package dsse
import "github.com/secure-systems-lab/go-securesystemslib/dsse"
Package dsse implements the Dead Simple Signing Envelope (DSSE) https://github.com/secure-systems-lab/dsse
Index ¶
- Variables
- func PAE(payloadType string, payload []byte) []byte
- type Envelope
- type EnvelopeSigner
- func NewEnvelopeSigner(p ...SignVerifier) (*EnvelopeSigner, error)
- func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelope, error)
- func (es *EnvelopeSigner) Verify(e *Envelope) error
- type EnvelopeVerifier
- func NewEnvelopeVerifier(p ...Verifier) EnvelopeVerifier
- func (ev *EnvelopeVerifier) Verify(e *Envelope) error
- type SignVerifier
- type Signature
- type Signer
- type Verifier
Variables ¶
ErrNoSignature indicates that an envelope did not contain any signatures.
ErrNoSigners indicates that no signer was provided.
ErrUnknownKey indicates that the implementation does not recognize the key.
Functions ¶
func PAE ¶
PAE implements the DSSE Pre-Authentication Encoding https://github.com/secure-systems-lab/dsse/blob/master/protocol.md#signature-definition
Types ¶
type Envelope ¶
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
Envelope captures an envelope as described by the Secure Systems Lab Signing Specification. See here: https://github.com/secure-systems-lab/signing-spec/blob/master/envelope.md
type EnvelopeSigner ¶
type EnvelopeSigner struct {
// contains filtered or unexported fields
}
EnvelopeSigner creates signed Envelopes.
func NewEnvelopeSigner ¶
func NewEnvelopeSigner(p ...SignVerifier) (*EnvelopeSigner, error)
NewEnvelopeSigner creates an EnvelopeSigner that uses one or more Signer algorithms to sign the data.
func (*EnvelopeSigner) SignPayload ¶
func (es *EnvelopeSigner) SignPayload(payloadType string, body []byte) (*Envelope, error)
SignPayload signs a payload and payload type according to DSSE and returns an envelope as defined here: https://github.com/secure-systems-lab/dsse/blob/master/envelope.md. One signature will be added for each Signer in the EnvelopeSigner.
func (*EnvelopeSigner) Verify ¶
func (es *EnvelopeSigner) Verify(e *Envelope) error
Verify decodes the payload and verifies the signature. Any domain-specific validation, such as parsing the decoded body and validating the payload type, is left to the caller.
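The following is an added example, not code from this package: a standard-library-only sketch of what PAE computes and of the payload-type check that Verify leaves to the caller. The names envelope, pae, demoKey, sign and verifyExpecting are hypothetical, and it assumes a single Ed25519 signature and the PAE layout from the DSSE protocol document linked under PAE.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

// envelope is a one-signature stand-in for the Envelope type on this page.
type envelope struct{ PayloadType, Payload, Sig string }

// pae encodes "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body (ASCII decimal lengths).
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// demoKey derives a throwaway key pair from a constructed all-zero seed.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// sign builds an envelope whose signature covers pae(type, body), not the body alone.
func sign(priv ed25519.PrivateKey, payloadType string, body []byte) envelope {
	b64 := base64.StdEncoding.EncodeToString
	return envelope{payloadType, b64(body), b64(ed25519.Sign(priv, pae(payloadType, body)))}
}

// verifyExpecting pins the payload type, then verifies the signature over the PAE.
func verifyExpecting(pub ed25519.PublicKey, e envelope, wantType string) ([]byte, error) {
	if e.PayloadType != wantType {
		return nil, errors.New("unexpected payload type")
	}
	body, err1 := base64.StdEncoding.DecodeString(e.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(e.Sig)
	if err1 != nil || err2 != nil {
		return nil, errors.New("envelope fields are not valid base64")
	}
	if !ed25519.Verify(pub, pae(e.PayloadType, body), sig) {
		return nil, errors.New("signature does not cover this payload type and body")
	}
	return body, nil
}

func main() {
	pub, priv := demoKey()
	body, err := verifyExpecting(pub, sign(priv, "text/plain", []byte("hi")), "text/plain")
	fmt.Printf("%s %v\n", body, err)
}
```

Because the payload type is inside the signed bytes, relabelling an envelope's payloadType invalidates the signature; the explicit type comparison is still needed so a validly signed envelope of another type is not parsed as the expected one.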
type EnvelopeVerifier ¶
type EnvelopeVerifier struct {
// contains filtered or unexported fields
}
func NewEnvelopeVerifier ¶
func NewEnvelopeVerifier(p ...Verifier) EnvelopeVerifier
func (*EnvelopeVerifier) Verify ¶
func (ev *EnvelopeVerifier) Verify(e *Envelope) error
type SignVerifier ¶
SignVerifier provides both the signing and verification interface.
type Signature ¶
Signature represents a generic in-toto signature that contains the identifier of the key which was used to create the signature. The signature scheme used has to be agreed upon by the signer and verifier out of band. The signature is a base64 encoding of the raw bytes from the signature algorithm.
type Signer ¶
Signer defines the interface for an abstract signing algorithm. The Signer interface is used to inject signature algorithm implementations into the EnvelopeSigner. This decoupling allows any signing algorithm and key management system to be used. The full message is provided as the parameter. If the signature algorithm depends on hashing of the message prior to signature calculation, the implementor of this interface must perform such hashing. The function must return raw bytes representing the calculated signature using the current algorithm, and the key used (if applicable). For an example see EcdsaSigner in sign_test.go.
type Verifier ¶
Verifier verifies a complete message against a signature and key. If the message was hashed prior to signature generation, the verifier must perform the same steps. If the key is not recognized, ErrUnknownKey shall be returned.
- Version: v0.2.0
- Published: Dec 1, 2021
- Platform: js/wasm
- Imports: 3 packages