n.kolosnaj/SimfonyBasics
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Last commit july 5th

Browse Source
This commit is contained in:
nkolosnjaj
2024-07-05 13:46:23 +02:00
parent dad0d86e8c
commit b0e4dfbb76
24982 changed files with 2621219 additions and 413 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
spa/node_modules/sigstore/dist/ca/verify/chain.d.ts generated vendored Normal file
View File

@@ -0,0 +1,4 @@
import * as sigstore from '../../types/sigstore';
import { x509Certificate } from '../../x509/cert';
import type { X509Certificate } from '@sigstore/bundle';
export declare function verifyChain(certificate: X509Certificate, certificateAuthorities: sigstore.CertificateAuthority[]): x509Certificate[];

63
spa/node_modules/sigstore/dist/ca/verify/chain.js generated vendored Normal file
View File

@@ -0,0 +1,63 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyChain = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
const cert_1 = require("../../x509/cert");
const verify_1 = require("../../x509/verify");
function verifyChain(certificate, certificateAuthorities) {
const untrustedCert = cert_1.x509Certificate.parse(certificate.rawBytes);
// Filter the list of certificate authorities to those which are valid for the
// signing certificate's notBefore date.
const validCAs = filterCertificateAuthorities(certificateAuthorities, untrustedCert.notBefore);
if (validCAs.length === 0) {
throw new error_1.VerificationError('No valid certificate authorities');
}
let trustedChain = [];
// Loop through all valid CAs and attempt to verify the certificate chain
const verified = validCAs.find((ca) => {
const trustedCerts = parseCerts(ca.certChain?.certificates || []);
try {
trustedChain = (0, verify_1.verifyCertificateChain)({
untrustedCert,
trustedCerts,
validAt: untrustedCert.notBefore,
});
return true;
}
catch (e) {
return false;
}
});
if (!verified) {
throw new error_1.VerificationError('No valid certificate chain');
}
return trustedChain;
}
exports.verifyChain = verifyChain;
// Filter the list of certificate authorities to those which are valid for the
// given date.
function filterCertificateAuthorities(certificateAuthorities, validAt) {
return certificateAuthorities.filter((ca) => ca.validFor &&
ca.validFor.start &&
ca.validFor.start <= validAt &&
(!ca.validFor.end || validAt <= ca.validFor.end));
}
// Parse the raw bytes of a certificate into an x509Certificate object.
function parseCerts(certs) {
return certs.map((cert) => cert_1.x509Certificate.parse(cert.rawBytes));
}

3
spa/node_modules/sigstore/dist/ca/verify/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import * as sigstore from '../../types/sigstore';
import type { BundleWithCertificateChain } from '@sigstore/bundle';
export declare function verifySigningCertificate(bundle: BundleWithCertificateChain, trustedRoot: sigstore.TrustedRoot, options: sigstore.CAArtifactVerificationOptions): void;

22
spa/node_modules/sigstore/dist/ca/verify/index.js generated vendored Normal file
View File

@@ -0,0 +1,22 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySigningCertificate = void 0;
const chain_1 = require("./chain");
const sct_1 = require("./sct");
const signer_1 = require("./signer");
function verifySigningCertificate(bundle, trustedRoot, options) {
// Check that a trusted certificate chain can be found for the signing
// certificate in the bundle. Only the first certificate in the bundle's
// chain is used -- everything else must come from the trusted root.
const trustedChain = (0, chain_1.verifyChain)(bundle.verificationMaterial.content.x509CertificateChain.certificates[0], trustedRoot.certificateAuthorities);
// Unless disabled, verify the SCTs in the signing certificate
if (options.ctlogOptions.disable === false) {
(0, sct_1.verifySCTs)(trustedChain, trustedRoot.ctlogs, options.ctlogOptions);
}
// Verify the signing certificate against the provided identities
// if provided
if (options.signers) {
(0, signer_1.verifySignerIdentity)(trustedChain[0], options.signers.certificateIdentities);
}
}
exports.verifySigningCertificate = verifySigningCertificate;

3
spa/node_modules/sigstore/dist/ca/verify/sct.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import * as sigstore from '../../types/sigstore';
import { x509Certificate } from '../../x509/cert';
export declare function verifySCTs(certificateChain: x509Certificate[], ctLogs: sigstore.TransparencyLogInstance[], options: sigstore.ArtifactVerificationOptions_CtlogOptions): void;

30
spa/node_modules/sigstore/dist/ca/verify/sct.js generated vendored Normal file
View File

@@ -0,0 +1,30 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySCTs = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
function verifySCTs(certificateChain, ctLogs, options) {
const signingCert = certificateChain[0];
const issuerCert = certificateChain[1];
const sctResults = signingCert.verifySCTs(issuerCert, ctLogs);
// Count the number of verified SCTs which were found
const verifiedSCTCount = sctResults.filter((sct) => sct.verified).length;
if (verifiedSCTCount < options.threshold) {
throw new error_1.VerificationError(`Not enough SCTs verified (found ${verifiedSCTCount}, need ${options.threshold})`);
}
}
exports.verifySCTs = verifySCTs;

3
spa/node_modules/sigstore/dist/ca/verify/signer.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import * as sigstore from '../../types/sigstore';
import { x509Certificate } from '../../x509/cert';
export declare function verifySignerIdentity(signingCert: x509Certificate, identities: sigstore.CertificateIdentities): void;

143
spa/node_modules/sigstore/dist/ca/verify/signer.js generated vendored Normal file
View File

@@ -0,0 +1,143 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifySignerIdentity = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
const sigstore = __importStar(require("../../types/sigstore"));
// https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726411--issuer
const OID_FULCIO_ISSUER = '1.3.6.1.4.1.57264.1.1';
// https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417--othername-san
const OID_FULCIO_USERNAME_SUBJECT = '1.3.6.1.4.1.57264.1.7';
// Verifies the identity embedded in a Fulcio-issued signing certificate against
// the list of trusted identities. Returns without error if at least one of the
// identities matches the signing certificate; otherwise, throws a
// VerificationError.
function verifySignerIdentity(signingCert, identities) {
// Check that the signing certificate was issued to at least one of the
// specified identities
const signerVerified = identities.identities.some((identity) => verifyIdentity(signingCert, identity));
if (!signerVerified) {
throw new error_1.PolicyError('Certificate issued to untrusted signer');
}
}
exports.verifySignerIdentity = verifySignerIdentity;
// Checks that the specified certificate was issued to the specified identity.
// The certificate must match the issuer, subject alternative name, and an
// optional list of certificate extensions. Returns true if the certificate was
// issued to the identity; otherwise, returns false.
function verifyIdentity(cert, identity) {
return (verifyIssuer(cert, identity.issuer) &&
verifySAN(cert, identity.san) &&
verifyOIDs(cert, identity.oids));
}
// Checks the Fulcio issuer extension against the expected issuer. Returns true
// if the issuer matches; otherwise, returns false.
function verifyIssuer(cert, issuer) {
const issuerExtension = cert.extension(OID_FULCIO_ISSUER);
return issuerExtension?.value.toString('ascii') === issuer;
}
// Checks the certificate against the expected subject alternative name. Returns
// true if the SAN matches; otherwise, returns false.
function verifySAN(cert, expectedSAN) {
// Fail if the SAN is not specified or is not a supported type
if (expectedSAN === undefined ||
expectedSAN.identity === undefined ||
expectedSAN.type ===
sigstore.SubjectAlternativeNameType
.SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED) {
return false;
}
const sanExtension = cert.extSubjectAltName;
// Fail if the certificate does not have a SAN extension
if (!sanExtension) {
return false;
}
let sanValue;
switch (expectedSAN.type) {
case sigstore.SubjectAlternativeNameType.EMAIL:
sanValue = sanExtension.rfc822Name;
break;
case sigstore.SubjectAlternativeNameType.URI:
sanValue = sanExtension.uri;
break;
case sigstore.SubjectAlternativeNameType.OTHER_NAME:
sanValue = sanExtension.otherName(OID_FULCIO_USERNAME_SUBJECT);
break;
}
// Missing SAN value is an automatic failure
if (sanValue === undefined) {
return false;
}
let match;
switch (expectedSAN.identity.$case) {
case 'value':
match = expectedSAN.identity.value;
break;
case 'regexp':
// TODO support regex
break;
}
return sanValue === match;
}
// Checks that the certificate contains the specified extensions. Returns true
// if all extensions are present and match the expected values; otherwise,
// returns false.
function verifyOIDs(cert, oids) {
return oids.every((expectedExtension) => {
if (!expectedExtension.oid) {
return false;
}
const oid = expectedExtension.oid.id.join('.');
const extension = cert.extension(oid);
// If the extension is not present, or there is no value, return false
const valueObj = extension?.valueObj;
if (!valueObj) {
return false;
}
// Check to see if this is a newer style extension with an embedded
// UTF8String, or an older style extension with a raw string
if (valueObj.subs.length > 0) {
return valueObj.subs[0].value.equals(expectedExtension.value);
}
else {
return valueObj.value.equals(expectedExtension.value);
}
});
}

1
spa/node_modules/sigstore/dist/cli/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1 @@
export declare function processArgv(): Promise<void>;

125
spa/node_modules/sigstore/dist/cli/index.js generated vendored Normal file
View File

@@ -0,0 +1,125 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.processArgv = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const fs_1 = __importDefault(require("fs"));
const index_1 = require("../index");
const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json';
async function cli(args) {
switch (args[0]) {
case 'sign':
await sign(args[1]);
break;
case 'attest':
await attest(args[1], args[2]);
break;
case 'verify':
await verify(args[1], args[2]);
break;
case 'version':
case '-version':
case '--version':
case '-v':
// eslint-disable-next-line @typescript-eslint/no-var-requires
console.log(require('../../package.json').version);
break;
case 'help':
case '--help':
case '-h':
case '-?':
printUsage();
break;
default:
throw 'Unknown command';
}
}
function printUsage() {
console.log(`sigstore <command> <artifact>
Usage:
sigstore sign sign an artifact
sigstore attest sign an artifact using dsse (Dead Simple Signing Envelope)
sigstore verify verify an artifact
sigstore version print version information
sigstore help print help information
`);
}
function printRekorEntry(bundle, options) {
let url;
if (options.rekorURL === index_1.sigstore.DEFAULT_REKOR_URL) {
url = `https://search.sigstore.dev`;
}
else {
url = `${options.rekorURL}/api/v1/log/entries`;
}
const logIndex = bundle.verificationMaterial?.tlogEntries[0].logIndex;
console.error(`Created entry at index ${logIndex}, available at`);
console.error(`${url}?logIndex=${logIndex}`);
}
// TODO: Allow customing these options
const signOptions = {
oidcClientID: 'sigstore',
oidcIssuer: 'https://oauth2.sigstore.dev/auth',
oidcRedirectURL: process.env.OIDC_REDIRECT_URL,
rekorURL: index_1.sigstore.DEFAULT_REKOR_URL,
};
async function sign(artifactPath) {
const buffer = fs_1.default.readFileSync(artifactPath);
const bundle = await index_1.sigstore.sign(buffer, signOptions);
printRekorEntry(bundle, signOptions);
console.log(JSON.stringify(bundle));
}
async function attest(artifactPath, payloadType = INTOTO_PAYLOAD_TYPE) {
const buffer = fs_1.default.readFileSync(artifactPath);
const bundle = await index_1.sigstore.attest(buffer, payloadType, signOptions);
printRekorEntry(bundle, signOptions);
console.log(JSON.stringify(bundle));
}
async function verify(bundlePath, artifactPath) {
let payload = undefined;
if (artifactPath) {
payload = fs_1.default.readFileSync(artifactPath);
}
const bundleFile = fs_1.default.readFileSync(bundlePath);
const bundle = JSON.parse(bundleFile.toString('utf-8'));
try {
await index_1.sigstore.verify(bundle, payload, {});
console.error('Verified OK');
}
catch (e) {
console.error('Verification failed');
if (e instanceof Error) {
console.error('Error: ' + e.message);
}
process.exit(1);
}
}
async function processArgv() {
try {
await cli(process.argv.slice(2));
process.exit(0);
}
catch (e) {
console.error(e);
process.exit(1);
}
}
exports.processArgv = processArgv;

44
spa/node_modules/sigstore/dist/config.d.ts generated vendored Normal file
View File

@@ -0,0 +1,44 @@
import { DSSEBundleBuilder, IdentityProvider, MessageSignatureBundleBuilder } from '@sigstore/sign';
import { SignerFunc } from './types/signature';
import * as sigstore from './types/sigstore';
import type { FetchOptions, Retry } from './types/fetch';
import type { KeySelector } from './verify';
export type TUFOptions = {
tufMirrorURL?: string;
tufRootPath?: string;
tufCachePath?: string;
} & FetchOptions;
export type SignOptions = {
fulcioURL?: string;
identityProvider?: IdentityProvider;
identityToken?: string;
oidcIssuer?: string;
oidcClientID?: string;
oidcClientSecret?: string;
oidcRedirectURL?: string;
rekorURL?: string;
signer?: SignerFunc;
tlogUpload?: boolean;
tsaServerURL?: string;
} & FetchOptions;
export type VerifyOptions = {
ctLogThreshold?: number;
tlogThreshold?: number;
certificateIssuer?: string;
certificateIdentityEmail?: string;
certificateIdentityURI?: string;
certificateOIDs?: Record<string, string>;
keySelector?: KeySelector;
rekorURL?: string;
} & TUFOptions;
export type CreateVerifierOptions = {
keySelector?: KeySelector;
} & TUFOptions;
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";
export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";
export declare const DEFAULT_RETRY: Retry;
export declare const DEFAULT_TIMEOUT = 5000;
export type BundleType = 'messageSignature' | 'dsseEnvelope';
export declare function createBundleBuilder(bundleType: 'messageSignature', options: SignOptions): MessageSignatureBundleBuilder;
export declare function createBundleBuilder(bundleType: 'dsseEnvelope', options: SignOptions): DSSEBundleBuilder;
export declare function artifactVerificationOptions(options: VerifyOptions): sigstore.RequiredArtifactVerificationOptions;

192
spa/node_modules/sigstore/dist/config.js generated vendored Normal file
View File

@@ -0,0 +1,192 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.artifactVerificationOptions = exports.createBundleBuilder = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const sign_1 = require("@sigstore/sign");
const identity_1 = __importDefault(require("./identity"));
const signature_1 = require("./types/signature");
const sigstore = __importStar(require("./types/sigstore"));
exports.DEFAULT_FULCIO_URL = 'https://fulcio.sigstore.dev';
exports.DEFAULT_REKOR_URL = 'https://rekor.sigstore.dev';
exports.DEFAULT_RETRY = { retries: 2 };
exports.DEFAULT_TIMEOUT = 5000;
function createBundleBuilder(bundleType, options) {
const bundlerOptions = {
signer: initSigner(options),
witnesses: initWitnesses(options),
};
switch (bundleType) {
case 'messageSignature':
return new sign_1.MessageSignatureBundleBuilder(bundlerOptions);
case 'dsseEnvelope':
return new sign_1.DSSEBundleBuilder(bundlerOptions);
}
}
exports.createBundleBuilder = createBundleBuilder;
// Instantiate a signer based on the supplied options. If a signer function is
// provided, use that. Otherwise, if a Fulcio URL is provided, use the Fulcio
// signer. Otherwise, throw an error.
function initSigner(options) {
if (isCallbackSignerEnabled(options)) {
return new signature_1.CallbackSigner(options);
}
else {
return new sign_1.FulcioSigner({
fulcioBaseURL: options.fulcioURL || exports.DEFAULT_FULCIO_URL,
identityProvider: options.identityProvider || initIdentityProvider(options),
retry: options.retry ?? exports.DEFAULT_RETRY,
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
});
}
}
// Instantiate an identity provider based on the supplied options. If an
// explicit identity token is provided, use that. Otherwise, if an OIDC issuer
// and client ID are provided, use the OIDC provider. Otherwise, use the CI
// context provider.
function initIdentityProvider(options) {
const token = options.identityToken;
if (token) {
return { getToken: () => Promise.resolve(token) };
}
else if (options.oidcIssuer && options.oidcClientID) {
return identity_1.default.oauthProvider({
issuer: options.oidcIssuer,
clientID: options.oidcClientID,
clientSecret: options.oidcClientSecret,
redirectURL: options.oidcRedirectURL,
});
}
else {
return new sign_1.CIContextProvider('sigstore');
}
}
// Instantiate a collection of witnesses based on the supplied options.
function initWitnesses(options) {
const witnesses = [];
if (isRekorEnabled(options)) {
witnesses.push(new sign_1.RekorWitness({
rekorBaseURL: options.rekorURL || exports.DEFAULT_REKOR_URL,
fetchOnConflict: false,
retry: options.retry ?? exports.DEFAULT_RETRY,
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
}));
}
if (isTSAEnabled(options)) {
witnesses.push(new sign_1.TSAWitness({
tsaBaseURL: options.tsaServerURL,
retry: options.retry ?? exports.DEFAULT_RETRY,
timeout: options.timeout ?? exports.DEFAULT_TIMEOUT,
}));
}
return witnesses;
}
// Type assertion to ensure that the signer is enabled
function isCallbackSignerEnabled(options) {
return options.signer !== undefined;
}
// Type assertion to ensure that Rekor is enabled
function isRekorEnabled(options) {
return options.tlogUpload !== false;
}
// Type assertion to ensure that TSA is enabled
function isTSAEnabled(options) {
return options.tsaServerURL !== undefined;
}
// Assembles the AtifactVerificationOptions from the supplied VerifyOptions.
function artifactVerificationOptions(options) {
// The trusted signers are only used if the options contain a certificate
// issuer
let signers;
if (options.certificateIssuer) {
let san = undefined;
if (options.certificateIdentityEmail) {
san = {
type: sigstore.SubjectAlternativeNameType.EMAIL,
identity: {
$case: 'value',
value: options.certificateIdentityEmail,
},
};
}
else if (options.certificateIdentityURI) {
san = {
type: sigstore.SubjectAlternativeNameType.URI,
identity: {
$case: 'value',
value: options.certificateIdentityURI,
},
};
}
const oids = Object.entries(options.certificateOIDs || /* istanbul ignore next */ {}).map(([oid, value]) => ({
oid: { id: oid.split('.').map((s) => parseInt(s, 10)) },
value: Buffer.from(value),
}));
signers = {
$case: 'certificateIdentities',
certificateIdentities: {
identities: [
{
issuer: options.certificateIssuer,
san: san,
oids: oids,
},
],
},
};
}
// Construct the artifact verification options w/ defaults
return {
ctlogOptions: {
disable: options.ctLogThreshold === 0,
threshold: options.ctLogThreshold ?? 1,
detachedSct: false,
},
tlogOptions: {
disable: options.tlogThreshold === 0,
threshold: options.tlogThreshold ?? 1,
performOnlineVerification: false,
},
signers,
};
}
exports.artifactVerificationOptions = artifactVerificationOptions;

23
spa/node_modules/sigstore/dist/error.d.ts generated vendored Normal file
View File

@@ -0,0 +1,23 @@
declare class BaseError extends Error {
cause: any | undefined;
constructor(message: string, cause?: any);
}
declare class ErrorWithCode<T extends string> extends BaseError {
code: T;
constructor({ code, message, cause, }: {
code: T;
message: string;
cause?: any;
});
}
export declare class VerificationError extends BaseError {
}
export declare class PolicyError extends BaseError {
}
type InternalErrorCode = 'TUF_FIND_TARGET_ERROR' | 'TUF_REFRESH_METADATA_ERROR' | 'TUF_DOWNLOAD_TARGET_ERROR' | 'TUF_READ_TARGET_ERROR';
export declare class InternalError extends ErrorWithCode<InternalErrorCode> {
}
type SignatureErrorCode = 'MISSING_SIGNATURE_ERROR' | 'MISSING_PUBLIC_KEY_ERROR';
export declare class SignatureError extends ErrorWithCode<SignatureErrorCode> {
}
export {};

45
spa/node_modules/sigstore/dist/error.js generated vendored Normal file
View File

@@ -0,0 +1,45 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.SignatureError = exports.InternalError = exports.PolicyError = exports.VerificationError = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
/* eslint-disable @typescript-eslint/no-explicit-any */
class BaseError extends Error {
constructor(message, cause) {
super(message);
this.name = this.constructor.name;
this.cause = cause;
}
}
class ErrorWithCode extends BaseError {
constructor({ code, message, cause, }) {
super(message, cause);
this.code = code;
this.name = this.constructor.name;
}
}
class VerificationError extends BaseError {
}
exports.VerificationError = VerificationError;
class PolicyError extends BaseError {
}
exports.PolicyError = PolicyError;
class InternalError extends ErrorWithCode {
}
exports.InternalError = InternalError;
class SignatureError extends ErrorWithCode {
}
exports.SignatureError = SignatureError;

20
spa/node_modules/sigstore/dist/identity/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,20 @@
import { IdentityProvider } from '@sigstore/sign';
/**
* oauthProvider returns a new Provider instance which attempts to retrieve
* an identity token from the configured OAuth2 issuer.
*
* @param issuer Base URL of the issuer
* @param clientID Client ID for the issuer
* @param clientSecret Client secret for the issuer (optional)
* @returns {IdentityProvider}
*/
declare function oauthProvider(options: {
issuer: string;
clientID: string;
clientSecret?: string;
redirectURL?: string;
}): IdentityProvider;
declare const _default: {
oauthProvider: typeof oauthProvider;
};
export default _default;

24
spa/node_modules/sigstore/dist/identity/index.js generated vendored Normal file
View File

@@ -0,0 +1,24 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const issuer_1 = require("./issuer");
const oauth_1 = require("./oauth");
/**
* oauthProvider returns a new Provider instance which attempts to retrieve
* an identity token from the configured OAuth2 issuer.
*
* @param issuer Base URL of the issuer
* @param clientID Client ID for the issuer
* @param clientSecret Client secret for the issuer (optional)
* @returns {IdentityProvider}
*/
function oauthProvider(options) {
return new oauth_1.OAuthProvider({
issuer: new issuer_1.Issuer(options.issuer),
clientID: options.clientID,
clientSecret: options.clientSecret,
redirectURL: options.redirectURL,
});
}
exports.default = {
oauthProvider,
};

15
spa/node_modules/sigstore/dist/identity/issuer.d.ts generated vendored Normal file
View File

@@ -0,0 +1,15 @@
/**
* The Issuer reperesents a single OAuth2 provider.
*
* The Issuer is configured with a provider's base OAuth2 endpoint which is
* used to retrieve the associated configuration information.
*/
export declare class Issuer {
private baseURL;
private fetch;
private config?;
constructor(baseURL: string);
authEndpoint(): Promise<string>;
tokenEndpoint(): Promise<string>;
private loadOpenIDConfig;
}

53
spa/node_modules/sigstore/dist/identity/issuer.js generated vendored Normal file
View File

@@ -0,0 +1,53 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.Issuer = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
// Standard endpoint for retrieving OpenID configuration information
const OPENID_CONFIG_PATH = '/.well-known/openid-configuration';
/**
* The Issuer reperesents a single OAuth2 provider.
*
* The Issuer is configured with a provider's base OAuth2 endpoint which is
* used to retrieve the associated configuration information.
*/
class Issuer {
constructor(baseURL) {
this.baseURL = baseURL;
this.fetch = make_fetch_happen_1.default.defaults({ retry: 2 });
}
async authEndpoint() {
if (!this.config) {
this.config = await this.loadOpenIDConfig();
}
return this.config.authorization_endpoint;
}
async tokenEndpoint() {
if (!this.config) {
this.config = await this.loadOpenIDConfig();
}
return this.config.token_endpoint;
}
async loadOpenIDConfig() {
const url = `${this.baseURL}${OPENID_CONFIG_PATH}`;
return this.fetch(url).then((res) => res.json());
}
}
exports.Issuer = Issuer;

26
spa/node_modules/sigstore/dist/identity/oauth.d.ts generated vendored Normal file
View File

@@ -0,0 +1,26 @@
import { Issuer } from './issuer';
import type { IdentityProvider } from '@sigstore/sign';
interface OAuthProviderOptions {
issuer: Issuer;
clientID: string;
clientSecret?: string;
redirectURL?: string;
}
export declare class OAuthProvider implements IdentityProvider {
private clientID;
private clientSecret;
private issuer;
private codeVerifier;
private state;
private redirectURI?;
constructor(options: OAuthProviderOptions);
getToken(): Promise<string>;
private initiateAuthRequest;
private getIDToken;
private getBasicAuthHeaderValue;
private getAuthRequestURL;
private getAuthRequestParams;
private getCodeChallenge;
private openURL;
}
export {};

197
spa/node_modules/sigstore/dist/identity/oauth.js generated vendored Normal file
View File

@@ -0,0 +1,197 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.OAuthProvider = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const assert_1 = __importDefault(require("assert"));
const child_process_1 = __importDefault(require("child_process"));
const http_1 = __importDefault(require("http"));
const make_fetch_happen_1 = __importDefault(require("make-fetch-happen"));
const url_1 = require("url");
const util_1 = require("../util");
class OAuthProvider {
constructor(options) {
this.clientID = options.clientID;
this.clientSecret = options.clientSecret || '';
this.issuer = options.issuer;
this.redirectURI = options.redirectURL;
this.codeVerifier = generateRandomString(32);
this.state = generateRandomString(16);
}
async getToken() {
const authCode = await this.initiateAuthRequest();
return this.getIDToken(authCode);
}
// Initates the authorization request. This will start an HTTP server to
// receive the post-auth redirect and then open the user's default browser to
// the provider's authorization page.
async initiateAuthRequest() {
const server = http_1.default.createServer();
const sockets = new Set();
// Start server and wait till it is listening. If a redirect URL was
// provided, use that. Otherwise, use a random port and construct the
// redirect URL.
await new Promise((resolve) => {
if (this.redirectURI) {
const url = new url_1.URL(this.redirectURI);
server.listen(Number(url.port), url.hostname, resolve);
}
else {
server.listen(0, resolve);
// Get port the server is listening on and construct the server URL
const port = server.address().port;
this.redirectURI = `http://localhost:${port}`;
}
});
// Keep track of connections to the server so we can force a shutdown
server.on('connection', (socket) => {
sockets.add(socket);
socket.once('close', () => {
sockets.delete(socket);
});
});
const result = new Promise((resolve, reject) => {
// Set-up handler for post-auth redirect
server.on('request', (req, res) => {
if (!req.url) {
reject('invalid server request');
return;
}
res.writeHead(200);
res.end('Auth Successful');
// Parse incoming request URL
const query = new url_1.URL(req.url, this.redirectURI).searchParams;
// Check to see if the state matches
if (query.get('state') !== this.state) {
reject('invalid state value');
return;
}
const authCode = query.get('code');
// Force-close any open connections to the server so we can get a
// clean shutdown
for (const socket of sockets) {
socket.destroy();
sockets.delete(socket);
}
// Return auth code once we've shutdown server
server.close(() => {
if (!authCode) {
reject('authorization code not found');
}
else {
resolve(authCode);
}
});
});
});
try {
// Open browser to start authorization request
const authBaseURL = await this.issuer.authEndpoint();
const authURL = this.getAuthRequestURL(authBaseURL);
await this.openURL(authURL);
}
catch (err) {
// Prevent leaked server handler on error
server.close();
throw err;
}
return result;
}
// Uses the provided authorization code, to retrieve the ID token from the
// provider
async getIDToken(authCode) {
(0, assert_1.default)(this.redirectURI);
const tokenEndpointURL = await this.issuer.tokenEndpoint();
const params = new url_1.URLSearchParams();
params.append('grant_type', 'authorization_code');
params.append('code', authCode);
params.append('redirect_uri', this.redirectURI);
params.append('code_verifier', this.codeVerifier);
const response = await (0, make_fetch_happen_1.default)(tokenEndpointURL, {
method: 'POST',
headers: { Authorization: `Basic ${this.getBasicAuthHeaderValue()}` },
body: params,
}).then((r) => r.json());
return response.id_token;
}
// Construct the basic auth header value from the client ID and secret
getBasicAuthHeaderValue() {
return util_1.encoding.base64Encode(`${this.clientID}:${this.clientSecret}`);
}
// Generate starting URL for authorization request
getAuthRequestURL(baseURL) {
const params = this.getAuthRequestParams();
return `${baseURL}?${params.toString()}`;
}
// Collect parameters for authorization request
getAuthRequestParams() {
(0, assert_1.default)(this.redirectURI);
const codeChallenge = this.getCodeChallenge();
return new url_1.URLSearchParams({
response_type: 'code',
client_id: this.clientID,
client_secret: this.clientSecret,
scope: 'openid email',
redirect_uri: this.redirectURI,
code_challenge: codeChallenge,
code_challenge_method: 'S256',
state: this.state,
nonce: generateRandomString(16),
});
}
// Generate code challenge for authorization request
getCodeChallenge() {
return util_1.encoding.base64URLEscape(util_1.crypto.hash(this.codeVerifier).toString('base64'));
}
// Open the supplied URL in the user's default browser
async openURL(url) {
return new Promise((resolve, reject) => {
let open = null;
let command = `"${url}"`;
switch (process.platform) {
case 'darwin':
open = 'open';
break;
case 'linux' || 'freebsd' || 'netbsd' || 'openbsd':
open = 'xdg-open';
break;
case 'win32':
open = 'start';
command = `"" ${command}`;
break;
default:
return reject(`OAuth: unsupported platform: ${process.platform}`);
}
console.error(`Your browser will now be opened to: ${url}`);
child_process_1.default.exec(`${open} ${command}`, undefined, (err) => {
if (err) {
reject(err);
}
else {
resolve();
}
});
});
}
}
exports.OAuthProvider = OAuthProvider;
// Generate random code verifier value
function generateRandomString(len) {
return util_1.encoding.base64URLEscape(util_1.crypto.randomBytes(len).toString('base64'));
}

2
spa/node_modules/sigstore/dist/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
export type { IdentityProvider } from '@sigstore/sign';
export * as sigstore from './sigstore';

27
spa/node_modules/sigstore/dist/index.js generated vendored Normal file
View File

@@ -0,0 +1,27 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.sigstore = void 0;
exports.sigstore = __importStar(require("./sigstore"));

8
spa/node_modules/sigstore/dist/sigstore-utils.d.ts generated vendored Normal file
View File

@@ -0,0 +1,8 @@
/// <reference types="node" />
import { SerializedBundle, SerializedEnvelope } from '@sigstore/bundle';
import { SignOptions } from './config';
import { SignerFunc } from './types/signature';
export declare function createDSSEEnvelope(payload: Buffer, payloadType: string, options: {
signer: SignerFunc;
}): Promise<SerializedEnvelope>;
export declare function createRekorEntry(dsseEnvelope: SerializedEnvelope, publicKey: string, options?: SignOptions): Promise<SerializedBundle>;

55
spa/node_modules/sigstore/dist/sigstore-utils.js generated vendored Normal file
View File

@@ -0,0 +1,55 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.createRekorEntry = exports.createDSSEEnvelope = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const bundle_1 = require("@sigstore/bundle");
const sign_1 = require("@sigstore/sign");
const config_1 = require("./config");
async function createDSSEEnvelope(payload, payloadType, options) {
const bundler = (0, config_1.createBundleBuilder)('dsseEnvelope', {
signer: options.signer,
tlogUpload: false,
});
const bundle = await bundler.create({ data: payload, type: payloadType });
return (0, bundle_1.envelopeToJSON)(bundle.content.dsseEnvelope);
}
exports.createDSSEEnvelope = createDSSEEnvelope;
// Accepts a signed DSSE envelope and a PEM-encoded public key to be added to the
// transparency log. Returns a Sigstore bundle suitable for offline verification.
async function createRekorEntry(dsseEnvelope, publicKey,
/* istanbul ignore next */
options = {}) {
const envelope = (0, bundle_1.envelopeFromJSON)(dsseEnvelope);
const bundle = (0, bundle_1.toDSSEBundle)({
artifact: envelope.payload,
artifactType: envelope.payloadType,
signature: envelope.signatures[0].sig,
keyHint: envelope.signatures[0].keyid,
});
const tlog = new sign_1.RekorWitness({
rekorBaseURL: options.rekorURL || /* istanbul ignore next */ config_1.DEFAULT_REKOR_URL,
fetchOnConflict: true,
retry: options.retry ?? config_1.DEFAULT_RETRY,
timeout: options.timeout ?? config_1.DEFAULT_TIMEOUT,
});
// Add entry to transparency log
const vm = await tlog.testify(bundle.content, publicKey);
// Add transparency log entries to bundle
bundle.verificationMaterial.tlogEntries = [...vm.tlogEntries];
return (0, bundle_1.bundleToJSON)(bundle);
}
exports.createRekorEntry = createRekorEntry;

24
spa/node_modules/sigstore/dist/sigstore.d.ts generated vendored Normal file
View File

@@ -0,0 +1,24 @@
/// <reference types="node" />
import { SerializedBundle } from '@sigstore/bundle';
import * as tuf from '@sigstore/tuf';
import * as config from './config';
export declare function sign(payload: Buffer, options?: config.SignOptions): Promise<SerializedBundle>;
export declare function attest(payload: Buffer, payloadType: string, options?: config.SignOptions): Promise<SerializedBundle>;
export declare function verify(bundle: SerializedBundle, payload?: Buffer, options?: config.VerifyOptions): Promise<void>;
export interface BundleVerifier {
verify(bundle: SerializedBundle): void;
}
export declare function createVerifier(options: config.CreateVerifierOptions): Promise<BundleVerifier>;
declare const tufUtils: {
client: (options?: config.TUFOptions) => Promise<tuf.TUF>;
getTarget: (path: string, options?: config.TUFOptions) => Promise<string>;
};
export { ValidationError } from '@sigstore/bundle';
export type { SerializedBundle as Bundle, SerializedEnvelope as Envelope, } from '@sigstore/bundle';
export type { TUF } from '@sigstore/tuf';
export type { SignOptions, VerifyOptions } from './config';
export { InternalError, PolicyError, VerificationError } from './error';
export * as utils from './sigstore-utils';
export { tufUtils as tuf };
export declare const DEFAULT_FULCIO_URL = "https://fulcio.sigstore.dev";
export declare const DEFAULT_REKOR_URL = "https://rekor.sigstore.dev";

124
spa/node_modules/sigstore/dist/sigstore.js generated vendored Normal file
View File

@@ -0,0 +1,124 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.DEFAULT_REKOR_URL = exports.DEFAULT_FULCIO_URL = exports.tuf = exports.utils = exports.VerificationError = exports.PolicyError = exports.InternalError = exports.ValidationError = exports.createVerifier = exports.verify = exports.attest = exports.sign = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const bundle_1 = require("@sigstore/bundle");
const tuf = __importStar(require("@sigstore/tuf"));
const config = __importStar(require("./config"));
const verify_1 = require("./verify");
async function sign(payload, options = {}) {
const bundler = config.createBundleBuilder('messageSignature', options);
const bundle = await bundler.create({ data: payload });
return (0, bundle_1.bundleToJSON)(bundle);
}
exports.sign = sign;
async function attest(payload, payloadType, options = {}) {
const bundler = config.createBundleBuilder('dsseEnvelope', options);
const bundle = await bundler.create({ data: payload, type: payloadType });
return (0, bundle_1.bundleToJSON)(bundle);
}
exports.attest = attest;
async function verify(bundle, payload, options = {}) {
const trustedRoot = await tuf.getTrustedRoot({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry ?? config.DEFAULT_RETRY,
timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
});
const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle);
const opts = config.artifactVerificationOptions(options);
return verifier.verify(deserializedBundle, opts, payload);
}
exports.verify = verify;
async function createVerifier(options) {
const trustedRoot = await tuf.getTrustedRoot({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry ?? config.DEFAULT_RETRY,
timeout: options.timeout ?? config.DEFAULT_TIMEOUT,
});
const verifier = new verify_1.Verifier(trustedRoot, options.keySelector);
const verifyOpts = config.artifactVerificationOptions(options);
return {
verify: (bundle) => {
const deserializedBundle = (0, bundle_1.bundleFromJSON)(bundle);
return verifier.verify(deserializedBundle, verifyOpts);
},
};
}
exports.createVerifier = createVerifier;
const tufUtils = {
client: (options = {}) => {
return tuf.initTUF({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry,
timeout: options.timeout,
});
},
/*
* @deprecated Use tufUtils.client instead.
*/
getTarget: (path, options = {}) => {
return tuf
.initTUF({
mirrorURL: options.tufMirrorURL,
rootPath: options.tufRootPath,
cachePath: options.tufCachePath,
retry: options.retry,
timeout: options.timeout,
})
.then((t) => t.getTarget(path));
},
};
exports.tuf = tufUtils;
var bundle_2 = require("@sigstore/bundle");
Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return bundle_2.ValidationError; } });
var error_1 = require("./error");
Object.defineProperty(exports, "InternalError", { enumerable: true, get: function () { return error_1.InternalError; } });
Object.defineProperty(exports, "PolicyError", { enumerable: true, get: function () { return error_1.PolicyError; } });
Object.defineProperty(exports, "VerificationError", { enumerable: true, get: function () { return error_1.VerificationError; } });
exports.utils = __importStar(require("./sigstore-utils"));
exports.DEFAULT_FULCIO_URL = config.DEFAULT_FULCIO_URL;
exports.DEFAULT_REKOR_URL = config.DEFAULT_REKOR_URL;

2
spa/node_modules/sigstore/dist/tlog/verify/body.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
import type { Bundle, TransparencyLogEntry } from '@sigstore/bundle';
export declare function verifyTLogBody(entry: TransparencyLogEntry, bundleContent: Bundle['content']): boolean;

152
spa/node_modules/sigstore/dist/tlog/verify/body.js generated vendored Normal file
View File

@@ -0,0 +1,152 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogBody = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../../error");
const util_1 = require("../../util");
const TLOG_MISMATCH_ERROR_MSG = 'bundle content and tlog entry do not match';
// Compare the given tlog entry to the given bundle
function verifyTLogBody(entry, bundleContent) {
const { kind, version } = entry.kindVersion;
const body = JSON.parse(entry.canonicalizedBody.toString('utf8'));
try {
if (kind !== body.kind || version !== body.apiVersion) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
switch (body.kind) {
case 'dsse':
verifyDSSETLogBody(body, bundleContent);
break;
case 'intoto':
verifyIntotoTLogBody(body, bundleContent);
break;
case 'hashedrekord':
verifyHashedRekordTLogBody(body, bundleContent);
break;
default:
throw new error_1.VerificationError(`unsupported kind in tlog entry: ${kind}`);
}
return true;
}
catch (e) {
return false;
}
}
exports.verifyTLogBody = verifyTLogBody;
// Compare the given intoto tlog entry to the given bundle
function verifyDSSETLogBody(tlogEntry, content) {
if (content?.$case !== 'dsseEnvelope') {
throw new error_1.VerificationError(`unsupported bundle content: ${content?.$case || 'unknown'}`);
}
const dsse = content.dsseEnvelope;
switch (tlogEntry.apiVersion) {
case '0.0.1':
verifyDSSE001TLogBody(tlogEntry, dsse);
break;
default:
throw new error_1.VerificationError(`unsupported dsse version: ${tlogEntry.apiVersion}`);
}
}
// Compare the given intoto tlog entry to the given bundle
function verifyIntotoTLogBody(tlogEntry, content) {
if (content?.$case !== 'dsseEnvelope') {
throw new error_1.VerificationError(`unsupported bundle content: ${content?.$case || 'unknown'}`);
}
const dsse = content.dsseEnvelope;
switch (tlogEntry.apiVersion) {
case '0.0.2':
verifyIntoto002TLogBody(tlogEntry, dsse);
break;
default:
throw new error_1.VerificationError(`unsupported intoto version: ${tlogEntry.apiVersion}`);
}
}
// Compare the given hashedrekord tlog entry to the given bundle
function verifyHashedRekordTLogBody(tlogEntry, content) {
if (content?.$case !== 'messageSignature') {
throw new error_1.VerificationError(`unsupported bundle content: ${content?.$case || 'unknown'}`);
}
const messageSignature = content.messageSignature;
switch (tlogEntry.apiVersion) {
case '0.0.1':
verifyHashedrekor001TLogBody(tlogEntry, messageSignature);
break;
default:
throw new error_1.VerificationError(`unsupported hashedrekord version: ${tlogEntry.apiVersion}`);
}
}
// Compare the given dsse v0.0.1 tlog entry to the given DSSE envelope.
function verifyDSSE001TLogBody(tlogEntry, dsse) {
// Collect all of the signatures from the DSSE envelope
// Turns them into base64-encoded strings for comparison
const dsseSigs = dsse.signatures.map((signature) => signature.sig.toString('base64'));
// Collect all of the signatures from the tlog entry
const tlogSigs = tlogEntry.spec.signatures?.map((signature) => signature.signature);
// Ensure the bundle's DSSE and the tlog entry contain the same number of signatures
if (dsseSigs.length !== tlogSigs?.length) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
// Ensure that every signature in the bundle's DSSE is present in the tlog entry
if (!dsseSigs.every((dsseSig) => tlogSigs.includes(dsseSig))) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
// Ensure the digest of the bundle's DSSE payload matches the digest in the
// tlog entry
const dssePayloadHash = util_1.crypto.hash(dsse.payload).toString('hex');
if (dssePayloadHash !== tlogEntry.spec.payloadHash?.value) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
}
// Compare the given intoto v0.0.2 tlog entry to the given DSSE envelope.
function verifyIntoto002TLogBody(tlogEntry, dsse) {
// Collect all of the signatures from the DSSE envelope
// Turns them into base64-encoded strings for comparison
const dsseSigs = dsse.signatures.map((signature) => signature.sig.toString('base64'));
// Collect all of the signatures from the tlog entry
// Remember that tlog signastures are double base64-encoded
const tlogSigs = tlogEntry.spec.content.envelope?.signatures.map((signature) => (signature.sig ? util_1.encoding.base64Decode(signature.sig) : ''));
// Ensure the bundle's DSSE and the tlog entry contain the same number of signatures
if (dsseSigs.length !== tlogSigs?.length) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
// Ensure that every signature in the bundle's DSSE is present in the tlog entry
if (!dsseSigs.every((dsseSig) => tlogSigs.includes(dsseSig))) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
// Ensure the digest of the bundle's DSSE payload matches the digest in the
// tlog entry
const dssePayloadHash = util_1.crypto.hash(dsse.payload).toString('hex');
if (dssePayloadHash !== tlogEntry.spec.content.payloadHash?.value) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
}
// Compare the given hashedrekord v0.0.1 tlog entry to the given message
// signature
function verifyHashedrekor001TLogBody(tlogEntry, messageSignature) {
// Ensure that the bundles message signature matches the tlog entry
const msgSig = messageSignature.signature.toString('base64');
const tlogSig = tlogEntry.spec.signature.content;
if (msgSig !== tlogSig) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
// Ensure that the bundle's message digest matches the tlog entry
const msgDigest = messageSignature.messageDigest?.digest.toString('hex');
const tlogDigest = tlogEntry.spec.data.hash?.value;
if (msgDigest !== tlogDigest) {
throw new error_1.VerificationError(TLOG_MISMATCH_ERROR_MSG);
}
}

3
spa/node_modules/sigstore/dist/tlog/verify/checkpoint.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle';
import * as sigstore from '../../types/sigstore';
export declare function verifyCheckpoint(entry: TLogEntryWithInclusionProof, tlogs: sigstore.TransparencyLogInstance[]): boolean;

148
spa/node_modules/sigstore/dist/tlog/verify/checkpoint.js generated vendored Normal file
View File

@@ -0,0 +1,148 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyCheckpoint = void 0;
const error_1 = require("../../error");
const util_1 = require("../../util");
// Separator between the note and the signatures in a checkpoint
const CHECKPOINT_SEPARATOR = '\n\n';
// Checkpoint signatures are of the following form:
// " <identity> <key_hint+signature_bytes>\n"
// where:
// - the prefix is an emdash (U+2014).
// - <identity> gives a human-readable representation of the signing ID.
// - <key_hint+signature_bytes> is the first 4 bytes of the SHA256 hash of the
// associated public key followed by the signature bytes.
const SIGNATURE_REGEX = /\u2014 (\S+) (\S+)\n/g;
// Verifies the checkpoint value in the given tlog entry. There are two steps
// to the verification:
// 1. Verify that all signatures in the checkpoint can be verified against a
// trusted public key
// 2. Verify that the root hash in the checkpoint matches the root hash in the
// inclusion proof
// See: https://github.com/transparency-dev/formats/blob/main/log/README.md
function verifyCheckpoint(entry, tlogs) {
// Filter tlog instances to just those which were valid at the time of the
// entry
const validTLogs = filterTLogInstances(tlogs, entry.integratedTime);
const inclusionProof = entry.inclusionProof;
const signedNote = SignedNote.fromString(inclusionProof.checkpoint.envelope);
const checkpoint = LogCheckpoint.fromString(signedNote.note);
// Verify that the signatures in the checkpoint are all valid, also check
// that the root hash from the checkpoint matches the root hash in the
// inclusion proof
return (signedNote.verify(validTLogs) &&
util_1.crypto.bufferEqual(checkpoint.logHash, inclusionProof.rootHash));
}
exports.verifyCheckpoint = verifyCheckpoint;
// SignedNote represents a signed note from a transparency log checkpoint. Consists
// of a body (or note) and one more signatures calculated over the body. See
// https://github.com/transparency-dev/formats/blob/main/log/README.md#signed-envelope
class SignedNote {
constructor(note, signatures) {
this.note = note;
this.signatures = signatures;
}
// Deserialize a SignedNote from a string
static fromString(envelope) {
if (!envelope.includes(CHECKPOINT_SEPARATOR)) {
throw new error_1.VerificationError('malformed checkpoint: no separator');
}
// Split the note into the header and the data portions at the separator
const split = envelope.indexOf(CHECKPOINT_SEPARATOR);
const header = envelope.slice(0, split + 1);
const data = envelope.slice(split + CHECKPOINT_SEPARATOR.length);
// Find all the signature lines in the data portion
const matches = data.matchAll(SIGNATURE_REGEX);
// Parse each of the matched signature lines into the name and signature.
// The first four bytes of the signature are the key hint (should match the
// first four bytes of the log ID), and the rest is the signature itself.
const signatures = Array.from(matches, (match) => {
const [, name, signature] = match;
const sigBytes = Buffer.from(signature, 'base64');
if (sigBytes.length < 5) {
throw new error_1.VerificationError('malformed checkpoint: invalid signature');
}
return {
name,
keyHint: sigBytes.subarray(0, 4),
signature: sigBytes.subarray(4),
};
});
if (signatures.length === 0) {
throw new error_1.VerificationError('malformed checkpoint: no signatures');
}
return new SignedNote(header, signatures);
}
// Verifies the signatures in the SignedNote. For each signature, the
// corresponding transparency log is looked up by the key hint and the
// signature is verified against the public key in the transparency log.
// Throws an error if any of the signatures are invalid.
verify(tlogs) {
const data = Buffer.from(this.note, 'utf-8');
return this.signatures.every((signature) => {
// Find the transparency log instance with the matching key hint
const tlog = tlogs.find((tlog) => util_1.crypto.bufferEqual(tlog.logId.keyId.subarray(0, 4), signature.keyHint));
if (!tlog) {
return false;
}
const publicKey = util_1.crypto.createPublicKey(tlog.publicKey.rawBytes);
return util_1.crypto.verifyBlob(data, publicKey, signature.signature);
});
}
}
// LogCheckpoint represents a transparency log checkpoint. Consists of the
// following:
// - origin: the name of the transparency log
// - logSize: the size of the log at the time of the checkpoint
// - logHash: the root hash of the log at the time of the checkpoint
// - rest: the rest of the checkpoint body, which is a list of log entries
// See:
// https://github.com/transparency-dev/formats/blob/main/log/README.md#checkpoint-body
class LogCheckpoint {
constructor(origin, logSize, logHash, rest) {
this.origin = origin;
this.logSize = logSize;
this.logHash = logHash;
this.rest = rest;
}
static fromString(note) {
const lines = note.trim().split('\n');
if (lines.length < 4) {
throw new error_1.VerificationError('malformed checkpoint: too few lines in header');
}
const origin = lines[0];
const logSize = BigInt(lines[1]);
const rootHash = Buffer.from(lines[2], 'base64');
const rest = lines.slice(3);
return new LogCheckpoint(origin, logSize, rootHash, rest);
}
}
// Filter the list of tlog instances to only those which have usable public
// keys and were valid at the given time.
function filterTLogInstances(tlogInstances, integratedTime) {
const targetDate = new Date(Number(integratedTime) * 1000);
return tlogInstances.filter((tlog) => {
// Must have a log ID
if (!tlog.logId) {
return false;
}
// If the tlog doesn't have a public key, we can't use it
const publicKey = tlog.publicKey;
if (publicKey === undefined) {
return false;
}
// If the tlog doesn't have a rawBytes field, we can't use it
if (publicKey.rawBytes === undefined) {
return false;
}
// If the tlog doesn't have a validFor field, we don't need to check it
const validFor = publicKey.validFor;
if (validFor === undefined) {
return true;
}
// Check that the integrated time is within the validFor range
return (validFor.start !== undefined &&
validFor.start <= targetDate &&
(validFor.end === undefined || targetDate <= validFor.end));
});
}

3
spa/node_modules/sigstore/dist/tlog/verify/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import { Bundle } from '@sigstore/bundle';
import * as sigstore from '../../types/sigstore';
export declare function verifyTLogEntries(bundle: Bundle, trustedRoot: sigstore.TrustedRoot, options: sigstore.ArtifactVerificationOptions_TlogOptions): void;

92
spa/node_modules/sigstore/dist/tlog/verify/index.js generated vendored Normal file
View File

@@ -0,0 +1,92 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogEntries = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const bundle_1 = require("@sigstore/bundle");
const error_1 = require("../../error");
const cert_1 = require("../../x509/cert");
const body_1 = require("./body");
const checkpoint_1 = require("./checkpoint");
const merkle_1 = require("./merkle");
const set_1 = require("./set");
// Verifies that the number of tlog entries that pass offline verification
// is greater than or equal to the threshold specified in the options.
function verifyTLogEntries(bundle, trustedRoot, options) {
if (bundle.mediaType === bundle_1.BUNDLE_V01_MEDIA_TYPE) {
(0, bundle_1.assertBundleV01)(bundle);
verifyTLogEntriesForBundleV01(bundle, trustedRoot, options);
}
else {
(0, bundle_1.assertBundleLatest)(bundle);
verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options);
}
}
exports.verifyTLogEntries = verifyTLogEntries;
function verifyTLogEntriesForBundleV01(bundle, trustedRoot, options) {
if (options.performOnlineVerification) {
throw new error_1.VerificationError('Online verification not implemented');
}
// Extract the signing cert, if available
const signingCert = signingCertificate(bundle);
// Iterate over the tlog entries and verify each one
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionPromise(entry, bundle.content, trustedRoot.tlogs, signingCert));
if (verifiedEntries.length < options.threshold) {
throw new error_1.VerificationError('tlog verification failed');
}
}
function verifyTLogEntriesForBundleLatest(bundle, trustedRoot, options) {
if (options.performOnlineVerification) {
throw new error_1.VerificationError('Online verification not implemented');
}
// Extract the signing cert, if available
const signingCert = signingCertificate(bundle);
// Iterate over the tlog entries and verify each one
const verifiedEntries = bundle.verificationMaterial.tlogEntries.filter((entry) => verifyTLogEntryWithInclusionProof(entry, bundle.content, trustedRoot.tlogs, signingCert));
if (verifiedEntries.length < options.threshold) {
throw new error_1.VerificationError('tlog verification failed');
}
}
function verifyTLogEntryWithInclusionPromise(entry, bundleContent, tlogs, signingCert) {
// If there is a signing certificate availble, check that the tlog integrated
// time is within the certificate's validity period; otherwise, skip this
// check.
const verifyTLogIntegrationTime = signingCert
? () => signingCert.validForDate(new Date(Number(entry.integratedTime) * 1000))
: () => true;
return ((0, body_1.verifyTLogBody)(entry, bundleContent) &&
(0, set_1.verifyTLogSET)(entry, tlogs) &&
verifyTLogIntegrationTime());
}
function verifyTLogEntryWithInclusionProof(entry, bundleContent, tlogs, signingCert) {
// If there is a signing certificate availble, check that the tlog integrated
// time is within the certificate's validity period; otherwise, skip this
// check.
const verifyTLogIntegrationTime = signingCert
? () => signingCert.validForDate(new Date(Number(entry.integratedTime) * 1000))
: () => true;
return ((0, body_1.verifyTLogBody)(entry, bundleContent) &&
(0, merkle_1.verifyMerkleInclusion)(entry) &&
(0, checkpoint_1.verifyCheckpoint)(entry, tlogs) &&
verifyTLogIntegrationTime());
}
function signingCertificate(bundle) {
if (!(0, bundle_1.isBundleWithCertificateChain)(bundle)) {
return undefined;
}
const signingCert = bundle.verificationMaterial.content.x509CertificateChain.certificates[0];
return cert_1.x509Certificate.parse(signingCert.rawBytes);
}

2
spa/node_modules/sigstore/dist/tlog/verify/merkle.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
import type { TLogEntryWithInclusionProof } from '@sigstore/bundle';
export declare function verifyMerkleInclusion(entry: TLogEntryWithInclusionProof): boolean;

113
spa/node_modules/sigstore/dist/tlog/verify/merkle.js generated vendored Normal file
View File

@@ -0,0 +1,113 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyMerkleInclusion = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const crypto_1 = __importDefault(require("crypto"));
const error_1 = require("../../error");
const RFC6962_LEAF_HASH_PREFIX = Buffer.from([0x00]);
const RFC6962_NODE_HASH_PREFIX = Buffer.from([0x01]);
function verifyMerkleInclusion(entry) {
const inclusionProof = entry.inclusionProof;
const logIndex = BigInt(inclusionProof.logIndex);
const treeSize = BigInt(inclusionProof.treeSize);
if (logIndex < 0n || logIndex >= treeSize) {
throw new error_1.VerificationError('invalid inclusion proof index');
}
// Figure out which subset of hashes corresponds to the inner and border
// nodes
const { inner, border } = decompInclProof(logIndex, treeSize);
if (inclusionProof.hashes.length !== inner + border) {
throw new error_1.VerificationError('invalid inclusion proof length');
}
const innerHashes = inclusionProof.hashes.slice(0, inner);
const borderHashes = inclusionProof.hashes.slice(inner);
// The entry's hash is the leaf hash
const leafHash = hashLeaf(entry.canonicalizedBody);
// Chain the hashes belonging to the inner and border portions
const calculatedHash = chainBorderRight(chainInner(leafHash, innerHashes, logIndex), borderHashes);
// Calculated hash should match the root hash in the inclusion proof
return bufferEqual(calculatedHash, inclusionProof.rootHash);
}
exports.verifyMerkleInclusion = verifyMerkleInclusion;
// Breaks down inclusion proof for a leaf at the specified index in a tree of
// the specified size. The split point is where paths to the index leaf and
// the (size - 1) leaf diverge. Returns lengths of the bottom and upper proof
// parts.
function decompInclProof(index, size) {
const inner = innerProofSize(index, size);
const border = onesCount(index >> BigInt(inner));
return { inner, border };
}
// Computes a subtree hash for a node on or below the tree's right border.
// Assumes the provided proof hashes are ordered from lower to higher levels
// and seed is the initial hash of the node specified by the index.
function chainInner(seed, hashes, index) {
return hashes.reduce((acc, h, i) => {
if ((index >> BigInt(i)) & BigInt(1)) {
return hashChildren(h, acc);
}
else {
return hashChildren(acc, h);
}
}, seed);
}
// Computes a subtree hash for nodes along the tree's right border.
function chainBorderRight(seed, hashes) {
return hashes.reduce((acc, h) => hashChildren(h, acc), seed);
}
function innerProofSize(index, size) {
return bitLength(index ^ (size - BigInt(1)));
}
// Counts the number of ones in the binary representation of the given number.
// https://en.wikipedia.org/wiki/Hamming_weight
function onesCount(x) {
return x.toString(2).split('1').length - 1;
}
// Returns the number of bits necessary to represent an integer in binary.
function bitLength(n) {
if (n === 0n) {
return 0;
}
return n.toString(2).length;
}
// Hashing logic according to RFC6962.
// https://datatracker.ietf.org/doc/html/rfc6962#section-2
function hashChildren(left, right) {
const hasher = crypto_1.default.createHash('sha256');
hasher.update(RFC6962_NODE_HASH_PREFIX);
hasher.update(left);
hasher.update(right);
return hasher.digest();
}
function hashLeaf(leaf) {
const hasher = crypto_1.default.createHash('sha256');
hasher.update(RFC6962_LEAF_HASH_PREFIX);
hasher.update(leaf);
return hasher.digest();
}
function bufferEqual(a, b) {
try {
return crypto_1.default.timingSafeEqual(a, b);
}
catch {
/* istanbul ignore next */
return false;
}
}

3
spa/node_modules/sigstore/dist/tlog/verify/set.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
import * as sigstore from '../../types/sigstore';
import type { TLogEntryWithInclusionPromise } from '@sigstore/bundle';
export declare function verifyTLogSET(entry: TLogEntryWithInclusionPromise, tlogs: sigstore.TransparencyLogInstance[]): boolean;

64
spa/node_modules/sigstore/dist/tlog/verify/set.js generated vendored Normal file
View File

@@ -0,0 +1,64 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogSET = void 0;
const util_1 = require("../../util");
// Verifies the SET for the given entry against the list of trusted
// transparency logs. Returns true if the SET can be verified against at least
// one of the trusted logs; otherwise, returns false.
function verifyTLogSET(entry, tlogs) {
// Filter the list of tlog instances to only those which might be able to
// verify the SET
const validTLogs = filterTLogInstances(tlogs, entry.logId.keyId, entry.integratedTime);
// Check to see if we can verify the SET against any of the valid tlogs
return validTLogs.some((tlog) => {
const publicKey = util_1.crypto.createPublicKey(tlog.publicKey.rawBytes);
// Re-create the original Rekor verification payload
const payload = toVerificationPayload(entry);
// Canonicalize the payload and turn into a buffer for verification
const data = Buffer.from(util_1.json.canonicalize(payload), 'utf8');
// Extract the SET from the tlog entry
const signature = entry.inclusionPromise.signedEntryTimestamp;
return util_1.crypto.verifyBlob(data, publicKey, signature);
});
}
exports.verifyTLogSET = verifyTLogSET;
// Returns a properly formatted "VerificationPayload" for one of the
// transaction log entires in the given bundle which can be used for SET
// verification.
function toVerificationPayload(entry) {
const { integratedTime, logIndex, logId, canonicalizedBody } = entry;
return {
body: canonicalizedBody.toString('base64'),
integratedTime: Number(integratedTime),
logIndex: Number(logIndex),
logID: logId.keyId.toString('hex'),
};
}
// Filter the list of tlog instances to only those which match the given log
// ID and have public keys which are valid for the given integrated time.
function filterTLogInstances(tlogInstances, logID, integratedTime) {
const targetDate = new Date(Number(integratedTime) * 1000);
return tlogInstances.filter((tlog) => {
// If the log IDs don't match, we can't use this tlog
if (!tlog.logId?.keyId.equals(logID)) {
return false;
}
// If the tlog doesn't have a public key, we can't use it
const publicKey = tlog.publicKey;
if (publicKey === undefined) {
return false;
}
// If the tlog doesn't have a rawBytes field, we can't use it
if (publicKey.rawBytes === undefined) {
return false;
}
// If the tlog doesn't have a validFor field, we don't need to check it
if (publicKey.validFor === undefined) {
return true;
}
// Check that the integrated time is within the validFor range
return (publicKey.validFor.start !== undefined &&
publicKey.validFor.start <= targetDate &&
(!publicKey.validFor.end || targetDate <= publicKey.validFor.end));
});
}

6
spa/node_modules/sigstore/dist/types/fetch.d.ts generated vendored Normal file
View File

@@ -0,0 +1,6 @@
import type { MakeFetchHappenOptions } from 'make-fetch-happen';
export type Retry = MakeFetchHappenOptions['retry'];
export type FetchOptions = {
retry?: Retry;
timeout?: number | undefined;
};

2
spa/node_modules/sigstore/dist/types/fetch.js generated vendored Normal file
View File

@@ -0,0 +1,2 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });

23
spa/node_modules/sigstore/dist/types/signature.d.ts generated vendored Normal file
View File

@@ -0,0 +1,23 @@
/// <reference types="node" />
import { Signature, Signer } from '@sigstore/sign';
import { OneOf } from './utility';
interface VerificationMaterial {
certificates: string[];
key: {
id?: string;
value: string;
};
}
export type SignatureMaterial = {
signature: Buffer;
} & OneOf<VerificationMaterial>;
export type SignerFunc = (payload: Buffer) => Promise<SignatureMaterial>;
type CallbackSignerOptions = {
signer: SignerFunc;
};
export declare class CallbackSigner implements Signer {
private signer;
constructor(options: CallbackSignerOptions);
sign(data: Buffer): Promise<Signature>;
}
export {};

37
spa/node_modules/sigstore/dist/types/signature.js generated vendored Normal file
View File

@@ -0,0 +1,37 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.CallbackSigner = void 0;
const error_1 = require("../error");
// Adapter to allow the legacy SignerFunc callback to be used as a new Signer
// interface.
class CallbackSigner {
constructor(options) {
this.signer = options.signer;
}
async sign(data) {
const sigMaterial = await this.signer(data);
// Since we're getting data from an external source, we need to validate
// that it's well-formed and complete.
if (!sigMaterial.signature) {
throw new error_1.SignatureError({
code: 'MISSING_SIGNATURE_ERROR',
message: 'no signature returned from signer',
});
}
if (!sigMaterial.key?.value) {
throw new error_1.SignatureError({
code: 'MISSING_PUBLIC_KEY_ERROR',
message: 'no key returned from signer',
});
}
return {
signature: sigMaterial.signature,
key: {
$case: 'publicKey',
hint: sigMaterial.key.id,
publicKey: sigMaterial.key.value,
},
};
}
}
exports.CallbackSigner = CallbackSigner;

15
spa/node_modules/sigstore/dist/types/sigstore.d.ts generated vendored Normal file
View File

@@ -0,0 +1,15 @@
import type { ArtifactVerificationOptions, PublicKey, TransparencyLogInstance } from '@sigstore/protobuf-specs';
import type { WithRequired } from './utility';
export { SubjectAlternativeNameType } from '@sigstore/protobuf-specs';
export type { ArtifactVerificationOptions, ArtifactVerificationOptions_CtlogOptions, ArtifactVerificationOptions_TlogOptions, CertificateAuthority, CertificateIdentities, CertificateIdentity, Envelope, ObjectIdentifierValuePair, PublicKey, SubjectAlternativeName, TransparencyLogInstance, TrustedRoot, } from '@sigstore/protobuf-specs';
export type RequiredArtifactVerificationOptions = WithRequired<ArtifactVerificationOptions, 'ctlogOptions' | 'tlogOptions'>;
export type CAArtifactVerificationOptions = WithRequired<ArtifactVerificationOptions, 'ctlogOptions'> & {
signers?: Extract<ArtifactVerificationOptions['signers'], {
$case: 'certificateIdentities';
}>;
};
export declare function isCAVerificationOptions(options: ArtifactVerificationOptions): options is CAArtifactVerificationOptions;
export type ViableTransparencyLogInstance = TransparencyLogInstance & {
logId: NonNullable<TransparencyLogInstance['logId']>;
publicKey: WithRequired<PublicKey, 'rawBytes'>;
};

27
spa/node_modules/sigstore/dist/types/sigstore.js generated vendored Normal file
View File

@@ -0,0 +1,27 @@
"use strict";
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.isCAVerificationOptions = exports.SubjectAlternativeNameType = void 0;
// Enums from protobuf-specs
var protobuf_specs_1 = require("@sigstore/protobuf-specs");
Object.defineProperty(exports, "SubjectAlternativeNameType", { enumerable: true, get: function () { return protobuf_specs_1.SubjectAlternativeNameType; } });
function isCAVerificationOptions(options) {
return (options.ctlogOptions !== undefined &&
(options.signers === undefined ||
options.signers.$case === 'certificateIdentities'));
}
exports.isCAVerificationOptions = isCAVerificationOptions;

14
spa/node_modules/sigstore/dist/types/utility.d.ts generated vendored Normal file
View File

@@ -0,0 +1,14 @@
type ValueOf<Obj> = Obj[keyof Obj];
type OneOnly<Obj, K extends keyof Obj> = {
[key in Exclude<keyof Obj, K>]: undefined;
} & {
[key in K]: Obj[K];
};
type OneOfByKey<Obj> = {
[key in keyof Obj]: OneOnly<Obj, key>;
};
export type OneOf<T> = ValueOf<OneOfByKey<T>>;
export type WithRequired<T, K extends keyof T> = T & {
[P in K]-?: NonNullable<T[P]>;
};
export {};

18
spa/node_modules/sigstore/dist/types/utility.js generated vendored Normal file
View File

@@ -0,0 +1,18 @@
"use strict";
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// https://dev.to/maxime1992/implement-a-generic-oneof-type-with-typescript-22em
Object.defineProperty(exports, "__esModule", { value: true });

2
spa/node_modules/sigstore/dist/util/asn1/dump.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
import { ASN1Obj } from './obj';
export declare function dump(obj: ASN1Obj, indent?: number): void;

97
spa/node_modules/sigstore/dist/util/asn1/dump.js generated vendored Normal file
View File

@@ -0,0 +1,97 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.dump = void 0;
const tag_1 = require("./tag");
// Utility function to dump the contents of an ASN1Obj to the console.
function dump(obj, indent = 0) {
let str = ' '.repeat(indent);
str += tagToString(obj.tag) + ' ';
if (obj.tag.isUniversal()) {
switch (obj.tag.number) {
case tag_1.UNIVERSAL_TAG.BOOLEAN:
str += obj.toBoolean();
break;
case tag_1.UNIVERSAL_TAG.INTEGER:
str += `(${obj.value.length} byte) `;
str += obj.toInteger();
break;
case tag_1.UNIVERSAL_TAG.BIT_STRING: {
const bits = obj.toBitString();
str += `(${bits.length} bit) `;
str += truncate(bits.map((bit) => bit.toString()).join(''));
break;
}
case tag_1.UNIVERSAL_TAG.OBJECT_IDENTIFIER:
str += obj.toOID();
break;
case tag_1.UNIVERSAL_TAG.SEQUENCE:
case tag_1.UNIVERSAL_TAG.SET:
str += `(${obj.subs.length} elem) `;
break;
case tag_1.UNIVERSAL_TAG.PRINTABLE_STRING:
str += obj.value.toString('ascii');
break;
case tag_1.UNIVERSAL_TAG.UTC_TIME:
case tag_1.UNIVERSAL_TAG.GENERALIZED_TIME:
str += obj.toDate().toUTCString();
break;
default:
str += `(${obj.value.length} byte) `;
str += isASCII(obj.value)
? obj.value.toString('ascii')
: truncate(obj.value.toString('hex').toUpperCase());
}
}
else {
if (obj.tag.constructed) {
str += `(${obj.subs.length} elem) `;
}
else {
str += `(${obj.value.length} byte) `;
str += isASCII(obj.value)
? obj.value.toString('ascii')
: obj.value.toString('hex').toUpperCase();
}
}
console.log(str);
// Recursive call for children
obj.subs.forEach((sub) => dump(sub, indent + 2));
}
exports.dump = dump;
function tagToString(tag) {
if (tag.isContextSpecific()) {
return `[${tag.number.toString(16)}]`;
}
else {
switch (tag.number) {
case tag_1.UNIVERSAL_TAG.BOOLEAN:
return 'BOOLEAN';
case tag_1.UNIVERSAL_TAG.INTEGER:
return 'INTEGER';
case tag_1.UNIVERSAL_TAG.BIT_STRING:
return 'BIT STRING';
case tag_1.UNIVERSAL_TAG.OCTET_STRING:
return 'OCTET STRING';
case tag_1.UNIVERSAL_TAG.OBJECT_IDENTIFIER:
return 'OBJECT IDENTIFIER';
case tag_1.UNIVERSAL_TAG.SEQUENCE:
return 'SEQUENCE';
case tag_1.UNIVERSAL_TAG.SET:
return 'SET';
case tag_1.UNIVERSAL_TAG.PRINTABLE_STRING:
return 'PrintableString';
case tag_1.UNIVERSAL_TAG.UTC_TIME:
return 'UTCTime';
case tag_1.UNIVERSAL_TAG.GENERALIZED_TIME:
return 'GeneralizedTime';
default:
return tag.number.toString(16);
}
}
}
function isASCII(buf) {
return buf.every((b) => b >= 32 && b <= 126);
}
function truncate(str) {
return str.length > 70 ? str.substring(0, 69) + '...' : str;
}

4
spa/node_modules/sigstore/dist/util/asn1/error.d.ts generated vendored Normal file
View File

@@ -0,0 +1,4 @@
export declare class ASN1ParseError extends Error {
}
export declare class ASN1TypeError extends Error {
}

24
spa/node_modules/sigstore/dist/util/asn1/error.js generated vendored Normal file
View File

@@ -0,0 +1,24 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ASN1TypeError = exports.ASN1ParseError = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
class ASN1ParseError extends Error {
}
exports.ASN1ParseError = ASN1ParseError;
class ASN1TypeError extends Error {
}
exports.ASN1TypeError = ASN1TypeError;

1
spa/node_modules/sigstore/dist/util/asn1/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1 @@
export { ASN1Obj } from './obj';

20
spa/node_modules/sigstore/dist/util/asn1/index.js generated vendored Normal file
View File

@@ -0,0 +1,20 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ASN1Obj = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
var obj_1 = require("./obj");
Object.defineProperty(exports, "ASN1Obj", { enumerable: true, get: function () { return obj_1.ASN1Obj; } });

4
spa/node_modules/sigstore/dist/util/asn1/length.d.ts generated vendored Normal file
View File

@@ -0,0 +1,4 @@
/// <reference types="node" />
import { ByteStream } from '../stream';
export declare function decodeLength(stream: ByteStream): number;
export declare function encodeLength(len: number): Buffer;

63
spa/node_modules/sigstore/dist/util/asn1/length.js generated vendored Normal file
View File

@@ -0,0 +1,63 @@
"use strict";
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.encodeLength = exports.decodeLength = void 0;
const error_1 = require("./error");
// Decodes the length of a DER-encoded ANS.1 element from the supplied stream.
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-encoded-length-and-value-bytes
function decodeLength(stream) {
const buf = stream.getUint8();
// If the most significant bit is UNSET the length is just the value of the
// byte.
if ((buf & 0x80) === 0x00) {
return buf;
}
// Otherwise, the lower 7 bits of the first byte indicate the number of bytes
// that follow to encode the length.
const byteCount = buf & 0x7f;
// Ensure the encoded length can safely fit in a JS number.
if (byteCount > 6) {
throw new error_1.ASN1ParseError('length exceeds 6 byte limit');
}
// Iterate over the bytes that encode the length.
let len = 0;
for (let i = 0; i < byteCount; i++) {
len = len * 256 + stream.getUint8();
}
// This is a valid ASN.1 length encoding, but we don't support it.
if (len === 0) {
throw new error_1.ASN1ParseError('indefinite length encoding not supported');
}
return len;
}
exports.decodeLength = decodeLength;
// Translates the supplied value to a DER-encoded length.
function encodeLength(len) {
if (len < 128) {
return Buffer.from([len]);
}
// Bitwise operations on large numbers are not supported in JS, so we need to
// use BigInts.
let val = BigInt(len);
const bytes = [];
while (val > 0n) {
bytes.unshift(Number(val & 255n));
val = val >> 8n;
}
return Buffer.from([0x80 | bytes.length, ...bytes]);
}
exports.encodeLength = encodeLength;

15
spa/node_modules/sigstore/dist/util/asn1/obj.d.ts generated vendored Normal file
View File

@@ -0,0 +1,15 @@
/// <reference types="node" />
import { ASN1Tag } from './tag';
export declare class ASN1Obj {
readonly tag: ASN1Tag;
readonly subs: ASN1Obj[];
readonly value: Buffer;
constructor(tag: ASN1Tag, value: Buffer, subs: ASN1Obj[]);
static parseBuffer(buf: Buffer): ASN1Obj;
toDER(): Buffer;
toBoolean(): boolean;
toInteger(): bigint;
toOID(): string;
toDate(): Date;
toBitString(): number[];
}

152
spa/node_modules/sigstore/dist/util/asn1/obj.js generated vendored Normal file
View File

@@ -0,0 +1,152 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ASN1Obj = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const stream_1 = require("../stream");
const error_1 = require("./error");
const length_1 = require("./length");
const parse_1 = require("./parse");
const tag_1 = require("./tag");
class ASN1Obj {
constructor(tag, value, subs) {
this.tag = tag;
this.value = value;
this.subs = subs;
}
// Constructs an ASN.1 object from a Buffer of DER-encoded bytes.
static parseBuffer(buf) {
return parseStream(new stream_1.ByteStream(buf));
}
toDER() {
const valueStream = new stream_1.ByteStream();
if (this.subs.length > 0) {
for (const sub of this.subs) {
valueStream.appendView(sub.toDER());
}
}
else {
valueStream.appendView(this.value);
}
const value = valueStream.buffer;
// Concat tag/length/value
const obj = new stream_1.ByteStream();
obj.appendChar(this.tag.toDER());
obj.appendView((0, length_1.encodeLength)(value.length));
obj.appendView(value);
return obj.buffer;
}
/////////////////////////////////////////////////////////////////////////////
// Convenience methods for parsing ASN.1 primitives into JS types
// Returns the ASN.1 object's value as a boolean. Throws an error if the
// object is not a boolean.
toBoolean() {
if (!this.tag.isBoolean()) {
throw new error_1.ASN1TypeError('not a boolean');
}
return (0, parse_1.parseBoolean)(this.value);
}
// Returns the ASN.1 object's value as a BigInt. Throws an error if the
// object is not an integer.
toInteger() {
if (!this.tag.isInteger()) {
throw new error_1.ASN1TypeError('not an integer');
}
return (0, parse_1.parseInteger)(this.value);
}
// Returns the ASN.1 object's value as an OID string. Throws an error if the
// object is not an OID.
toOID() {
if (!this.tag.isOID()) {
throw new error_1.ASN1TypeError('not an OID');
}
return (0, parse_1.parseOID)(this.value);
}
// Returns the ASN.1 object's value as a Date. Throws an error if the object
// is not either a UTCTime or a GeneralizedTime.
toDate() {
switch (true) {
case this.tag.isUTCTime():
return (0, parse_1.parseTime)(this.value, true);
case this.tag.isGeneralizedTime():
return (0, parse_1.parseTime)(this.value, false);
default:
throw new error_1.ASN1TypeError('not a date');
}
}
// Returns the ASN.1 object's value as a number[] where each number is the
// value of a bit in the bit string. Throws an error if the object is not a
// bit string.
toBitString() {
if (!this.tag.isBitString()) {
throw new error_1.ASN1TypeError('not a bit string');
}
return (0, parse_1.parseBitString)(this.value);
}
}
exports.ASN1Obj = ASN1Obj;
/////////////////////////////////////////////////////////////////////////////
// Internal stream parsing functions
function parseStream(stream) {
// Parse tag, length, and value from stream
const tag = new tag_1.ASN1Tag(stream.getUint8());
const len = (0, length_1.decodeLength)(stream);
const value = stream.slice(stream.position, len);
const start = stream.position;
let subs = [];
// If the object is constructed, parse its children. Sometimes, children
// are embedded in OCTESTRING objects, so we need to check those
// for children as well.
if (tag.constructed) {
subs = collectSubs(stream, len);
}
else if (tag.isOctetString()) {
// Attempt to parse children of OCTETSTRING objects. If anything fails,
// assume the object is not constructed and treat as primitive.
try {
subs = collectSubs(stream, len);
}
catch (e) {
// Fail silently and treat as primitive
}
}
// If there are no children, move stream cursor to the end of the object
if (subs.length === 0) {
stream.seek(start + len);
}
return new ASN1Obj(tag, value, subs);
}
function collectSubs(stream, len) {
// Calculate end of object content
const end = stream.position + len;
// Make sure there are enough bytes left in the stream. This should never
// happen, cause it'll get caught when the stream is sliced in parseStream.
// Leaving as an extra check just in case.
/* istanbul ignore if */
if (end > stream.length) {
throw new error_1.ASN1ParseError('invalid length');
}
// Parse all children
const subs = [];
while (stream.position < end) {
subs.push(parseStream(stream));
}
// When we're done parsing children, we should be at the end of the object
if (stream.position !== end) {
throw new error_1.ASN1ParseError('invalid length');
}
return subs;
}

7
spa/node_modules/sigstore/dist/util/asn1/parse.d.ts generated vendored Normal file
View File

@@ -0,0 +1,7 @@
/// <reference types="node" />
export declare function parseInteger(buf: Buffer): bigint;
export declare function parseStringASCII(buf: Buffer): string;
export declare function parseTime(buf: Buffer, shortYear: boolean): Date;
export declare function parseOID(buf: Buffer): string;
export declare function parseBoolean(buf: Buffer): boolean;
export declare function parseBitString(buf: Buffer): number[];

125
spa/node_modules/sigstore/dist/util/asn1/parse.js generated vendored Normal file
View File

@@ -0,0 +1,125 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.parseBitString = exports.parseBoolean = exports.parseOID = exports.parseTime = exports.parseStringASCII = exports.parseInteger = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const RE_TIME_SHORT_YEAR = /^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
const RE_TIME_LONG_YEAR = /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/;
// Parse a BigInt from the DER-encoded buffer
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-integer
function parseInteger(buf) {
let pos = 0;
const end = buf.length;
let val = buf[pos];
const neg = val > 0x7f;
// Consume any padding bytes
const pad = neg ? 0xff : 0x00;
while (val == pad && ++pos < end) {
val = buf[pos];
}
// Calculate remaining bytes to read
const len = end - pos;
if (len === 0)
return BigInt(neg ? -1 : 0);
// Handle two's complement for negative numbers
val = neg ? val - 256 : val;
// Parse remaining bytes
let n = BigInt(val);
for (let i = pos + 1; i < end; ++i) {
n = n * BigInt(256) + BigInt(buf[i]);
}
return n;
}
exports.parseInteger = parseInteger;
// Parse an ASCII string from the DER-encoded buffer
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-basic-types#boolean
function parseStringASCII(buf) {
return buf.toString('ascii');
}
exports.parseStringASCII = parseStringASCII;
// Parse a Date from the DER-encoded buffer
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.5.1
function parseTime(buf, shortYear) {
const timeStr = parseStringASCII(buf);
// Parse the time string into matches - captured groups start at index 1
const m = shortYear
? RE_TIME_SHORT_YEAR.exec(timeStr)
: RE_TIME_LONG_YEAR.exec(timeStr);
if (!m) {
throw new Error('invalid time');
}
// Translate dates with a 2-digit year to 4 digits per the spec
if (shortYear) {
let year = Number(m[1]);
year += year >= 50 ? 1900 : 2000;
m[1] = year.toString();
}
// Translate to ISO8601 format and parse
return new Date(`${m[1]}-${m[2]}-${m[3]}T${m[4]}:${m[5]}:${m[6]}Z`);
}
exports.parseTime = parseTime;
// Parse an OID from the DER-encoded buffer
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-object-identifier
function parseOID(buf) {
let pos = 0;
const end = buf.length;
// Consume first byte which encodes the first two OID components
let n = buf[pos++];
const first = Math.floor(n / 40);
const second = n % 40;
let oid = `${first}.${second}`;
// Consume remaining bytes
let val = 0;
for (; pos < end; ++pos) {
n = buf[pos];
val = (val << 7) + (n & 0x7f);
// If the left-most bit is NOT set, then this is the last byte in the
// sequence and we can add the value to the OID and reset the accumulator
if ((n & 0x80) === 0) {
oid += `.${val}`;
val = 0;
}
}
return oid;
}
exports.parseOID = parseOID;
// Parse a boolean from the DER-encoded buffer
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-basic-types#boolean
function parseBoolean(buf) {
return buf[0] !== 0;
}
exports.parseBoolean = parseBoolean;
// Parse a bit string from the DER-encoded buffer
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-bit-string
function parseBitString(buf) {
// First byte tell us how many unused bits are in the last byte
const unused = buf[0];
const start = 1;
const end = buf.length;
const bits = [];
for (let i = start; i < end; ++i) {
const byte = buf[i];
// The skip value is only used for the last byte
const skip = i === end - 1 ? unused : 0;
// Iterate over each bit in the byte (most significant first)
for (let j = 7; j >= skip; --j) {
// Read the bit and add it to the bit string
bits.push((byte >> j) & 0x01);
}
}
return bits;
}
exports.parseBitString = parseBitString;

28
spa/node_modules/sigstore/dist/util/asn1/tag.d.ts generated vendored Normal file
View File

@@ -0,0 +1,28 @@
export declare const UNIVERSAL_TAG: {
BOOLEAN: number;
INTEGER: number;
BIT_STRING: number;
OCTET_STRING: number;
OBJECT_IDENTIFIER: number;
SEQUENCE: number;
SET: number;
PRINTABLE_STRING: number;
UTC_TIME: number;
GENERALIZED_TIME: number;
};
export declare class ASN1Tag {
readonly number: number;
readonly constructed: boolean;
readonly class: number;
constructor(enc: number);
isUniversal(): boolean;
isContextSpecific(num?: number): boolean;
isBoolean(): boolean;
isInteger(): boolean;
isBitString(): boolean;
isOctetString(): boolean;
isOID(): boolean;
isUTCTime(): boolean;
isGeneralizedTime(): boolean;
toDER(): number;
}

86
spa/node_modules/sigstore/dist/util/asn1/tag.js generated vendored Normal file
View File

@@ -0,0 +1,86 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ASN1Tag = exports.UNIVERSAL_TAG = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("./error");
exports.UNIVERSAL_TAG = {
BOOLEAN: 0x01,
INTEGER: 0x02,
BIT_STRING: 0x03,
OCTET_STRING: 0x04,
OBJECT_IDENTIFIER: 0x06,
SEQUENCE: 0x10,
SET: 0x11,
PRINTABLE_STRING: 0x13,
UTC_TIME: 0x17,
GENERALIZED_TIME: 0x18,
};
const TAG_CLASS = {
UNIVERSAL: 0x00,
APPLICATION: 0x01,
CONTEXT_SPECIFIC: 0x02,
PRIVATE: 0x03,
};
// https://learn.microsoft.com/en-us/windows/win32/seccertenroll/about-encoded-tag-bytes
class ASN1Tag {
constructor(enc) {
// Bits 0 through 4 are the tag number
this.number = enc & 0x1f;
// Bit 5 is the constructed bit
this.constructed = (enc & 0x20) === 0x20;
// Bit 6 & 7 are the class
this.class = enc >> 6;
if (this.number === 0x1f) {
throw new error_1.ASN1ParseError('long form tags not supported');
}
if (this.class === TAG_CLASS.UNIVERSAL && this.number === 0x00) {
throw new error_1.ASN1ParseError('unsupported tag 0x00');
}
}
isUniversal() {
return this.class === TAG_CLASS.UNIVERSAL;
}
isContextSpecific(num) {
const res = this.class === TAG_CLASS.CONTEXT_SPECIFIC;
return num !== undefined ? res && this.number === num : res;
}
isBoolean() {
return this.isUniversal() && this.number === exports.UNIVERSAL_TAG.BOOLEAN;
}
isInteger() {
return this.isUniversal() && this.number === exports.UNIVERSAL_TAG.INTEGER;
}
isBitString() {
return this.isUniversal() && this.number === exports.UNIVERSAL_TAG.BIT_STRING;
}
isOctetString() {
return this.isUniversal() && this.number === exports.UNIVERSAL_TAG.OCTET_STRING;
}
isOID() {
return (this.isUniversal() && this.number === exports.UNIVERSAL_TAG.OBJECT_IDENTIFIER);
}
isUTCTime() {
return this.isUniversal() && this.number === exports.UNIVERSAL_TAG.UTC_TIME;
}
isGeneralizedTime() {
return this.isUniversal() && this.number === exports.UNIVERSAL_TAG.GENERALIZED_TIME;
}
toDER() {
return this.number | (this.constructed ? 0x20 : 0x00) | (this.class << 6);
}
}
exports.ASN1Tag = ASN1Tag;

8
spa/node_modules/sigstore/dist/util/crypto.d.ts generated vendored Normal file
View File

@@ -0,0 +1,8 @@
/// <reference types="node" />
/// <reference types="node" />
import { BinaryLike, KeyLike } from 'crypto';
export declare function createPublicKey(key: string | Buffer): KeyLike;
export declare function verifyBlob(data: Buffer, key: KeyLike, signature: Buffer, algorithm?: string): boolean;
export declare function hash(data: BinaryLike): Buffer;
export declare function randomBytes(count: number): Buffer;
export declare function bufferEqual(a: Buffer, b: Buffer): boolean;

63
spa/node_modules/sigstore/dist/util/crypto.js generated vendored Normal file
View File

@@ -0,0 +1,63 @@
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.bufferEqual = exports.randomBytes = exports.hash = exports.verifyBlob = exports.createPublicKey = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const crypto_1 = __importDefault(require("crypto"));
const SHA256_ALGORITHM = 'sha256';
function createPublicKey(key) {
if (typeof key === 'string') {
return crypto_1.default.createPublicKey(key);
}
else {
return crypto_1.default.createPublicKey({ key, format: 'der', type: 'spki' });
}
}
exports.createPublicKey = createPublicKey;
function verifyBlob(data, key, signature, algorithm) {
// The try/catch is to work around an issue in Node 14.x where verify throws
// an error in some scenarios if the signature is invalid.
try {
return crypto_1.default.verify(algorithm, data, key, signature);
}
catch (e) {
/* istanbul ignore next */
return false;
}
}
exports.verifyBlob = verifyBlob;
function hash(data) {
const hash = crypto_1.default.createHash(SHA256_ALGORITHM);
return hash.update(data).digest();
}
exports.hash = hash;
function randomBytes(count) {
return crypto_1.default.randomBytes(count);
}
exports.randomBytes = randomBytes;
function bufferEqual(a, b) {
try {
return crypto_1.default.timingSafeEqual(a, b);
}
catch {
/* istanbul ignore next */
return false;
}
}
exports.bufferEqual = bufferEqual;

2
spa/node_modules/sigstore/dist/util/dsse.d.ts generated vendored Normal file
View File

@@ -0,0 +1,2 @@
/// <reference types="node" />
export declare function preAuthEncoding(payloadType: string, payload: Buffer): Buffer;

25
spa/node_modules/sigstore/dist/util/dsse.js generated vendored Normal file
View File

@@ -0,0 +1,25 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.preAuthEncoding = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const PAE_PREFIX = 'DSSEv1';
// DSSE Pre-Authentication Encoding
function preAuthEncoding(payloadType, payload) {
const prefix = Buffer.from(`${PAE_PREFIX} ${payloadType.length} ${payloadType} ${payload.length} `, 'ascii');
return Buffer.concat([prefix, payload]);
}
exports.preAuthEncoding = preAuthEncoding;

6
spa/node_modules/sigstore/dist/util/encoding.d.ts generated vendored Normal file
View File

@@ -0,0 +1,6 @@
export declare function base64Encode(str: string): string;
export declare function base64Decode(str: string): string;
export declare function base64URLEncode(str: string): string;
export declare function base64URLDecode(str: string): string;
export declare function base64URLEscape(str: string): string;
export declare function base64URLUnescape(str: string): string;

46
spa/node_modules/sigstore/dist/util/encoding.js generated vendored Normal file
View File

@@ -0,0 +1,46 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.base64URLUnescape = exports.base64URLEscape = exports.base64URLDecode = exports.base64URLEncode = exports.base64Decode = exports.base64Encode = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const BASE64_ENCODING = 'base64';
const UTF8_ENCODING = 'utf-8';
function base64Encode(str) {
return Buffer.from(str, UTF8_ENCODING).toString(BASE64_ENCODING);
}
exports.base64Encode = base64Encode;
function base64Decode(str) {
return Buffer.from(str, BASE64_ENCODING).toString(UTF8_ENCODING);
}
exports.base64Decode = base64Decode;
function base64URLEncode(str) {
return base64URLEscape(base64Encode(str));
}
exports.base64URLEncode = base64URLEncode;
function base64URLDecode(str) {
return base64Decode(base64URLUnescape(str));
}
exports.base64URLDecode = base64URLDecode;
function base64URLEscape(str) {
return str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
}
exports.base64URLEscape = base64URLEscape;
function base64URLUnescape(str) {
// Repad the base64 string if necessary
str += '='.repeat((4 - (str.length % 4)) % 4);
return str.replace(/-/g, '+').replace(/_/g, '/');
}
exports.base64URLUnescape = base64URLUnescape;

6
spa/node_modules/sigstore/dist/util/index.d.ts generated vendored Normal file
View File

@@ -0,0 +1,6 @@
export * as asn1 from './asn1';
export * as crypto from './crypto';
export * as dsse from './dsse';
export * as encoding from './encoding';
export * as json from './json';
export * as pem from './pem';

47
spa/node_modules/sigstore/dist/util/index.js generated vendored Normal file
View File

@@ -0,0 +1,47 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.pem = exports.json = exports.encoding = exports.dsse = exports.crypto = exports.asn1 = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
exports.asn1 = __importStar(require("./asn1"));
exports.crypto = __importStar(require("./crypto"));
exports.dsse = __importStar(require("./dsse"));
exports.encoding = __importStar(require("./encoding"));
exports.json = __importStar(require("./json"));
exports.pem = __importStar(require("./pem"));

1
spa/node_modules/sigstore/dist/util/json.d.ts generated vendored Normal file
View File

@@ -0,0 +1 @@
export declare function canonicalize(object: any): string;

61
spa/node_modules/sigstore/dist/util/json.js generated vendored Normal file
View File

@@ -0,0 +1,61 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.canonicalize = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// JSON canonicalization per https://github.com/cyberphone/json-canonicalization
// eslint-disable-next-line @typescript-eslint/no-explicit-any
function canonicalize(object) {
let buffer = '';
if (object === null || typeof object !== 'object' || object.toJSON != null) {
// Primitives or toJSONable objects
buffer += JSON.stringify(object);
}
else if (Array.isArray(object)) {
// Array - maintain element order
buffer += '[';
let first = true;
object.forEach((element) => {
if (!first) {
buffer += ',';
}
first = false;
// recursive call
buffer += canonicalize(element);
});
buffer += ']';
}
else {
// Object - Sort properties before serializing
buffer += '{';
let first = true;
Object.keys(object)
.sort()
.forEach((property) => {
if (!first) {
buffer += ',';
}
first = false;
buffer += JSON.stringify(property);
buffer += ':';
// recursive call
buffer += canonicalize(object[property]);
});
buffer += '}';
}
return buffer;
}
exports.canonicalize = canonicalize;

3
spa/node_modules/sigstore/dist/util/pem.d.ts generated vendored Normal file
View File

@@ -0,0 +1,3 @@
/// <reference types="node" />
export declare function toDER(certificate: string): Buffer;
export declare function fromDER(certificate: Buffer, type?: string): string;

44
spa/node_modules/sigstore/dist/util/pem.js generated vendored Normal file
View File

@@ -0,0 +1,44 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.fromDER = exports.toDER = void 0;
/*
Copyright 2022 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const PEM_HEADER = /-----BEGIN (.*)-----/;
const PEM_FOOTER = /-----END (.*)-----/;
function toDER(certificate) {
let der = '';
certificate.split('\n').forEach((line) => {
if (line.match(PEM_HEADER) || line.match(PEM_FOOTER)) {
return;
}
der += line;
});
return Buffer.from(der, 'base64');
}
exports.toDER = toDER;
// Translates a DER-encoded buffer into a PEM-encoded string. Standard PEM
// encoding dictates that each certificate should have a trailing newline after
// the footer.
function fromDER(certificate, type = 'CERTIFICATE') {
// Base64-encode the certificate.
const der = certificate.toString('base64');
// Split the certificate into lines of 64 characters.
const lines = der.match(/.{1,64}/g) || '';
return [`-----BEGIN ${type}-----`, ...lines, `-----END ${type}-----`]
.join('\n')
.concat('\n');
}
exports.fromDER = fromDER;

24
spa/node_modules/sigstore/dist/util/stream.d.ts generated vendored Normal file
View File

@@ -0,0 +1,24 @@
/// <reference types="node" />
export declare class StreamError extends Error {
}
export declare class ByteStream {
private static BLOCK_SIZE;
private buf;
private view;
private start;
constructor(buffer?: ArrayBuffer);
get buffer(): Buffer;
get length(): number;
get position(): number;
seek(position: number): void;
slice(start: number, len: number): Buffer;
appendChar(char: number): void;
appendUint16(num: number): void;
appendUint24(num: number): void;
appendView(view: Uint8Array): void;
getBlock(size: number): Buffer;
getUint8(): number;
getUint16(): number;
private ensureCapacity;
private realloc;
}

116
spa/node_modules/sigstore/dist/util/stream.js generated vendored Normal file
View File

@@ -0,0 +1,116 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ByteStream = exports.StreamError = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
class StreamError extends Error {
}
exports.StreamError = StreamError;
class ByteStream {
constructor(buffer) {
this.start = 0;
if (buffer) {
this.buf = buffer;
this.view = Buffer.from(buffer);
}
else {
this.buf = new ArrayBuffer(0);
this.view = Buffer.from(this.buf);
}
}
get buffer() {
return this.view.subarray(0, this.start);
}
get length() {
return this.view.byteLength;
}
get position() {
return this.start;
}
seek(position) {
this.start = position;
}
// Returns a Buffer containing the specified number of bytes starting at the
// given start position.
slice(start, len) {
const end = start + len;
if (end > this.length) {
throw new StreamError('request past end of buffer');
}
return this.view.subarray(start, end);
}
appendChar(char) {
this.ensureCapacity(1);
this.view[this.start] = char;
this.start += 1;
}
appendUint16(num) {
this.ensureCapacity(2);
const value = new Uint16Array([num]);
const view = new Uint8Array(value.buffer);
this.view[this.start] = view[1];
this.view[this.start + 1] = view[0];
this.start += 2;
}
appendUint24(num) {
this.ensureCapacity(3);
const value = new Uint32Array([num]);
const view = new Uint8Array(value.buffer);
this.view[this.start] = view[2];
this.view[this.start + 1] = view[1];
this.view[this.start + 2] = view[0];
this.start += 3;
}
appendView(view) {
this.ensureCapacity(view.length);
this.view.set(view, this.start);
this.start += view.length;
}
getBlock(size) {
if (size <= 0) {
return Buffer.alloc(0);
}
if (this.start + size > this.view.length) {
throw new Error('request past end of buffer');
}
const result = this.view.subarray(this.start, this.start + size);
this.start += size;
return result;
}
getUint8() {
return this.getBlock(1)[0];
}
getUint16() {
const block = this.getBlock(2);
return (block[0] << 8) | block[1];
}
ensureCapacity(size) {
if (this.start + size > this.view.byteLength) {
const blockSize = ByteStream.BLOCK_SIZE + (size > ByteStream.BLOCK_SIZE ? size : 0);
this.realloc(this.view.byteLength + blockSize);
}
}
realloc(size) {
const newArray = new ArrayBuffer(size);
const newView = Buffer.from(newArray);
// Copy the old buffer into the new one
newView.set(this.view);
this.buf = newArray;
this.view = newView;
}
}
exports.ByteStream = ByteStream;
ByteStream.BLOCK_SIZE = 1024;

14
spa/node_modules/sigstore/dist/verify.d.ts generated vendored Normal file
View File

@@ -0,0 +1,14 @@
/// <reference types="node" />
import { Bundle } from '@sigstore/bundle';
import * as sigstore from './types/sigstore';
export type KeySelector = (hint: string) => string | Buffer | undefined;
export declare class Verifier {
private trustedRoot;
private keySelector;
constructor(trustedRoot: sigstore.TrustedRoot, keySelector?: KeySelector);
verify(bundle: Bundle, options: sigstore.RequiredArtifactVerificationOptions, data?: Buffer): void;
private verifyArtifactSignature;
private verifySigningCertificate;
private verifyTLogEntries;
private getPublicKey;
}

160
spa/node_modules/sigstore/dist/verify.js generated vendored Normal file
View File

@@ -0,0 +1,160 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.Verifier = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const bundle_1 = require("@sigstore/bundle");
const ca = __importStar(require("./ca/verify"));
const error_1 = require("./error");
const tlog = __importStar(require("./tlog/verify"));
const sigstore = __importStar(require("./types/sigstore"));
const util_1 = require("./util");
class Verifier {
constructor(trustedRoot, keySelector) {
this.trustedRoot = trustedRoot;
this.keySelector = keySelector || (() => undefined);
}
// Verifies the bundle signature, the bundle's certificate chain (if present)
// and the bundle's transparency log entries.
verify(bundle, options, data) {
this.verifyArtifactSignature(bundle, data);
if ((0, bundle_1.isBundleWithCertificateChain)(bundle)) {
this.verifySigningCertificate(bundle, options);
}
if (options.tlogOptions.disable === false) {
this.verifyTLogEntries(bundle, options);
}
}
// Performs bundle signature verification. Determines the type of the bundle
// content and delegates to the appropriate signature verification function.
verifyArtifactSignature(bundle, data) {
const publicKey = this.getPublicKey(bundle);
switch (bundle.content?.$case) {
case 'messageSignature':
if (!data) {
throw new error_1.VerificationError('no data provided for message signature verification');
}
verifyMessageSignature(data, bundle.content.messageSignature, publicKey);
break;
case 'dsseEnvelope':
verifyDSSESignature(bundle.content.dsseEnvelope, publicKey);
break;
}
}
// Performs verification of the bundle's certificate chain. The bundle must
// contain a certificate chain and the options must contain the required
// options for CA verification.
// TODO: We've temporarily removed the requirement that the options contain
// the list of trusted signer identities. This will be added back in a future
// release.
verifySigningCertificate(bundle, options) {
if (!sigstore.isCAVerificationOptions(options)) {
throw new error_1.VerificationError('no trusted certificates provided for verification');
}
ca.verifySigningCertificate(bundle, this.trustedRoot, options);
}
// Performs verification of the bundle's transparency log entries. The bundle
// must contain a list of transparency log entries.
verifyTLogEntries(bundle, options) {
tlog.verifyTLogEntries(bundle, this.trustedRoot, options.tlogOptions);
}
// Returns the public key which will be used to verify the bundle signature.
// The public key is selected based on the verification material in the bundle
// and the options provided.
getPublicKey(bundle) {
// Select the key which will be used to verify the signature
switch (bundle.verificationMaterial?.content?.$case) {
// If the bundle contains a certificate chain, the public key is the
// first certificate in the chain (the signing certificate)
case 'x509CertificateChain':
return getPublicKeyFromCertificateChain(bundle.verificationMaterial.content.x509CertificateChain);
// If the bundle contains a public key hint, the public key is selected
// from the list of trusted keys in the options
case 'publicKey':
return getPublicKeyFromHint(bundle.verificationMaterial.content.publicKey, this.keySelector);
}
}
}
exports.Verifier = Verifier;
// Retrieves the public key from the first certificate in the certificate chain
function getPublicKeyFromCertificateChain(certificateChain) {
const cert = util_1.pem.fromDER(certificateChain.certificates[0].rawBytes);
return util_1.crypto.createPublicKey(cert);
}
// Retrieves the public key through the key selector callback, passing the
// public key hint from the bundle
function getPublicKeyFromHint(publicKeyID, keySelector) {
const key = keySelector(publicKeyID.hint);
if (!key) {
throw new error_1.VerificationError('no public key found for signature verification');
}
try {
return util_1.crypto.createPublicKey(key);
}
catch (e) {
throw new error_1.VerificationError('invalid public key');
}
}
// Performs signature verification for bundle containing a message signature.
// Verifies that the digest and signature found in the bundle match the
// provided data.
function verifyMessageSignature(data, messageSignature, publicKey) {
// Extract signature for message
const { signature, messageDigest } = messageSignature;
const calculatedDigest = util_1.crypto.hash(data);
if (!calculatedDigest.equals(messageDigest.digest)) {
throw new error_1.VerificationError('message digest verification failed');
}
if (!util_1.crypto.verifyBlob(data, publicKey, signature)) {
throw new error_1.VerificationError('artifact signature verification failed');
}
}
// Performs signature verification for bundle containing a DSSE envelope.
// Calculates the PAE for the DSSE envelope and verifies it against the
// signature in the envelope.
function verifyDSSESignature(envelope, publicKey) {
// Construct payload over which the signature was originally created
const { payloadType, payload } = envelope;
const data = util_1.dsse.preAuthEncoding(payloadType, payload);
// Only support a single signature in DSSE
const signature = envelope.signatures[0].sig;
if (!util_1.crypto.verifyBlob(data, publicKey, signature)) {
throw new error_1.VerificationError('artifact signature verification failed');
}
}

48
spa/node_modules/sigstore/dist/x509/cert.d.ts generated vendored Normal file
View File

@@ -0,0 +1,48 @@
/// <reference types="node" />
import * as sigstore from '../types/sigstore';
import { ASN1Obj } from '../util/asn1';
import { x509AuthorityKeyIDExtension, x509BasicConstraintsExtension, x509Extension, x509KeyUsageExtension, x509SCTExtension, x509SubjectAlternativeNameExtension, x509SubjectKeyIDExtension } from './ext';
interface SCTVerificationResult {
verified: boolean;
logID: Buffer;
}
export declare class x509Certificate {
root: ASN1Obj;
constructor(asn1: ASN1Obj);
static parse(cert: Buffer | string): x509Certificate;
get tbsCertificate(): ASN1Obj;
get version(): string;
get notBefore(): Date;
get notAfter(): Date;
get issuer(): Buffer;
get subject(): Buffer;
get publicKey(): Buffer;
get signatureAlgorithm(): string;
get signatureValue(): Buffer;
get extensions(): ASN1Obj[];
get extKeyUsage(): x509KeyUsageExtension | undefined;
get extBasicConstraints(): x509BasicConstraintsExtension | undefined;
get extSubjectAltName(): x509SubjectAlternativeNameExtension | undefined;
get extAuthorityKeyID(): x509AuthorityKeyIDExtension | undefined;
get extSubjectKeyID(): x509SubjectKeyIDExtension | undefined;
get extSCT(): x509SCTExtension | undefined;
get isCA(): boolean;
extension(oid: string): x509Extension | undefined;
verify(issuerCertificate?: x509Certificate): boolean;
validForDate(date: Date): boolean;
equals(other: x509Certificate): boolean;
verifySCTs(issuer: x509Certificate, logs: sigstore.TransparencyLogInstance[]): SCTVerificationResult[];
private clone;
private findExtension;
private checkRecognizedExtensions;
private get tbsCertificateObj();
private get signatureAlgorithmObj();
private get signatureValueObj();
private get versionObj();
private get issuerObj();
private get validityObj();
private get subjectObj();
private get subjectPublicKeyInfoObj();
private get extensionsObj();
}
export {};

242
spa/node_modules/sigstore/dist/x509/cert.js generated vendored Normal file
View File

@@ -0,0 +1,242 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.x509Certificate = void 0;
const util_1 = require("../util");
const asn1_1 = require("../util/asn1");
const stream_1 = require("../util/stream");
const ext_1 = require("./ext");
const EXTENSION_OID_SUBJECT_KEY_ID = '2.5.29.14';
const EXTENSION_OID_KEY_USAGE = '2.5.29.15';
const EXTENSION_OID_SUBJECT_ALT_NAME = '2.5.29.17';
const EXTENSION_OID_BASIC_CONSTRAINTS = '2.5.29.19';
const EXTENSION_OID_AUTHORITY_KEY_ID = '2.5.29.35';
const EXTENSION_OID_SCT = '1.3.6.1.4.1.11129.2.4.2';
// List of recognized critical extensions
// https://www.rfc-editor.org/rfc/rfc5280#section-4.2
const RECOGNIZED_EXTENSIONS = [
EXTENSION_OID_KEY_USAGE,
EXTENSION_OID_BASIC_CONSTRAINTS,
EXTENSION_OID_SUBJECT_ALT_NAME,
];
const ECDSA_SIGNATURE_ALGOS = {
'1.2.840.10045.4.3.1': 'sha224',
'1.2.840.10045.4.3.2': 'sha256',
'1.2.840.10045.4.3.3': 'sha384',
'1.2.840.10045.4.3.4': 'sha512',
};
class x509Certificate {
constructor(asn1) {
this.root = asn1;
if (!this.checkRecognizedExtensions()) {
throw new Error('Certificate contains unrecognized critical extensions');
}
}
static parse(cert) {
const der = typeof cert === 'string' ? util_1.pem.toDER(cert) : cert;
const asn1 = asn1_1.ASN1Obj.parseBuffer(der);
return new x509Certificate(asn1);
}
get tbsCertificate() {
return this.tbsCertificateObj;
}
get version() {
// version number is the first element of the version context specific tag
const ver = this.versionObj.subs[0].toInteger();
return `v${(ver + BigInt(1)).toString()}`;
}
get notBefore() {
// notBefore is the first element of the validity sequence
return this.validityObj.subs[0].toDate();
}
get notAfter() {
// notAfter is the second element of the validity sequence
return this.validityObj.subs[1].toDate();
}
get issuer() {
return this.issuerObj.value;
}
get subject() {
return this.subjectObj.value;
}
get publicKey() {
return this.subjectPublicKeyInfoObj.toDER();
}
get signatureAlgorithm() {
const oid = this.signatureAlgorithmObj.subs[0].toOID();
return ECDSA_SIGNATURE_ALGOS[oid];
}
get signatureValue() {
// Signature value is a bit string, so we need to skip the first byte
return this.signatureValueObj.value.subarray(1);
}
get extensions() {
// The extension list is the first (and only) element of the extensions
// context specific tag
const extSeq = this.extensionsObj?.subs[0];
return extSeq?.subs || [];
}
get extKeyUsage() {
const ext = this.findExtension(EXTENSION_OID_KEY_USAGE);
return ext ? new ext_1.x509KeyUsageExtension(ext) : undefined;
}
get extBasicConstraints() {
const ext = this.findExtension(EXTENSION_OID_BASIC_CONSTRAINTS);
return ext ? new ext_1.x509BasicConstraintsExtension(ext) : undefined;
}
get extSubjectAltName() {
const ext = this.findExtension(EXTENSION_OID_SUBJECT_ALT_NAME);
return ext ? new ext_1.x509SubjectAlternativeNameExtension(ext) : undefined;
}
get extAuthorityKeyID() {
const ext = this.findExtension(EXTENSION_OID_AUTHORITY_KEY_ID);
return ext ? new ext_1.x509AuthorityKeyIDExtension(ext) : undefined;
}
get extSubjectKeyID() {
const ext = this.findExtension(EXTENSION_OID_SUBJECT_KEY_ID);
return ext ? new ext_1.x509SubjectKeyIDExtension(ext) : undefined;
}
get extSCT() {
const ext = this.findExtension(EXTENSION_OID_SCT);
return ext ? new ext_1.x509SCTExtension(ext) : undefined;
}
get isCA() {
const ca = this.extBasicConstraints?.isCA || false;
// If the KeyUsage extension is present, keyCertSign must be set
if (this.extKeyUsage) {
ca && this.extKeyUsage.keyCertSign;
}
return ca;
}
extension(oid) {
const ext = this.findExtension(oid);
return ext ? new ext_1.x509Extension(ext) : undefined;
}
verify(issuerCertificate) {
// Use the issuer's public key if provided, otherwise use the subject's
const publicKey = issuerCertificate?.publicKey || this.publicKey;
const key = util_1.crypto.createPublicKey(publicKey);
return util_1.crypto.verifyBlob(this.tbsCertificate.toDER(), key, this.signatureValue, this.signatureAlgorithm);
}
validForDate(date) {
return this.notBefore <= date && date <= this.notAfter;
}
equals(other) {
return this.root.toDER().equals(other.root.toDER());
}
verifySCTs(issuer, logs) {
let extSCT;
// Verifying the SCT requires that we remove the SCT extension and
// re-encode the TBS structure to DER -- this value is part of the data
// over which the signature is calculated. Since this is a destructive action
// we create a copy of the certificate so we can remove the SCT extension
// without affecting the original certificate.
const clone = this.clone();
// Intentionally not using the findExtension method here because we want to
// remove the the SCT extension from the certificate before calculating the
// PreCert structure
for (let i = 0; i < clone.extensions.length; i++) {
const ext = clone.extensions[i];
if (ext.subs[0].toOID() === EXTENSION_OID_SCT) {
extSCT = new ext_1.x509SCTExtension(ext);
// Remove the extension from the certificate
clone.extensions.splice(i, 1);
break;
}
}
if (!extSCT) {
throw new Error('Certificate does not contain SCT extension');
}
if (extSCT?.signedCertificateTimestamps?.length === 0) {
throw new Error('Certificate does not contain any SCTs');
}
// Construct the PreCert structure
// https://www.rfc-editor.org/rfc/rfc6962#section-3.2
const preCert = new stream_1.ByteStream();
// Calculate hash of the issuer's public key
const issuerId = util_1.crypto.hash(issuer.publicKey);
preCert.appendView(issuerId);
// Re-encodes the certificate to DER after removing the SCT extension
const tbs = clone.tbsCertificate.toDER();
preCert.appendUint24(tbs.length);
preCert.appendView(tbs);
// Calculate and return the verification results for each SCT
return extSCT.signedCertificateTimestamps.map((sct) => ({
logID: sct.logID,
verified: sct.verify(preCert.buffer, logs),
}));
}
// Creates a copy of the certificate with a new buffer
clone() {
const der = this.root.toDER();
const clone = Buffer.alloc(der.length);
der.copy(clone);
return x509Certificate.parse(clone);
}
findExtension(oid) {
// Find the extension with the given OID. The OID will always be the first
// element of the extension sequence
return this.extensions.find((ext) => ext.subs[0].toOID() === oid);
}
// A certificate should be considered invalid if it contains critical
// extensions that are not recognized
checkRecognizedExtensions() {
// The extension list is the first (and only) element of the extensions
// context specific tag
const extSeq = this.extensionsObj?.subs[0];
const exts = extSeq?.subs.map((ext) => new ext_1.x509Extension(ext));
// Check for unrecognized critical extensions
return (!exts ||
exts.every((ext) => !ext.critical || RECOGNIZED_EXTENSIONS.includes(ext.oid)));
}
/////////////////////////////////////////////////////////////////////////////
// The following properties use the documented x509 structure to locate the
// desired ASN.1 object
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.1.1
get tbsCertificateObj() {
// tbsCertificate is the first element of the certificate sequence
return this.root.subs[0];
}
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.1.2
get signatureAlgorithmObj() {
// signatureAlgorithm is the second element of the certificate sequence
return this.root.subs[1];
}
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.1.3
get signatureValueObj() {
// signatureValue is the third element of the certificate sequence
return this.root.subs[2];
}
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.1
get versionObj() {
// version is the first element of the tbsCertificate sequence
return this.tbsCertificateObj.subs[0];
}
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.4
get issuerObj() {
// issuer is the fourth element of the tbsCertificate sequence
return this.tbsCertificateObj.subs[3];
}
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.5
get validityObj() {
// version is the fifth element of the tbsCertificate sequence
return this.tbsCertificateObj.subs[4];
}
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.6
get subjectObj() {
// subject is the sixth element of the tbsCertificate sequence
return this.tbsCertificateObj.subs[5];
}
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.7
get subjectPublicKeyInfoObj() {
// subjectPublicKeyInfo is the seventh element of the tbsCertificate sequence
return this.tbsCertificateObj.subs[6];
}
// Extensions can't be located by index because their position varies. Instead,
// we need to find the extensions context specific tag
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.9
get extensionsObj() {
return this.tbsCertificateObj.subs.find((sub) => sub.tag.isContextSpecific(0x03));
}
}
exports.x509Certificate = x509Certificate;

42
spa/node_modules/sigstore/dist/x509/ext.d.ts generated vendored Normal file
View File

@@ -0,0 +1,42 @@
/// <reference types="node" />
import { ASN1Obj } from '../util/asn1';
import { SignedCertificateTimestamp } from './sct';
export declare class x509Extension {
protected root: ASN1Obj;
constructor(asn1: ASN1Obj);
get oid(): string;
get critical(): boolean;
get value(): Buffer;
get valueObj(): ASN1Obj;
protected get extnValueObj(): ASN1Obj;
}
export declare class x509BasicConstraintsExtension extends x509Extension {
get isCA(): boolean;
get pathLenConstraint(): bigint | undefined;
private get sequence();
}
export declare class x509KeyUsageExtension extends x509Extension {
get digitalSignature(): boolean;
get keyCertSign(): boolean;
get crlSign(): boolean;
private get bitString();
}
export declare class x509SubjectAlternativeNameExtension extends x509Extension {
get rfc822Name(): string | undefined;
get uri(): string | undefined;
otherName(oid: string): string | undefined;
private findGeneralName;
private get generalNames();
}
export declare class x509AuthorityKeyIDExtension extends x509Extension {
get keyIdentifier(): Buffer | undefined;
private findSequenceMember;
private get sequence();
}
export declare class x509SubjectKeyIDExtension extends x509Extension {
get keyIdentifier(): Buffer;
}
export declare class x509SCTExtension extends x509Extension {
constructor(asn1: ASN1Obj);
get signedCertificateTimestamps(): SignedCertificateTimestamp[];
}

145
spa/node_modules/sigstore/dist/x509/ext.js generated vendored Normal file
View File

@@ -0,0 +1,145 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.x509SCTExtension = exports.x509SubjectKeyIDExtension = exports.x509AuthorityKeyIDExtension = exports.x509SubjectAlternativeNameExtension = exports.x509KeyUsageExtension = exports.x509BasicConstraintsExtension = exports.x509Extension = void 0;
const stream_1 = require("../util/stream");
const sct_1 = require("./sct");
// https://www.rfc-editor.org/rfc/rfc5280#section-4.1
class x509Extension {
constructor(asn1) {
this.root = asn1;
}
get oid() {
return this.root.subs[0].toOID();
}
get critical() {
// The critical field is optional and will be the second element of the
// extension sequence if present. Default to false if not present.
return this.root.subs.length === 3 ? this.root.subs[1].toBoolean() : false;
}
get value() {
return this.extnValueObj.value;
}
get valueObj() {
return this.extnValueObj;
}
get extnValueObj() {
// The extnValue field will be the last element of the extension sequence
return this.root.subs[this.root.subs.length - 1];
}
}
exports.x509Extension = x509Extension;
// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.9
class x509BasicConstraintsExtension extends x509Extension {
get isCA() {
return this.sequence.subs[0].toBoolean();
}
get pathLenConstraint() {
return this.sequence.subs.length > 1
? this.sequence.subs[1].toInteger()
: undefined;
}
// The extnValue field contains a single sequence wrapping the isCA and
// pathLenConstraint.
get sequence() {
return this.extnValueObj.subs[0];
}
}
exports.x509BasicConstraintsExtension = x509BasicConstraintsExtension;
// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.3
class x509KeyUsageExtension extends x509Extension {
get digitalSignature() {
return this.bitString[0] === 1;
}
get keyCertSign() {
return this.bitString[5] === 1;
}
get crlSign() {
return this.bitString[6] === 1;
}
// The extnValue field contains a single bit string which is a bit mask
// indicating which key usages are enabled.
get bitString() {
return this.extnValueObj.subs[0].toBitString();
}
}
exports.x509KeyUsageExtension = x509KeyUsageExtension;
// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6
class x509SubjectAlternativeNameExtension extends x509Extension {
get rfc822Name() {
return this.findGeneralName(0x01)?.value.toString('ascii');
}
get uri() {
return this.findGeneralName(0x06)?.value.toString('ascii');
}
// Retrieve the value of an otherName with the given OID.
otherName(oid) {
const otherName = this.findGeneralName(0x00);
if (otherName === undefined) {
return undefined;
}
// The otherName is a sequence containing an OID and a value.
// Need to check that the OID matches the one we're looking for.
const otherNameOID = otherName.subs[0].toOID();
if (otherNameOID !== oid) {
return undefined;
}
// The otherNameValue is a sequence containing the actual value.
const otherNameValue = otherName.subs[1];
return otherNameValue.subs[0].value.toString('ascii');
}
findGeneralName(tag) {
return this.generalNames.find((gn) => gn.tag.isContextSpecific(tag));
}
// The extnValue field contains a sequence of GeneralNames.
get generalNames() {
return this.extnValueObj.subs[0].subs;
}
}
exports.x509SubjectAlternativeNameExtension = x509SubjectAlternativeNameExtension;
// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1
class x509AuthorityKeyIDExtension extends x509Extension {
get keyIdentifier() {
return this.findSequenceMember(0x00)?.value;
}
findSequenceMember(tag) {
return this.sequence.subs.find((el) => el.tag.isContextSpecific(tag));
}
// The extnValue field contains a single sequence wrapping the keyIdentifier
get sequence() {
return this.extnValueObj.subs[0];
}
}
exports.x509AuthorityKeyIDExtension = x509AuthorityKeyIDExtension;
// https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.2
class x509SubjectKeyIDExtension extends x509Extension {
get keyIdentifier() {
return this.extnValueObj.subs[0].value;
}
}
exports.x509SubjectKeyIDExtension = x509SubjectKeyIDExtension;
// https://www.rfc-editor.org/rfc/rfc6962#section-3.3
class x509SCTExtension extends x509Extension {
constructor(asn1) {
super(asn1);
}
get signedCertificateTimestamps() {
const buf = this.extnValueObj.subs[0].value;
const stream = new stream_1.ByteStream(buf);
// The overall list length is encoded in the first two bytes -- note this
// is the length of the list in bytes, NOT the number of SCTs in the list
const end = stream.getUint16() + 2;
const sctList = [];
while (stream.position < end) {
// Read the length of the next SCT
const sctLength = stream.getUint16();
// Slice out the bytes for the next SCT and parse it
const sct = stream.getBlock(sctLength);
sctList.push(sct_1.SignedCertificateTimestamp.parse(sct));
}
if (stream.position !== end) {
throw new Error('SCT list length does not match actual length');
}
return sctList;
}
}
exports.x509SCTExtension = x509SCTExtension;

26
spa/node_modules/sigstore/dist/x509/sct.d.ts generated vendored Normal file
View File

@@ -0,0 +1,26 @@
/// <reference types="node" />
import * as sigstore from '../types/sigstore';
interface SCTOptions {
version: number;
logID: Buffer;
timestamp: Buffer;
extensions: Buffer;
hashAlgorithm: number;
signatureAlgorithm: number;
signature: Buffer;
}
export declare class SignedCertificateTimestamp {
readonly version: number;
readonly logID: Buffer;
readonly timestamp: Buffer;
readonly extensions: Buffer;
readonly hashAlgorithm: number;
readonly signatureAlgorithm: number;
readonly signature: Buffer;
constructor(options: SCTOptions);
get datetime(): Date;
get algorithm(): string;
verify(preCert: Buffer, logs: sigstore.TransparencyLogInstance[]): boolean;
static parse(buf: Buffer): SignedCertificateTimestamp;
}
export {};

101
spa/node_modules/sigstore/dist/x509/sct.js generated vendored Normal file
View File

@@ -0,0 +1,101 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.SignedCertificateTimestamp = void 0;
const util_1 = require("../util");
const stream_1 = require("../util/stream");
class SignedCertificateTimestamp {
constructor(options) {
this.version = options.version;
this.logID = options.logID;
this.timestamp = options.timestamp;
this.extensions = options.extensions;
this.hashAlgorithm = options.hashAlgorithm;
this.signatureAlgorithm = options.signatureAlgorithm;
this.signature = options.signature;
}
get datetime() {
return new Date(Number(this.timestamp.readBigInt64BE()));
}
// Returns the hash algorithm used to generate the SCT's signature.
// https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.4.1
get algorithm() {
switch (this.hashAlgorithm) {
case 0:
return 'none';
case 1:
return 'md5';
case 2:
return 'sha1';
case 3:
return 'sha224';
case 4:
return 'sha256';
case 5:
return 'sha384';
case 6:
return 'sha512';
default:
return 'unknown';
}
}
verify(preCert, logs) {
// Find key for the log reponsible for this signature
const log = logs.find((log) => log.logId?.keyId.equals(this.logID));
if (!log?.publicKey?.rawBytes) {
throw new Error(`No key found for log: ${this.logID.toString('base64')}`);
}
const publicKey = util_1.crypto.createPublicKey(log.publicKey.rawBytes);
// Assemble the digitally-signed struct (the data over which the signature
// was generated).
// https://www.rfc-editor.org/rfc/rfc6962#section-3.2
const stream = new stream_1.ByteStream();
stream.appendChar(this.version);
stream.appendChar(0x00); // SignatureType = certificate_timestamp(0)
stream.appendView(this.timestamp);
stream.appendUint16(0x01); // LogEntryType = precert_entry(1)
stream.appendView(preCert);
stream.appendUint16(this.extensions.byteLength);
if (this.extensions.byteLength > 0) {
stream.appendView(this.extensions);
}
return util_1.crypto.verifyBlob(stream.buffer, publicKey, this.signature, this.algorithm);
}
// Parses a SignedCertificateTimestamp from a buffer. SCTs are encoded using
// TLS encoding which means the fields and lengths of most fields are
// specified as part of the SCT and TLS specs.
// https://www.rfc-editor.org/rfc/rfc6962#section-3.2
// https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.4.1
static parse(buf) {
const stream = new stream_1.ByteStream(buf);
// Version - enum { v1(0), (255) }
const version = stream.getUint8();
// Log ID - struct { opaque key_id[32]; }
const logID = stream.getBlock(32);
// Timestamp - uint64
const timestamp = stream.getBlock(8);
// Extensions - opaque extensions<0..2^16-1>;
const extenstionLength = stream.getUint16();
const extensions = stream.getBlock(extenstionLength);
// Hash algo - enum { sha256(4), . . . (255) }
const hashAlgorithm = stream.getUint8();
// Signature algo - enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
const signatureAlgorithm = stream.getUint8();
// Signature - opaque signature<0..2^16-1>;
const sigLength = stream.getUint16();
const signature = stream.getBlock(sigLength);
// Check that we read the entire buffer
if (stream.position !== buf.length) {
throw new Error('SCT buffer length mismatch');
}
return new SignedCertificateTimestamp({
version,
logID,
timestamp,
extensions,
hashAlgorithm,
signatureAlgorithm,
signature,
});
}
}
exports.SignedCertificateTimestamp = SignedCertificateTimestamp;

8
spa/node_modules/sigstore/dist/x509/verify.d.ts generated vendored Normal file
View File

@@ -0,0 +1,8 @@
import { x509Certificate } from './cert';
interface VerifyCertificateChainOptions {
trustedCerts: x509Certificate[];
untrustedCert: x509Certificate;
validAt?: Date;
}
export declare function verifyCertificateChain(opts: VerifyCertificateChainOptions): x509Certificate[];
export {};

177
spa/node_modules/sigstore/dist/x509/verify.js generated vendored Normal file
View File

@@ -0,0 +1,177 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyCertificateChain = void 0;
/*
Copyright 2023 The Sigstore Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
const error_1 = require("../error");
function verifyCertificateChain(opts) {
const verifier = new CertificateChainVerifier(opts);
return verifier.verify();
}
exports.verifyCertificateChain = verifyCertificateChain;
class CertificateChainVerifier {
constructor(opts) {
this.untrustedCert = opts.untrustedCert;
this.trustedCerts = opts.trustedCerts;
this.localCerts = dedupeCertificates([
...opts.trustedCerts,
opts.untrustedCert,
]);
this.validAt = opts.validAt || new Date();
}
verify() {
// Construct certificate path from leaf to root
const certificatePath = this.sort();
// Perform validation checks on each certificate in the path
this.checkPath(certificatePath);
// Return verified certificate path
return certificatePath;
}
sort() {
const leafCert = this.untrustedCert;
// Construct all possible paths from the leaf
let paths = this.buildPaths(leafCert);
// Filter for paths which contain a trusted certificate
paths = paths.filter((path) => path.some((cert) => this.trustedCerts.includes(cert)));
if (paths.length === 0) {
throw new error_1.VerificationError('No trusted certificate path found');
}
// Find the shortest of possible paths
const path = paths.reduce((prev, curr) => prev.length < curr.length ? prev : curr);
// Construct chain from shortest path
// Removes the last certificate in the path, which will be a second copy
// of the root certificate given that the root is self-signed.
return [leafCert, ...path].slice(0, -1);
}
// Recursively build all possible paths from the leaf to the root
buildPaths(certificate) {
const paths = [];
const issuers = this.findIssuer(certificate);
if (issuers.length === 0) {
throw new error_1.VerificationError('No valid certificate path found');
}
for (let i = 0; i < issuers.length; i++) {
const issuer = issuers[i];
// Base case - issuer is self
if (issuer.equals(certificate)) {
paths.push([certificate]);
continue;
}
// Recursively build path for the issuer
const subPaths = this.buildPaths(issuer);
// Construct paths by appending the issuer to each subpath
for (let j = 0; j < subPaths.length; j++) {
paths.push([issuer, ...subPaths[j]]);
}
}
return paths;
}
// Return all possible issuers for the given certificate
findIssuer(certificate) {
let issuers = [];
let keyIdentifier;
// Exit early if the certificate is self-signed
if (certificate.subject.equals(certificate.issuer)) {
if (certificate.verify()) {
return [certificate];
}
}
// If the certificate has an authority key identifier, use that
// to find the issuer
if (certificate.extAuthorityKeyID) {
keyIdentifier = certificate.extAuthorityKeyID.keyIdentifier;
// TODO: Add support for authorityCertIssuer/authorityCertSerialNumber
// though Fulcio doesn't appear to use these
}
// Find possible issuers by comparing the authorityKeyID/subjectKeyID
// or issuer/subject. Potential issuers are added to the result array.
this.localCerts.forEach((possibleIssuer) => {
if (keyIdentifier) {
if (possibleIssuer.extSubjectKeyID) {
if (possibleIssuer.extSubjectKeyID.keyIdentifier.equals(keyIdentifier)) {
issuers.push(possibleIssuer);
}
return;
}
}
// Fallback to comparing certificate issuer and subject if
// subjectKey/authorityKey extensions are not present
if (possibleIssuer.subject.equals(certificate.issuer)) {
issuers.push(possibleIssuer);
}
});
// Remove any issuers which fail to verify the certificate
issuers = issuers.filter((issuer) => {
try {
return certificate.verify(issuer);
}
catch (ex) {
return false;
}
});
return issuers;
}
checkPath(path) {
if (path.length < 1) {
throw new error_1.VerificationError('Certificate chain must contain at least one certificate');
}
// Check that all certificates are valid at the check date
const validForDate = path.every((cert) => cert.validForDate(this.validAt));
if (!validForDate) {
throw new error_1.VerificationError('Certificate is not valid or expired at the specified date');
}
// Ensure that all certificates beyond the leaf are CAs
const validCAs = path.slice(1).every((cert) => cert.isCA);
if (!validCAs) {
throw new error_1.VerificationError('Intermediate certificate is not a CA');
}
// Certificate's issuer must match the subject of the next certificate
// in the chain
for (let i = path.length - 2; i >= 0; i--) {
if (!path[i].issuer.equals(path[i + 1].subject)) {
throw new error_1.VerificationError('Incorrect certificate name chaining');
}
}
// Check pathlength constraints
for (let i = 0; i < path.length; i++) {
const cert = path[i];
// If the certificate is a CA, check the path length
if (cert.extBasicConstraints?.isCA) {
const pathLength = cert.extBasicConstraints.pathLenConstraint;
// The path length, if set, indicates how many intermediate
// certificates (NOT including the leaf) are allowed to follow. The
// pathLength constraint of any intermediate CA certificate MUST be
// greater than or equal to it's own depth in the chain (with an
// adjustment for the leaf certificate)
if (pathLength !== undefined && pathLength < i - 1) {
throw new error_1.VerificationError('Path length constraint exceeded');
}
}
}
}
}
// Remove duplicate certificates from the array
function dedupeCertificates(certs) {
for (let i = 0; i < certs.length; i++) {
for (let j = i + 1; j < certs.length; j++) {
if (certs[i].equals(certs[j])) {
certs.splice(j, 1);
j--;
}
}
}
return certs;
}