From 00a7c100b861eaa6bc75d2b37965e80af7565351 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Tue, 1 Nov 2022 11:18:58 +0100 Subject: [PATCH 01/20] V1 of the trust root and the verification input. Signed-off-by: Fredrik Skogman --- protos/sigstore_common.proto | 38 ++++++++++++++ protos/sigstore_rekor.proto | 13 ++--- protos/sigstore_trustroot.proto | 74 ++++++++++++++++++++++++++++ protos/sigstore_verification.proto | 79 ++++++++++++++++++++++++++++++ 4 files changed, 194 insertions(+), 10 deletions(-) create mode 100644 protos/sigstore_trustroot.proto create mode 100644 protos/sigstore_verification.proto diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto index a94c16fd..afb3c6e1 100644 --- a/protos/sigstore_common.proto +++ b/protos/sigstore_common.proto @@ -15,6 +15,8 @@ syntax = "proto3"; package dev.sigstore.common.v1; +import "google/protobuf/timestamp.proto"; + option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"; option java_package = "dev.sigstore.proto.common.v1"; option java_multiple_files = true; @@ -60,6 +62,19 @@ message MessageSignature { bytes signature = 2; } +// LogId captures the identity of a transparency log. +message LogId { + oneof id { + // The unique id of the log, represented as the SHA-256 hash + // of the log's public key, computed over the DER encoding. + // https://www.rfc-editor.org/rfc/rfc6962#section-3.2 + bytes key_id = 1; + // Currently not used but proposed by + // https://datatracker.ietf.org/doc/rfc9162/ + string oid = 2; + } +} + // This message holds a RFC 3161 timestamp. message RFC3161SignedTimestamp { // Signed timestamp is the DER encoded TimeStampResponse. 
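Review bot: `LogId` is now a `oneof id` whose members can both be unset, and neither the message comment nor the members say what a LogId with no member set means; a verifier matching a bundle's log id against trusted instances should treat it as matching nothing rather than falling through. The `oid` member also states no format (dotted-decimal text or DER), so two implementations cannot reliably compare it. Suggest adding `// Exactly one member MUST be set; a LogId with no member set identifies no log.` above the oneof and `// Dotted-decimal textual form — TODO confirm` (or whichever form is intended) on `oid`.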
@@ -67,6 +82,19 @@ message RFC3161SignedTimestamp { bytes signed_timestamp = 1; } +message PublicKey { + // Optional key identifier. Format must be agreed upon out of band + // by signer and verifier. See PublicKeyIdentifier for more + // information. + // Implementors MAY provide a mapping function from hint to PublicKey. + string key_id = 1; + // DER-encoded public key. + bytes raw_bytes = 2; + // The time range is half-open and does not include the end + // timestamp, i.e [valid_for.start, valid_for.end). + optional TimeRange valid_for = 3; + // TODO: Add details on algorithm and parameters. +} // PublicKeyIdentifier can be used to identify an (out of band) delivered // key, to verify a signature. @@ -82,6 +110,11 @@ message PublicKeyIdentifier { string hint = 1; } +message DistinguishedName { + string organization = 1; + string common_name = 2; +} + message X509Certificate { // DER-encoded X.509 certificate. bytes raw_bytes = 1; @@ -105,3 +138,8 @@ message VerificationMaterial { X509CertificateChain x509_certificate_chain = 2; } } + +message TimeRange { + google.protobuf.Timestamp start = 1; + google.protobuf.Timestamp end = 2; +} diff --git a/protos/sigstore_rekor.proto b/protos/sigstore_rekor.proto index 7977bb82..a878837a 100644 --- a/protos/sigstore_rekor.proto +++ b/protos/sigstore_rekor.proto @@ -15,6 +15,8 @@ syntax = "proto3"; package dev.sigstore.rekor.v1; +import "sigstore_common.proto"; + option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/rekor/v1"; option java_package = "dev.sigstore.proto.rekor.v1"; option java_multiple_files = true; 
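Review bot: `DistinguishedName` and `TimeRange` (the last hunk of this file) are added without any comment, unlike every neighbouring message. For `DistinguishedName` it should say that only organization and common_name are carried, so it can label a subject but cannot stand in for a full X.500 name comparison; for `TimeRange` that both bounds are required here and what the interval is checked against. Suggested: `// A partial X.500 name: only organization (O) and common name (CN) are carried.` above DistinguishedName and `// Half-open interval [start, end); both bounds are required.` above TimeRange.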
@@ -76,15 +78,6 @@ message InclusionPromise { bytes signed_entry_timestamp = 1; } -// LogId captures the identity of a transparency log. -message LogId { - // The unique id of the log, represented as the SHA-256 hash - // of the log's public key, computed over the DER encoding. - // This is similar to how it works for certificate transparency logs: - // https://www.rfc-editor.org/rfc/rfc6962#section-3.2 - bytes key_id = 1; -} - // TransparencyLogEntry captures all the details required from Rekor to // reconstruct an entry, given that the payload is provided via other means. // This type can easily be created from the existing response from Rekor. @@ -97,7 +90,7 @@ message TransparencyLogEntry { // The index of the entry in the log. int64 log_index = 1; // The unique identifier of the log. - LogId log_id = 2; + dev.sigstore.common.v1.LogId log_id = 2; // The kind (type) and version of the object associated with this // entry. These values are required to construct the entry during // verification. diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto new file mode 100644 index 00000000..cedc6f9e --- /dev/null +++ b/protos/sigstore_trustroot.proto 
@@ -0,0 +1,74 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+package dev.sigstore.trustroot.v1;
+
+import "sigstore_common.proto";
+
+option go_package = "github.com/sigstore/proto/trustroot/v1";
+option java_package = "dev.sigstore.proto.trustroot.v1";
+option java_multiple_files = true;
+option java_outer_classname = "TrustRootProto";
+
+// TransparencyLogInstance describes the attributes required from a
+// transparency log, to successfully identify it and perform verification
+// of entries added to it.
+message TransparencyLogInstance {
+ dev.sigstore.common.v1.LogId log_id = 1;
+ string uri = 2;
+ dev.sigstore.common.v1.PublicKey public_key = 3;
+ // The time range is half-open and does not include the end
+ // timestamp, i.e [valid_for.start, valid_for.end).
+ dev.sigstore.common.v1.TimeRange valid_for = 4;
+}
+
+// CertificateAuthority enlists the information required to identify which
+// CA to use and perform signature verification.
+message CertificateAuthority {
+ // The root certificate MUST be self-signed, and so the subject and
+ // issuer are the same.
+ dev.sigstore.common.v1.DistinguishedName subject = 1;
+ string uri = 2;
+ dev.sigstore.common.v1.X509CertificateChain cert_chain = 3;
+ // The time the *entire* chain was valid. This is at max the
+ // longest interval when *all* certificates in the chain are valid,
+ // but MAY be less.
+ // The time range is half-open and does not include the end
+ // timestamp, i.e [valid_for.start, valid_for.end).
+ dev.sigstore.common.v1.TimeRange valid_for = 4;
+}
+
+// TrustedRoot describes the client's complete set of trusted entities.
+// How the TrustedRoot is populated is not specified, but can be a
+// combination of many sources such as TUF repositories, files on disk etc.
+message TrustedRoot {
+ // A set of trusted Rekor servers.
+ repeated TransparencyLogInstance tlogs = 1;
+ // A set of trusted certificate authorites, and any intermediate
+ // certificates they provide.
+ // If a CA is issuing multiple intermediate certificate, each
+ // combination shall be represented as separate chain. I.e, a single
+ // root cert may appear in multiple chains but with different
+ // intermediate and/or leaf certificates.
+ // The certificates are intended to be used for verifying artifact
+ // signatures.
+ repeated CertificateAuthority certificate_authorities = 2;
+ // A set of public keys to trust for artifact signing.
+ repeated dev.sigstore.common.v1.PublicKey public_keys = 3;
+ // A set of trusted certificate transparency logs.
+ repeated TransparencyLogInstance ctfes = 4;
+ // A set of trusted timestamping authorities.
+ repeated CertificateAuthority timestamp_authorities = 5;
+}
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
new file mode 100644
index 00000000..43a26a9d
--- /dev/null
+++ b/protos/sigstore_verification.proto
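Review bot: `option go_package = "github.com/sigstore/proto/trustroot/v1"` does not follow the path used by sigstore_common.proto in this same series (`github.com/sigstore/protobuf-specs/gen/pb-go/common/v1`), so the generated Go code for this file would presumably land under a different module path than the common types it references; suggest `option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1";`. The same applies to the go_package in sigstore_verification.proto in the next hunk. Separately, `TransparencyLogInstance.valid_for` duplicates `PublicKey.valid_for` added to common in this series; the comment should say which interval a verifier consults when both are set, or one of them should go.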
@@ -0,0 +1,79 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+package dev.sigstore.verification.v1;
+
+import "sigstore_common.proto";
+import "sigstore_trustroot.proto";
+import "sigstore_bundle.proto";
+
+option go_package = "github.com/sigstore/proto/verification/v1";
+option java_package = "dev.sigstore.proto.verification.v1";
+option java_multiple_files = true;
+option java_outer_classname = "VerificationProto";
+
+message Identity {
+ // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)
+ string issuer = 1;
+ // A regular expression describing the expected value for the SAN.
+ string subject_alternative_name = 2;
+}
+
+message TransparencyLogs {
+ // The set of transparency logs to use during bundle verification.
+ repeated dev.sigstore.trustroot.v1.TransparencyLogInstance instances = 1;
+ // The minimim number of logs the entry must appear on.
+ int32 threshold = 2;
+ // Perform an online proof of inclusion.
+ bool require_inclusion_proof = 3;
+}
+
+message TimestampAuthorities {
+ // The set of trusted timestamp authorities
+ repeated dev.sigstore.trustroot.v1.CertificateAuthority instances = 1;
+ // The minimum number of valid countersignatues.
+ int32 threshold = 2;
+}
+
+// The verification material provided during a bundle verification.
+// The "instance" is usually preloaded with a "resolved"
+// dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to verifying an
+// artifact (i.e a bundle) some selection is expected to happen, to filter
+// out the exact authorities to use, which is captured in this message.
+message Material {
+ TransparencyLogs tlogs = 1;
+ oneof signature_verification {
+ dev.sigstore.trustroot.v1.CertificateAuthority certificate_authority = 2;
+ dev.sigstore.common.v1.PublicKey public_key = 3;
+ }
+ TransparencyLogs ctfes = 4;
+ TimestampAuthorities timestamp_authorities = 5;
+}
+
+// A light-weight set of options/policies for identifying trusted signers.
+message Options {
+ // At least one identity MUST be provided.
+ repeated Identity identities = 1;
+}
+
+// Input captures all that is needed to call the bundle verification method.
+message Input {
+ Material verification_material = 1;
+ Options verification_options = 2;
+ dev.sigstore.bundle.v1.Bundle bundle = 3;
+ // If the bundle contains a hashed record, this URI MUST identify
+ // the location of the artifact.
+ optional string artifact_uri = 4;
+}
From 43d65ced1ac24cfa6fd51d44ea6d3eb8f7fe477e Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Tue, 1 Nov 2022 11:29:38 +0100
Subject: [PATCH 02/20] Clarified some comments
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_trustroot.proto | 8 ++++----
 protos/sigstore_verification.proto | 3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index cedc6f9e..148bbf12 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
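Review bot: `Identity.subject_alternative_name` is documented as a regular expression but neither the match semantics (full match versus search) nor the dialect are stated; with search semantics an unanchored pattern would also accept any SAN that merely contains it, so an under-specified pattern silently widens the set of accepted signers. Suggest `// A regular expression that MUST match the entire SAN value (implementations anchor it). Dialect: TODO confirm.`, and on `issuer` a note that it is compared for exact equality. `Options` says at least one identity MUST be provided, which proto3 cannot enforce; the comment should add that a verifier MUST reject an empty `identities` list rather than treat it as "any signer".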
@@ -22,9 +22,9 @@ option java_package = "dev.sigstore.proto.trustroot.v1"; option java_multiple_files = true; option java_outer_classname = "TrustRootProto"; -// TransparencyLogInstance describes the attributes required from a +// TransparencyLogInstance describes the data required from a // transparency log, to successfully identify it and perform verification -// of entries added to it. +// inclusion. message TransparencyLogInstance { dev.sigstore.common.v1.LogId log_id = 1; string uri = 2; @@ -43,8 +43,8 @@ message CertificateAuthority { string uri = 2; dev.sigstore.common.v1.X509CertificateChain cert_chain = 3; // The time the *entire* chain was valid. This is at max the - // longest interval when *all* certificates in the chain are valid, - // but MAY be less. + // longest interval when *all* certificates in the chain where valid, + // but it MAY be shorter. // The time range is half-open and does not include the end // timestamp, i.e [valid_for.start, valid_for.end). dev.sigstore.common.v1.TimeRange valid_for = 4; diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index 43a26a9d..81b0d13f 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -24,6 +24,7 @@ option java_package = "dev.sigstore.proto.verification.v1"; option java_multiple_files = true; option java_outer_classname = "VerificationProto"; +// The identity of a signer. message Identity { // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1) string issuer = 1; @@ -65,7 +66,7 @@ message Material { // A light-weight set of options/policies for identifying trusted signers. message Options { // At least one identity MUST be provided. - repeated Identity identities = 1; + repeated Identity signers = 1; } // Input captures all that is needed to call the bundle verification method. From 2f9ad4486a3cdbb8e5630c1d5eea0fbfe040ca8e Mon Sep 17 00:00:00 2001 
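Review bot: The rewritten TransparencyLogInstance comment now ends "perform verification inclusion", which is not a sentence; the earlier wording carried the meaning, so suggest `// transparency log, to successfully identify it and verify inclusion` followed by `// of entries added to it.`. The CertificateAuthority hunk below it introduces "where valid" where "were valid" is meant: `// longest interval when *all* certificates in the chain were valid,`.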
From: Fredrik Skogman Date: Tue, 1 Nov 2022 13:39:16 +0100 Subject: [PATCH 03/20] Better message naming. Signed-off-by: Fredrik Skogman --- protos/sigstore_verification.proto | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index 81b0d13f..918bcba1 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -36,6 +36,7 @@ message TransparencyLogs { // The set of transparency logs to use during bundle verification. repeated dev.sigstore.trustroot.v1.TransparencyLogInstance instances = 1; // The minimim number of logs the entry must appear on. + // Setting this value to zero disables verification. int32 threshold = 2; // Perform an online proof of inclusion. bool require_inclusion_proof = 3; @@ -45,6 +46,7 @@ message TimestampAuthorities { // The set of trusted timestamp authorities repeated dev.sigstore.trustroot.v1.CertificateAuthority instances = 1; // The minimum number of valid countersignatues. + // Setting this value to zero disables verification. int32 threshold = 2; } @@ -53,7 +55,7 @@ message TimestampAuthorities { // dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to verifying an // artifact (i.e a bundle) some selection is expected to happen, to filter // out the exact authorities to use, which is captured in this message. -message Material { +message VerificationMaterial { TransparencyLogs tlogs = 1; oneof signature_verification { dev.sigstore.trustroot.v1.CertificateAuthority certificate_authority = 2; @@ -71,7 +73,7 @@ message Options { // Input captures all that is needed to call the bundle verification method. message Input { - Material verification_material = 1; + VerificationMaterial verification_material = 1; Options verification_options = 2; dev.sigstore.bundle.v1.Bundle bundle = 3; // If the bundle contains a hashed record, this URI MUST identify 
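Review bot: "Setting this value to zero disables verification" on `TransparencyLogs.threshold` turns the proto3 default into a fail-open switch: `int32` has implicit presence, so a caller that simply never sets the threshold gets transparency-log verification silently disabled, and the same applies to `TimestampAuthorities.threshold` in the second hunk. Safer to keep the unset/zero case as "use the default of 1" and make opting out an explicit act, e.g. `optional int32 threshold = 2;` with `// Unset means 1. Zero is not a valid value.`, plus a separate `bool disable = <N>;` if disabling must be expressible.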
From e857e1cf8f482a673a237b0d86651e2317cb3c2f Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Tue, 1 Nov 2022 13:42:55 +0100 Subject: [PATCH 04/20] Clarified some fields Signed-off-by: Fredrik Skogman --- protos/sigstore_trustroot.proto | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto index 148bbf12..79c2965f 100644 --- a/protos/sigstore_trustroot.proto +++ b/protos/sigstore_trustroot.proto @@ -26,7 +26,9 @@ option java_outer_classname = "TrustRootProto"; // transparency log, to successfully identify it and perform verification // inclusion. message TransparencyLogInstance { + // The unique identifier for this transparency log. dev.sigstore.common.v1.LogId log_id = 1; + // The URI at which the log can be accessed. string uri = 2; dev.sigstore.common.v1.PublicKey public_key = 3; // The time range is half-open and does not include the end @@ -40,7 +42,9 @@ message CertificateAuthority { // The root certificate MUST be self-signed, and so the subject and // issuer are the same. dev.sigstore.common.v1.DistinguishedName subject = 1; + // The URI at which the CA can be accessed. string uri = 2; + // A single chain for a signing certificate. dev.sigstore.common.v1.X509CertificateChain cert_chain = 3; // The time the *entire* chain was valid. This is at max the // longest interval when *all* certificates in the chain where valid, From 18faeb355590e4c0a80872c0a8dc8db88e1841c4 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Thu, 3 Nov 2022 10:21:46 +0100 Subject: [PATCH 05/20] Updated based on comments. Signed-off-by: Fredrik Skogman --- protos/sigstore_common.proto | 21 +++-- protos/sigstore_trustroot.proto | 26 ++++-- protos/sigstore_verification.proto | 139 ++++++++++++++++++++--------- 3 files changed, 132 insertions(+), 54 deletions(-) diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto index afb3c6e1..d4cf08ef 100644 --- a/protos/sigstore_common.proto 
+++ b/protos/sigstore_common.proto @@ -38,6 +38,14 @@ enum HashAlgorithm { SHA2_512 = 2; } +// Subset of known signature algorithms. +enum SignatureAlgorithm { + SIGNATURE_ALGORITHM_UNSPECIFIED = 0; + ECDSA_P256_SHA_256 = 1; // See NIST FIPS 186-4 + ECDSA_P256_HMAC_SHA_256 = 2; // See RFC6979 + ED25519 = 3; // See RFC8032 +} + // HashOutput captures a digest of a 'message' (generic octet sequence) // and the corresponding hash algorithm used. message HashOutput { @@ -89,11 +97,10 @@ message PublicKey { // Implementors MAY provide a mapping function from hint to PublicKey. string key_id = 1; // DER-encoded public key. - bytes raw_bytes = 2; - // The time range is half-open and does not include the end - // timestamp, i.e [valid_for.start, valid_for.end). - optional TimeRange valid_for = 3; // TODO: Add details on algorithm and parameters. + optional bytes raw_bytes = 2; + // Optional validity period for this key. + optional TimeRange valid_for = 3; } // PublicKeyIdentifier can be used to identify an (out of band) delivered @@ -139,7 +146,11 @@ message VerificationMaterial { } } +// The time range is half-open and does not include the end timestamp, +// i.e [start, end). +// End is optional to be able to capture a period that has started but +// has no known end. message TimeRange { google.protobuf.Timestamp start = 1; - google.protobuf.Timestamp end = 2; + optional google.protobuf.Timestamp end = 2; } diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto index 79c2965f..cefc12a9 100644 --- a/protos/sigstore_trustroot.proto +++ b/protos/sigstore_trustroot.proto 
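Review bot: `SignatureAlgorithm` prefixes only its zero value: `ECDSA_P256_SHA_256`, `ECDSA_P256_HMAC_SHA_256` and `ED25519` are unprefixed, and because enum values are scoped to the enclosing package they will collide with any later enum in `dev.sigstore.common.v1` that uses the same names. Suggest `SIGNATURE_ALGORITHM_ECDSA_P256_SHA_256 = 1;` and likewise for the other two. The `HMAC` in value 2 is also worth a second look: RFC 6979 specifies deterministic nonce generation for ECDSA rather than a different signature scheme, so the name should make clear the signature on the wire is still ECDSA-P256/SHA-256.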
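Review bot: Making `PublicKey.raw_bytes` `optional` means a PublicKey can now be present with no key material, but nothing says what a verifier does with such an entry; a loose implementation could hand the empty default to a key parser. The `// TODO: Add details on algorithm and parameters.` line has also ended up between `// DER-encoded public key.` and the field it describes. Suggest `// DER-encoded public key. May be absent when the key is resolved out of band via key_id; a PublicKey with neither raw_bytes nor a resolvable key_id MUST be rejected.` — the out-of-band resolution is my reading of the key_id comment above, confirm that is the intent.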
@@ -25,15 +25,19 @@ option java_outer_classname = "TrustRootProto"; // TransparencyLogInstance describes the data required from a // transparency log, to successfully identify it and perform verification // inclusion. +// See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters +// for more details. message TransparencyLogInstance { + // The base URL at which can be used to URLs for the client. + string base_urL = 1; + // The hash algorithm used for the Merkle Tree. + dev.sigstore.common.v1.HashAlgorithm hash_algorithm = 2; + // The signature algorithm used. + dev.sigstore.common.v1.SignatureAlgorithm signature_algorithm = 3; + // The public key used to verify signatures generated by the log. + dev.sigstore.common.v1.PublicKey public_key = 4; // The unique identifier for this transparency log. - dev.sigstore.common.v1.LogId log_id = 1; - // The URI at which the log can be accessed. - string uri = 2; - dev.sigstore.common.v1.PublicKey public_key = 3; - // The time range is half-open and does not include the end - // timestamp, i.e [valid_for.start, valid_for.end). - dev.sigstore.common.v1.TimeRange valid_for = 4; + dev.sigstore.common.v1.LogId log_id = 5; } // CertificateAuthority enlists the information required to identify which 
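Review bot: This hunk reassigns TransparencyLogInstance's field numbers to different types: number 2 goes from `string uri` to the enum `hash_algorithm` (length-delimited to varint), number 1 from the `LogId` message to `string base_urL`, and `log_id` moves to 5. That is only acceptable because the file was introduced earlier in this same series and has not been released; if anyone generated code from the first patch, the renumbering must land before a release rather than be reserved away later. The comment on `base_urL` is also garbled; suggest `// The base URL of the log, from which clients construct request URLs.`.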
@@ -57,6 +61,14 @@ message CertificateAuthority { // TrustedRoot describes the client's complete set of trusted entities. // How the TrustedRoot is populated is not specified, but can be a // combination of many sources such as TUF repositories, files on disk etc. +// +// The TrustedRoot is not meant to be used for any artifact verification, only +// to capture the complete/global set of trusted verification materials. +// When verifying an artifact, based on the artifact and policies, a selection +// of keys/authorities are epxected to be extracted and provided to the +// verification function. This way the set of keys/authorities kan be kept to +// a minimal set by the policy to gain better control over what signatures +// that are allowed. message TrustedRoot { // A set of trusted Rekor servers. repeated TransparencyLogInstance tlogs = 1; diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index 918bcba1..6802a850 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -15,7 +15,6 @@ syntax = "proto3"; package dev.sigstore.verification.v1; -import "sigstore_common.proto"; import "sigstore_trustroot.proto"; import "sigstore_bundle.proto"; 
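Review bot: The new TrustedRoot paragraph has typos and a grammatical slip: "epxected", "kan", and "what signatures that are allowed". Suggest `// of keys/authorities are expected to be extracted and provided to the`, `// verification function. This way the set of keys/authorities can be kept to`, and ending with `// a minimal set by the policy to gain better control over which signatures` / `// are allowed.`.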
@@ -24,59 +23,115 @@ option java_package = "dev.sigstore.proto.verification.v1"; option java_multiple_files = true; option java_outer_classname = "VerificationProto"; +enum SubjectAlternativeNameType { + DNS = 0; + Email = 1; + URI = 2; +} + +message SubjectAlternativeName { + SubjectAlternativeNameType type = 1; + // A regular expression describing the expected value for the SAN. + string value = 2; +} + // The identity of a signer. message Identity { // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1) string issuer = 1; - // A regular expression describing the expected value for the SAN. - string subject_alternative_name = 2; + oneof identity { + SubjectAlternativeName san = 2; + } } -message TransparencyLogs { - // The set of transparency logs to use during bundle verification. - repeated dev.sigstore.trustroot.v1.TransparencyLogInstance instances = 1; - // The minimim number of logs the entry must appear on. - // Setting this value to zero disables verification. - int32 threshold = 2; - // Perform an online proof of inclusion. - bool require_inclusion_proof = 3; -} +// A light-weight set of options/policies for identifying trusted signers, +// used during verification of a single artifact. +message ArtifactVerificationOptions { + message TlogOptions { + // Number of transparency logs the entry must appear on. + int32 threshold = 1; + // Perform an online inclusion proof. + // TODO: @haydentherapper: wanna punt this for now? + bool perform_online_verification = 2; + // Disable verification for transparency logs. + bool disable = 3; + } + message CtfeOptions { + // The number of ct transparency logs the certificate must + // appear on. + int32 threshold = 1; + // Expect detached SCTs. + // This is not supported right now as we can't capture an + // detached SCT in the bundle. + bool detached_sct = 2; + // Disable ct transparency log verification + bool disable = 3; + } + message TsaOptions { + // The number of signed timestamps that are expected. 
+ int32 threshold = 1; + // Disable signed timestamp verification. + bool disable = 2; + } -message TimestampAuthorities { - // The set of trusted timestamp authorities - repeated dev.sigstore.trustroot.v1.CertificateAuthority instances = 1; - // The minimum number of valid countersignatues. - // Setting this value to zero disables verification. - int32 threshold = 2; + // At least one identity MUST be provided. Providing zero identities + // is an error. + repeated Identity signers = 1; + // Optional options for artifact transparency log verification. + // If none is provided, the default verification options are: + // Threshold: 1 + // Online verification: false + // Disable: false + optional TlogOptions tlog_options = 2; + // Optional options for certificate transparency log verification. + // If none is provided, the default verification options are: + // Threshold: 1 + // Detached SCT: false + // Disable: false + optional CtfeOptions ctfe_options = 3; + // Optional options for certificate signed timestamp verification. + // If none is provided, the default verification options are: + // Threshold: 1 + // Disable: false + optional TsaOptions tsa_options = 4; } -// The verification material provided during a bundle verification. -// The "instance" is usually preloaded with a "resolved" -// dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to verifying an -// artifact (i.e a bundle) some selection is expected to happen, to filter -// out the exact authorities to use, which is captured in this message. 
-message VerificationMaterial { - TransparencyLogs tlogs = 1; - oneof signature_verification { - dev.sigstore.trustroot.v1.CertificateAuthority certificate_authority = 2; - dev.sigstore.common.v1.PublicKey public_key = 3; +message Artifact { + oneof data { + // Location of the artifact + string artifact_uri = 1; + // The raw bytes of the artifact + bytes artifact = 2; } - TransparencyLogs ctfes = 4; - TimestampAuthorities timestamp_authorities = 5; -} - -// A light-weight set of options/policies for identifying trusted signers. -message Options { - // At least one identity MUST be provided. - repeated Identity signers = 1; } -// Input captures all that is needed to call the bundle verification method. +// Input captures all that is needed to call the bundle verification method, +// to verify a single artifact referenced by the bundle. message Input { - VerificationMaterial verification_material = 1; - Options verification_options = 2; + // The verification materials provided during a bundle verification. + // The "instance" is usually preloaded with a "resolved" + // dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to + // verifying an artifact (i.e a bundle) some selection is expected + // to happen, to filter out the exact authorities to use, which is + // captured in this attribute. + // + // As there can be multiple certificate authorities and public keys + // after the global trust root has ben filtered down to a smaller, + // per artifact set, any implementors of the verification logic MUST + // offer an interface where the calling client can provide a + // function that finds the correct key/certificate authority to use, + // as this selection is inherently dependant on the used key + // mechanism (e.g. a cloud KMS with a versioned key). + // As an example the client can provide a method + // `Verify(bytes artifact, bytes signature, string key_id)` + // that the caller implements over the set of trusted public keys, + // (filtered for this artifact). 
This way the verification code does + // not need to deal with context depandant key selection, different + // key types etc. + dev.sigstore.trustroot.v1.TrustedRoot artifact_trust_root = 1; + ArtifactVerificationOptions artifact_verification_options = 2; dev.sigstore.bundle.v1.Bundle bundle = 3; - // If the bundle contains a hashed record, this URI MUST identify - // the location of the artifact. - optional string artifact_uri = 4; + // If the bundle contains a message signature, the artifact must be + // provided. + optional Artifact artifact = 4; } From 75e01b8a8520738dd0d434acce566cf0c00d45c0 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Thu, 3 Nov 2022 10:47:12 +0100 Subject: [PATCH 06/20] Updates from review. Signed-off-by: Fredrik Skogman --- protos/sigstore_trustroot.proto | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto index cefc12a9..199422e1 100644 --- a/protos/sigstore_trustroot.proto +++ b/protos/sigstore_trustroot.proto @@ -48,7 +48,7 @@ message CertificateAuthority { dev.sigstore.common.v1.DistinguishedName subject = 1; // The URI at which the CA can be accessed. string uri = 2; - // A single chain for a signing certificate. + // The certificate chain for this CA. dev.sigstore.common.v1.X509CertificateChain cert_chain = 3; // The time the *entire* chain was valid. This is at max the // longest interval when *all* certificates in the chain where valid, 
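Review bot: `SubjectAlternativeNameType` gives its zero value business meaning (`DNS = 0`), so an `Identity.san` whose `type` is simply left unset is interpreted as a DNS name and matched against DNS SANs instead of being rejected as incomplete; the values are also unprefixed and mixed-case (`Email`). While the file is still unreleased, add an UNSPECIFIED zero value and prefix the names as below. In the nested `TlogOptions`/`CtfeOptions`/`TsaOptions` the documented defaults (threshold 1) apply only when the whole options message is absent; once a caller sets `tlog_options` with `disable = false` but no threshold, `threshold` is 0 and its meaning is undefined — state whether 0 is treated as 1 or is an error. The `disable` booleans are fail-open switches, so a comment that a verifier should report when they are set would help operators notice.
```protobuf
enum SubjectAlternativeNameType {
  SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED = 0;
  SUBJECT_ALTERNATIVE_NAME_TYPE_DNS = 1;
  SUBJECT_ALTERNATIVE_NAME_TYPE_EMAIL = 2;
  SUBJECT_ALTERNATIVE_NAME_TYPE_URI = 3;
}
// … unchanged: SubjectAlternativeName, Identity, ArtifactVerificationOptions, Artifact, Input …
```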
@@ -72,8 +72,8 @@ message CertificateAuthority { message TrustedRoot { // A set of trusted Rekor servers. repeated TransparencyLogInstance tlogs = 1; - // A set of trusted certificate authorites, and any intermediate - // certificates they provide. + // A set of trusted certificate authorites (e.g Fulcio), and any + // intermediate certificates they provide. // If a CA is issuing multiple intermediate certificate, each // combination shall be represented as separate chain. I.e, a single // root cert may appear in multiple chains but with different From 88897562e9c87b80791c29548f47bb6900a6ae99 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Thu, 3 Nov 2022 11:24:52 +0100 Subject: [PATCH 07/20] Updated comment parameters for a transparency log. Signed-off-by: Fredrik Skogman --- protos/sigstore_trustroot.proto | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto index 199422e1..9efa2f3c 100644 --- a/protos/sigstore_trustroot.proto +++ b/protos/sigstore_trustroot.proto @@ -22,11 +22,12 @@ option java_package = "dev.sigstore.proto.trustroot.v1"; option java_multiple_files = true; option java_outer_classname = "TrustRootProto"; -// TransparencyLogInstance describes the data required from a -// transparency log, to successfully identify it and perform verification -// inclusion. +// TransparencyLogInstance describes the immutable parameters from a +// transparency log. // See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters // for more details. +// The incluced parameters are the minimal set required to identify a log, +// and verify an inclusion promise. message TransparencyLogInstance { // The base URL at which can be used to URLs for the client. string base_urL = 1; From 5e095a1cf51acb4c8a42b0ccb25bc1ed9001b263 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Fri, 4 Nov 2022 08:57:17 +0100 Subject: [PATCH 08/20] Updates from review. 
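Review bot: The added comment line in the TransparencyLogInstance hunk has a typo, "incluced": `// The included parameters are the minimal set required to identify a log,`. It also says the parameters serve to "verify an inclusion promise"; since `hash_algorithm` is described as the Merkle tree hash, the same parameters presumably serve inclusion proofs too, so consider `// and verify an inclusion promise or inclusion proof.` if that is the intent.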
Signed-off-by: Fredrik Skogman --- protos/sigstore_trustroot.proto | 4 ++-- protos/sigstore_verification.proto | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto index 9efa2f3c..9352e6e9 100644 --- a/protos/sigstore_trustroot.proto +++ b/protos/sigstore_trustroot.proto @@ -30,7 +30,7 @@ option java_outer_classname = "TrustRootProto"; // and verify an inclusion promise. message TransparencyLogInstance { // The base URL at which can be used to URLs for the client. - string base_urL = 1; + string base_url = 1; // The hash algorithm used for the Merkle Tree. dev.sigstore.common.v1.HashAlgorithm hash_algorithm = 2; // The signature algorithm used. @@ -85,7 +85,7 @@ message TrustedRoot { // A set of public keys to trust for artifact signing. repeated dev.sigstore.common.v1.PublicKey public_keys = 3; // A set of trusted certificate transparency logs. - repeated TransparencyLogInstance ctfes = 4; + repeated TransparencyLogInstance ctlogs = 4; // A set of trusted timestamping authorities. repeated CertificateAuthority timestamp_authorities = 5; } diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto index 6802a850..f4c2ebec 100644 --- a/protos/sigstore_verification.proto +++ b/protos/sigstore_verification.proto @@ -39,9 +39,8 @@ message SubjectAlternativeName { message Identity { // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1) string issuer = 1; - oneof identity { - SubjectAlternativeName san = 2; - } + SubjectAlternativeName san = 2; + // TODO: add more optional attributes for identify verification. } // A light-weight set of options/policies for identifying trusted signers, 
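Review bot: With `san` changed from a oneof member to a plain message field, an `Identity` can now carry only `issuer`; nothing says whether an unset `san` means "any subject from this issuer" or is invalid, and the permissive reading would make `signers` match every certificate the issuer ever issued. Suggest `// REQUIRED: a verifier MUST reject an Identity without a san.`, or document the wildcard semantics explicitly if that is intended. The TODO line also has a typo: `// TODO: add more optional attributes for identity verification.`.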
@@ -56,7 +55,7 @@ message ArtifactVerificationOptions {
 // Disable verification for transparency logs.
 bool disable = 3;
 }
- message CtfeOptions {
+ message CtlogOptions {
 // The number of ct transparency logs the certificate must
 // appear on.
 int32 threshold = 1;
@@ -67,7 +66,7 @@ message ArtifactVerificationOptions {
 // Disable ct transparency log verification
 bool disable = 3;
 }
- message TsaOptions {
+ message TimestampAuthorityOptions {
 // The number of signed timestamps that are expected.
 int32 threshold = 1;
 // Disable signed timestamp verification.
@@ -75,7 +74,8 @@ message ArtifactVerificationOptions {
 }
 // At least one identity MUST be provided. Providing zero identities
- // is an error.
+ // is an error. If at least one provided identity is found as a
+ // signer, the verification is considered successful.
 repeated Identity signers = 1;
 // Optional options for artifact transparency log verification.
 // If none is provided, the default verification options are:
@@ -88,12 +88,12 @@ message ArtifactVerificationOptions {
 // Threshold: 1
 // Detached SCT: false
 // Disable: false
- optional CtfeOptions ctfe_options = 3;
+ optional CtlogOptions ctlog_options = 3;
 // Optional options for certificate signed timestamp verification.
 // If none is provided, the default verification options are:
 // Threshold: 1
 // Disable: false
- optional TsaOptions tsa_options = 4;
+ optional TimestampAuthorityOptions tsa_options = 4;
 }
 message Artifact {
@@ -116,11 +116,11 @@ message Input {
 // captured in this attribute.
 //
 // As there can be multiple certificate authorities and public keys
- // after the global trust root has ben filtered down to a smaller,
+ // after the global trust root has been filtered down to a smaller,
 // per artifact set, any implementors of the verification logic MUST
 // offer an interface where the calling client can provide a
 // function that finds the correct key/certificate authority to use,
- // as this selection is inherently dependant on the used key
+ // as this selection is inherently dependant on the used key
 // mechanism (e.g. a cloud KMS with a versioned key).
 // As an example the client can provide a method
 // `Verify(bytes artifact, bytes signature, string key_id)`
From e4783a29609a12f1e43d2cd8e8add2e9068bd161 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Mon, 7 Nov 2022 09:52:13 +0100
Subject: [PATCH 09/20] Updated how custom OIDs can be used for verification of the identity.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 11 +++++++++++
 protos/sigstore_verification.proto | 6 +++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index d4cf08ef..20fc74f2 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -117,6 +117,17 @@ message PublicKeyIdentifier {
 string hint = 1;
 }
+// An ASN1. OBJECT IDENTIFIER
+message ObjectIdentifier {
+ repeated int32 id = 1;
+}
+
+// An OID and the corresponding (byte) value.
+message ObjectIdentifierValuePair {
+ ObjectIdentifier oid = 1;
+ bytes value = 2;
+}
+
 message DistinguishedName {
 string organization = 1;
 string common_name = 2;
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
index f4c2ebec..04b56c10 100644
--- a/protos/sigstore_verification.proto
+++ b/protos/sigstore_verification.proto
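Review bot: `repeated int32 id = 1;` in the new ObjectIdentifier cannot represent every OID: arcs are unbounded non-negative integers, so negative values are meaningless here and arcs above 2^31-1 (for example the UUID-derived arcs under 2.25) do not fit and would be silently unrepresentable. A `repeated uint64` with a documented limit, the dotted-decimal string form, or the DER-encoded OID as `bytes` would all avoid that. The leading comment should also read `// An ASN.1 OBJECT IDENTIFIER`.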
@@ -15,6 +15,7 @@ syntax = "proto3";
 package dev.sigstore.verification.v1;
+import "sigstore_common.proto";
 import "sigstore_trustroot.proto";
 import "sigstore_bundle.proto";
@@ -40,7 +41,10 @@ message Identity {
 // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)
 string issuer = 1;
 SubjectAlternativeName san = 2;
- // TODO: add more optional attributes for identify verification.
+ // An unordered list of OIDs that must be verified.
+ // All OID/values provided in this list MUST exactly match against
+ // the values in the certificate for verification to be successful.
+ repeated dev.sigstore.common.v1.ObjectIdentifierValuePair oids = 3;
 }
 // A light-weight set of options/policies for identifying trusted signers,
From 34af7dc2ffeb6c801e370fe22eee839641125bdd Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Tue, 8 Nov 2022 15:51:51 +0100
Subject: [PATCH 10/20] Added key and signature type to public key.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 20fc74f2..c5e7a8b8 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -44,6 +44,15 @@ enum SignatureAlgorithm {
 ECDSA_P256_SHA_256 = 1; // See NIST FIPS 186-4
 ECDSA_P256_HMAC_SHA_256 = 2; // See RFC6979
 ED25519 = 3; // See RFC8032
+ RSA_PKCS1V5 = 4; // See RFC8017
+ RSA_PSS = 5; // See RFC8017
+}
+
+// Supported key types
+enum KeyType {
+ KEY_TYPE_UNSPECIFIED = 0;
+ PKCS1 = 1; // PEM: RSA PUBLIC KEY
+ PKCS8 = 2; // PEM: PUBLIC KEY
 }
 // HashOutput captures a digest of a 'message' (generic octet sequence)
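Review bot: The new comment on `oids` says listed OID/value pairs MUST match exactly but leaves two cases for each verifier to decide: a listed OID that is absent from the certificate (presumably a failure), and extensions present in the certificate that are not listed (presumably ignored, making the list a set of required constraints rather than an exhaustive description). It should also say what `value` is compared against, the raw DER extnValue bytes or the decoded contents, since "exactly match" differs between the two. Suggest adding `// A listed OID missing from the certificate is a verification failure;` / `// extensions not listed here are not constrained.` plus one line naming the byte encoding compared.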
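Review bot: `RSA_PKCS1V5 = 4` and `RSA_PSS = 5` do not fix the digest (and, for PSS, the MGF and salt length), unlike the ECDSA entries that name SHA-256, so a verifier cannot derive the full parameter set from the enum value alone; either name the digest in the value or document where it comes from. The same gap carries into the KeyFormat values added in patch 13 (`PKIX_RSA_PKCS1V5`, `PKIX_RSA_PSS` and their PKCS1 counterparts). In the new KeyType enum, `PKCS8 = 2; // PEM: PUBLIC KEY` is mislabelled: the "PUBLIC KEY" PEM block is a SubjectPublicKeyInfo (PKIX), whereas PKCS#8 is the private-key container. All values in both enums are also unprefixed, which lint tools flag and which can collide with sibling enums in the same package.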
@@ -97,10 +106,11 @@ message PublicKey {
 // Implementors MAY provide a mapping function from hint to PublicKey.
 string key_id = 1;
 // DER-encoded public key.
- // TODO: Add details on algorithm and parameters.
 optional bytes raw_bytes = 2;
+ KeyType key_type = 3;
+ SignatureAlgorithm signature_algorithm = 4;
 // Optional validity period for this key.
- optional TimeRange valid_for = 3;
+ optional TimeRange valid_for = 5;
 }
 // PublicKeyIdentifier can be used to identify an (out of band) delivered
From c0b00e8264dadb93300d02836314957f93c9b3ca Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Tue, 8 Nov 2022 15:53:16 +0100
Subject: [PATCH 11/20] Renamed key type to key encoding
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index c5e7a8b8..ba66a32b 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -48,8 +48,8 @@ enum SignatureAlgorithm {
 RSA_PSS = 5; // See RFC8017
 }
-// Supported key types
-enum KeyType {
+// Supported key encodings
+enum KeyEncoding {
 KEY_TYPE_UNSPECIFIED = 0;
 PKCS1 = 1; // PEM: RSA PUBLIC KEY
 PKCS8 = 2; // PEM: PUBLIC KEY
@@ -107,7 +107,7 @@ message PublicKey {
 string key_id = 1;
 // DER-encoded public key.
 optional bytes raw_bytes = 2;
- KeyType key_type = 3;
+ KeyEncoding key_encoding = 3;
 SignatureAlgorithm signature_algorithm = 4;
 // Optional validity period for this key.
 optional TimeRange valid_for = 5;
From 8d40c1e1d35ed4917b813a0667a746e073360464 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Wed, 9 Nov 2022 10:15:27 +0100
Subject: [PATCH 12/20] Updates from review.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index ba66a32b..24ba5590 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
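Review bot: `optional TimeRange valid_for = 5;` changes the field number of an existing field (3 → 5) instead of appending the new fields after it; that is only acceptable while PublicKey has not shipped in a release, because any already-serialized PublicKey would then decode `valid_for` as missing and `key_type` from the old bytes. The same renumbering recurs in patch 13 (PublicKey `valid_for` 5 → 4; TrustedRoot `ctlogs` and `timestamp_authorities`) and patch 17 (PublicKey 2/3/4 → 1/2/3; TransparencyLogInstance `public_key` and `log_id`). Once the schema is published, such numbers should be `reserved` and new fields appended instead.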
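Review bot: The enum is renamed to KeyEncoding but its zero value is still `KEY_TYPE_UNSPECIFIED = 0;`, so the prefix no longer matches the type name; rename it to `KEY_ENCODING_UNSPECIFIED = 0;` while the type is new. The same mismatch is reintroduced in patch 19, where the enum becomes PublicKeyDetails yet keeps `KEY_FORMAT_UNSPECIFIED`.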
@@ -51,8 +51,8 @@ enum SignatureAlgorithm {
 // Supported key encodings
 enum KeyEncoding {
 KEY_TYPE_UNSPECIFIED = 0;
- PKCS1 = 1; // PEM: RSA PUBLIC KEY
- PKCS8 = 2; // PEM: PUBLIC KEY
+ PKCS1 = 1;
+ PKIX = 2;
 }
 // HashOutput captures a digest of a 'message' (generic octet sequence)
@@ -104,7 +104,7 @@ message PublicKey {
 // by signer and verifier. See PublicKeyIdentifier for more
 // information.
 // Implementors MAY provide a mapping function from hint to PublicKey.
- string key_id = 1;
+ optional string key_id = 1;
 // DER-encoded public key.
 optional bytes raw_bytes = 2;
 KeyEncoding key_encoding = 3;
From 614ebfe84bbeaaf509d4a915e8f1168481676b1a Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Thu, 10 Nov 2022 08:39:35 +0100
Subject: [PATCH 13/20] Updated based on review. Signer identities are moved from trust root to verification options. Key encoding are grouped to key format to include signature algorithm.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 26 ++++++++++++++++++--------
 protos/sigstore_trustroot.proto | 6 ++----
 protos/sigstore_verification.proto | 23 +++++++++++++++++------
 3 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 24ba5590..d63d47ec 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
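Review bot: Dropping the PEM-label comments leaves `PKCS1 = 1;` and `PKIX = 2;` without any statement of which byte encoding each names, yet a verifier must pick the DER parser from this value. Suggest `PKCS1 = 1; // RSAPublicKey, RFC 8017 A.1.1` and `PKIX = 2; // SubjectPublicKeyInfo, RFC 5280 4.1.2.7`, which also makes explicit that PKCS1 only applies to RSA keys.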
@@ -48,11 +48,21 @@ enum SignatureAlgorithm {
 RSA_PSS = 5; // See RFC8017
 }
-// Supported key encodings
-enum KeyEncoding {
- KEY_TYPE_UNSPECIFIED = 0;
- PKCS1 = 1;
- PKIX = 2;
+// The permutations of signature algorithms and encoding schemas.
+// To avoid contradicting formats such as PKCS1 with ED25519 the valid
+// permutations are listed as a linear set instead of a cartesian set.
+enum KeyFormat {
+ KEY_FORMAT_UNSPECIFIED = 0;
+ // RSA
+ PKCS1_RSA_PKCS1V5 = 1; // See RFC8017
+ PKCS1_RSA_PSS = 2; // See RFC8017
+ PKIX_RSA_PKCS1V5 = 3;
+ PKIX_RSA_PSS = 4;
+ // ECDSA
+ PKIX_ECDSA_P256_SHA_256 = 5; // See NIST FIPS 186-4
+ PKIX_ECDSA_P256_HMAC_SHA_256 = 6; // See RFC6979
+ // Ed 25519
+ PKIX_ED25519 = 7; //  See RFC8032
 }
 // HashOutput captures a digest of a 'message' (generic octet sequence)
@@ -107,10 +117,10 @@ message PublicKey {
 optional string key_id = 1;
 // DER-encoded public key.
 optional bytes raw_bytes = 2;
- KeyEncoding key_encoding = 3;
- SignatureAlgorithm signature_algorithm = 4;
+ // Key encoding and signature algorithm.
+ KeyFormat key_format = 3;
 // Optional validity period for this key.
- optional TimeRange valid_for = 5;
+ optional TimeRange valid_for = 4;
 }
 // PublicKeyIdentifier can be used to identify an (out of band) delivered
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index 9352e6e9..b391cfab 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
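Review bot: In the new KeyFormat enum, values 3 and 4 (`PKIX_RSA_PKCS1V5`, `PKIX_RSA_PSS`) lack the `// See RFC8017` reference that values 1 and 2 carry, and the naming uses "PKCS1" for two different things, the RSAPublicKey encoding and the RSASSA-PKCS1-v1_5 signature scheme. A comment on the enum spelling out the pattern, e.g. `// Names are <key encoding>_<signature scheme>: PKCS1/PKIX name the DER` / `// encoding of the key, the remainder names the signature algorithm.`, would keep readers from conflating them. The context line shows `SignatureAlgorithm` still exists alongside this enum, so the algorithm list is now maintained in two places and can drift.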
@@ -82,10 +82,8 @@ message TrustedRoot {
 // The certificates are intended to be used for verifying artifact
 // signatures.
 repeated CertificateAuthority certificate_authorities = 2;
- // A set of public keys to trust for artifact signing.
- repeated dev.sigstore.common.v1.PublicKey public_keys = 3;
 // A set of trusted certificate transparency logs.
- repeated TransparencyLogInstance ctlogs = 4;
+ repeated TransparencyLogInstance ctlogs = 3;
 // A set of trusted timestamping authorities.
- repeated CertificateAuthority timestamp_authorities = 5;
+ repeated CertificateAuthority timestamp_authorities = 4;
 }
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
index 04b56c10..39d6a472 100644
--- a/protos/sigstore_verification.proto
+++ b/protos/sigstore_verification.proto
@@ -36,8 +36,8 @@ message SubjectAlternativeName {
 string value = 2;
 }
-// The identity of a signer.
-message Identity {
+// The identity of a X.509 Certificate signer.
+message CertificateIdentity {
 // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)
 string issuer = 1;
 SubjectAlternativeName san = 2;
@@ -47,6 +47,14 @@ message Identity {
 repeated dev.sigstore.common.v1.ObjectIdentifierValuePair oids = 3;
 }
+message CertificateIdentities {
+ repeated CertificateIdentity identities = 1;
+}
+
+message PublicKeyIdentities {
+ repeated dev.sigstore.common.v1.PublicKey public_keys = 1;
+}
+
 // A light-weight set of options/policies for identifying trusted signers,
 // used during verification of a single artifact.
 message ArtifactVerificationOptions {
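Review bot: The two new wrapper messages have no comments, and nothing says why a list is wrapped at all (presumably so the lists can be members of the `signers` oneof introduced in the same patch, since repeated fields cannot be oneof members). Suggest `// A list of certificate identities to accept as signers; wrapped so it can be a oneof member.` above CertificateIdentities and `// A list of trusted public keys to accept as signers; wrapped so it can be a oneof member.` above PublicKeyIdentities. It would also help to state whether an empty list in either wrapper is valid input or an error, because the surrounding options text treats zero identities as an error.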
@@ -80,24 +88,27 @@ message ArtifactVerificationOptions {
 // At least one identity MUST be provided. Providing zero identities
 // is an error. If at least one provided identity is found as a
 // signer, the verification is considered successful.
- repeated Identity signers = 1;
+ oneof signers {
+ CertificateIdentities certificate_identities = 1;
+ PublicKeyIdentities public_keys = 2;
+ }
 // Optional options for artifact transparency log verification.
 // If none is provided, the default verification options are:
 // Threshold: 1
 // Online verification: false
 // Disable: false
- optional TlogOptions tlog_options = 2;
+ optional TlogOptions tlog_options = 3;
 // Optional options for certificate transparency log verification.
 // If none is provided, the default verification options are:
 // Threshold: 1
 // Detached SCT: false
 // Disable: false
- optional CtlogOptions ctlog_options = 3;
+ optional CtlogOptions ctlog_options = 4;
 // Optional options for certificate signed timestamp verification.
 // If none is provided, the default verification options are:
 // Threshold: 1
 // Disable: false
- optional TimestampAuthorityOptions tsa_options = 4;
+ optional TimestampAuthorityOptions tsa_options = 5;
 }
 message Artifact {
From 73c72f5fe8575bdc92d01e67fc0fc6da281487b0 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Thu, 10 Nov 2022 08:51:43 +0100
Subject: [PATCH 14/20] Use ObjectIdentifier for oid, not string.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index d63d47ec..c318237f 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -98,7 +98,7 @@ message LogId {
 bytes key_id = 1;
 // Currently not used but proposed by
 // https://datatracker.ietf.org/doc/rfc9162/
- string oid = 2;
+ ObjectIdentifier oid = 2;
 }
 }
From efcd19ba6b1ef06f180f33dcc9fabee61b509b05 Mon Sep 17 00:00:00 2001
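Review bot: The comment above the new `oneof signers` still only says that zero identities is an error, but a oneof may legitimately have no member set, and each member is a wrapper whose list may itself be empty; both states are now distinct from "zero identities", and a verifier that reads either as "no constraint" would accept any signer. Suggest extending the comment with `// Leaving signers unset, or setting a wrapper with an empty list, is` / `// also an error and MUST fail verification.` The enclosing message starts outside the hunk.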
From: Fredrik Skogman
Date: Thu, 10 Nov 2022 09:01:58 +0100
Subject: [PATCH 15/20] Removed unnecessary comment.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_trustroot.proto | 2 --
 1 file changed, 2 deletions(-)
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index b391cfab..f0b2f149 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -54,8 +54,6 @@ message CertificateAuthority {
 // The time the *entire* chain was valid. This is at max the
 // longest interval when *all* certificates in the chain where valid,
 // but it MAY be shorter.
- // The time range is half-open and does not include the end
- // timestamp, i.e [valid_for.start, valid_for.end).
 dev.sigstore.common.v1.TimeRange valid_for = 4;
 }
From 55d36d29d74dc39f9729d0b1062215cff8274f47 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Thu, 10 Nov 2022 09:47:41 +0100
Subject: [PATCH 16/20] Updated some comments.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 12 ++++++++
 protos/sigstore_verification.proto | 48 ++++++++++--------------------
 2 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index c318237f..7cf6565f 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -158,6 +158,18 @@ message X509Certificate {
 bytes raw_bytes = 1;
 }
+enum SubjectAlternativeNameType {
+ DNS = 0;
+ Email = 1;
+ URI = 2;
+}
+
+message SubjectAlternativeName {
+ SubjectAlternativeNameType type = 1;
+ // A regular expression describing the expected value for the SAN.
+ string value = 2;
+}
+
 // A chain of X.509 certificates.
 message X509CertificateChain {
 // The chain of certificates, with indices 0 to n.
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
index 39d6a472..d19f8b78 100644
--- a/protos/sigstore_verification.proto
+++ b/protos/sigstore_verification.proto
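Review bot: Deleting the half-open-interval sentence removes the only visible statement of whether `valid_for.end` is inclusive, unless `TimeRange` itself documents it, which this page does not show. Rather than dropping it, move it onto the `TimeRange` message in sigstore_common.proto as `// The range is half-open, [start, end): end itself is excluded.` so that every field of that type (this `valid_for` and the one on PublicKey) inherits a single definition and implementations agree on the boundary second.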
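Review bot: The new SubjectAlternativeNameType gives business meaning to the zero value (`DNS = 0`), so an unset `type` silently means DNS; the values are also unprefixed and inconsistently cased (`Email`). Suggest `SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED = 0;` followed by `_DNS = 1;`, `_EMAIL = 2;`, `_URI = 3;` with the type prefix, while the type is new. Separately, `value` is documented as a regular expression but not whether it must match the whole SAN or may match a substring, nor which dialect is meant; an unanchored substring match accepts names the pattern was not written for, so the comment should say the expression MUST match the entire SAN value and name the dialect (e.g. RE2).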
@@ -24,23 +24,11 @@ option java_package = "dev.sigstore.proto.verification.v1";
 option java_multiple_files = true;
 option java_outer_classname = "VerificationProto";
-enum SubjectAlternativeNameType {
- DNS = 0;
- Email = 1;
- URI = 2;
-}
-
-message SubjectAlternativeName {
- SubjectAlternativeNameType type = 1;
- // A regular expression describing the expected value for the SAN.
- string value = 2;
-}
-
 // The identity of a X.509 Certificate signer.
 message CertificateIdentity {
 // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1)
 string issuer = 1;
- SubjectAlternativeName san = 2;
+ dev.sigstore.common.v1.SubjectAlternativeName san = 2;
 // An unordered list of OIDs that must be verified.
 // All OID/values provided in this list MUST exactly match against
 // the values in the certificate for verification to be successful.
@@ -62,7 +50,6 @@ message ArtifactVerificationOptions {
 // Number of transparency logs the entry must appear on.
 int32 threshold = 1;
 // Perform an online inclusion proof.
- // TODO: @haydentherapper: wanna punt this for now?
 bool perform_online_verification = 2;
 // Disable verification for transparency logs.
 bool disable = 3;
@@ -90,6 +77,15 @@ message ArtifactVerificationOptions {
 // signer, the verification is considered successful.
 oneof signers {
 CertificateIdentities certificate_identities = 1;
+ // To simplify verification implementation, the logic for
+ // bundle verification should be implemented as a
+ // higher-order function, where one of argument should be an
+ // interface over the set of trusted public keys, like this:
+ // `Verify(bytes artifact, bytes signature, string key_id)`.
+ // This way the caller is in full control of mapping the
+ // identified (or hinted) key in the bundle to one of the
+ // trusted keys, as this process is inherently application
+ // specific.
 PublicKeyIdentities public_keys = 2;
 }
 // Optional options for artifact transparency log verification.
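Review bot: The new comment reads "where one of argument should be"; it should be `// higher-order function, where one of the arguments should be an`. It also describes mapping "the identified (or hinted) key in the bundle" via `key_id` but never names the bundle field that carries the hint; presumably that is `PublicKeyIdentifier.hint` from sigstore_common.proto, and naming it here would make the contract checkable. The oneof starts inside the hunk but the enclosing message continues outside it.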
@@ -124,25 +120,13 @@ message Artifact {
 // to verify a single artifact referenced by the bundle.
 message Input {
 // The verification materials provided during a bundle verification.
- // The "instance" is usually preloaded with a "resolved"
+ // The running process is usually preloaded with a "global"
 // dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to
- // verifying an artifact (i.e a bundle) some selection is expected
- // to happen, to filter out the exact authorities to use, which is
- // captured in this attribute.
- //
- // As there can be multiple certificate authorities and public keys
- // after the global trust root has been filtered down to a smaller,
- // per artifact set, any implementors of the verification logic MUST
- // offer an interface where the calling client can provide a
- // function that finds the correct key/certificate authority to use,
- // as this selection is inherently dependant on the used key
- // mechanism (e.g. a cloud KMS with a versioned key).
- // As an example the client can provide a method
- // `Verify(bytes artifact, bytes signature, string key_id)`
- // that the caller implements over the set of trusted public keys,
- // (filtered for this artifact). This way the verification code does
- // not need to deal with context depandant key selection, different
- // key types etc.
+ // verifying an artifact (i.e a bundle), and/or based on current
+ // policy, some selection is expected to happen, to filter out the
+ // exact certificate authority to use, which transparency logs are
+ // relevant etc. The result should b ecaptured in the
+ // `artifact_trust_root`.
 dev.sigstore.trustroot.v1.TrustedRoot artifact_trust_root = 1;
 ArtifactVerificationOptions artifact_verification_options = 2;
 dev.sigstore.bundle.v1.Bundle bundle = 3;
From a027744152c9e93b331105dc459974bf9d1f947c Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Mon, 14 Nov 2022 10:00:15 +0100
Subject: [PATCH 17/20] Updates based on review.
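Review bot: The new text contains a typo, "b ecaptured", fixed by `// relevant etc. The result should be captured in the`. The unchanged context line it now follows, `// dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to`, misspells the package and puts the version after the type; the name used on the field below is `dev.sigstore.trustroot.v1.TrustedRoot`. "i.e a bundle" would also read better as "i.e. a bundle".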
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 11 +++--------
 protos/sigstore_trustroot.proto | 7 +++----
 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 7cf6565f..14aecf34 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -110,17 +110,12 @@ message RFC3161SignedTimestamp {
 }
 message PublicKey {
- // Optional key identifier. Format must be agreed upon out of band
- // by signer and verifier. See PublicKeyIdentifier for more
- // information.
- // Implementors MAY provide a mapping function from hint to PublicKey.
- optional string key_id = 1;
 // DER-encoded public key.
- optional bytes raw_bytes = 2;
+ optional bytes raw_bytes = 1;
 // Key encoding and signature algorithm.
- KeyFormat key_format = 3;
+ KeyFormat key_format = 2;
 // Optional validity period for this key.
- optional TimeRange valid_for = 4;
+ optional TimeRange valid_for = 3;
 }
 // PublicKeyIdentifier can be used to identify an (out of band) delivered
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index f0b2f149..1b56b73d 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -33,12 +33,11 @@ message TransparencyLogInstance {
 string base_url = 1;
 // The hash algorithm used for the Merkle Tree.
 dev.sigstore.common.v1.HashAlgorithm hash_algorithm = 2;
- // The signature algorithm used.
- dev.sigstore.common.v1.SignatureAlgorithm signature_algorithm = 3;
 // The public key used to verify signatures generated by the log.
- dev.sigstore.common.v1.PublicKey public_key = 4;
+ // This attribute contains the signature algorithm used by the log.
+ dev.sigstore.common.v1.PublicKey public_key = 3;
 // The unique identifier for this transparency log.
- dev.sigstore.common.v1.LogId log_id = 5;
+ dev.sigstore.common.v1.LogId log_id = 4;
 }
 // CertificateAuthority enlists the information required to identify which
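Review bot: With `key_id` removed, a `PublicKey` in the trust material no longer carries any identifier, so the `Verify(bytes artifact, bytes signature, string key_id)` guidance left in sigstore_verification.proto now relies entirely on the caller to map a bundle-side hint onto one of these keys, and the deleted comment was the only place that said the hint format is agreed out of band. Suggest restating that on the message: `// A PublicKey carries no identifier; matching a key hint in a bundle` / `// (see PublicKeyIdentifier) to an entry is the caller's responsibility.` The message also gains no comment of its own, so a one-line purpose statement above `message PublicKey {` would help.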
From f4e47fbe95f5576a8854efa937f3e49b1f18e645 Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Tue, 15 Nov 2022 09:30:56 +0100
Subject: [PATCH 18/20] Corrected some spelling errors on some comments.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_trustroot.proto | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index 1b56b73d..255c6734 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -51,7 +51,7 @@ message CertificateAuthority {
 // The certificate chain for this CA.
 dev.sigstore.common.v1.X509CertificateChain cert_chain = 3;
 // The time the *entire* chain was valid. This is at max the
- // longest interval when *all* certificates in the chain where valid,
+ // longest interval when *all* certificates in the chain were valid,
 // but it MAY be shorter.
 dev.sigstore.common.v1.TimeRange valid_for = 4;
 }
@@ -63,7 +63,7 @@ message CertificateAuthority {
 // The TrustedRoot is not meant to be used for any artifact verification, only
 // to capture the complete/global set of trusted verification materials.
 // When verifying an artifact, based on the artifact and policies, a selection
-// of keys/authorities are epxected to be extracted and provided to the
+// of keys/authorities are expected to be extracted and provided to the
 // verification function. This way the set of keys/authorities kan be kept to
 // a minimal set by the policy to gain better control over what signatures
 // that are allowed.
From 9c9d4bfd5d92e9b1ab1f48ce01c6542c40328a8d Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Tue, 15 Nov 2022 09:31:23 +0100
Subject: [PATCH 19/20] Renamed KeyFormat to PublicKeyDetails to clarify what the message contains.
Signed-off-by: Fredrik Skogman
---
 protos/sigstore_common.proto | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 14aecf34..876d14a4 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -48,10 +48,13 @@ enum SignatureAlgorithm {
 RSA_PSS = 5; // See RFC8017
 }
-// The permutations of signature algorithms and encoding schemas.
-// To avoid contradicting formats such as PKCS1 with ED25519 the valid
-// permutations are listed as a linear set instead of a cartesian set.
-enum KeyFormat {
+// Details of a specific public key, capturing the the key encoding method,
+// and signature algorithm.
+// To avoid the possibility of contradicting formats such as PKCS1 with
+// ED25519 the valid permutations are listed as a linear set instead of a
+// cartesian set (i.e one combined variable instead of two, one for encoding
+// and one for the signature algorithm).
+enum PublicKeyDetails {
 KEY_FORMAT_UNSPECIFIED = 0;
 // RSA
 PKCS1_RSA_PKCS1V5 = 1; // See RFC8017
@@ -110,10 +113,11 @@ message RFC3161SignedTimestamp {
 }
 message PublicKey {
- // DER-encoded public key.
+ // DER-encoded public key, encoding method is specified by the
+ // key_details attribute.
 optional bytes raw_bytes = 1;
- // Key encoding and signature algorithm.
- KeyFormat key_format = 2;
+ // Key encoding and signature algorithm to use for this key.
+ PublicKeyDetails key_details = 2;
 // Optional validity period for this key.
 optional TimeRange valid_for = 3;
 }
From ad5ffe19995d693817607c041b16d93745a6fd4d Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Tue, 15 Nov 2022 10:34:20 +0100
Subject: [PATCH 20/20] Updated protobuf files to match new go package. Updated makefile to build all proto files.
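Review bot: The new enum comment has a doubled word, "capturing the the key encoding method", fixed by `// Details of a specific public key, capturing the key encoding method,`, and "i.e one" should be "i.e. one". The comment still describes the combined value as avoiding "contradicting formats" without saying what a reader should do with an unknown value; since proto3 preserves unknown enum numbers, one line such as `// Verifiers MUST reject keys whose details value they do not recognise.` would make the fail-closed expectation explicit. The enum body continues outside the hunk.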
Signed-off-by: Fredrik Skogman
---
 gen/pb-go/common/v1/sigstore_common.pb.go | 988 ++++++++++++++--
 gen/pb-go/rekor/v1/sigstore_rekor.pb.go | 205 ++--
 .../trustroot/v1/sigstore_trustroot.pb.go | 469 ++++++++
 .../v1/sigstore_verification.pb.go | 1018 +++++++++++++++++
 protos/sigstore_trustroot.proto | 2 +-
 protos/sigstore_verification.proto | 2 +-
 6 files changed, 2452 insertions(+), 232 deletions(-)
 create mode 100644 gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
 create mode 100644 gen/pb-go/verification/v1/sigstore_verification.pb.go
diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go
index fe32e199..24b61cfa 100644
--- a/gen/pb-go/common/v1/sigstore_common.pb.go
+++ b/gen/pb-go/common/v1/sigstore_common.pb.go
@@ -23,6 +23,7 @@ package v1 import ( protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" + timestamppb "google.golang.org/protobuf/types/known/timestamppb" reflect "reflect" sync "sync" )
@@ -90,6 +91,187 @@ func (HashAlgorithm) EnumDescriptor() ([]byte, []int) { return file_sigstore_common_proto_rawDescGZIP(), []int{0} } +// Subset of known signature algorithms. +type SignatureAlgorithm int32 + +const ( + SignatureAlgorithm_SIGNATURE_ALGORITHM_UNSPECIFIED SignatureAlgorithm = 0 + SignatureAlgorithm_ECDSA_P256_SHA_256 SignatureAlgorithm = 1 // See NIST FIPS 186-4 + SignatureAlgorithm_ECDSA_P256_HMAC_SHA_256 SignatureAlgorithm = 2 // See RFC6979 + SignatureAlgorithm_ED25519 SignatureAlgorithm = 3 // See RFC8032 + SignatureAlgorithm_RSA_PKCS1V5 SignatureAlgorithm = 4 // See RFC8017 + SignatureAlgorithm_RSA_PSS SignatureAlgorithm = 5 // See RFC8017 +) + +// Enum value maps for SignatureAlgorithm. +var ( + SignatureAlgorithm_name = map[int32]string{ + 0: "SIGNATURE_ALGORITHM_UNSPECIFIED", + 1: "ECDSA_P256_SHA_256", + 2: "ECDSA_P256_HMAC_SHA_256", + 3: "ED25519", + 4: "RSA_PKCS1V5", + 5: "RSA_PSS", + } + SignatureAlgorithm_value = map[string]int32{ + "SIGNATURE_ALGORITHM_UNSPECIFIED": 0, + "ECDSA_P256_SHA_256": 1, + "ECDSA_P256_HMAC_SHA_256": 2, + "ED25519": 3, + "RSA_PKCS1V5": 4, + "RSA_PSS": 5, + } +) + +func (x SignatureAlgorithm) Enum() *SignatureAlgorithm { + p := new(SignatureAlgorithm) + *p = x + return p +} + +func (x SignatureAlgorithm) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (SignatureAlgorithm) Descriptor() protoreflect.EnumDescriptor { + return file_sigstore_common_proto_enumTypes[1].Descriptor() +} + +func (SignatureAlgorithm) Type() protoreflect.EnumType { + return &file_sigstore_common_proto_enumTypes[1] +} + +func (x SignatureAlgorithm) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use SignatureAlgorithm.Descriptor instead. 
+func (SignatureAlgorithm) EnumDescriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{1} +} + +// Details of a specific public key, capturing the the key encoding method, +// and signature algorithm. +// To avoid the possibility of contradicting formats such as PKCS1 with +// ED25519 the valid permutations are listed as a linear set instead of a +// cartesian set (i.e one combined variable instead of two, one for encoding +// and one for the signature algorithm). +type PublicKeyDetails int32 + +const ( + PublicKeyDetails_KEY_FORMAT_UNSPECIFIED PublicKeyDetails = 0 + // RSA + PublicKeyDetails_PKCS1_RSA_PKCS1V5 PublicKeyDetails = 1 // See RFC8017 + PublicKeyDetails_PKCS1_RSA_PSS PublicKeyDetails = 2 // See RFC8017 + PublicKeyDetails_PKIX_RSA_PKCS1V5 PublicKeyDetails = 3 + PublicKeyDetails_PKIX_RSA_PSS PublicKeyDetails = 4 + // ECDSA + PublicKeyDetails_PKIX_ECDSA_P256_SHA_256 PublicKeyDetails = 5 // See NIST FIPS 186-4 + PublicKeyDetails_PKIX_ECDSA_P256_HMAC_SHA_256 PublicKeyDetails = 6 // See RFC6979 + // Ed 25519 + PublicKeyDetails_PKIX_ED25519 PublicKeyDetails = 7 // See RFC8032 +) + +// Enum value maps for PublicKeyDetails. 
+var ( + PublicKeyDetails_name = map[int32]string{ + 0: "KEY_FORMAT_UNSPECIFIED", + 1: "PKCS1_RSA_PKCS1V5", + 2: "PKCS1_RSA_PSS", + 3: "PKIX_RSA_PKCS1V5", + 4: "PKIX_RSA_PSS", + 5: "PKIX_ECDSA_P256_SHA_256", + 6: "PKIX_ECDSA_P256_HMAC_SHA_256", + 7: "PKIX_ED25519", + } + PublicKeyDetails_value = map[string]int32{ + "KEY_FORMAT_UNSPECIFIED": 0, + "PKCS1_RSA_PKCS1V5": 1, + "PKCS1_RSA_PSS": 2, + "PKIX_RSA_PKCS1V5": 3, + "PKIX_RSA_PSS": 4, + "PKIX_ECDSA_P256_SHA_256": 5, + "PKIX_ECDSA_P256_HMAC_SHA_256": 6, + "PKIX_ED25519": 7, + } +) + +func (x PublicKeyDetails) Enum() *PublicKeyDetails { + p := new(PublicKeyDetails) + *p = x + return p +} + +func (x PublicKeyDetails) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (PublicKeyDetails) Descriptor() protoreflect.EnumDescriptor { + return file_sigstore_common_proto_enumTypes[2].Descriptor() +} + +func (PublicKeyDetails) Type() protoreflect.EnumType { + return &file_sigstore_common_proto_enumTypes[2] +} + +func (x PublicKeyDetails) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use PublicKeyDetails.Descriptor instead. +func (PublicKeyDetails) EnumDescriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{2} +} + +type SubjectAlternativeNameType int32 + +const ( + SubjectAlternativeNameType_DNS SubjectAlternativeNameType = 0 + SubjectAlternativeNameType_Email SubjectAlternativeNameType = 1 + SubjectAlternativeNameType_URI SubjectAlternativeNameType = 2 +) + +// Enum value maps for SubjectAlternativeNameType. 
+var ( + SubjectAlternativeNameType_name = map[int32]string{ + 0: "DNS", + 1: "Email", + 2: "URI", + } + SubjectAlternativeNameType_value = map[string]int32{ + "DNS": 0, + "Email": 1, + "URI": 2, + } +) + +func (x SubjectAlternativeNameType) Enum() *SubjectAlternativeNameType { + p := new(SubjectAlternativeNameType) + *p = x + return p +} + +func (x SubjectAlternativeNameType) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (SubjectAlternativeNameType) Descriptor() protoreflect.EnumDescriptor { + return file_sigstore_common_proto_enumTypes[3].Descriptor() +} + +func (SubjectAlternativeNameType) Type() protoreflect.EnumType { + return &file_sigstore_common_proto_enumTypes[3] +} + +func (x SubjectAlternativeNameType) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use SubjectAlternativeNameType.Descriptor instead. +func (SubjectAlternativeNameType) EnumDescriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{3} +} + // HashOutput captures a digest of a 'message' (generic octet sequence) // and the corresponding hash algorithm used. type HashOutput struct { 
@@ -214,6 +396,92 @@ func (x *MessageSignature) GetSignature() []byte { return nil } +// LogId captures the identity of a transparency log. +type LogId struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Id: + // *LogId_KeyId + // *LogId_Oid + Id isLogId_Id `protobuf_oneof:"id"` +} + +func (x *LogId) Reset() { + *x = LogId{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *LogId) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*LogId) ProtoMessage() {} + +func (x *LogId) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use LogId.ProtoReflect.Descriptor instead. +func (*LogId) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{2} +} + +func (m *LogId) GetId() isLogId_Id { + if m != nil { + return m.Id + } + return nil +} + +func (x *LogId) GetKeyId() []byte { + if x, ok := x.GetId().(*LogId_KeyId); ok { + return x.KeyId + } + return nil +} + +func (x *LogId) GetOid() *ObjectIdentifier { + if x, ok := x.GetId().(*LogId_Oid); ok { + return x.Oid + } + return nil +} + +type isLogId_Id interface { + isLogId_Id() +} + +type LogId_KeyId struct { + // The unique id of the log, represented as the SHA-256 hash + // of the log's public key, computed over the DER encoding. 
+ // https://www.rfc-editor.org/rfc/rfc6962#section-3.2 + KeyId []byte `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3,oneof"` +} + +type LogId_Oid struct { + // Currently not used but proposed by + // https://datatracker.ietf.org/doc/rfc9162/ + Oid *ObjectIdentifier `protobuf:"bytes,2,opt,name=oid,proto3,oneof"` +} + +func (*LogId_KeyId) isLogId_Id() {} + +func (*LogId_Oid) isLogId_Id() {} + // This message holds a RFC 3161 timestamp. type RFC3161SignedTimestamp struct { state protoimpl.MessageState @@ -228,7 +496,7 @@ type RFC3161SignedTimestamp struct { func (x *RFC3161SignedTimestamp) Reset() { *x = RFC3161SignedTimestamp{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[2] + mi := &file_sigstore_common_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -241,7 +509,7 @@ func (x *RFC3161SignedTimestamp) String() string { func (*RFC3161SignedTimestamp) ProtoMessage() {} func (x *RFC3161SignedTimestamp) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[2] + mi := &file_sigstore_common_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -254,7 +522,7 @@ func (x *RFC3161SignedTimestamp) ProtoReflect() protoreflect.Message { // Deprecated: Use RFC3161SignedTimestamp.ProtoReflect.Descriptor instead. func (*RFC3161SignedTimestamp) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{2} + return file_sigstore_common_proto_rawDescGZIP(), []int{3} } func (x *RFC3161SignedTimestamp) GetSignedTimestamp() []byte { 
@@ -264,6 +532,73 @@ func (x *RFC3161SignedTimestamp) GetSignedTimestamp() []byte { return nil } +type PublicKey struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // DER-encoded public key, encoding method is specified by the + // key_details attribute. + RawBytes []byte `protobuf:"bytes,1,opt,name=raw_bytes,json=rawBytes,proto3,oneof" json:"raw_bytes,omitempty"` + // Key encoding and signature algorithm to use for this key. + KeyDetails PublicKeyDetails `protobuf:"varint,2,opt,name=key_details,json=keyDetails,proto3,enum=dev.sigstore.common.v1.PublicKeyDetails" json:"key_details,omitempty"` + // Optional validity period for this key. + ValidFor *TimeRange `protobuf:"bytes,3,opt,name=valid_for,json=validFor,proto3,oneof" json:"valid_for,omitempty"` +} + +func (x *PublicKey) Reset() { + *x = PublicKey{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PublicKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PublicKey) ProtoMessage() {} + +func (x *PublicKey) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PublicKey.ProtoReflect.Descriptor instead. 
+func (*PublicKey) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{4} +} + +func (x *PublicKey) GetRawBytes() []byte { + if x != nil { + return x.RawBytes + } + return nil +} + +func (x *PublicKey) GetKeyDetails() PublicKeyDetails { + if x != nil { + return x.KeyDetails + } + return PublicKeyDetails_KEY_FORMAT_UNSPECIFIED +} + +func (x *PublicKey) GetValidFor() *TimeRange { + if x != nil { + return x.ValidFor + } + return nil +} + // PublicKeyIdentifier can be used to identify an (out of band) delivered // key, to verify a signature. type PublicKeyIdentifier struct { @@ -285,7 +620,7 @@ type PublicKeyIdentifier struct { func (x *PublicKeyIdentifier) Reset() { *x = PublicKeyIdentifier{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[3] + mi := &file_sigstore_common_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -298,7 +633,7 @@ func (x *PublicKeyIdentifier) String() string { func (*PublicKeyIdentifier) ProtoMessage() {} func (x *PublicKeyIdentifier) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[3] + mi := &file_sigstore_common_proto_msgTypes[5] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -311,7 +646,7 @@ func (x *PublicKeyIdentifier) ProtoReflect() protoreflect.Message { // Deprecated: Use PublicKeyIdentifier.ProtoReflect.Descriptor instead. func (*PublicKeyIdentifier) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{3} + return file_sigstore_common_proto_rawDescGZIP(), []int{5} } func (x *PublicKeyIdentifier) GetHint() string { 
@@ -321,6 +656,165 @@ func (x *PublicKeyIdentifier) GetHint() string { return "" } +// An ASN1. OBJECT IDENTIFIER +type ObjectIdentifier struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Id []int32 `protobuf:"varint,1,rep,packed,name=id,proto3" json:"id,omitempty"` +} + +func (x *ObjectIdentifier) Reset() { + *x = ObjectIdentifier{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ObjectIdentifier) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ObjectIdentifier) ProtoMessage() {} + +func (x *ObjectIdentifier) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ObjectIdentifier.ProtoReflect.Descriptor instead. +func (*ObjectIdentifier) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{6} +} + +func (x *ObjectIdentifier) GetId() []int32 { + if x != nil { + return x.Id + } + return nil +} + +// An OID and the corresponding (byte) value. 
+type ObjectIdentifierValuePair struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Oid *ObjectIdentifier `protobuf:"bytes,1,opt,name=oid,proto3" json:"oid,omitempty"` + Value []byte `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` +} + +func (x *ObjectIdentifierValuePair) Reset() { + *x = ObjectIdentifierValuePair{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ObjectIdentifierValuePair) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ObjectIdentifierValuePair) ProtoMessage() {} + +func (x *ObjectIdentifierValuePair) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ObjectIdentifierValuePair.ProtoReflect.Descriptor instead. 
+func (*ObjectIdentifierValuePair) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{7} +} + +func (x *ObjectIdentifierValuePair) GetOid() *ObjectIdentifier { + if x != nil { + return x.Oid + } + return nil +} + +func (x *ObjectIdentifierValuePair) GetValue() []byte { + if x != nil { + return x.Value + } + return nil +} + +type DistinguishedName struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Organization string `protobuf:"bytes,1,opt,name=organization,proto3" json:"organization,omitempty"` + CommonName string `protobuf:"bytes,2,opt,name=common_name,json=commonName,proto3" json:"common_name,omitempty"` +} + +func (x *DistinguishedName) Reset() { + *x = DistinguishedName{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *DistinguishedName) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*DistinguishedName) ProtoMessage() {} + +func (x *DistinguishedName) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[8] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use DistinguishedName.ProtoReflect.Descriptor instead. +func (*DistinguishedName) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{8} +} + +func (x *DistinguishedName) GetOrganization() string { + if x != nil { + return x.Organization + } + return "" +} + +func (x *DistinguishedName) GetCommonName() string { + if x != nil { + return x.CommonName + } + return "" +} + type X509Certificate struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -333,7 +827,7 @@ type X509Certificate struct { func (x *X509Certificate) Reset() { *x = X509Certificate{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[4] + mi := &file_sigstore_common_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -346,7 +840,7 @@ func (x *X509Certificate) String() string { func (*X509Certificate) ProtoMessage() {} func (x *X509Certificate) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[4] + mi := &file_sigstore_common_proto_msgTypes[9] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -359,7 +853,7 @@ func (x *X509Certificate) ProtoReflect() protoreflect.Message { // Deprecated: Use X509Certificate.ProtoReflect.Descriptor instead. func (*X509Certificate) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{4} + return file_sigstore_common_proto_rawDescGZIP(), []int{9} } func (x *X509Certificate) GetRawBytes() []byte { 
@@ -369,6 +863,62 @@ func (x *X509Certificate) GetRawBytes() []byte { return nil } +type SubjectAlternativeName struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Type SubjectAlternativeNameType `protobuf:"varint,1,opt,name=type,proto3,enum=dev.sigstore.common.v1.SubjectAlternativeNameType" json:"type,omitempty"` + // A regular expression describing the expected value for the SAN. + Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` +} + +func (x *SubjectAlternativeName) Reset() { + *x = SubjectAlternativeName{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *SubjectAlternativeName) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*SubjectAlternativeName) ProtoMessage() {} + +func (x *SubjectAlternativeName) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[10] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use SubjectAlternativeName.ProtoReflect.Descriptor instead. +func (*SubjectAlternativeName) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{10} +} + +func (x *SubjectAlternativeName) GetType() SubjectAlternativeNameType { + if x != nil { + return x.Type + } + return SubjectAlternativeNameType_DNS +} + +func (x *SubjectAlternativeName) GetValue() string { + if x != nil { + return x.Value + } + return "" +} + // A chain of X.509 certificates. type X509CertificateChain struct { state protoimpl.MessageState 
@@ -386,7 +936,7 @@ type X509CertificateChain struct { func (x *X509CertificateChain) Reset() { *x = X509CertificateChain{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[5] + mi := &file_sigstore_common_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -399,7 +949,7 @@ func (x *X509CertificateChain) String() string { func (*X509CertificateChain) ProtoMessage() {} func (x *X509CertificateChain) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[5] + mi := &file_sigstore_common_proto_msgTypes[11] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -412,7 +962,7 @@ func (x *X509CertificateChain) ProtoReflect() protoreflect.Message { // Deprecated: Use X509CertificateChain.ProtoReflect.Descriptor instead. func (*X509CertificateChain) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{5} + return file_sigstore_common_proto_rawDescGZIP(), []int{11} } func (x *X509CertificateChain) GetCertificates() []*X509Certificate { @@ -438,7 +988,7 @@ type VerificationMaterial struct { func (x *VerificationMaterial) Reset() { *x = VerificationMaterial{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_common_proto_msgTypes[6] + mi := &file_sigstore_common_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -451,7 +1001,7 @@ func (x *VerificationMaterial) String() string { func (*VerificationMaterial) ProtoMessage() {} func (x *VerificationMaterial) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_common_proto_msgTypes[6] + mi := &file_sigstore_common_proto_msgTypes[12] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -464,7 +1014,7 @@ func (x *VerificationMaterial) ProtoReflect() protoreflect.Message { // Deprecated: Use VerificationMaterial.ProtoReflect.Descriptor instead. func (*VerificationMaterial) Descriptor() ([]byte, []int) { - return file_sigstore_common_proto_rawDescGZIP(), []int{6} + return file_sigstore_common_proto_rawDescGZIP(), []int{12} } func (m *VerificationMaterial) GetContent() isVerificationMaterial_Content { 
@@ -504,68 +1054,206 @@ func (*VerificationMaterial_PublicKey) isVerificationMaterial_Content() {} func (*VerificationMaterial_X509CertificateChain) isVerificationMaterial_Content() {} +// The time range is half-open and does not include the end timestamp, +// i.e [start, end). +// End is optional to be able to capture a period that has started but +// has no known end. +type TimeRange struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Start *timestamppb.Timestamp `protobuf:"bytes,1,opt,name=start,proto3" json:"start,omitempty"` + End *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=end,proto3,oneof" json:"end,omitempty"` +} + +func (x *TimeRange) Reset() { + *x = TimeRange{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_common_proto_msgTypes[13] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *TimeRange) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TimeRange) ProtoMessage() {} + +func (x *TimeRange) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_common_proto_msgTypes[13] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TimeRange.ProtoReflect.Descriptor instead. 
+func (*TimeRange) Descriptor() ([]byte, []int) { + return file_sigstore_common_proto_rawDescGZIP(), []int{13} +} + +func (x *TimeRange) GetStart() *timestamppb.Timestamp { + if x != nil { + return x.Start + } + return nil +} + +func (x *TimeRange) GetEnd() *timestamppb.Timestamp { + if x != nil { + return x.End + } + return nil +} + var File_sigstore_common_proto protoreflect.FileDescriptor var file_sigstore_common_proto_rawDesc = []byte{ 0x0a, 0x15, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x16, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x22, - 0x69, 0x0a, 0x0a, 0x48, 0x61, 0x73, 0x68, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x12, 0x43, 0x0a, - 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, - 0x32, 0x25, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x41, 0x6c, - 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, - 0x68, 0x6d, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x22, 0x7b, 0x0a, 0x10, 0x4d, 0x65, - 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, 0x49, - 0x0a, 0x0e, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, - 0x48, 0x61, 0x73, 0x68, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x52, 0x0d, 0x6d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x73, 
0x69, 0x67, - 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, 0x69, - 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x22, 0x43, 0x0a, 0x16, 0x52, 0x46, 0x43, 0x33, 0x31, - 0x36, 0x31, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, - 0x70, 0x12, 0x29, 0x0a, 0x10, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, - 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0f, 0x73, 0x69, 0x67, - 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0x29, 0x0a, 0x13, - 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, - 0x69, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x22, 0x2e, 0x0a, 0x0f, 0x58, 0x35, 0x30, 0x39, 0x43, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x1a, + 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, + 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x22, 0x69, 0x0a, 0x0a, 0x48, 0x61, 0x73, 0x68, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x12, 0x43, + 0x0a, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x25, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x41, + 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x52, 0x09, 0x61, 0x6c, 0x67, 0x6f, 0x72, 0x69, + 0x74, 0x68, 0x6d, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0c, 0x52, 0x06, 0x64, 0x69, 0x67, 0x65, 0x73, 0x74, 0x22, 0x7b, 0x0a, 0x10, 0x4d, + 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x12, + 0x49, 0x0a, 0x0e, 0x6d, 
0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x5f, 0x64, 0x69, 0x67, 0x65, 0x73, + 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, + 0x2e, 0x48, 0x61, 0x73, 0x68, 0x4f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x52, 0x0d, 0x6d, 0x65, 0x73, + 0x73, 0x61, 0x67, 0x65, 0x44, 0x69, 0x67, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x73, 0x69, + 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x73, + 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x22, 0x64, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x49, + 0x64, 0x12, 0x17, 0x0a, 0x06, 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0c, 0x48, 0x00, 0x52, 0x05, 0x6b, 0x65, 0x79, 0x49, 0x64, 0x12, 0x3c, 0x0a, 0x03, 0x6f, 0x69, + 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, + 0x2e, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, + 0x72, 0x48, 0x00, 0x52, 0x03, 0x6f, 0x69, 0x64, 0x42, 0x04, 0x0a, 0x02, 0x69, 0x64, 0x22, 0x43, + 0x0a, 0x16, 0x52, 0x46, 0x43, 0x33, 0x31, 0x36, 0x31, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x54, + 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x12, 0x29, 0x0a, 0x10, 0x73, 0x69, 0x67, 0x6e, + 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0c, 0x52, 0x0f, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, + 0x61, 0x6d, 0x70, 0x22, 0xd9, 0x01, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, + 0x79, 0x12, 0x20, 0x0a, 0x09, 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, 0x72, 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, + 0x88, 0x01, 0x01, 0x12, 0x49, 0x0a, 0x0b, 0x6b, 0x65, 0x79, 
0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, + 0x6c, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, + 0x6c, 0x73, 0x52, 0x0a, 0x6b, 0x65, 0x79, 0x44, 0x65, 0x74, 0x61, 0x69, 0x6c, 0x73, 0x12, 0x43, + 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x52, + 0x61, 0x6e, 0x67, 0x65, 0x48, 0x01, 0x52, 0x08, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x46, 0x6f, 0x72, + 0x88, 0x01, 0x01, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, + 0x73, 0x42, 0x0c, 0x0a, 0x0a, 0x5f, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x22, + 0x29, 0x0a, 0x13, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, + 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x69, 0x6e, 0x74, 0x22, 0x22, 0x0a, 0x10, 0x4f, 0x62, + 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x12, 0x0e, + 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x03, 0x28, 0x05, 0x52, 0x02, 0x69, 0x64, 0x22, 0x6d, + 0x0a, 0x19, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, + 0x65, 0x72, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x50, 0x61, 0x69, 0x72, 0x12, 0x3a, 0x0a, 0x03, 0x6f, + 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, + 0x31, 0x2e, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, + 
0x65, 0x72, 0x52, 0x03, 0x6f, 0x69, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, 0x58, 0x0a, + 0x11, 0x44, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x67, 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, 0x4e, 0x61, + 0x6d, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, 0x7a, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x6f, 0x72, 0x67, 0x61, 0x6e, 0x69, + 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, + 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x2e, 0x0a, 0x0f, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x61, 0x77, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x72, - 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x63, 0x0a, 0x14, 0x58, 0x35, 0x30, 0x39, 0x43, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, - 0x4b, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, - 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, - 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x0c, - 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x22, 0xd5, 0x01, 0x0a, - 0x14, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, - 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x4c, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, - 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, - 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 
0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, - 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x4b, 0x65, 0x79, 0x12, 0x64, 0x0a, 0x16, 0x78, 0x35, 0x30, 0x39, 0x5f, 0x63, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, - 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, + 0x61, 0x77, 0x42, 0x79, 0x74, 0x65, 0x73, 0x22, 0x76, 0x0a, 0x16, 0x53, 0x75, 0x62, 0x6a, 0x65, + 0x63, 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, + 0x65, 0x12, 0x46, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, + 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, + 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, + 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x22, + 0x63, 0x0a, 0x14, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x4b, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x69, 
0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x73, 0x22, 0xd5, 0x01, 0x0a, 0x14, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4d, 0x61, 0x74, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12, 0x4c, 0x0a, + 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x2b, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, + 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x48, 0x00, + 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x64, 0x0a, 0x16, 0x78, + 0x35, 0x30, 0x39, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, + 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, 0x64, 0x65, + 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x48, 0x00, 0x52, 0x14, 0x78, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, - 0x6e, 0x48, 0x00, 0x52, 0x14, 0x78, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, - 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, - 0x74, 0x65, 0x6e, 0x74, 0x2a, 0x4b, 0x0a, 0x0d, 0x48, 0x61, 0x73, 0x68, 0x41, 0x6c, 0x67, 0x6f, - 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1e, 0x0a, 0x1a, 0x48, 0x41, 0x53, 0x48, 0x5f, 0x41, 0x4c, - 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, - 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x32, 0x5f, 0x32, 0x35, - 0x36, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x32, 0x5f, 0x35, 0x31, 0x32, 0x10, - 0x02, 0x42, 0x65, 
0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, - 0x31, 0x42, 0x0b, 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, - 0x5a, 0x36, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, - 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x63, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x42, 0x09, 0x0a, 0x07, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x22, 0x78, 0x0a, 0x09, + 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x12, 0x30, 0x0a, 0x05, 0x73, 0x74, 0x61, + 0x72, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x52, 0x05, 0x73, 0x74, 0x61, 0x72, 0x74, 0x12, 0x31, 0x0a, 0x03, 0x65, + 0x6e, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, + 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, + 0x74, 0x61, 0x6d, 0x70, 0x48, 0x00, 0x52, 0x03, 0x65, 0x6e, 0x64, 0x88, 0x01, 0x01, 0x42, 0x06, + 0x0a, 0x04, 0x5f, 0x65, 0x6e, 0x64, 0x2a, 0x4b, 0x0a, 0x0d, 0x48, 0x61, 0x73, 0x68, 0x41, 0x6c, + 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x1e, 0x0a, 0x1a, 0x48, 0x41, 0x53, 0x48, 0x5f, + 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, + 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x32, 0x5f, + 0x32, 0x35, 0x36, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x53, 0x48, 0x41, 0x32, 0x5f, 0x35, 0x31, + 0x32, 0x10, 0x02, 0x2a, 0x99, 0x01, 0x0a, 0x12, 0x53, 
0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, + 0x65, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, 0x6d, 0x12, 0x23, 0x0a, 0x1f, 0x53, 0x49, + 0x47, 0x4e, 0x41, 0x54, 0x55, 0x52, 0x45, 0x5f, 0x41, 0x4c, 0x47, 0x4f, 0x52, 0x49, 0x54, 0x48, + 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, + 0x16, 0x0a, 0x12, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 0x32, 0x35, 0x36, 0x5f, 0x53, 0x48, + 0x41, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x01, 0x12, 0x1b, 0x0a, 0x17, 0x45, 0x43, 0x44, 0x53, 0x41, + 0x5f, 0x50, 0x32, 0x35, 0x36, 0x5f, 0x48, 0x4d, 0x41, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, + 0x35, 0x36, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, 0x39, 0x10, + 0x03, 0x12, 0x0f, 0x0a, 0x0b, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, 0x35, + 0x10, 0x04, 0x12, 0x0b, 0x0a, 0x07, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x05, 0x2a, + 0xd1, 0x01, 0x0a, 0x10, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x44, 0x65, 0x74, + 0x61, 0x69, 0x6c, 0x73, 0x12, 0x1a, 0x0a, 0x16, 0x4b, 0x45, 0x59, 0x5f, 0x46, 0x4f, 0x52, 0x4d, + 0x41, 0x54, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, + 0x12, 0x15, 0x0a, 0x11, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, + 0x43, 0x53, 0x31, 0x56, 0x35, 0x10, 0x01, 0x12, 0x11, 0x0a, 0x0d, 0x50, 0x4b, 0x43, 0x53, 0x31, + 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, 0x50, 0x4b, + 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x4b, 0x43, 0x53, 0x31, 0x56, 0x35, 0x10, 0x03, + 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x50, 0x53, 0x53, + 0x10, 0x04, 0x12, 0x1b, 0x0a, 0x17, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, + 0x5f, 0x50, 0x32, 0x35, 0x36, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, 0x36, 0x10, 0x05, 0x12, + 0x20, 0x0a, 0x1c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x43, 0x44, 0x53, 0x41, 0x5f, 0x50, 
0x32, + 0x35, 0x36, 0x5f, 0x48, 0x4d, 0x41, 0x43, 0x5f, 0x53, 0x48, 0x41, 0x5f, 0x32, 0x35, 0x36, 0x10, + 0x06, 0x12, 0x10, 0x0a, 0x0c, 0x50, 0x4b, 0x49, 0x58, 0x5f, 0x45, 0x44, 0x32, 0x35, 0x35, 0x31, + 0x39, 0x10, 0x07, 0x2a, 0x39, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, + 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x54, 0x79, 0x70, + 0x65, 0x12, 0x07, 0x0a, 0x03, 0x44, 0x4e, 0x53, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x6d, + 0x61, 0x69, 0x6c, 0x10, 0x01, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x10, 0x02, 0x42, 0x65, + 0x0a, 0x1c, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x0b, + 0x43, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x36, 0x67, + 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, + 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -580,29 +1268,47 @@ func file_sigstore_common_proto_rawDescGZIP() []byte { return file_sigstore_common_proto_rawDescData } -var file_sigstore_common_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_sigstore_common_proto_msgTypes = make([]protoimpl.MessageInfo, 7) +var file_sigstore_common_proto_enumTypes = make([]protoimpl.EnumInfo, 4) +var file_sigstore_common_proto_msgTypes = make([]protoimpl.MessageInfo, 14) var file_sigstore_common_proto_goTypes = []interface{}{ - (HashAlgorithm)(0), // 0: dev.sigstore.common.v1.HashAlgorithm - (*HashOutput)(nil), // 1: dev.sigstore.common.v1.HashOutput - (*MessageSignature)(nil), // 2: dev.sigstore.common.v1.MessageSignature - (*RFC3161SignedTimestamp)(nil), // 3: dev.sigstore.common.v1.RFC3161SignedTimestamp - (*PublicKeyIdentifier)(nil), // 4: dev.sigstore.common.v1.PublicKeyIdentifier - (*X509Certificate)(nil), // 5: dev.sigstore.common.v1.X509Certificate - (*X509CertificateChain)(nil), // 6: dev.sigstore.common.v1.X509CertificateChain - (*VerificationMaterial)(nil), // 7: dev.sigstore.common.v1.VerificationMaterial + (HashAlgorithm)(0), // 0: dev.sigstore.common.v1.HashAlgorithm + (SignatureAlgorithm)(0), // 1: dev.sigstore.common.v1.SignatureAlgorithm + (PublicKeyDetails)(0), // 2: dev.sigstore.common.v1.PublicKeyDetails + (SubjectAlternativeNameType)(0), // 3: dev.sigstore.common.v1.SubjectAlternativeNameType + (*HashOutput)(nil), // 4: dev.sigstore.common.v1.HashOutput + (*MessageSignature)(nil), // 5: dev.sigstore.common.v1.MessageSignature + (*LogId)(nil), // 6: dev.sigstore.common.v1.LogId + (*RFC3161SignedTimestamp)(nil), // 7: dev.sigstore.common.v1.RFC3161SignedTimestamp + (*PublicKey)(nil), // 8: dev.sigstore.common.v1.PublicKey + (*PublicKeyIdentifier)(nil), // 9: dev.sigstore.common.v1.PublicKeyIdentifier + (*ObjectIdentifier)(nil), // 10: dev.sigstore.common.v1.ObjectIdentifier + (*ObjectIdentifierValuePair)(nil), // 11: dev.sigstore.common.v1.ObjectIdentifierValuePair + (*DistinguishedName)(nil), 
// 12: dev.sigstore.common.v1.DistinguishedName + (*X509Certificate)(nil), // 13: dev.sigstore.common.v1.X509Certificate + (*SubjectAlternativeName)(nil), // 14: dev.sigstore.common.v1.SubjectAlternativeName + (*X509CertificateChain)(nil), // 15: dev.sigstore.common.v1.X509CertificateChain + (*VerificationMaterial)(nil), // 16: dev.sigstore.common.v1.VerificationMaterial + (*TimeRange)(nil), // 17: dev.sigstore.common.v1.TimeRange + (*timestamppb.Timestamp)(nil), // 18: google.protobuf.Timestamp } var file_sigstore_common_proto_depIdxs = []int32{ - 0, // 0: dev.sigstore.common.v1.HashOutput.algorithm:type_name -> dev.sigstore.common.v1.HashAlgorithm - 1, // 1: dev.sigstore.common.v1.MessageSignature.message_digest:type_name -> dev.sigstore.common.v1.HashOutput - 5, // 2: dev.sigstore.common.v1.X509CertificateChain.certificates:type_name -> dev.sigstore.common.v1.X509Certificate - 4, // 3: dev.sigstore.common.v1.VerificationMaterial.public_key:type_name -> dev.sigstore.common.v1.PublicKeyIdentifier - 6, // 4: dev.sigstore.common.v1.VerificationMaterial.x509_certificate_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain - 5, // [5:5] is the sub-list for method output_type - 5, // [5:5] is the sub-list for method input_type - 5, // [5:5] is the sub-list for extension type_name - 5, // [5:5] is the sub-list for extension extendee - 0, // [0:5] is the sub-list for field type_name + 0, // 0: dev.sigstore.common.v1.HashOutput.algorithm:type_name -> dev.sigstore.common.v1.HashAlgorithm + 4, // 1: dev.sigstore.common.v1.MessageSignature.message_digest:type_name -> dev.sigstore.common.v1.HashOutput + 10, // 2: dev.sigstore.common.v1.LogId.oid:type_name -> dev.sigstore.common.v1.ObjectIdentifier + 2, // 3: dev.sigstore.common.v1.PublicKey.key_details:type_name -> dev.sigstore.common.v1.PublicKeyDetails + 17, // 4: dev.sigstore.common.v1.PublicKey.valid_for:type_name -> dev.sigstore.common.v1.TimeRange + 10, // 5: 
dev.sigstore.common.v1.ObjectIdentifierValuePair.oid:type_name -> dev.sigstore.common.v1.ObjectIdentifier + 3, // 6: dev.sigstore.common.v1.SubjectAlternativeName.type:type_name -> dev.sigstore.common.v1.SubjectAlternativeNameType + 13, // 7: dev.sigstore.common.v1.X509CertificateChain.certificates:type_name -> dev.sigstore.common.v1.X509Certificate + 9, // 8: dev.sigstore.common.v1.VerificationMaterial.public_key:type_name -> dev.sigstore.common.v1.PublicKeyIdentifier + 15, // 9: dev.sigstore.common.v1.VerificationMaterial.x509_certificate_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain + 18, // 10: dev.sigstore.common.v1.TimeRange.start:type_name -> google.protobuf.Timestamp + 18, // 11: dev.sigstore.common.v1.TimeRange.end:type_name -> google.protobuf.Timestamp + 12, // [12:12] is the sub-list for method output_type + 12, // [12:12] is the sub-list for method input_type + 12, // [12:12] is the sub-list for extension type_name + 12, // [12:12] is the sub-list for extension extendee + 0, // [0:12] is the sub-list for field type_name } func init() { file_sigstore_common_proto_init() } @@ -636,7 +1342,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*RFC3161SignedTimestamp); i { + switch v := v.(*LogId); i { case 0: return &v.state case 1: @@ -648,7 +1354,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PublicKeyIdentifier); i { + switch v := v.(*RFC3161SignedTimestamp); i { case 0: return &v.state case 1: @@ -660,7 +1366,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509Certificate); i { + switch v := v.(*PublicKey); i { case 0: return &v.state case 1: 
@@ -672,7 +1378,7 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*X509CertificateChain); i { + switch v := v.(*PublicKeyIdentifier); i { case 0: return &v.state case 1: 
@@ -684,6 +1390,78 @@ func file_sigstore_common_proto_init() { } } file_sigstore_common_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ObjectIdentifier); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_common_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ObjectIdentifierValuePair); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_common_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*DistinguishedName); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_common_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*X509Certificate); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_common_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SubjectAlternativeName); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_common_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*X509CertificateChain); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_common_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*VerificationMaterial); i { case 0: return &v.state 
@@ -695,18 +1473,36 @@ func file_sigstore_common_proto_init() { return nil } } + file_sigstore_common_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*TimeRange); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + file_sigstore_common_proto_msgTypes[2].OneofWrappers = []interface{}{ + (*LogId_KeyId)(nil), + (*LogId_Oid)(nil), } - file_sigstore_common_proto_msgTypes[6].OneofWrappers = []interface{}{ + file_sigstore_common_proto_msgTypes[4].OneofWrappers = []interface{}{} + file_sigstore_common_proto_msgTypes[12].OneofWrappers = []interface{}{ (*VerificationMaterial_PublicKey)(nil), (*VerificationMaterial_X509CertificateChain)(nil), } + file_sigstore_common_proto_msgTypes[13].OneofWrappers = []interface{}{} type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sigstore_common_proto_rawDesc, - NumEnums: 1, - NumMessages: 7, + NumEnums: 4, + NumMessages: 14, NumExtensions: 0, NumServices: 0, }, diff --git a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go index c19bd168..66cf0305 100644 --- a/gen/pb-go/rekor/v1/sigstore_rekor.pb.go +++ b/gen/pb-go/rekor/v1/sigstore_rekor.pb.go @@ -21,6 +21,7 @@ package v1 import ( + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" 
@@ -297,58 +298,6 @@ func (x *InclusionPromise) GetSignedEntryTimestamp() []byte { return nil } -// LogId captures the identity of a transparency log. -type LogId struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The unique id of the log, represented as the SHA-256 hash - // of the log's public key, computed over the DER encoding. - // This is similar to how it works for certificate transparency logs: - // https://www.rfc-editor.org/rfc/rfc6962#section-3.2 - KeyId []byte `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` -} - -func (x *LogId) Reset() { - *x = LogId{} - if protoimpl.UnsafeEnabled { - mi := &file_sigstore_rekor_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *LogId) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*LogId) ProtoMessage() {} - -func (x *LogId) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_rekor_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use LogId.ProtoReflect.Descriptor instead. -func (*LogId) Descriptor() ([]byte, []int) { - return file_sigstore_rekor_proto_rawDescGZIP(), []int{4} -} - -func (x *LogId) GetKeyId() []byte { - if x != nil { - return x.KeyId - } - return nil -} - // TransparencyLogEntry captures all the details required from Rekor to // reconstruct an entry, given that the payload is provided via other means. // This type can easily be created from the existing response from Rekor. 
@@ -365,7 +314,7 @@ type TransparencyLogEntry struct { // The index of the entry in the log. LogIndex int64 `protobuf:"varint,1,opt,name=log_index,json=logIndex,proto3" json:"log_index,omitempty"` // The unique identifier of the log. - LogId *LogId `protobuf:"bytes,2,opt,name=log_id,json=logId,proto3" json:"log_id,omitempty"` + LogId *v1.LogId `protobuf:"bytes,2,opt,name=log_id,json=logId,proto3" json:"log_id,omitempty"` // The kind (type) and version of the object associated with this // entry. These values are required to construct the entry during // verification. @@ -390,7 +339,7 @@ type TransparencyLogEntry struct { func (x *TransparencyLogEntry) Reset() { *x = TransparencyLogEntry{} if protoimpl.UnsafeEnabled { - mi := &file_sigstore_rekor_proto_msgTypes[5] + mi := &file_sigstore_rekor_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -403,7 +352,7 @@ func (x *TransparencyLogEntry) String() string { func (*TransparencyLogEntry) ProtoMessage() {} func (x *TransparencyLogEntry) ProtoReflect() protoreflect.Message { - mi := &file_sigstore_rekor_proto_msgTypes[5] + mi := &file_sigstore_rekor_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -416,7 +365,7 @@ func (x *TransparencyLogEntry) ProtoReflect() protoreflect.Message { // Deprecated: Use TransparencyLogEntry.ProtoReflect.Descriptor instead. func (*TransparencyLogEntry) Descriptor() ([]byte, []int) { - return file_sigstore_rekor_proto_rawDescGZIP(), []int{5} + return file_sigstore_rekor_proto_rawDescGZIP(), []int{4} } func (x *TransparencyLogEntry) GetLogIndex() int64 { @@ -426,7 +375,7 @@ func (x *TransparencyLogEntry) GetLogIndex() int64 { return 0 } -func (x *TransparencyLogEntry) GetLogId() *LogId { +func (x *TransparencyLogEntry) GetLogId() *v1.LogId { if x != nil { return x.LogId } 
@@ -473,66 +422,66 @@ var File_sigstore_rekor_proto protoreflect.FileDescriptor var file_sigstore_rekor_proto_rawDesc = []byte{ 0x0a, 0x14, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x15, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, - 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x22, 0x3b, 0x0a, - 0x0b, 0x4b, 0x69, 0x6e, 0x64, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, - 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, - 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x28, 0x0a, 0x0a, 0x43, 0x68, - 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x65, 0x6e, 0x76, 0x65, - 0x6c, 0x6f, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x65, 0x6e, 0x76, 0x65, - 0x6c, 0x6f, 0x70, 0x65, 0x22, 0xc2, 0x01, 0x0a, 0x0e, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, - 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6f, 0x66, 0x12, 0x1b, 0x0a, 0x09, 0x6c, 0x6f, 0x67, 0x5f, 0x69, - 0x6e, 0x64, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x6c, 0x6f, 0x67, 0x49, - 0x6e, 0x64, 0x65, 0x78, 0x12, 0x1b, 0x0a, 0x09, 0x72, 0x6f, 0x6f, 0x74, 0x5f, 0x68, 0x61, 0x73, - 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, 0x72, 0x6f, 0x6f, 0x74, 0x48, 0x61, 0x73, - 0x68, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x72, 0x65, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x74, 0x72, 0x65, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x16, - 0x0a, 0x06, 0x68, 0x61, 0x73, 0x68, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x06, - 0x68, 0x61, 0x73, 0x68, 0x65, 0x73, 0x12, 0x41, 0x0a, 0x0a, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x70, - 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, - 0x2e, 0x73, 
0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, - 0x76, 0x31, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x52, 0x0a, 0x63, - 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22, 0x48, 0x0a, 0x10, 0x49, 0x6e, 0x63, - 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x12, 0x34, 0x0a, - 0x16, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x74, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x14, 0x73, - 0x69, 0x67, 0x6e, 0x65, 0x64, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, - 0x61, 0x6d, 0x70, 0x22, 0x1e, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x49, 0x64, 0x12, 0x15, 0x0a, 0x06, - 0x6b, 0x65, 0x79, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x6b, 0x65, - 0x79, 0x49, 0x64, 0x22, 0xad, 0x03, 0x0a, 0x14, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, - 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x1b, 0x0a, 0x09, - 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x08, 0x6c, 0x6f, 0x67, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x33, 0x0a, 0x06, 0x6c, 0x6f, 0x67, - 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x64, 0x65, 0x76, 0x2e, - 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, - 0x31, 0x2e, 0x4c, 0x6f, 0x67, 0x49, 0x64, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x12, 0x45, - 0x0a, 0x0c, 0x6b, 0x69, 0x6e, 0x64, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x4b, 0x69, 0x6e, - 0x64, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x6b, 0x69, 0x6e, 0x64, 0x56, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, 
0x0f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, - 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, - 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x54, - 0x0a, 0x11, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x6d, - 0x69, 0x73, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, - 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, - 0x31, 0x2e, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, 0x69, - 0x73, 0x65, 0x52, 0x10, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, - 0x6d, 0x69, 0x73, 0x65, 0x12, 0x4e, 0x0a, 0x0f, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, - 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, - 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, - 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, - 0x72, 0x6f, 0x6f, 0x66, 0x52, 0x0e, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, - 0x72, 0x6f, 0x6f, 0x66, 0x12, 0x2d, 0x0a, 0x12, 0x63, 0x61, 0x6e, 0x6f, 0x6e, 0x69, 0x63, 0x61, - 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, - 0x52, 0x11, 0x63, 0x61, 0x6e, 0x6f, 0x6e, 0x69, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x42, - 0x6f, 0x64, 0x79, 0x42, 0x62, 0x0a, 0x1b, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, - 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, - 0x76, 0x31, 0x42, 0x0a, 0x52, 0x65, 0x6b, 0x6f, 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, - 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, - 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 
0x2d, 0x73, - 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x72, - 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x1a, 0x15, 0x73, + 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x3b, 0x0a, 0x0b, 0x4b, 0x69, 0x6e, 0x64, 0x56, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, + 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, + 0x6e, 0x22, 0x28, 0x0a, 0x0a, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, + 0x1a, 0x0a, 0x08, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x08, 0x65, 0x6e, 0x76, 0x65, 0x6c, 0x6f, 0x70, 0x65, 0x22, 0xc2, 0x01, 0x0a, 0x0e, + 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6f, 0x66, 0x12, 0x1b, + 0x0a, 0x09, 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x03, 0x52, 0x08, 0x6c, 0x6f, 0x67, 0x49, 0x6e, 0x64, 0x65, 0x78, 0x12, 0x1b, 0x0a, 0x09, 0x72, + 0x6f, 0x6f, 0x74, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x08, + 0x72, 0x6f, 0x6f, 0x74, 0x48, 0x61, 0x73, 0x68, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x72, 0x65, 0x65, + 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x74, 0x72, 0x65, + 0x65, 0x53, 0x69, 0x7a, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x61, 0x73, 0x68, 0x65, 0x73, 0x18, + 0x04, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x06, 0x68, 0x61, 0x73, 0x68, 0x65, 0x73, 0x12, 0x41, 0x0a, + 0x0a, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x21, 0x2e, 0x64, 
0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x70, + 0x6f, 0x69, 0x6e, 0x74, 0x52, 0x0a, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x70, 0x6f, 0x69, 0x6e, 0x74, + 0x22, 0x48, 0x0a, 0x10, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, + 0x6d, 0x69, 0x73, 0x65, 0x12, 0x34, 0x0a, 0x16, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x5f, 0x65, + 0x6e, 0x74, 0x72, 0x79, 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x14, 0x73, 0x69, 0x67, 0x6e, 0x65, 0x64, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x22, 0xae, 0x03, 0x0a, 0x14, 0x54, + 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x45, 0x6e, + 0x74, 0x72, 0x79, 0x12, 0x1b, 0x0a, 0x09, 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x6e, 0x64, 0x65, 0x78, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x08, 0x6c, 0x6f, 0x67, 0x49, 0x6e, 0x64, 0x65, 0x78, + 0x12, 0x34, 0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x6f, 0x67, 0x49, 0x64, 0x52, + 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x12, 0x45, 0x0a, 0x0c, 0x6b, 0x69, 0x6e, 0x64, 0x5f, 0x76, + 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, + 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x4b, 0x69, 0x6e, 0x64, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, + 0x52, 0x0b, 0x6b, 0x69, 0x6e, 0x64, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x27, 0x0a, + 0x0f, 0x69, 0x6e, 0x74, 0x65, 0x67, 0x72, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x69, 0x6d, 0x65, + 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x69, 0x6e, 0x74, 
0x65, 0x67, 0x72, 0x61, 0x74, + 0x65, 0x64, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x54, 0x0a, 0x11, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, + 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x27, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, 0x63, 0x6c, 0x75, 0x73, + 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x52, 0x10, 0x69, 0x6e, 0x63, 0x6c, + 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6d, 0x69, 0x73, 0x65, 0x12, 0x4e, 0x0a, 0x0f, + 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x6f, 0x66, 0x18, + 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x2e, 0x49, 0x6e, + 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6f, 0x66, 0x52, 0x0e, 0x69, 0x6e, + 0x63, 0x6c, 0x75, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x6f, 0x66, 0x12, 0x2d, 0x0a, 0x12, + 0x63, 0x61, 0x6e, 0x6f, 0x6e, 0x69, 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x5f, 0x62, 0x6f, + 0x64, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x11, 0x63, 0x61, 0x6e, 0x6f, 0x6e, 0x69, + 0x63, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x64, 0x42, 0x6f, 0x64, 0x79, 0x42, 0x62, 0x0a, 0x1b, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x2e, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2e, 0x76, 0x31, 0x42, 0x0a, 0x52, 0x65, 0x6b, 0x6f, + 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, + 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, + 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x72, 0x65, 0x6b, 0x6f, 0x72, 0x2f, 0x76, 0x31, 0x62, + 0x06, 
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( @@ -547,18 +496,18 @@ func file_sigstore_rekor_proto_rawDescGZIP() []byte { return file_sigstore_rekor_proto_rawDescData } -var file_sigstore_rekor_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_sigstore_rekor_proto_msgTypes = make([]protoimpl.MessageInfo, 5) var file_sigstore_rekor_proto_goTypes = []interface{}{ (*KindVersion)(nil), // 0: dev.sigstore.rekor.v1.KindVersion (*Checkpoint)(nil), // 1: dev.sigstore.rekor.v1.Checkpoint (*InclusionProof)(nil), // 2: dev.sigstore.rekor.v1.InclusionProof (*InclusionPromise)(nil), // 3: dev.sigstore.rekor.v1.InclusionPromise - (*LogId)(nil), // 4: dev.sigstore.rekor.v1.LogId - (*TransparencyLogEntry)(nil), // 5: dev.sigstore.rekor.v1.TransparencyLogEntry + (*TransparencyLogEntry)(nil), // 4: dev.sigstore.rekor.v1.TransparencyLogEntry + (*v1.LogId)(nil), // 5: dev.sigstore.common.v1.LogId } var file_sigstore_rekor_proto_depIdxs = []int32{ 1, // 0: dev.sigstore.rekor.v1.InclusionProof.checkpoint:type_name -> dev.sigstore.rekor.v1.Checkpoint - 4, // 1: dev.sigstore.rekor.v1.TransparencyLogEntry.log_id:type_name -> dev.sigstore.rekor.v1.LogId + 5, // 1: dev.sigstore.rekor.v1.TransparencyLogEntry.log_id:type_name -> dev.sigstore.common.v1.LogId 0, // 2: dev.sigstore.rekor.v1.TransparencyLogEntry.kind_version:type_name -> dev.sigstore.rekor.v1.KindVersion 3, // 3: dev.sigstore.rekor.v1.TransparencyLogEntry.inclusion_promise:type_name -> dev.sigstore.rekor.v1.InclusionPromise 2, // 4: dev.sigstore.rekor.v1.TransparencyLogEntry.inclusion_proof:type_name -> dev.sigstore.rekor.v1.InclusionProof 
@@ -624,18 +573,6 @@ func file_sigstore_rekor_proto_init() { } } file_sigstore_rekor_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*LogId); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_sigstore_rekor_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*TransparencyLogEntry); i { case 0: return &v.state @@ -654,7 +591,7 @@ func file_sigstore_rekor_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_sigstore_rekor_proto_rawDesc, NumEnums: 0, - NumMessages: 6, + NumMessages: 5, NumExtensions: 0, NumServices: 0, }, diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go new file mode 100644 index 00000000..54fe01c9 --- /dev/null +++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go 
@@ -0,0 +1,469 @@ +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.28.1 +// protoc v3.21.6 +// source: sigstore_trustroot.proto + +package v1 + +import ( + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// TransparencyLogInstance describes the immutable parameters from a +// transparency log. +// See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters +// for more details. +// The incluced parameters are the minimal set required to identify a log, +// and verify an inclusion promise. +type TransparencyLogInstance struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The base URL at which can be used to URLs for the client. + BaseUrl string `protobuf:"bytes,1,opt,name=base_url,json=baseUrl,proto3" json:"base_url,omitempty"` + // The hash algorithm used for the Merkle Tree. 
+ HashAlgorithm v1.HashAlgorithm `protobuf:"varint,2,opt,name=hash_algorithm,json=hashAlgorithm,proto3,enum=dev.sigstore.common.v1.HashAlgorithm" json:"hash_algorithm,omitempty"` + // The public key used to verify signatures generated by the log. + // This attribute contains the signature algorithm used by the log. + PublicKey *v1.PublicKey `protobuf:"bytes,3,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + // The unique identifier for this transparency log. + LogId *v1.LogId `protobuf:"bytes,4,opt,name=log_id,json=logId,proto3" json:"log_id,omitempty"` +} + +func (x *TransparencyLogInstance) Reset() { + *x = TransparencyLogInstance{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_trustroot_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *TransparencyLogInstance) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TransparencyLogInstance) ProtoMessage() {} + +func (x *TransparencyLogInstance) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_trustroot_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TransparencyLogInstance.ProtoReflect.Descriptor instead. 
+func (*TransparencyLogInstance) Descriptor() ([]byte, []int) { + return file_sigstore_trustroot_proto_rawDescGZIP(), []int{0} +} + +func (x *TransparencyLogInstance) GetBaseUrl() string { + if x != nil { + return x.BaseUrl + } + return "" +} + +func (x *TransparencyLogInstance) GetHashAlgorithm() v1.HashAlgorithm { + if x != nil { + return x.HashAlgorithm + } + return v1.HashAlgorithm(0) +} + +func (x *TransparencyLogInstance) GetPublicKey() *v1.PublicKey { + if x != nil { + return x.PublicKey + } + return nil +} + +func (x *TransparencyLogInstance) GetLogId() *v1.LogId { + if x != nil { + return x.LogId + } + return nil +} + +// CertificateAuthority enlists the information required to identify which +// CA to use and perform signature verification. +type CertificateAuthority struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The root certificate MUST be self-signed, and so the subject and + // issuer are the same. + Subject *v1.DistinguishedName `protobuf:"bytes,1,opt,name=subject,proto3" json:"subject,omitempty"` + // The URI at which the CA can be accessed. + Uri string `protobuf:"bytes,2,opt,name=uri,proto3" json:"uri,omitempty"` + // The certificate chain for this CA. + CertChain *v1.X509CertificateChain `protobuf:"bytes,3,opt,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"` + // The time the *entire* chain was valid. This is at max the + // longest interval when *all* certificates in the chain were valid, + // but it MAY be shorter. 
+ ValidFor *v1.TimeRange `protobuf:"bytes,4,opt,name=valid_for,json=validFor,proto3" json:"valid_for,omitempty"` +} + +func (x *CertificateAuthority) Reset() { + *x = CertificateAuthority{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_trustroot_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CertificateAuthority) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CertificateAuthority) ProtoMessage() {} + +func (x *CertificateAuthority) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_trustroot_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CertificateAuthority.ProtoReflect.Descriptor instead. +func (*CertificateAuthority) Descriptor() ([]byte, []int) { + return file_sigstore_trustroot_proto_rawDescGZIP(), []int{1} +} + +func (x *CertificateAuthority) GetSubject() *v1.DistinguishedName { + if x != nil { + return x.Subject + } + return nil +} + +func (x *CertificateAuthority) GetUri() string { + if x != nil { + return x.Uri + } + return "" +} + +func (x *CertificateAuthority) GetCertChain() *v1.X509CertificateChain { + if x != nil { + return x.CertChain + } + return nil +} + +func (x *CertificateAuthority) GetValidFor() *v1.TimeRange { + if x != nil { + return x.ValidFor + } + return nil +} + +// TrustedRoot describes the client's complete set of trusted entities. +// How the TrustedRoot is populated is not specified, but can be a +// combination of many sources such as TUF repositories, files on disk etc. +// +// The TrustedRoot is not meant to be used for any artifact verification, only +// to capture the complete/global set of trusted verification materials. 
+// When verifying an artifact, based on the artifact and policies, a selection +// of keys/authorities are expected to be extracted and provided to the +// verification function. This way the set of keys/authorities kan be kept to +// a minimal set by the policy to gain better control over what signatures +// that are allowed. +type TrustedRoot struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // A set of trusted Rekor servers. + Tlogs []*TransparencyLogInstance `protobuf:"bytes,1,rep,name=tlogs,proto3" json:"tlogs,omitempty"` + // A set of trusted certificate authorites (e.g Fulcio), and any + // intermediate certificates they provide. + // If a CA is issuing multiple intermediate certificate, each + // combination shall be represented as separate chain. I.e, a single + // root cert may appear in multiple chains but with different + // intermediate and/or leaf certificates. + // The certificates are intended to be used for verifying artifact + // signatures. + CertificateAuthorities []*CertificateAuthority `protobuf:"bytes,2,rep,name=certificate_authorities,json=certificateAuthorities,proto3" json:"certificate_authorities,omitempty"` + // A set of trusted certificate transparency logs. + Ctlogs []*TransparencyLogInstance `protobuf:"bytes,3,rep,name=ctlogs,proto3" json:"ctlogs,omitempty"` + // A set of trusted timestamping authorities. 
+ TimestampAuthorities []*CertificateAuthority `protobuf:"bytes,4,rep,name=timestamp_authorities,json=timestampAuthorities,proto3" json:"timestamp_authorities,omitempty"` +} + +func (x *TrustedRoot) Reset() { + *x = TrustedRoot{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_trustroot_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *TrustedRoot) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TrustedRoot) ProtoMessage() {} + +func (x *TrustedRoot) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_trustroot_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TrustedRoot.ProtoReflect.Descriptor instead. +func (*TrustedRoot) Descriptor() ([]byte, []int) { + return file_sigstore_trustroot_proto_rawDescGZIP(), []int{2} +} + +func (x *TrustedRoot) GetTlogs() []*TransparencyLogInstance { + if x != nil { + return x.Tlogs + } + return nil +} + +func (x *TrustedRoot) GetCertificateAuthorities() []*CertificateAuthority { + if x != nil { + return x.CertificateAuthorities + } + return nil +} + +func (x *TrustedRoot) GetCtlogs() []*TransparencyLogInstance { + if x != nil { + return x.Ctlogs + } + return nil +} + +func (x *TrustedRoot) GetTimestampAuthorities() []*CertificateAuthority { + if x != nil { + return x.TimestampAuthorities + } + return nil +} + +var File_sigstore_trustroot_proto protoreflect.FileDescriptor + +var file_sigstore_trustroot_proto_rawDesc = []byte{ + 0x0a, 0x18, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, + 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x19, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, + 0x6f, 0x74, 
0x2e, 0x76, 0x31, 0x1a, 0x15, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xfa, 0x01, 0x0a, + 0x17, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, + 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x12, 0x19, 0x0a, 0x08, 0x62, 0x61, 0x73, 0x65, + 0x5f, 0x75, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x62, 0x61, 0x73, 0x65, + 0x55, 0x72, 0x6c, 0x12, 0x4c, 0x0a, 0x0e, 0x68, 0x61, 0x73, 0x68, 0x5f, 0x61, 0x6c, 0x67, 0x6f, + 0x72, 0x69, 0x74, 0x68, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x25, 0x2e, 0x64, 0x65, + 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, + 0x68, 0x6d, 0x52, 0x0d, 0x68, 0x61, 0x73, 0x68, 0x41, 0x6c, 0x67, 0x6f, 0x72, 0x69, 0x74, 0x68, + 0x6d, 0x12, 0x40, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, + 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x12, 0x34, 0x0a, 0x06, 0x6c, 0x6f, 0x67, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x6f, 0x67, + 0x49, 0x64, 0x52, 0x05, 0x6c, 0x6f, 0x67, 0x49, 0x64, 0x22, 0xfa, 0x01, 0x0a, 0x14, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x74, 0x79, 0x12, 0x43, 0x0a, 0x07, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x64, 0x65, 
0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, + 0x74, 0x69, 0x6e, 0x67, 0x75, 0x69, 0x73, 0x68, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x52, 0x07, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x02, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x4b, 0x0a, 0x0a, 0x63, 0x65, 0x72, + 0x74, 0x5f, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2c, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, + 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x58, 0x35, 0x30, 0x39, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x52, 0x09, 0x63, 0x65, 0x72, + 0x74, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x12, 0x3e, 0x0a, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, + 0x66, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x52, 0x08, 0x76, 0x61, + 0x6c, 0x69, 0x64, 0x46, 0x6f, 0x72, 0x22, 0xf3, 0x02, 0x0a, 0x0b, 0x54, 0x72, 0x75, 0x73, 0x74, + 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x12, 0x48, 0x0a, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x18, + 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, + 0x31, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, 0x6e, 0x63, 0x79, 0x4c, 0x6f, + 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x05, 0x74, 0x6c, 0x6f, 0x67, 0x73, + 0x12, 0x68, 0x0a, 0x17, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, + 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x02, 0x20, 
0x03, 0x28, + 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, + 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, + 0x74, 0x79, 0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x4a, 0x0a, 0x06, 0x63, 0x74, + 0x6c, 0x6f, 0x67, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x64, 0x65, 0x76, + 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, + 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x61, 0x72, 0x65, + 0x6e, 0x63, 0x79, 0x4c, 0x6f, 0x67, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65, 0x52, 0x06, + 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x73, 0x12, 0x64, 0x0a, 0x15, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, + 0x61, 0x6d, 0x70, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, + 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, + 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, + 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, + 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x52, 0x14, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, + 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x69, 0x65, 0x73, 0x42, 0x6e, 0x0a, 0x1f, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x76, 0x31, 0x42, + 0x0e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, 0x6f, 0x74, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, + 0x01, 0x5a, 0x39, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 
0x72, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, + 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, + 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_sigstore_trustroot_proto_rawDescOnce sync.Once + file_sigstore_trustroot_proto_rawDescData = file_sigstore_trustroot_proto_rawDesc +) + +func file_sigstore_trustroot_proto_rawDescGZIP() []byte { + file_sigstore_trustroot_proto_rawDescOnce.Do(func() { + file_sigstore_trustroot_proto_rawDescData = protoimpl.X.CompressGZIP(file_sigstore_trustroot_proto_rawDescData) + }) + return file_sigstore_trustroot_proto_rawDescData +} + +var file_sigstore_trustroot_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_sigstore_trustroot_proto_goTypes = []interface{}{ + (*TransparencyLogInstance)(nil), // 0: dev.sigstore.trustroot.v1.TransparencyLogInstance + (*CertificateAuthority)(nil), // 1: dev.sigstore.trustroot.v1.CertificateAuthority + (*TrustedRoot)(nil), // 2: dev.sigstore.trustroot.v1.TrustedRoot + (v1.HashAlgorithm)(0), // 3: dev.sigstore.common.v1.HashAlgorithm + (*v1.PublicKey)(nil), // 4: dev.sigstore.common.v1.PublicKey + (*v1.LogId)(nil), // 5: dev.sigstore.common.v1.LogId + (*v1.DistinguishedName)(nil), // 6: dev.sigstore.common.v1.DistinguishedName + (*v1.X509CertificateChain)(nil), // 7: dev.sigstore.common.v1.X509CertificateChain + (*v1.TimeRange)(nil), // 8: dev.sigstore.common.v1.TimeRange +} +var file_sigstore_trustroot_proto_depIdxs = []int32{ + 3, // 0: dev.sigstore.trustroot.v1.TransparencyLogInstance.hash_algorithm:type_name -> dev.sigstore.common.v1.HashAlgorithm + 4, // 1: dev.sigstore.trustroot.v1.TransparencyLogInstance.public_key:type_name -> dev.sigstore.common.v1.PublicKey + 5, // 2: dev.sigstore.trustroot.v1.TransparencyLogInstance.log_id:type_name -> dev.sigstore.common.v1.LogId + 6, // 3: 
dev.sigstore.trustroot.v1.CertificateAuthority.subject:type_name -> dev.sigstore.common.v1.DistinguishedName + 7, // 4: dev.sigstore.trustroot.v1.CertificateAuthority.cert_chain:type_name -> dev.sigstore.common.v1.X509CertificateChain + 8, // 5: dev.sigstore.trustroot.v1.CertificateAuthority.valid_for:type_name -> dev.sigstore.common.v1.TimeRange + 0, // 6: dev.sigstore.trustroot.v1.TrustedRoot.tlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance + 1, // 7: dev.sigstore.trustroot.v1.TrustedRoot.certificate_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority + 0, // 8: dev.sigstore.trustroot.v1.TrustedRoot.ctlogs:type_name -> dev.sigstore.trustroot.v1.TransparencyLogInstance + 1, // 9: dev.sigstore.trustroot.v1.TrustedRoot.timestamp_authorities:type_name -> dev.sigstore.trustroot.v1.CertificateAuthority + 10, // [10:10] is the sub-list for method output_type + 10, // [10:10] is the sub-list for method input_type + 10, // [10:10] is the sub-list for extension type_name + 10, // [10:10] is the sub-list for extension extendee + 0, // [0:10] is the sub-list for field type_name +} + +func init() { file_sigstore_trustroot_proto_init() } +func file_sigstore_trustroot_proto_init() { + if File_sigstore_trustroot_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_sigstore_trustroot_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*TransparencyLogInstance); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_trustroot_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CertificateAuthority); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_trustroot_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*TrustedRoot); i { + case 
0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_sigstore_trustroot_proto_rawDesc, + NumEnums: 0, + NumMessages: 3, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_sigstore_trustroot_proto_goTypes, + DependencyIndexes: file_sigstore_trustroot_proto_depIdxs, + MessageInfos: file_sigstore_trustroot_proto_msgTypes, + }.Build() + File_sigstore_trustroot_proto = out.File + file_sigstore_trustroot_proto_rawDesc = nil + file_sigstore_trustroot_proto_goTypes = nil + file_sigstore_trustroot_proto_depIdxs = nil +} diff --git a/gen/pb-go/verification/v1/sigstore_verification.pb.go b/gen/pb-go/verification/v1/sigstore_verification.pb.go new file mode 100644 index 00000000..9c2d17c2 --- /dev/null +++ b/gen/pb-go/verification/v1/sigstore_verification.pb.go 
@@ -0,0 +1,1018 @@ +// Copyright 2022 The Sigstore Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.28.1 +// protoc v3.21.6 +// source: sigstore_verification.proto + +package v1 + +import ( + v12 "github.com/sigstore/protobuf-specs/gen/pb-go/bundle/v1" + v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" + v11 "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// The identity of a X.509 Certificate signer. +type CertificateIdentity struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1) + Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"` + San *v1.SubjectAlternativeName `protobuf:"bytes,2,opt,name=san,proto3" json:"san,omitempty"` + // An unordered list of OIDs that must be verified. 
+ // All OID/values provided in this list MUST exactly match against + // the values in the certificate for verification to be successful. + Oids []*v1.ObjectIdentifierValuePair `protobuf:"bytes,3,rep,name=oids,proto3" json:"oids,omitempty"` +} + +func (x *CertificateIdentity) Reset() { + *x = CertificateIdentity{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CertificateIdentity) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CertificateIdentity) ProtoMessage() {} + +func (x *CertificateIdentity) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CertificateIdentity.ProtoReflect.Descriptor instead. 
+func (*CertificateIdentity) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{0} +} + +func (x *CertificateIdentity) GetIssuer() string { + if x != nil { + return x.Issuer + } + return "" +} + +func (x *CertificateIdentity) GetSan() *v1.SubjectAlternativeName { + if x != nil { + return x.San + } + return nil +} + +func (x *CertificateIdentity) GetOids() []*v1.ObjectIdentifierValuePair { + if x != nil { + return x.Oids + } + return nil +} + +type CertificateIdentities struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Identities []*CertificateIdentity `protobuf:"bytes,1,rep,name=identities,proto3" json:"identities,omitempty"` +} + +func (x *CertificateIdentities) Reset() { + *x = CertificateIdentities{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *CertificateIdentities) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*CertificateIdentities) ProtoMessage() {} + +func (x *CertificateIdentities) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use CertificateIdentities.ProtoReflect.Descriptor instead. 
+func (*CertificateIdentities) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{1} +} + +func (x *CertificateIdentities) GetIdentities() []*CertificateIdentity { + if x != nil { + return x.Identities + } + return nil +} + +type PublicKeyIdentities struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + PublicKeys []*v1.PublicKey `protobuf:"bytes,1,rep,name=public_keys,json=publicKeys,proto3" json:"public_keys,omitempty"` +} + +func (x *PublicKeyIdentities) Reset() { + *x = PublicKeyIdentities{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PublicKeyIdentities) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PublicKeyIdentities) ProtoMessage() {} + +func (x *PublicKeyIdentities) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PublicKeyIdentities.ProtoReflect.Descriptor instead. +func (*PublicKeyIdentities) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{2} +} + +func (x *PublicKeyIdentities) GetPublicKeys() []*v1.PublicKey { + if x != nil { + return x.PublicKeys + } + return nil +} + +// A light-weight set of options/policies for identifying trusted signers, +// used during verification of a single artifact. +type ArtifactVerificationOptions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // At least one identity MUST be provided. Providing zero identities + // is an error. 
If at least one provided identity is found as a + // signer, the verification is considered successful. + // + // Types that are assignable to Signers: + // *ArtifactVerificationOptions_CertificateIdentities + // *ArtifactVerificationOptions_PublicKeys + Signers isArtifactVerificationOptions_Signers `protobuf_oneof:"signers"` + // Optional options for artifact transparency log verification. + // If none is provided, the default verification options are: + // Threshold: 1 + // Online verification: false + // Disable: false + TlogOptions *ArtifactVerificationOptions_TlogOptions `protobuf:"bytes,3,opt,name=tlog_options,json=tlogOptions,proto3,oneof" json:"tlog_options,omitempty"` + // Optional options for certificate transparency log verification. + // If none is provided, the default verification options are: + // Threshold: 1 + // Detached SCT: false + // Disable: false + CtlogOptions *ArtifactVerificationOptions_CtlogOptions `protobuf:"bytes,4,opt,name=ctlog_options,json=ctlogOptions,proto3,oneof" json:"ctlog_options,omitempty"` + // Optional options for certificate signed timestamp verification. 
+ // If none is provided, the default verification options are: + // Threshold: 1 + // Disable: false + TsaOptions *ArtifactVerificationOptions_TimestampAuthorityOptions `protobuf:"bytes,5,opt,name=tsa_options,json=tsaOptions,proto3,oneof" json:"tsa_options,omitempty"` +} + +func (x *ArtifactVerificationOptions) Reset() { + *x = ArtifactVerificationOptions{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ArtifactVerificationOptions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ArtifactVerificationOptions) ProtoMessage() {} + +func (x *ArtifactVerificationOptions) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ArtifactVerificationOptions.ProtoReflect.Descriptor instead. 
+func (*ArtifactVerificationOptions) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{3} +} + +func (m *ArtifactVerificationOptions) GetSigners() isArtifactVerificationOptions_Signers { + if m != nil { + return m.Signers + } + return nil +} + +func (x *ArtifactVerificationOptions) GetCertificateIdentities() *CertificateIdentities { + if x, ok := x.GetSigners().(*ArtifactVerificationOptions_CertificateIdentities); ok { + return x.CertificateIdentities + } + return nil +} + +func (x *ArtifactVerificationOptions) GetPublicKeys() *PublicKeyIdentities { + if x, ok := x.GetSigners().(*ArtifactVerificationOptions_PublicKeys); ok { + return x.PublicKeys + } + return nil +} + +func (x *ArtifactVerificationOptions) GetTlogOptions() *ArtifactVerificationOptions_TlogOptions { + if x != nil { + return x.TlogOptions + } + return nil +} + +func (x *ArtifactVerificationOptions) GetCtlogOptions() *ArtifactVerificationOptions_CtlogOptions { + if x != nil { + return x.CtlogOptions + } + return nil +} + +func (x *ArtifactVerificationOptions) GetTsaOptions() *ArtifactVerificationOptions_TimestampAuthorityOptions { + if x != nil { + return x.TsaOptions + } + return nil +} + +type isArtifactVerificationOptions_Signers interface { + isArtifactVerificationOptions_Signers() +} + +type ArtifactVerificationOptions_CertificateIdentities struct { + CertificateIdentities *CertificateIdentities `protobuf:"bytes,1,opt,name=certificate_identities,json=certificateIdentities,proto3,oneof"` +} + +type ArtifactVerificationOptions_PublicKeys struct { + // To simplify verification implementation, the logic for + // bundle verification should be implemented as a + // higher-order function, where one of argument should be an + // interface over the set of trusted public keys, like this: + // `Verify(bytes artifact, bytes signature, string key_id)`. 
+ // This way the caller is in full control of mapping the + // identified (or hinted) key in the bundle to one of the + // trusted keys, as this process is inherently application + // specific. + PublicKeys *PublicKeyIdentities `protobuf:"bytes,2,opt,name=public_keys,json=publicKeys,proto3,oneof"` +} + +func (*ArtifactVerificationOptions_CertificateIdentities) isArtifactVerificationOptions_Signers() {} + +func (*ArtifactVerificationOptions_PublicKeys) isArtifactVerificationOptions_Signers() {} + +type Artifact struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Types that are assignable to Data: + // *Artifact_ArtifactUri + // *Artifact_Artifact + Data isArtifact_Data `protobuf_oneof:"data"` +} + +func (x *Artifact) Reset() { + *x = Artifact{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Artifact) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Artifact) ProtoMessage() {} + +func (x *Artifact) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Artifact.ProtoReflect.Descriptor instead. 
+func (*Artifact) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{4} +} + +func (m *Artifact) GetData() isArtifact_Data { + if m != nil { + return m.Data + } + return nil +} + +func (x *Artifact) GetArtifactUri() string { + if x, ok := x.GetData().(*Artifact_ArtifactUri); ok { + return x.ArtifactUri + } + return "" +} + +func (x *Artifact) GetArtifact() []byte { + if x, ok := x.GetData().(*Artifact_Artifact); ok { + return x.Artifact + } + return nil +} + +type isArtifact_Data interface { + isArtifact_Data() +} + +type Artifact_ArtifactUri struct { + // Location of the artifact + ArtifactUri string `protobuf:"bytes,1,opt,name=artifact_uri,json=artifactUri,proto3,oneof"` +} + +type Artifact_Artifact struct { + // The raw bytes of the artifact + Artifact []byte `protobuf:"bytes,2,opt,name=artifact,proto3,oneof"` +} + +func (*Artifact_ArtifactUri) isArtifact_Data() {} + +func (*Artifact_Artifact) isArtifact_Data() {} + +// Input captures all that is needed to call the bundle verification method, +// to verify a single artifact referenced by the bundle. +type Input struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The verification materials provided during a bundle verification. + // The running process is usually preloaded with a "global" + // dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to + // verifying an artifact (i.e a bundle), and/or based on current + // policy, some selection is expected to happen, to filter out the + // exact certificate authority to use, which transparency logs are + // relevant etc. The result should b ecaptured in the + // `artifact_trust_root`. 
+ ArtifactTrustRoot *v11.TrustedRoot `protobuf:"bytes,1,opt,name=artifact_trust_root,json=artifactTrustRoot,proto3" json:"artifact_trust_root,omitempty"` + ArtifactVerificationOptions *ArtifactVerificationOptions `protobuf:"bytes,2,opt,name=artifact_verification_options,json=artifactVerificationOptions,proto3" json:"artifact_verification_options,omitempty"` + Bundle *v12.Bundle `protobuf:"bytes,3,opt,name=bundle,proto3" json:"bundle,omitempty"` + // If the bundle contains a message signature, the artifact must be + // provided. + Artifact *Artifact `protobuf:"bytes,4,opt,name=artifact,proto3,oneof" json:"artifact,omitempty"` +} + +func (x *Input) Reset() { + *x = Input{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Input) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Input) ProtoMessage() {} + +func (x *Input) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Input.ProtoReflect.Descriptor instead. 
+func (*Input) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{5} +} + +func (x *Input) GetArtifactTrustRoot() *v11.TrustedRoot { + if x != nil { + return x.ArtifactTrustRoot + } + return nil +} + +func (x *Input) GetArtifactVerificationOptions() *ArtifactVerificationOptions { + if x != nil { + return x.ArtifactVerificationOptions + } + return nil +} + +func (x *Input) GetBundle() *v12.Bundle { + if x != nil { + return x.Bundle + } + return nil +} + +func (x *Input) GetArtifact() *Artifact { + if x != nil { + return x.Artifact + } + return nil +} + +type ArtifactVerificationOptions_TlogOptions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Number of transparency logs the entry must appear on. + Threshold int32 `protobuf:"varint,1,opt,name=threshold,proto3" json:"threshold,omitempty"` + // Perform an online inclusion proof. + PerformOnlineVerification bool `protobuf:"varint,2,opt,name=perform_online_verification,json=performOnlineVerification,proto3" json:"perform_online_verification,omitempty"` + // Disable verification for transparency logs. 
+ Disable bool `protobuf:"varint,3,opt,name=disable,proto3" json:"disable,omitempty"` +} + +func (x *ArtifactVerificationOptions_TlogOptions) Reset() { + *x = ArtifactVerificationOptions_TlogOptions{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ArtifactVerificationOptions_TlogOptions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ArtifactVerificationOptions_TlogOptions) ProtoMessage() {} + +func (x *ArtifactVerificationOptions_TlogOptions) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ArtifactVerificationOptions_TlogOptions.ProtoReflect.Descriptor instead. +func (*ArtifactVerificationOptions_TlogOptions) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{3, 0} +} + +func (x *ArtifactVerificationOptions_TlogOptions) GetThreshold() int32 { + if x != nil { + return x.Threshold + } + return 0 +} + +func (x *ArtifactVerificationOptions_TlogOptions) GetPerformOnlineVerification() bool { + if x != nil { + return x.PerformOnlineVerification + } + return false +} + +func (x *ArtifactVerificationOptions_TlogOptions) GetDisable() bool { + if x != nil { + return x.Disable + } + return false +} + +type ArtifactVerificationOptions_CtlogOptions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The number of ct transparency logs the certificate must + // appear on. + Threshold int32 `protobuf:"varint,1,opt,name=threshold,proto3" json:"threshold,omitempty"` + // Expect detached SCTs. 
+ // This is not supported right now as we can't capture an + // detached SCT in the bundle. + DetachedSct bool `protobuf:"varint,2,opt,name=detached_sct,json=detachedSct,proto3" json:"detached_sct,omitempty"` + // Disable ct transparency log verification + Disable bool `protobuf:"varint,3,opt,name=disable,proto3" json:"disable,omitempty"` +} + +func (x *ArtifactVerificationOptions_CtlogOptions) Reset() { + *x = ArtifactVerificationOptions_CtlogOptions{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ArtifactVerificationOptions_CtlogOptions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ArtifactVerificationOptions_CtlogOptions) ProtoMessage() {} + +func (x *ArtifactVerificationOptions_CtlogOptions) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ArtifactVerificationOptions_CtlogOptions.ProtoReflect.Descriptor instead. 
+func (*ArtifactVerificationOptions_CtlogOptions) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{3, 1} +} + +func (x *ArtifactVerificationOptions_CtlogOptions) GetThreshold() int32 { + if x != nil { + return x.Threshold + } + return 0 +} + +func (x *ArtifactVerificationOptions_CtlogOptions) GetDetachedSct() bool { + if x != nil { + return x.DetachedSct + } + return false +} + +func (x *ArtifactVerificationOptions_CtlogOptions) GetDisable() bool { + if x != nil { + return x.Disable + } + return false +} + +type ArtifactVerificationOptions_TimestampAuthorityOptions struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The number of signed timestamps that are expected. + Threshold int32 `protobuf:"varint,1,opt,name=threshold,proto3" json:"threshold,omitempty"` + // Disable signed timestamp verification. + Disable bool `protobuf:"varint,2,opt,name=disable,proto3" json:"disable,omitempty"` +} + +func (x *ArtifactVerificationOptions_TimestampAuthorityOptions) Reset() { + *x = ArtifactVerificationOptions_TimestampAuthorityOptions{} + if protoimpl.UnsafeEnabled { + mi := &file_sigstore_verification_proto_msgTypes[8] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ArtifactVerificationOptions_TimestampAuthorityOptions) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ArtifactVerificationOptions_TimestampAuthorityOptions) ProtoMessage() {} + +func (x *ArtifactVerificationOptions_TimestampAuthorityOptions) ProtoReflect() protoreflect.Message { + mi := &file_sigstore_verification_proto_msgTypes[8] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use 
ArtifactVerificationOptions_TimestampAuthorityOptions.ProtoReflect.Descriptor instead. +func (*ArtifactVerificationOptions_TimestampAuthorityOptions) Descriptor() ([]byte, []int) { + return file_sigstore_verification_proto_rawDescGZIP(), []int{3, 2} +} + +func (x *ArtifactVerificationOptions_TimestampAuthorityOptions) GetThreshold() int32 { + if x != nil { + return x.Threshold + } + return 0 +} + +func (x *ArtifactVerificationOptions_TimestampAuthorityOptions) GetDisable() bool { + if x != nil { + return x.Disable + } + return false +} + +var File_sigstore_verification_proto protoreflect.FileDescriptor + +var file_sigstore_verification_proto_rawDesc = []byte{ + 0x0a, 0x1b, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1c, 0x64, + 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x1a, 0x15, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x1a, 0x18, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x74, 0x72, 0x75, + 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x5f, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x22, 0xb6, 0x01, 0x0a, 0x13, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x69, + 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x69, 0x73, 0x73, + 0x75, 0x65, 0x72, 0x12, 0x40, 0x0a, 0x03, 0x73, 0x61, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x2e, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 
0x2e, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, + 0x74, 0x41, 0x6c, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x4e, 0x61, 0x6d, 0x65, + 0x52, 0x03, 0x73, 0x61, 0x6e, 0x12, 0x45, 0x0a, 0x04, 0x6f, 0x69, 0x64, 0x73, 0x18, 0x03, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x4f, 0x62, 0x6a, + 0x65, 0x63, 0x74, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x66, 0x69, 0x65, 0x72, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x50, 0x61, 0x69, 0x72, 0x52, 0x04, 0x6f, 0x69, 0x64, 0x73, 0x22, 0x6a, 0x0a, 0x15, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x51, 0x0a, 0x0a, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, + 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x0a, 0x69, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0x59, 0x0a, 0x13, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, + 0x42, 0x0a, 0x0b, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, + 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, + 0x6f, 0x72, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, + 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, + 0x65, 0x79, 0x73, 0x22, 0xc3, 0x07, 0x0a, 0x1b, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, + 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 
0x69, + 0x6f, 0x6e, 0x73, 0x12, 0x6c, 0x0a, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, + 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, + 0x76, 0x31, 0x2e, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x49, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x48, 0x00, 0x52, 0x15, 0x63, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, + 0x73, 0x12, 0x54, 0x0a, 0x0b, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x73, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, + 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x49, + 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x48, 0x00, 0x52, 0x0a, 0x70, 0x75, 0x62, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x6d, 0x0a, 0x0c, 0x74, 0x6c, 0x6f, 0x67, 0x5f, + 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x45, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, + 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x54, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x01, 0x52, 0x0b, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x12, 0x70, 0x0a, 0x0d, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x5f, + 0x6f, 0x70, 0x74, 0x69, 0x6f, 
0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x46, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, + 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x43, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x48, 0x02, 0x52, 0x0c, 0x63, 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, + 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x88, 0x01, 0x01, 0x12, 0x79, 0x0a, 0x0b, 0x74, 0x73, 0x61, 0x5f, + 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x53, 0x2e, + 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, + 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, 0x6f, + 0x6e, 0x73, 0x48, 0x03, 0x52, 0x0a, 0x74, 0x73, 0x61, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x88, 0x01, 0x01, 0x1a, 0x85, 0x01, 0x0a, 0x0b, 0x54, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, + 0x64, 0x12, 0x3e, 0x0a, 0x1b, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x5f, 0x6f, 0x6e, 0x6c, + 0x69, 0x6e, 0x65, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x19, 0x70, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x4f, + 0x6e, 0x6c, 0x69, 0x6e, 0x65, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 
0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x69, 0x0a, 0x0c, 0x43, + 0x74, 0x6c, 0x6f, 0x67, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, + 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, + 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x64, 0x65, 0x74, + 0x61, 0x63, 0x68, 0x65, 0x64, 0x5f, 0x73, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, + 0x0b, 0x64, 0x65, 0x74, 0x61, 0x63, 0x68, 0x65, 0x64, 0x53, 0x63, 0x74, 0x12, 0x18, 0x0a, 0x07, + 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x64, + 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x1a, 0x53, 0x0a, 0x19, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, + 0x61, 0x6d, 0x70, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x4f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x05, 0x52, 0x09, 0x74, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, + 0x64, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x07, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x42, 0x09, 0x0a, 0x07, 0x73, + 0x69, 0x67, 0x6e, 0x65, 0x72, 0x73, 0x42, 0x0f, 0x0a, 0x0d, 0x5f, 0x74, 0x6c, 0x6f, 0x67, 0x5f, + 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x63, 0x74, 0x6c, 0x6f, + 0x67, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0x0e, 0x0a, 0x0c, 0x5f, 0x74, 0x73, + 0x61, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x55, 0x0a, 0x08, 0x41, 0x72, 0x74, + 0x69, 0x66, 0x61, 0x63, 0x74, 0x12, 0x23, 0x0a, 0x0c, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x74, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x48, 0x00, 0x52, 0x0b, 0x61, + 0x72, 
0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x55, 0x72, 0x69, 0x12, 0x1c, 0x0a, 0x08, 0x61, 0x72, + 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x48, 0x00, 0x52, 0x08, + 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, 0x06, 0x0a, 0x04, 0x64, 0x61, 0x74, 0x61, + 0x22, 0xec, 0x02, 0x0a, 0x05, 0x49, 0x6e, 0x70, 0x75, 0x74, 0x12, 0x56, 0x0a, 0x13, 0x61, 0x72, + 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x74, 0x72, 0x75, 0x73, 0x74, 0x5f, 0x72, 0x6f, 0x6f, + 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, + 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x72, 0x6f, 0x6f, 0x74, + 0x2e, 0x76, 0x31, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x52, 0x6f, 0x6f, 0x74, 0x52, + 0x11, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x54, 0x72, 0x75, 0x73, 0x74, 0x52, 0x6f, + 0x6f, 0x74, 0x12, 0x7d, 0x0a, 0x1d, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x5f, 0x76, + 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x6f, 0x70, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x64, 0x65, 0x76, 0x2e, + 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, + 0x74, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, + 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x1b, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x56, 0x65, + 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, + 0x73, 0x12, 0x36, 0x0a, 0x06, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1e, 0x2e, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, + 0x2e, 0x62, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x42, 0x75, 0x6e, 0x64, 0x6c, + 0x65, 0x52, 0x06, 0x62, 0x75, 0x6e, 0x64, 
0x6c, 0x65, 0x12, 0x47, 0x0a, 0x08, 0x61, 0x72, 0x74, + 0x69, 0x66, 0x61, 0x63, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x64, 0x65, + 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x72, 0x74, 0x69, 0x66, + 0x61, 0x63, 0x74, 0x48, 0x00, 0x52, 0x08, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x88, + 0x01, 0x01, 0x42, 0x0b, 0x0a, 0x09, 0x5f, 0x61, 0x72, 0x74, 0x69, 0x66, 0x61, 0x63, 0x74, 0x42, + 0x77, 0x0a, 0x22, 0x64, 0x65, 0x76, 0x2e, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x42, 0x11, 0x56, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x3c, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x67, 0x73, 0x74, 0x6f, 0x72, 0x65, 0x2f, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2d, 0x73, 0x70, 0x65, 0x63, 0x73, 0x2f, 0x67, + 0x65, 0x6e, 0x2f, 0x70, 0x62, 0x2d, 0x67, 0x6f, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_sigstore_verification_proto_rawDescOnce sync.Once + file_sigstore_verification_proto_rawDescData = file_sigstore_verification_proto_rawDesc +) + +func file_sigstore_verification_proto_rawDescGZIP() []byte { + file_sigstore_verification_proto_rawDescOnce.Do(func() { + file_sigstore_verification_proto_rawDescData = protoimpl.X.CompressGZIP(file_sigstore_verification_proto_rawDescData) + }) + return file_sigstore_verification_proto_rawDescData +} + +var file_sigstore_verification_proto_msgTypes = make([]protoimpl.MessageInfo, 9) +var file_sigstore_verification_proto_goTypes = []interface{}{ + (*CertificateIdentity)(nil), // 0: 
dev.sigstore.verification.v1.CertificateIdentity + (*CertificateIdentities)(nil), // 1: dev.sigstore.verification.v1.CertificateIdentities + (*PublicKeyIdentities)(nil), // 2: dev.sigstore.verification.v1.PublicKeyIdentities + (*ArtifactVerificationOptions)(nil), // 3: dev.sigstore.verification.v1.ArtifactVerificationOptions + (*Artifact)(nil), // 4: dev.sigstore.verification.v1.Artifact + (*Input)(nil), // 5: dev.sigstore.verification.v1.Input + (*ArtifactVerificationOptions_TlogOptions)(nil), // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions + (*ArtifactVerificationOptions_CtlogOptions)(nil), // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions + (*ArtifactVerificationOptions_TimestampAuthorityOptions)(nil), // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions + (*v1.SubjectAlternativeName)(nil), // 9: dev.sigstore.common.v1.SubjectAlternativeName + (*v1.ObjectIdentifierValuePair)(nil), // 10: dev.sigstore.common.v1.ObjectIdentifierValuePair + (*v1.PublicKey)(nil), // 11: dev.sigstore.common.v1.PublicKey + (*v11.TrustedRoot)(nil), // 12: dev.sigstore.trustroot.v1.TrustedRoot + (*v12.Bundle)(nil), // 13: dev.sigstore.bundle.v1.Bundle +} +var file_sigstore_verification_proto_depIdxs = []int32{ + 9, // 0: dev.sigstore.verification.v1.CertificateIdentity.san:type_name -> dev.sigstore.common.v1.SubjectAlternativeName + 10, // 1: dev.sigstore.verification.v1.CertificateIdentity.oids:type_name -> dev.sigstore.common.v1.ObjectIdentifierValuePair + 0, // 2: dev.sigstore.verification.v1.CertificateIdentities.identities:type_name -> dev.sigstore.verification.v1.CertificateIdentity + 11, // 3: dev.sigstore.verification.v1.PublicKeyIdentities.public_keys:type_name -> dev.sigstore.common.v1.PublicKey + 1, // 4: dev.sigstore.verification.v1.ArtifactVerificationOptions.certificate_identities:type_name -> dev.sigstore.verification.v1.CertificateIdentities + 2, // 5: 
dev.sigstore.verification.v1.ArtifactVerificationOptions.public_keys:type_name -> dev.sigstore.verification.v1.PublicKeyIdentities + 6, // 6: dev.sigstore.verification.v1.ArtifactVerificationOptions.tlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions + 7, // 7: dev.sigstore.verification.v1.ArtifactVerificationOptions.ctlog_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions + 8, // 8: dev.sigstore.verification.v1.ArtifactVerificationOptions.tsa_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions + 12, // 9: dev.sigstore.verification.v1.Input.artifact_trust_root:type_name -> dev.sigstore.trustroot.v1.TrustedRoot + 3, // 10: dev.sigstore.verification.v1.Input.artifact_verification_options:type_name -> dev.sigstore.verification.v1.ArtifactVerificationOptions + 13, // 11: dev.sigstore.verification.v1.Input.bundle:type_name -> dev.sigstore.bundle.v1.Bundle + 4, // 12: dev.sigstore.verification.v1.Input.artifact:type_name -> dev.sigstore.verification.v1.Artifact + 13, // [13:13] is the sub-list for method output_type + 13, // [13:13] is the sub-list for method input_type + 13, // [13:13] is the sub-list for extension type_name + 13, // [13:13] is the sub-list for extension extendee + 0, // [0:13] is the sub-list for field type_name +} + +func init() { file_sigstore_verification_proto_init() } +func file_sigstore_verification_proto_init() { + if File_sigstore_verification_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_sigstore_verification_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CertificateIdentity); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*CertificateIdentities); i { + 
case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*PublicKeyIdentities); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ArtifactVerificationOptions); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Artifact); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Input); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ArtifactVerificationOptions_TlogOptions); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ArtifactVerificationOptions_CtlogOptions); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_sigstore_verification_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ArtifactVerificationOptions_TimestampAuthorityOptions); i { + case 0: + return &v.state + case 1: + return 
&v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + file_sigstore_verification_proto_msgTypes[3].OneofWrappers = []interface{}{ + (*ArtifactVerificationOptions_CertificateIdentities)(nil), + (*ArtifactVerificationOptions_PublicKeys)(nil), + } + file_sigstore_verification_proto_msgTypes[4].OneofWrappers = []interface{}{ + (*Artifact_ArtifactUri)(nil), + (*Artifact_Artifact)(nil), + } + file_sigstore_verification_proto_msgTypes[5].OneofWrappers = []interface{}{} + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_sigstore_verification_proto_rawDesc, + NumEnums: 0, + NumMessages: 9, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_sigstore_verification_proto_goTypes, + DependencyIndexes: file_sigstore_verification_proto_depIdxs, + MessageInfos: file_sigstore_verification_proto_msgTypes, + }.Build() + File_sigstore_verification_proto = out.File + file_sigstore_verification_proto_rawDesc = nil + file_sigstore_verification_proto_goTypes = nil + file_sigstore_verification_proto_depIdxs = nil +}
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index 255c6734..da588501 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -17,7 +17,7 @@ package dev.sigstore.trustroot.v1;
 import "sigstore_common.proto";
-option go_package = "github.com/sigstore/proto/trustroot/v1";
+option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1";
 option java_package = "dev.sigstore.proto.trustroot.v1";
 option java_multiple_files = true;
 option java_outer_classname = "TrustRootProto";
diff --git a/protos/sigstore_verification.proto b/protos/sigstore_verification.proto
index d19f8b78..51022769 100644
--- a/protos/sigstore_verification.proto
+++ b/protos/sigstore_verification.proto
@@ -19,7 +19,7 @@ import "sigstore_common.proto";
 import "sigstore_trustroot.proto";
 import "sigstore_bundle.proto";
-option go_package = "github.com/sigstore/proto/verification/v1";
+option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/verification/v1";
 option java_package = "dev.sigstore.proto.verification.v1";
 option java_multiple_files = true;
 option java_outer_classname = "VerificationProto";
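Review bot: The new `go_package` value carries no explicit Go package name, so protoc-gen-go derives it from the last path element and every generated package in this series ends up named `v1`; the generated code earlier in this same commit already has to alias them as `v1`, `v11` and `v12` to import common, trustroot and bundle side by side. Since this is the first version of these files and the option is being rewritten anyway, it is the cheapest moment to add the suffix, e.g. `option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/verification/v1;verificationv1";`, and apply the same form to the other protos so the convention stays uniform. Changing `go_package` again after the generated module has been published is a breaking change for Go importers, so it is worth settling now rather than later.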