protobug_sigstore_protos 0.1.0

data/lib/sigstore/common/v1/sigstore_common_pb.rb

@@ -0,0 +1,441 @@
+# frozen_string_literal: true
+
+# Code generated by protoc-gen-protobug. DO NOT EDIT.
+
+# source: sigstore_common.proto
+# syntax: proto3
+# package: dev.sigstore.common.v1
+# options:
+#   java_package: "dev.sigstore.proto.common.v1"
+#   java_outer_classname: "CommonProto"
+#   java_multiple_files: true
+#   go_package: "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+#   ruby_package: "Sigstore::Common::V1"
+
+# Copyright 2022 The Sigstore Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "protobug"
+
+require "google/api/field_behavior_pb"
+require "google/protobuf/timestamp_pb"
+
+module Sigstore
+  module Common
+    module V1
+      # This package defines commonly used message types within the Sigstore
+      # community.
+
+      # Only a subset of the secure hash standard algorithms are supported.
+      # See <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf> for more
+      # details.
+      # UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force
+      # any proto JSON serialization to emit the used hash algorithm, as default
+      # option is to *omit* the default value of an enum (which is the first
+      # value, represented by '0'.
+      class HashAlgorithm
+        extend Protobug::Enum
+
+        self.full_name = "dev.sigstore.common.v1.HashAlgorithm"
+
+        HASH_ALGORITHM_UNSPECIFIED = new("HASH_ALGORITHM_UNSPECIFIED", 0).freeze
+        SHA2_256 = new("SHA2_256", 1).freeze
+        SHA2_384 = new("SHA2_384", 2).freeze
+        SHA2_512 = new("SHA2_512", 3).freeze
+        SHA3_256 = new("SHA3_256", 4).freeze
+        SHA3_384 = new("SHA3_384", 5).freeze
+      end
+
+      # Details of a specific public key, capturing the the key encoding method,
+      # and signature algorithm.
+      #
+      # PublicKeyDetails captures the public key/hash algorithm combinations
+      # recommended in the Sigstore ecosystem.
+      #
+      # This is modelled as a linear set as we want to provide a small number of
+      # opinionated options instead of allowing every possible permutation.
+      #
+      # Any changes to this enum MUST be reflected in the algorithm registry.
+      # See: docs/algorithm-registry.md
+      #
+      # To avoid the possibility of contradicting formats such as PKCS1 with
+      # ED25519 the valid permutations are listed as a linear set instead of a
+      # cartesian set (i.e one combined variable instead of two, one for encoding
+      # and one for the signature algorithm).
+      class PublicKeyDetails
+        extend Protobug::Enum
+
+        self.full_name = "dev.sigstore.common.v1.PublicKeyDetails"
+
+        PUBLIC_KEY_DETAILS_UNSPECIFIED = new(
+          "PUBLIC_KEY_DETAILS_UNSPECIFIED",
+          0
+        ).freeze
+        # RSA
+        PKCS1_RSA_PKCS1V5 = new("PKCS1_RSA_PKCS1V5", 1).freeze # See RFC8017
+        PKCS1_RSA_PSS = new("PKCS1_RSA_PSS", 2).freeze # See RFC8017
+        PKIX_RSA_PKCS1V5 = new("PKIX_RSA_PKCS1V5", 3).freeze
+        PKIX_RSA_PSS = new("PKIX_RSA_PSS", 4).freeze
+        # RSA public key in PKIX format, PKCS#1v1.5 signature
+        PKIX_RSA_PKCS1V15_2048_SHA256 = new(
+          "PKIX_RSA_PKCS1V15_2048_SHA256",
+          9
+        ).freeze
+        PKIX_RSA_PKCS1V15_3072_SHA256 = new(
+          "PKIX_RSA_PKCS1V15_3072_SHA256",
+          10
+        ).freeze
+        PKIX_RSA_PKCS1V15_4096_SHA256 = new(
+          "PKIX_RSA_PKCS1V15_4096_SHA256",
+          11
+        ).freeze
+        # RSA public key in PKIX format, RSASSA-PSS signature
+        PKIX_RSA_PSS_2048_SHA256 = new(
+          "PKIX_RSA_PSS_2048_SHA256",
+          16
+        ).freeze # See RFC4055
+        PKIX_RSA_PSS_3072_SHA256 = new("PKIX_RSA_PSS_3072_SHA256", 17).freeze
+        PKIX_RSA_PSS_4096_SHA256 = new("PKIX_RSA_PSS_4096_SHA256", 18).freeze
+        # ECDSA
+        PKIX_ECDSA_P256_HMAC_SHA_256 = new(
+          "PKIX_ECDSA_P256_HMAC_SHA_256",
+          6
+        ).freeze # See RFC6979
+        PKIX_ECDSA_P256_SHA_256 = new(
+          "PKIX_ECDSA_P256_SHA_256",
+          5
+        ).freeze # See NIST FIPS 186-4
+        PKIX_ECDSA_P384_SHA_384 = new("PKIX_ECDSA_P384_SHA_384", 12).freeze
+        PKIX_ECDSA_P521_SHA_512 = new("PKIX_ECDSA_P521_SHA_512", 13).freeze
+        # Ed 25519
+        PKIX_ED25519 = new("PKIX_ED25519", 7).freeze # See RFC8032
+        PKIX_ED25519_PH = new("PKIX_ED25519_PH", 8).freeze
+        # LMS and LM-OTS
+        #
+        # These keys and signatures may be used by private Sigstore
+        # deployments, but are not currently supported by the public
+        # good instance.
+        #
+        # USER WARNING: LMS and LM-OTS are both stateful signature schemes.
+        # Using them correctly requires discretion and careful consideration
+        # to ensure that individual secret keys are not used more than once.
+        # In addition, LM-OTS is a single-use scheme, meaning that it
+        # MUST NOT be used for more than one signature per LM-OTS key.
+        # If you cannot maintain these invariants, you MUST NOT use these
+        # schemes.
+        LMS_SHA256 = new("LMS_SHA256", 14).freeze
+        LMOTS_SHA256 = new("LMOTS_SHA256", 15).freeze
+
+        reserved_range(19..49)
+      end
+
+      # HashOutput captures a digest of a 'message' (generic octet sequence)
+      # and the corresponding hash algorithm used.
+      class HashOutput
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.HashOutput"
+
+        optional(
+          1,
+          "algorithm",
+          type: :enum,
+          enum_type: "dev.sigstore.common.v1.HashAlgorithm",
+          proto3_optional: false
+        )
+        # This is the raw octets of the message digest as computed by
+        # the hash algorithm.
+        optional(2, "digest", type: :bytes, proto3_optional: false)
+      end
+
+      # MessageSignature stores the computed signature over a message.
+      class MessageSignature
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.MessageSignature"
+
+        # Message digest can be used to identify the artifact.
+        # Clients MUST NOT attempt to use this digest to verify the associated
+        # signature; it is intended solely for identification.
+        optional(
+          1,
+          "message_digest",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.HashOutput",
+          json_name: "messageDigest",
+          proto3_optional: false
+        )
+        # The raw bytes as returned from the signature algorithm.
+        # The signature algorithm (and so the format of the signature bytes)
+        # are determined by the contents of the 'verification_material',
+        # either a key-pair or a certificate. If using a certificate, the
+        # certificate contains the required information on the signature
+        # algorithm.
+        # When using a key pair, the algorithm MUST be part of the public
+        # key, which MUST be communicated out-of-band.
+        optional(2, "signature", type: :bytes, proto3_optional: false)
+      end
+
+      # LogId captures the identity of a transparency log.
+      class LogId
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.LogId"
+
+        # The unique identity of the log, represented by its public key.
+        optional(
+          1,
+          "key_id",
+          type: :bytes,
+          json_name: "keyId",
+          proto3_optional: false
+        )
+      end
+
+      # This message holds a RFC 3161 timestamp.
+      class RFC3161SignedTimestamp
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.RFC3161SignedTimestamp"
+
+        # Signed timestamp is the DER encoded TimeStampResponse.
+        # See https://www.rfc-editor.org/rfc/rfc3161.html#section-2.4.2
+        optional(
+          1,
+          "signed_timestamp",
+          type: :bytes,
+          json_name: "signedTimestamp",
+          proto3_optional: false
+        )
+      end
+
+      class PublicKey
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.PublicKey"
+
+        # DER-encoded public key, encoding method is specified by the
+        # key_details attribute.
+        optional(1, "raw_bytes", type: :bytes, json_name: "rawBytes")
+        # Key encoding and signature algorithm to use for this key.
+        optional(
+          2,
+          "key_details",
+          type: :enum,
+          enum_type: "dev.sigstore.common.v1.PublicKeyDetails",
+          json_name: "keyDetails",
+          proto3_optional: false
+        )
+        # Optional validity period for this key, *inclusive* of the endpoints.
+        optional(
+          3,
+          "valid_for",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.TimeRange",
+          json_name: "validFor"
+        )
+      end
+
+      # PublicKeyIdentifier can be used to identify an (out of band) delivered
+      # key, to verify a signature.
+      class PublicKeyIdentifier
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.PublicKeyIdentifier"
+
+        # Optional unauthenticated hint on which key to use.
+        # The format of the hint must be agreed upon out of band by the
+        # signer and the verifiers, and so is not subject to this
+        # specification.
+        # Example use-case is to specify the public key to use, from a
+        # trusted key-ring.
+        # Implementors are RECOMMENDED to derive the value from the public
+        # key as described in RFC 6962.
+        # See: <https://www.rfc-editor.org/rfc/rfc6962#section-3.2>
+        optional(1, "hint", type: :string, proto3_optional: false)
+      end
+
+      # An ASN.1 OBJECT IDENTIFIER
+      class ObjectIdentifier
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.ObjectIdentifier"
+
+        repeated(1, "id", type: :int32, packed: true)
+      end
+
+      # An OID and the corresponding (byte) value.
+      class ObjectIdentifierValuePair
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.ObjectIdentifierValuePair"
+
+        optional(
+          1,
+          "oid",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.ObjectIdentifier",
+          proto3_optional: false
+        )
+        optional(2, "value", type: :bytes, proto3_optional: false)
+      end
+
+      class DistinguishedName
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.DistinguishedName"
+
+        optional(1, "organization", type: :string, proto3_optional: false)
+        optional(
+          2,
+          "common_name",
+          type: :string,
+          json_name: "commonName",
+          proto3_optional: false
+        )
+      end
+
+      class X509Certificate
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.X509Certificate"
+
+        # DER-encoded X.509 certificate.
+        optional(
+          1,
+          "raw_bytes",
+          type: :bytes,
+          json_name: "rawBytes",
+          proto3_optional: false
+        )
+      end
+
+      class SubjectAlternativeNameType
+        extend Protobug::Enum
+
+        self.full_name = "dev.sigstore.common.v1.SubjectAlternativeNameType"
+
+        SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED = new(
+          "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED",
+          0
+        ).freeze
+        EMAIL = new("EMAIL", 1).freeze
+        URI = new("URI", 2).freeze
+        # OID 1.3.6.1.4.1.57264.1.7
+        # See https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417--othername-san
+        # for more details.
+        OTHER_NAME = new("OTHER_NAME", 3).freeze
+      end
+
+      class SubjectAlternativeName
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.SubjectAlternativeName"
+
+        optional(
+          1,
+          "type",
+          type: :enum,
+          enum_type: "dev.sigstore.common.v1.SubjectAlternativeNameType",
+          proto3_optional: false
+        )
+        # A regular expression describing the expected value for
+        # the SAN.
+        optional(
+          2,
+          "regexp",
+          type: :string,
+          oneof: :identity,
+          proto3_optional: false
+        )
+        # The exact value to match against.
+        optional(
+          3,
+          "value",
+          type: :string,
+          oneof: :identity,
+          proto3_optional: false
+        )
+      end
+
+      # A collection of X.509 certificates.
+      #
+      # This "chain" can be used in multiple contexts, such as providing a root CA
+      # certificate within a TUF root of trust or multiple untrusted certificates for
+      # the purpose of chain building.
+      class X509CertificateChain
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.X509CertificateChain"
+
+        # One or more DER-encoded certificates.
+        #
+        # In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence
+        # has an imposed order. Unless explicitly specified, there is otherwise no
+        # guaranteed order.
+        repeated(
+          1,
+          "certificates",
+          type: :message,
+          message_type: "dev.sigstore.common.v1.X509Certificate"
+        )
+      end
+
+      # The time range is closed and includes both the start and end times,
+      # (i.e., [start, end]).
+      # End is optional to be able to capture a period that has started but
+      # has no known end.
+      class TimeRange
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.common.v1.TimeRange"
+
+        optional(
+          1,
+          "start",
+          type: :message,
+          message_type: "google.protobuf.Timestamp",
+          proto3_optional: false
+        )
+        optional(
+          2,
+          "end",
+          type: :message,
+          message_type: "google.protobuf.Timestamp"
+        )
+      end
+
+      def self.register_sigstore_common_protos(registry)
+        Google::Api.register_field_behavior_protos(registry)
+        Google::Protobuf.register_timestamp_protos(registry)
+        registry.register(Sigstore::Common::V1::HashAlgorithm)
+        registry.register(Sigstore::Common::V1::PublicKeyDetails)
+        registry.register(Sigstore::Common::V1::HashOutput)
+        registry.register(Sigstore::Common::V1::MessageSignature)
+        registry.register(Sigstore::Common::V1::LogId)
+        registry.register(Sigstore::Common::V1::RFC3161SignedTimestamp)
+        registry.register(Sigstore::Common::V1::PublicKey)
+        registry.register(Sigstore::Common::V1::PublicKeyIdentifier)
+        registry.register(Sigstore::Common::V1::ObjectIdentifier)
+        registry.register(Sigstore::Common::V1::ObjectIdentifierValuePair)
+        registry.register(Sigstore::Common::V1::DistinguishedName)
+        registry.register(Sigstore::Common::V1::X509Certificate)
+        registry.register(Sigstore::Common::V1::SubjectAlternativeNameType)
+        registry.register(Sigstore::Common::V1::SubjectAlternativeName)
+        registry.register(Sigstore::Common::V1::X509CertificateChain)
+        registry.register(Sigstore::Common::V1::TimeRange)
+      end
+    end
+  end
+end

data/lib/sigstore/dsse/envelope_pb.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+# Code generated by protoc-gen-protobug. DO NOT EDIT.
+
+# source: envelope.proto
+# syntax: proto3
+# package: io.intoto
+# options:
+#   go_package: "github.com/sigstore/protobuf-specs/gen/pb-go/dsse"
+#   ruby_package: "Sigstore::DSSE"
+
+# https://raw.githubusercontent.com/secure-systems-lab/dsse/9c813476bd36de70a5738c72e784f123ecea16af/envelope.proto
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "protobug"
+
+module Sigstore
+  module DSSE
+    # An authenticated message of arbitrary type.
+    class Envelope
+      extend Protobug::Message
+
+      self.full_name = "io.intoto.Envelope"
+
+      # Message to be signed. (In JSON, this is encoded as base64.)
+      # REQUIRED.
+      optional(1, "payload", type: :bytes, proto3_optional: false)
+      # String unambiguously identifying how to interpret payload.
+      # REQUIRED.
+      optional(2, "payloadType", type: :string, proto3_optional: false)
+      # Signature over:
+      #     PAE(type, payload)
+      # Where PAE is defined as:
+      # PAE(type, payload) = "DSSEv1" + SP + LEN(type) + SP + type + SP + LEN(payload) + SP + payload
+      # +               = concatenation
+      # SP              = ASCII space [0x20]
+      # "DSSEv1"        = ASCII [0x44, 0x53, 0x53, 0x45, 0x76, 0x31]
+      # LEN(s)          = ASCII decimal encoding of the byte length of s, with no leading zeros
+      # REQUIRED (length >= 1).
+      repeated(
+        3,
+        "signatures",
+        type: :message,
+        message_type: "io.intoto.Signature"
+      )
+    end
+
+    class Signature
+      extend Protobug::Message
+
+      self.full_name = "io.intoto.Signature"
+
+      # Signature itself. (In JSON, this is encoded as base64.)
+      # REQUIRED.
+      optional(1, "sig", type: :bytes, proto3_optional: false)
+      # *Unauthenticated* hint identifying which public key was used.
+      # OPTIONAL.
+      optional(2, "keyid", type: :string, proto3_optional: false)
+    end
+
+    def self.register_envelope_protos(registry)
+      registry.register(Sigstore::DSSE::Envelope)
+      registry.register(Sigstore::DSSE::Signature)
+    end
+  end
+end

data/lib/sigstore/events/events_pb.rb

@@ -0,0 +1,194 @@
+# frozen_string_literal: true
+
+# Code generated by protoc-gen-protobug. DO NOT EDIT.
+
+# source: events.proto
+# syntax: proto3
+# package: dev.sigstore.events.v1
+# options:
+#   java_package: "dev.sigstore.proto.events.v1"
+#   java_multiple_files: true
+#   go_package: "github.com/sigstore/protobuf-specs/gen/pb-go/events/v1"
+#   ruby_package: "Sigstore::Events"
+
+# https://github.com/cloudevents/spec/blob/v1.0.2/cloudevents/formats/cloudevents.proto
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# *
+#  CloudEvent Protobuf Format
+#
+#  - Required context attributes are explicity represented.
+#  - Optional and Extension context attributes are carried in a map structure.
+#  - Data may be represented as binary, text, or protobuf messages.
+
+require "protobug"
+
+require "google/protobuf/any_pb"
+require "google/protobuf/timestamp_pb"
+
+module Sigstore
+  module Events
+    class CloudEvent
+      extend Protobug::Message
+
+      self.full_name = "dev.sigstore.events.v1.CloudEvent"
+
+      # -- CloudEvent Context Attributes
+
+      # Required Attributes
+      optional(1, "id", type: :string, proto3_optional: false)
+      optional(
+        2,
+        "source",
+        type: :string,
+        proto3_optional: false
+      ) # URI-reference
+      optional(
+        3,
+        "spec_version",
+        type: :string,
+        json_name: "specVersion",
+        proto3_optional: false
+      )
+      optional(4, "type", type: :string, proto3_optional: false)
+      # Optional & Extension Attributes
+      map(
+        5,
+        "attributes",
+        key_type: :string,
+        value_type: :message,
+        message_type:
+        "dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue"
+      )
+      # -- CloudEvent Data (Bytes, Text, or Proto)
+
+      optional(
+        6,
+        "binary_data",
+        type: :bytes,
+        json_name: "binaryData",
+        oneof: :data,
+        proto3_optional: false
+      )
+      optional(
+        7,
+        "text_data",
+        type: :string,
+        json_name: "textData",
+        oneof: :data,
+        proto3_optional: false
+      )
+      optional(
+        8,
+        "proto_data",
+        type: :message,
+        message_type: "google.protobuf.Any",
+        json_name: "protoData",
+        oneof: :data,
+        proto3_optional: false
+      )
+      # *
+      #  The CloudEvent specification defines
+      #  seven attribute value types...
+
+      class CloudEventAttributeValue
+        extend Protobug::Message
+
+        self.full_name = "dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue"
+
+        optional(
+          1,
+          "ce_boolean",
+          type: :bool,
+          json_name: "ceBoolean",
+          oneof: :attr,
+          proto3_optional: false
+        )
+        optional(
+          2,
+          "ce_integer",
+          type: :int32,
+          json_name: "ceInteger",
+          oneof: :attr,
+          proto3_optional: false
+        )
+        optional(
+          3,
+          "ce_string",
+          type: :string,
+          json_name: "ceString",
+          oneof: :attr,
+          proto3_optional: false
+        )
+        optional(
+          4,
+          "ce_bytes",
+          type: :bytes,
+          json_name: "ceBytes",
+          oneof: :attr,
+          proto3_optional: false
+        )
+        optional(
+          5,
+          "ce_uri",
+          type: :string,
+          json_name: "ceUri",
+          oneof: :attr,
+          proto3_optional: false
+        )
+        optional(
+          6,
+          "ce_uri_ref",
+          type: :string,
+          json_name: "ceUriRef",
+          oneof: :attr,
+          proto3_optional: false
+        )
+        optional(
+          7,
+          "ce_timestamp",
+          type: :message,
+          message_type: "google.protobuf.Timestamp",
+          json_name: "ceTimestamp",
+          oneof: :attr,
+          proto3_optional: false
+        )
+      end
+    end
+
+    # *
+    #  CloudEvent Protobuf Batch Format
+
+    class CloudEventBatch
+      extend Protobug::Message
+
+      self.full_name = "dev.sigstore.events.v1.CloudEventBatch"
+
+      repeated(
+        1,
+        "events",
+        type: :message,
+        message_type: "dev.sigstore.events.v1.CloudEvent"
+      )
+    end
+
+    def self.register_events_protos(registry)
+      Google::Protobuf.register_any_protos(registry)
+      Google::Protobuf.register_timestamp_protos(registry)
+      registry.register(Sigstore::Events::CloudEvent)
+      registry.register(Sigstore::Events::CloudEvent::CloudEventAttributeValue)
+      registry.register(Sigstore::Events::CloudEventBatch)
+    end
+  end
+end