116 lines
4.1 KiB
JavaScript
Executable file
116 lines
4.1 KiB
JavaScript
Executable file
"use strict";
|
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
exports.createVerificationPolicy = exports.createKeyFinder = exports.createBundleBuilder = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = void 0;
|
|
/*
|
|
Copyright 2023 The Sigstore Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
const core_1 = require("@sigstore/core");
|
|
const sign_1 = require("@sigstore/sign");
|
|
const verify_1 = require("@sigstore/verify");
|
|
exports.DEFAULT_RETRY = { retries: 2 };
|
|
exports.DEFAULT_TIMEOUT = 5000;
|
|
function createBundleBuilder(bundleType, options) {
|
|
const bundlerOptions = {
|
|
signer: initSigner(options),
|
|
witnesses: initWitnesses(options),
|
|
};
|
|
switch (bundleType) {
|
|
case 'messageSignature':
|
|
return new sign_1.MessageSignatureBundleBuilder(bundlerOptions);
|
|
case 'dsseEnvelope':
|
|
return new sign_1.DSSEBundleBuilder(bundlerOptions);
|
|
}
|
|
}
|
|
exports.createBundleBuilder = createBundleBuilder;
|
|
// Translates the public KeySelector type into the KeyFinderFunc type needed by
|
|
// the verifier.
|
|
function createKeyFinder(keySelector) {
|
|
return (hint) => {
|
|
const key = keySelector(hint);
|
|
if (!key) {
|
|
throw new verify_1.VerificationError({
|
|
code: 'PUBLIC_KEY_ERROR',
|
|
message: `key not found: ${hint}`,
|
|
});
|
|
}
|
|
return {
|
|
publicKey: core_1.crypto.createPublicKey(key),
|
|
validFor: () => true,
|
|
};
|
|
};
|
|
}
|
|
exports.createKeyFinder = createKeyFinder;
|
|
function createVerificationPolicy(options) {
|
|
const policy = {};
|
|
const san = options.certificateIdentityEmail || options.certificateIdentityURI;
|
|
if (san) {
|
|
policy.subjectAlternativeName = san;
|
|
}
|
|
if (options.certificateIssuer) {
|
|
policy.extensions = { issuer: options.certificateIssuer };
|
|
}
|
|
return policy;
|
|
}
|
|
exports.createVerificationPolicy = createVerificationPolicy;
|
|
// Instantiate the FulcioSigner based on the supplied options.
|
|
function initSigner(options) {
|
|
return new sign_1.FulcioSigner({
|
|
fulcioBaseURL: options.fulcioURL,
|
|
identityProvider: options.identityProvider || initIdentityProvider(options),
|
|
retry: options.retry ?? exports.DEFAULT_RETRY,
|
|
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
|
|
});
|
|
}
|
|
// Instantiate an identity provider based on the supplied options. If an
|
|
// explicit identity token is provided, use that. Otherwise, use the CI
|
|
// context provider.
|
|
function initIdentityProvider(options) {
|
|
const token = options.identityToken;
|
|
if (token) {
|
|
/* istanbul ignore next */
|
|
return { getToken: () => Promise.resolve(token) };
|
|
}
|
|
else {
|
|
return new sign_1.CIContextProvider('sigstore');
|
|
}
|
|
}
|
|
// Instantiate a collection of witnesses based on the supplied options.
|
|
function initWitnesses(options) {
|
|
const witnesses = [];
|
|
if (isRekorEnabled(options)) {
|
|
witnesses.push(new sign_1.RekorWitness({
|
|
rekorBaseURL: options.rekorURL,
|
|
fetchOnConflict: false,
|
|
retry: options.retry ?? exports.DEFAULT_RETRY,
|
|
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
|
|
}));
|
|
}
|
|
if (isTSAEnabled(options)) {
|
|
witnesses.push(new sign_1.TSAWitness({
|
|
tsaBaseURL: options.tsaServerURL,
|
|
retry: options.retry ?? exports.DEFAULT_RETRY,
|
|
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
|
|
}));
|
|
}
|
|
return witnesses;
|
|
}
|
|
// Type assertion to ensure that Rekor is enabled
|
|
function isRekorEnabled(options) {
|
|
return options.tlogUpload !== false;
|
|
}
|
|
// Type assertion to ensure that TSA is enabled
|
|
function isTSAEnabled(options) {
|
|
return options.tsaServerURL !== undefined;
|
|
}
|