16 +33,15 @@ const bundleFromJSON = (obj) => { return bundle; }; exports.bundleFromJSON = bundleFromJSON; +// eslint-disable-next-line @typescript-eslint/no-explicit-any +const bundleToJSON = (bundle) => { + return protobuf_specs_1.Bundle.toJSON(bundle); +}; +exports.bundleToJSON = bundleToJSON; const BUNDLE_MEDIA_TYPE = 'application/vnd.dev.sigstore.bundle+json;version=0.1'; -// Type guard for narrowing a Bundle to a BundleWithVerificationMaterial -function isBundleWithVerificationMaterial(bundle) { - return bundle.verificationMaterial !== undefined; -} -exports.isBundleWithVerificationMaterial = isBundleWithVerificationMaterial; // Type guard for narrowing a Bundle to a BundleWithCertificateChain function isBundleWithCertificateChain(bundle) { - return (isBundleWithVerificationMaterial(bundle) && - bundle.verificationMaterial.content !== undefined && + return (bundle.verificationMaterial.content !== undefined && bundle.verificationMaterial.content.$case === 'x509CertificateChain'); } exports.isBundleWithCertificateChain = isBundleWithCertificateChain; @@ -69,6 +57,9 @@ function isVerifiableTransparencyLogEntry(entry) { entry.kindVersion !== undefined); } exports.isVerifiableTransparencyLogEntry = isVerifiableTransparencyLogEntry; +// All of the following functions are used to construct a ValidBundle +// from various types of input. When this code moves into the +// @sigstore/sign package, these functions will be exported from there. function toDSSEBundle({ envelope, signature, tlogEntry, timestamp, }) { return { mediaType: BUNDLE_MEDIA_TYPE, 
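Review bot: `isBundleWithCertificateChain` is no longer a total type guard: it now dereferences `bundle.verificationMaterial.content` directly, so a bundle without `verificationMaterial` makes it throw a TypeError where the removed `isBundleWithVerificationMaterial` check made it return false. That is acceptable only if every caller passes a bundle that already went through `assertValidBundle` (presumably what `bundleFromJSON` does via `validate_1`), and the new `signingCertificate` helper in tlog/verify/index.js now depends on it, so the assumption should be written down above the function, e.g. `// NOTE: assumes a bundle that passed assertValidBundle (verificationMaterial present) — confirm`. `bundleToJSON` is exported without a comment; a one-liner such as `// Serializes a Bundle to its JSON wire form (the counterpart of bundleFromJSON)` would match the file's style.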
@@ -106,6 +97,9 @@ function toTransparencyLogEntry(entry) { const b64SET = entry.verification?.signedEntryTimestamp || ''; const set = Buffer.from(b64SET, 'base64'); const logID = Buffer.from(entry.logID, 'hex'); + const proof = entry.verification?.inclusionProof + ? toInclusionProof(entry.verification.inclusionProof) + : undefined; // Parse entry body so we can extract the kind and version. const bodyJSON = util_1.encoding.base64Decode(entry.body); const entryBody = JSON.parse(bodyJSON); @@ -122,10 +116,21 @@ function toTransparencyLogEntry(entry) { kind: entryBody.kind, version: entryBody.apiVersion, }, - inclusionProof: undefined, + inclusionProof: proof, canonicalizedBody: Buffer.from(entry.body, 'base64'), }; } +function toInclusionProof(proof) { + return { + logIndex: proof.logIndex.toString(), + rootHash: Buffer.from(proof.rootHash, 'hex'), + treeSize: proof.treeSize.toString(), + checkpoint: { + envelope: proof.checkpoint, + }, + hashes: proof.hashes.map((h) => Buffer.from(h, 'hex')), + }; +} function toVerificationMaterial({ signature, tlogEntry, timestamp, }) { return { content: signature.certificates @@ -155,11 +160,3 @@ function toTimestampVerificationData(timestamp) { rfc3161Timestamps: [{ signedTimestamp: timestamp }], }; } -function signingCertificate(bundle) { - if (!isBundleWithCertificateChain(bundle)) { - return undefined; - } - const signingCert = bundle.verificationMaterial.content.x509CertificateChain.certificates[0]; - return cert_1.x509Certificate.parse(signingCert.rawBytes); -} -exports.signingCertificate = signingCertificate; diff --git a/node_modules/sigstore/dist/types/sigstore/validate.js b/node_modules/sigstore/dist/types/sigstore/validate.js index efd873ab65701..a19d8ad3ec702 100644 --- a/node_modules/sigstore/dist/types/sigstore/validate.js +++ b/node_modules/sigstore/dist/types/sigstore/validate.js 
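Review bot: `toInclusionProof` decodes `proof.rootHash` and every element of `proof.hashes` with `Buffer.from(h, 'hex')`, which never throws and silently stops at the first non-hex character, so a malformed hash in a Rekor response becomes a short buffer that only surfaces later as a proof mismatch in `verifyMerkleInclusion`; a decode helper that rejects bad input, `const b = Buffer.from(h, 'hex'); if (b.length * 2 !== h.length) throw new Error('invalid hex in inclusion proof');`, keeps the failure next to its cause. `proof.logIndex.toString()` and `proof.hashes.map(...)` likewise throw a bare TypeError when the response omits those fields, which the `entry.verification?.inclusionProof` guard in the preceding hunk does not cover. `toTransparencyLogEntry`, where the new `proof` variable is introduced, begins outside the hunk.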
@@ -1,6 +1,21 @@ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.assertValidBundle = void 0; +/* +Copyright 2023 The Sigstore Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ const error_1 = require("../../error"); // Performs basic validation of a Sigstore bundle to ensure that all required // fields are populated. This is not a complete validation of the bundle, but diff --git a/node_modules/sigstore/package.json b/node_modules/sigstore/package.json index b7dc6e30f0dcd..02655a6c79bc8 100644 --- a/node_modules/sigstore/package.json +++ b/node_modules/sigstore/package.json @@ -1,6 +1,6 @@ { "name": "sigstore", - "version": "1.6.0", + "version": "1.7.0", "description": "code-signing for npm packages", "main": "dist/index.js", "types": "dist/index.d.ts", 
@@ -31,21 +31,14 @@ }, "devDependencies": { "@sigstore/rekor-types": "^1.0.0", - "@total-typescript/shoehorn": "^0.1.0", + "@sigstore/jest": "^0.0.0", "@tufjs/repo-mock": "^1.1.0", - "@types/make-fetch-happen": "^10.0.0", - "@types/sigstore-jest-extended": "^0.0.0", - "@types/node": "^20.2.5", - "json-schema-to-typescript": "^13.0.0", - "nock": "^13.2.4", - "shx": "^0.3.3", - "typescript": "^5.1.3" + "@types/make-fetch-happen": "^10.0.0" }, "dependencies": { "@sigstore/protobuf-specs": "^0.1.0", - "@sigstore/tuf": "^1.0.0", - "make-fetch-happen": "^11.0.1", - "tuf-js": "^1.1.3" + "@sigstore/tuf": "^1.0.1", + "make-fetch-happen": "^11.0.1" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" diff --git a/node_modules/sigstore/store/public-good-instance-root.json b/node_modules/sigstore/store/public-good-instance-root.json deleted file mode 100644 index e95c7e88cdf09..0000000000000 --- a/node_modules/sigstore/store/public-good-instance-root.json +++ /dev/null 
@@ -1 +0,0 @@ -{"signed":{"_type":"root","spec_version":"1.0","version":7,"expires":"2023-10-04T13:08:11Z","keys":{"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEXsz3SZXFb8jMV42j6pJlyjbjR8K\nN3Bwocexq6LMIb5qsWKOQvLN16NUefLc4HswOoumRsVVaajSpQS6fobkRw==\n-----END PUBLIC KEY-----\n"}},"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0ghrh92Lw1Yr3idGV5WqCtMDB8Cx\n+D8hdC4w2ZLNIplVRoVGLskYa3gheMyOjiJ8kPi15aQ2//7P+oj7UvJPGw==\n-----END PUBLIC KEY-----\n"}},"45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELrWvNt94v4R085ELeeCMxHp7PldF\n0/T1GxukUh2ODuggLGJE0pc1e8CSBf6CS91Fwo9FUOuRsjBUld+VqSyCdQ==\n-----END PUBLIC KEY-----\n"}},"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEinikSsAQmYkNeH5eYq/CnIzLaacO\nxlSaawQDOwqKy/tCqxq5xxPSJc21K4WIhs9GyOkKfzueY3GILzcMJZ4cWw==\n-----END PUBLIC KEY-----\n"}},"e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWRiGr5+j+3J5SsH+Ztr5nE2H2wO7\nBV+nO3s93gLca18qTOzHY1oWyAGDykMSsGTUBSt9D+An0KfKsD2mfSM42Q==\n-----END 
PUBLIC KEY-----\n"}},"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEzBzVOmHCPojMVLSI364WiiV8NPrD\n6IgRxVliskz/v+y3JER5mcVGcONliDcWMC5J2lfHmjPNPhb4H7xm8LzfSA==\n-----END PUBLIC KEY-----\n"}},"ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c":{"keytype":"ecdsa-sha2-nistp256","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEy8XKsmhBYDI8Jc0GwzBxeKax0cm5\nSTKEU65HPFunUn41sT8pi0FjM4IkHz/YUmwmLUO0Wt7lxhj6BkLIK4qYAw==\n-----END PUBLIC KEY-----\n"}}},"roles":{"root":{"keyids":["ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c","25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"],"threshold":3},"snapshot":{"keyids":["45b283825eb184cabd582eb17b74fc8ed404f68cf452acabdad2ed6f90ce216b"],"threshold":1},"targets":{"keyids":["ff51e17fcf253119b7033f6f57512631da4a0969442afcf9fc8b141c7f2be99c","25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de"],"threshold":3},"timestamp":{"keyids":["e1863ba02070322ebc626dcecf9d881a3a38c35c3b41a83765b6ad6c37eaec2a"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"25a0eb450fd3ee2bd79218c963dce3f1cc6118badf251bf149f0bd07d5cabe99","sig":"3046022100c0610c0055ce5c4a52d054d7322e7b514d55baf44423d63aa4daa077cc60fd1f022100a097f2803f090fb66c42ead915a2c46ebe7db53a32bf18f21
88275cc936f8bdd"},{"keyid":"f5312f542c21273d9485a49394386c4575804770667f2ddb59b3bf0669fddd2f","sig":"304502203134f0468810299d5493a867c40630b341296b92e59c29821311d353343bb3a4022100e667ae3d304e7e3da0894c7425f6b9ecd917106841280e5cf6f3496ad5f8f68e"},{"keyid":"7f7513b25429a64473e10ce3ad2f3da372bbdd14b65d07bbaf547e7c8bbbe62b","sig":"3045022037fe5f45426f21eaaf4730d2136f2b1611d6379688f79b9d1e3f61719997135c022100b63b022d7b79d4694b96f416d88aa4d7b1a3bff8a01f4fb51e0f42137c7d2d06"},{"keyid":"2e61cd0cbf4a8f45809bda9f7f78c0d33ad11842ff94ae340873e2664dc843de","sig":"3044022007cc8fcc4940809f2751ad5b535f4c5f53f5b4952f5b5696b09668e743306ac1022006dfcdf94e94c92163eeb1b47796db62cedaa730aa13aa61b573fe23714730f2"}]} diff --git a/package-lock.json b/package-lock.json index a165f8ad35955..ac4ba66c3c26f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -140,7 +140,7 @@ "qrcode-terminal": "^0.12.0", "read": "^2.1.0", "semver": "^7.5.2", - "sigstore": "^1.6.0", + "sigstore": "^1.7.0", "ssri": "^10.0.4", "supports-color": "^9.3.1", "tar": "^6.1.15", @@ -2765,14 +2765,13 @@ } }, "node_modules/@sigstore/tuf": { - "version": "1.0.0", - "resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-1.0.0.tgz", - "integrity": "sha512-bLzi9GeZgMCvjJeLUIfs8LJYCxrPRA8IXQkzUtaFKKVPTz0mucRyqFcV2U20yg9K+kYAD0YSitzGfRZCFLjdHQ==", + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-1.0.2.tgz", + "integrity": "sha512-vjwcYePJzM01Ha6oWWZ9gNcdIgnzyFxfqfWzph483DPJTH8Tb7f7bQRRll3CYVkyH56j0AgcPAcl6Vg95DPF+Q==", "inBundle": true, "dependencies": { "@sigstore/protobuf-specs": "^0.1.0", - "make-fetch-happen": "^11.0.1", - "tuf-js": "^1.1.3" + "tuf-js": "^1.1.7" }, "engines": { "node": "^14.17.0 || ^16.13.0 || >=18.0.0" 
@@ -11535,15 +11534,14 @@ } }, "node_modules/sigstore": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.6.0.tgz", - "integrity": "sha512-QODKff/qW/TXOZI6V/Clqu74xnInAS6it05mufj4/fSewexLtfEntgLZZcBtUK44CDQyUE5TUXYy1ARYzlfG9g==", + "version": "1.7.0", + "resolved": "https://registry.npmjs.org/sigstore/-/sigstore-1.7.0.tgz", + "integrity": "sha512-KP7QULhWdlu3hlp+jw2EvgWKlOGOY9McLj/jrchLjHNlNPK0KWIwF919cbmOp6QiKXLmPijR2qH/5KYWlbtG9Q==", "inBundle": true, "dependencies": { "@sigstore/protobuf-specs": "^0.1.0", - "@sigstore/tuf": "^1.0.0", - "make-fetch-happen": "^11.0.1", - "tuf-js": "^1.1.3" + "@sigstore/tuf": "^1.0.1", + "make-fetch-happen": "^11.0.1" }, "bin": { "sigstore": "bin/sigstore.js" diff --git a/package.json b/package.json index f345781248e43..d335bb8dabed3 100644 --- a/package.json +++ b/package.json @@ -107,7 +107,7 @@ "qrcode-terminal": "^0.12.0", "read": "^2.1.0", "semver": "^7.5.2", - "sigstore": "^1.6.0", + "sigstore": "^1.7.0", "ssri": "^10.0.4", "supports-color": "^9.3.1", "tar": "^6.1.15",