fixup! pb-rust: schemafy only Bundles

Signed-off-by: Jack Leightcap <jack.leightcap@trailofbits.com>
sigstore · Aug 2, 2023 · 0421499 · 0421499
1 parent 7c84e63
commit 0421499
Show file tree

Hide file tree

Showing 34 changed files with 3,842 additions and 0 deletions.
diff --git a/gen/pb-rust/schemas/Artifact.schema.json b/gen/pb-rust/schemas/Artifact.schema.json
@@ -0,0 +1,35 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/Artifact",
+ "definitions": {
+ "Artifact": {
+ "properties": {
+ "artifact_uri": {
+ "type": "string",
+ "description": "Location of the artifact"
+ },
+ "artifact": {
+ "type": "string",
+ "description": "The raw bytes of the artifact",
+ "format": "binary",
+ "binaryEncoding": "base64"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "oneOf": [
+ {
+ "required": [
+ "artifact_uri"
+ ]
+ },
+ {
+ "required": [
+ "artifact"
+ ]
+ }
+ ],
+ "title": "Artifact"
+ }
+ }
+}
diff --git a/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json b/gen/pb-rust/schemas/ArtifactVerificationOptions.schema.json
@@ -0,0 +1,332 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "$ref": "#/definitions/ArtifactVerificationOptions",
+ "definitions": {
+ "ArtifactVerificationOptions": {
+ "properties": {
+ "certificate_identities": {
+ "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentities",
+ "additionalProperties": false
+ },
+ "public_keys": {
+ "$ref": "#/definitions/dev.sigstore.verification.v1.PublicKeyIdentities",
+ "additionalProperties": false,
+ "description": "To simplify verification implementation, the logic for bundle verification should be implemented as a higher-order function, where one of argument should be an interface over the set of trusted public keys, like this: `Verify(bytes artifact, bytes signature, string key_id)`. This way the caller is in full control of mapping the identified (or hinted) key in the bundle to one of the trusted keys, as this process is inherently application specific."
+ },
+ "tlog_options": {
+ "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions",
+ "additionalProperties": false,
+ "description": "Optional options for artifact transparency log verification. If none is provided, the default verification options are: Threshold: 1 Online verification: false Disable: false"
+ },
+ "ctlog_options": {
+ "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions",
+ "additionalProperties": false,
+ "description": "Optional options for certificate transparency log verification. If none is provided, the default verification options are: Threshold: 1 Detached SCT: false Disable: false"
+ },
+ "tsa_options": {
+ "$ref": "#/definitions/dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions",
+ "additionalProperties": false,
+ "description": "Optional options for certificate signed timestamp verification. If none is provided, the default verification options are: Threshold: 1 Disable: false"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "oneOf": [
+ {
+ "required": [
+ "certificate_identities"
+ ]
+ },
+ {
+ "required": [
+ "public_keys"
+ ]
+ },
+ {
+ "required": [
+ "tlog_options"
+ ]
+ },
+ {
+ "required": [
+ "ctlog_options"
+ ]
+ },
+ {
+ "required": [
+ "tsa_options"
+ ]
+ }
+ ],
+ "title": "Artifact Verification Options",
+ "description": "A light-weight set of options/policies for identifying trusted signers, used during verification of a single artifact."
+ },
+ "dev.sigstore.common.v1.ObjectIdentifier": {
+ "properties": {
+ "id": {
+ "items": {
+ "type": "integer"
+ },
+ "type": "array"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Object Identifier",
+ "description": "An ASN.1 OBJECT IDENTIFIER"
+ },
+ "dev.sigstore.common.v1.ObjectIdentifierValuePair": {
+ "properties": {
+ "oid": {
+ "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifier",
+ "additionalProperties": false
+ },
+ "value": {
+ "type": "string",
+ "format": "binary",
+ "binaryEncoding": "base64"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Object Identifier Value Pair",
+ "description": "An OID and the corresponding (byte) value."
+ },
+ "dev.sigstore.common.v1.PublicKey": {
+ "properties": {
+ "raw_bytes": {
+ "type": "string",
+ "description": "DER-encoded public key, encoding method is specified by the key_details attribute.",
+ "format": "binary",
+ "binaryEncoding": "base64"
+ },
+ "key_details": {
+ "enum": [
+ "PUBLIC_KEY_DETAILS_UNSPECIFIED",
+ 0,
+ "PKCS1_RSA_PKCS1V5",
+ 1,
+ "PKCS1_RSA_PSS",
+ 2,
+ "PKIX_RSA_PKCS1V5",
+ 3,
+ "PKIX_RSA_PSS",
+ 4,
+ "PKIX_ECDSA_P256_SHA_256",
+ 5,
+ "PKIX_ECDSA_P256_HMAC_SHA_256",
+ 6,
+ "PKIX_ED25519",
+ 7
+ ],
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "integer"
+ }
+ ],
+ "title": "Public Key Details",
+ "description": "Details of a specific public key, capturing the the key encoding method, and signature algorithm. To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm)."
+ },
+ "valid_for": {
+ "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
+ "additionalProperties": false,
+ "description": "Optional validity period for this key, *inclusive* of the endpoints."
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "oneOf": [
+ {
+ "required": [
+ "raw_bytes"
+ ]
+ },
+ {
+ "required": [
+ "valid_for"
+ ]
+ }
+ ],
+ "title": "Public Key"
+ },
+ "dev.sigstore.common.v1.SubjectAlternativeName": {
+ "properties": {
+ "type": {
+ "enum": [
+ "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED",
+ 0,
+ "EMAIL",
+ 1,
+ "URI",
+ 2,
+ "OTHER_NAME",
+ 3
+ ],
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "integer"
+ }
+ ],
+ "title": "Subject Alternative Name Type"
+ },
+ "regexp": {
+ "type": "string",
+ "description": "A regular expression describing the expected value for the SAN."
+ },
+ "value": {
+ "type": "string",
+ "description": "The exact value to match against."
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "oneOf": [
+ {
+ "required": [
+ "regexp"
+ ]
+ },
+ {
+ "required": [
+ "value"
+ ]
+ }
+ ],
+ "title": "Subject Alternative Name"
+ },
+ "dev.sigstore.common.v1.TimeRange": {
+ "properties": {
+ "start": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "end": {
+ "type": "string",
+ "format": "date-time"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "oneOf": [
+ {
+ "required": [
+ "end"
+ ]
+ }
+ ],
+ "title": "Time Range",
+ "description": "The time range is closed and includes both the start and end times, (i.e., [start, end]). End is optional to be able to capture a period that has started but has no known end."
+ },
+ "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions": {
+ "properties": {
+ "threshold": {
+ "type": "integer",
+ "description": "The number of ct transparency logs the certificate must appear on."
+ },
+ "detached_sct": {
+ "type": "boolean",
+ "description": "Expect detached SCTs. This is not supported right now as we can't capture an detached SCT in the bundle."
+ },
+ "disable": {
+ "type": "boolean",
+ "description": "Disable ct transparency log verification"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Ctlog Options"
+ },
+ "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions": {
+ "properties": {
+ "threshold": {
+ "type": "integer",
+ "description": "The number of signed timestamps that are expected."
+ },
+ "disable": {
+ "type": "boolean",
+ "description": "Disable signed timestamp verification."
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Timestamp Authority Options"
+ },
+ "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions": {
+ "properties": {
+ "threshold": {
+ "type": "integer",
+ "description": "Number of transparency logs the entry must appear on."
+ },
+ "perform_online_verification": {
+ "type": "boolean",
+ "description": "Perform an online inclusion proof."
+ },
+ "disable": {
+ "type": "boolean",
+ "description": "Disable verification for transparency logs."
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Tlog Options"
+ },
+ "dev.sigstore.verification.v1.CertificateIdentities": {
+ "properties": {
+ "identities": {
+ "items": {
+ "$ref": "#/definitions/dev.sigstore.verification.v1.CertificateIdentity"
+ },
+ "additionalProperties": false,
+ "type": "array"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Certificate Identities"
+ },
+ "dev.sigstore.verification.v1.CertificateIdentity": {
+ "properties": {
+ "issuer": {
+ "type": "string",
+ "description": "The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)"
+ },
+ "san": {
+ "$ref": "#/definitions/dev.sigstore.common.v1.SubjectAlternativeName",
+ "additionalProperties": false
+ },
+ "oids": {
+ "items": {
+ "$ref": "#/definitions/dev.sigstore.common.v1.ObjectIdentifierValuePair"
+ },
+ "additionalProperties": false,
+ "type": "array",
+ "description": "An unordered list of OIDs that must be verified. All OID/values provided in this list MUST exactly match against the values in the certificate for verification to be successful."
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Certificate Identity",
+ "description": "The identity of a X.509 Certificate signer."
+ },
+ "dev.sigstore.verification.v1.PublicKeyIdentities": {
+ "properties": {
+ "public_keys": {
+ "items": {
+ "$ref": "#/definitions/dev.sigstore.common.v1.PublicKey"
+ },
+ "additionalProperties": false,
+ "type": "array"
+ }
+ },
+ "additionalProperties": false,
+ "type": "object",
+ "title": "Public Key Identities"
+ }
+ }
+}