diff --git a/.github/workflows/rust-build.yml b/.github/workflows/rust-build.yml index 8756c43a..46639356 100644 --- a/.github/workflows/rust-build.yml +++ b/.github/workflows/rust-build.yml @@ -46,6 +46,8 @@ jobs: - run: rustup update ${{ matrix.toolchain }} && rustup default ${{ matrix.toolchain }} - run: | make rust + - run: | + RUST_ACTION="publish -p sigstore_protobuf_specs --dry-run" make rust test: runs-on: ubuntu-latest diff --git a/Makefile b/Makefile index fcf68d5c..8fc4f2e9 100644 --- a/Makefile +++ b/Makefile @@ -16,7 +16,7 @@ PROTOC_IMAGE = protobuf-specs-build JSONSCHEMA_IMAGE = jsonschema-specs-build -RUST_ACTION ?= build +RUST_ACTION ?= run -p sigstore-protobuf-specs-codegen # generate all language protobuf code all: go python typescript ruby rust jsonschema diff --git a/gen/pb-rust/Cargo.lock b/gen/pb-rust/Cargo.lock index 00fca83b..eafa44da 100644 --- a/gen/pb-rust/Cargo.lock +++ b/gen/pb-rust/Cargo.lock @@ -404,6 +404,17 @@ dependencies = [ "serde", ] +[[package]] +name = "sigstore-protobuf-specs-codegen" +version = "0.0.1" +dependencies = [ + "anyhow", + "glob", + "prost-build", + "prost-reflect-build", + "which 6.0.0", +] + [[package]] name = "sigstore-protobuf-specs-derive" version = "0.0.1" diff --git a/gen/pb-rust/Cargo.toml b/gen/pb-rust/Cargo.toml index 08fc933f..772eb7a2 100644 --- a/gen/pb-rust/Cargo.toml +++ b/gen/pb-rust/Cargo.toml @@ -2,5 +2,6 @@ resolver = "2" members = [ "sigstore-protobuf-specs", - "sigstore-protobuf-specs-derive" + "sigstore-protobuf-specs-codegen", + "sigstore-protobuf-specs-derive", ] diff --git a/gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml b/gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml new file mode 100644 index 00000000..98e56505 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs-codegen/Cargo.toml @@ -0,0 +1,11 @@ +[package] +name = "sigstore-protobuf-specs-codegen" +version = "0.0.1" +edition = "2021" + +[dependencies] +anyhow = "1.0.72" +glob = "0.3" +prost-build = "0.12.3" +prost-reflect-build = "0.12.0" +which = "6.0.0" diff --git a/gen/pb-rust/sigstore-protobuf-specs/build.rs b/gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs similarity index 75% rename from gen/pb-rust/sigstore-protobuf-specs/build.rs rename to gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs index d864bb08..9c2fa4e7 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/build.rs +++ b/gen/pb-rust/sigstore-protobuf-specs-codegen/src/main.rs @@ -1,3 +1,5 @@ +use std::path::Path; + /// Find the standard protobuf include directory. fn protobuf_include_path() -> String { let mut protobuf_root = which::which("protoc") @@ -14,10 +16,17 @@ fn main() -> anyhow::Result<()> { concat!(env!("CARGO_MANIFEST_DIR"), "/../../../protos").to_owned(), // WKTs path protobuf_include_path(), - // googleapi types path + // googleapis types path: set `SIGSTORE_PROTOBUF_EXTRA_INCLUDE` to override. std::env::var("SIGSTORE_PROTOBUF_EXTRA_INCLUDE").unwrap_or("/opt/include".to_owned()), ]; + for include in &includes { + let include = Path::new(include); + if !include.is_dir() { + panic!("invalid include dir: {:?}", include); + } + } + let mut config = prost_build::Config::new(); config .include_file("mod.rs") @@ -26,10 +35,12 @@ fn main() -> anyhow::Result<()> { "#[derive(sigstore_protobuf_specs_derive::Deserialize_proto, sigstore_protobuf_specs_derive::Serialize_proto)]", ) // Disable problematic comments interpreted as doctests. - .disable_comments([".io.intoto.Envelope"]); + .disable_comments([".io.intoto.Envelope"]) + .out_dir("sigstore-protobuf-specs/src/generated/"); prost_reflect_build::Builder::new() .file_descriptor_set_bytes("crate::FILE_DESCRIPTOR_SET_BYTES") + .file_descriptor_set_path("sigstore-protobuf-specs/src/generated/file_descriptor_set.bin") .compile_protos_with_config( config, &glob::glob(concat!( diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs new file mode 100644 index 00000000..9a49169c --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.bundle.v1.rs @@ -0,0 +1,193 @@ +/// Various timestamped counter signatures over the artifacts signature. +/// Currently only RFC3161 signatures are provided. More formats may be added +/// in the future. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.bundle.v1.TimestampVerificationData")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct TimestampVerificationData { + /// A list of RFC3161 signed timestamps provided by the user. + /// This can be used when the entry has not been stored on a + /// transparency log, or in conjunction for a stronger trust model. + /// Clients MUST verify the hashed message in the message imprint + /// against the signature in the bundle. + #[prost(message, repeated, tag = "1")] + pub rfc3161_timestamps: ::prost::alloc::vec::Vec< + super::super::common::v1::Rfc3161SignedTimestamp, + >, +} +/// VerificationMaterial captures details on the materials used to verify +/// signatures. This message may be embedded in a DSSE envelope as a signature +/// extension. Specifically, the `ext` field of the extension will expect this +/// message when the signature extension is for Sigstore. This is identified by +/// the `kind` field in the extension, which must be set to +/// application/vnd.dev.sigstore.verificationmaterial;version=0.1 for Sigstore. +/// When used as a DSSE extension, if the `public_key` field is used to indicate +/// the key identifier, it MUST match the `keyid` field of the signature the +/// extension is attached to. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.bundle.v1.VerificationMaterial")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct VerificationMaterial { + /// An inclusion proof and an optional signed timestamp from the log. + /// Client verification libraries MAY provide an option to support v0.1 + /// bundles for backwards compatibility, which may contain an inclusion + /// promise and not an inclusion proof. In this case, the client MUST + /// validate the promise. + /// Verifiers SHOULD NOT allow v0.1 bundles if they're used in an + /// ecosystem which never produced them. + #[prost(message, repeated, tag = "3")] + pub tlog_entries: ::prost::alloc::vec::Vec< + super::super::rekor::v1::TransparencyLogEntry, + >, + /// Timestamp may also come from + /// tlog_entries.inclusion_promise.signed_entry_timestamp. + #[prost(message, optional, tag = "4")] + pub timestamp_verification_data: ::core::option::Option, + /// The key material for verification purposes. + /// + /// This allows key material to be conveyed in one of three forms: + /// + /// 1. An unspecified public key identifier, for retrieving a key + /// from an out-of-band mechanism (such as a keyring); + /// + /// 2. A sequence of one or more X.509 certificates, of which the first member + /// MUST be a leaf certificate conveying the signing key. Subsequent members + /// SHOULD be in issuing order, meaning that `n + 1` should be an issuer for `n`. + /// + /// Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT + /// include intermediate CA certificates that appear in an independent root of trust + /// (such as the Public Good Instance's trusted root). + /// + /// Verifiers MUST validate the chain carefully to ensure that it chains up + /// to a CA certificate that they independently trust. Verifiers SHOULD + /// handle old or non-complying bundles that have superfluous intermediate and/or + /// root CA certificates by either ignoring them or explicitly considering them + /// untrusted for the purposes of chain building. + /// + /// 3. A single X.509 certificate, which MUST be a leaf certificate conveying + /// the signing key. + /// + /// When used with the Public Good Instance (PGI) of Sigstore for "keyless" signing + /// via Fulcio, form (1) MUST NOT be used, regardless of bundle version. Form (1) + /// MAY be used with the PGI for self-managed keys. + /// + /// When used in a `0.1` or `0.2` bundle with the PGI and "keyless" signing, + /// form (2) MUST be used. + /// + /// When used in a `0.3` bundle with the PGI and "keyless" signing, + /// form (3) MUST be used. + #[prost(oneof = "verification_material::Content", tags = "1, 2, 5")] + pub content: ::core::option::Option, +} +/// Nested message and enum types in `VerificationMaterial`. +pub mod verification_material { + /// The key material for verification purposes. + /// + /// This allows key material to be conveyed in one of three forms: + /// + /// 1. An unspecified public key identifier, for retrieving a key + /// from an out-of-band mechanism (such as a keyring); + /// + /// 2. A sequence of one or more X.509 certificates, of which the first member + /// MUST be a leaf certificate conveying the signing key. Subsequent members + /// SHOULD be in issuing order, meaning that `n + 1` should be an issuer for `n`. + /// + /// Signers MUST NOT include root CA certificates in bundles, and SHOULD NOT + /// include intermediate CA certificates that appear in an independent root of trust + /// (such as the Public Good Instance's trusted root). + /// + /// Verifiers MUST validate the chain carefully to ensure that it chains up + /// to a CA certificate that they independently trust. Verifiers SHOULD + /// handle old or non-complying bundles that have superfluous intermediate and/or + /// root CA certificates by either ignoring them or explicitly considering them + /// untrusted for the purposes of chain building. + /// + /// 3. A single X.509 certificate, which MUST be a leaf certificate conveying + /// the signing key. + /// + /// When used with the Public Good Instance (PGI) of Sigstore for "keyless" signing + /// via Fulcio, form (1) MUST NOT be used, regardless of bundle version. Form (1) + /// MAY be used with the PGI for self-managed keys. + /// + /// When used in a `0.1` or `0.2` bundle with the PGI and "keyless" signing, + /// form (2) MUST be used. + /// + /// When used in a `0.3` bundle with the PGI and "keyless" signing, + /// form (3) MUST be used. + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Content { + #[prost(message, tag = "1")] + PublicKey(super::super::super::common::v1::PublicKeyIdentifier), + #[prost(message, tag = "2")] + X509CertificateChain(super::super::super::common::v1::X509CertificateChain), + #[prost(message, tag = "5")] + Certificate(super::super::super::common::v1::X509Certificate), + } +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.bundle.v1.Bundle")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Bundle { + /// MUST be application/vnd.dev.sigstore.bundle+json;version=0.1 + /// or application/vnd.dev.sigstore.bundle+json;version=0.2 + /// or application/vnd.dev.sigstore.bundle+json;version=0.3 + /// when encoded as JSON. + #[prost(string, tag = "1")] + pub media_type: ::prost::alloc::string::String, + /// When a signer is identified by a X.509 certificate, a verifier MUST + /// verify that the signature was computed at the time the certificate + /// was valid as described in the Sigstore client spec: "Verification + /// using a Bundle". + /// <> + /// If the verification material contains a public key identifier + /// (key hint) and the `content` is a DSSE envelope, the key hints + /// MUST be exactly the same in the verification material and in the + /// DSSE envelope. + #[prost(message, optional, tag = "2")] + pub verification_material: ::core::option::Option, + #[prost(oneof = "bundle::Content", tags = "3, 4")] + pub content: ::core::option::Option, +} +/// Nested message and enum types in `Bundle`. +pub mod bundle { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Content { + #[prost(message, tag = "3")] + MessageSignature(super::super::super::common::v1::MessageSignature), + /// A DSSE envelope can contain arbitrary payloads. + /// Verifiers must verify that the payload type is a + /// supported and expected type. This is part of the DSSE + /// protocol which is defined here: + /// <> + #[prost(message, tag = "4")] + DsseEnvelope(super::super::super::super::super::io::intoto::Envelope), + } +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs new file mode 100644 index 00000000..6e5d37cc --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.common.v1.rs @@ -0,0 +1,480 @@ +/// HashOutput captures a digest of a 'message' (generic octet sequence) +/// and the corresponding hash algorithm used. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.HashOutput")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct HashOutput { + #[prost(enumeration = "HashAlgorithm", tag = "1")] + pub algorithm: i32, + /// This is the raw octets of the message digest as computed by + /// the hash algorithm. + #[prost(bytes = "vec", tag = "2")] + pub digest: ::prost::alloc::vec::Vec, +} +/// MessageSignature stores the computed signature over a message. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.MessageSignature")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct MessageSignature { + /// Message digest can be used to identify the artifact. + /// Clients MUST NOT attempt to use this digest to verify the associated + /// signature; it is intended solely for identification. + #[prost(message, optional, tag = "1")] + pub message_digest: ::core::option::Option, + /// The raw bytes as returned from the signature algorithm. + /// The signature algorithm (and so the format of the signature bytes) + /// are determined by the contents of the 'verification_material', + /// either a key-pair or a certificate. If using a certificate, the + /// certificate contains the required information on the signature + /// algorithm. + /// When using a key pair, the algorithm MUST be part of the public + /// key, which MUST be communicated out-of-band. + #[prost(bytes = "vec", tag = "2")] + pub signature: ::prost::alloc::vec::Vec, +} +/// LogId captures the identity of a transparency log. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.LogId")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct LogId { + /// The unique id of the log, represented as the SHA-256 hash + /// of the log's public key, calculated over the DER encoding + /// of the key represented as SubjectPublicKeyInfo. + /// See + #[prost(bytes = "vec", tag = "1")] + pub key_id: ::prost::alloc::vec::Vec, +} +/// This message holds a RFC 3161 timestamp. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.RFC3161SignedTimestamp")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Rfc3161SignedTimestamp { + /// Signed timestamp is the DER encoded TimeStampResponse. + /// See + #[prost(bytes = "vec", tag = "1")] + pub signed_timestamp: ::prost::alloc::vec::Vec, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.PublicKey")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct PublicKey { + /// DER-encoded public key, encoding method is specified by the + /// key_details attribute. + #[prost(bytes = "vec", optional, tag = "1")] + pub raw_bytes: ::core::option::Option<::prost::alloc::vec::Vec>, + /// Key encoding and signature algorithm to use for this key. + #[prost(enumeration = "PublicKeyDetails", tag = "2")] + pub key_details: i32, + /// Optional validity period for this key, *inclusive* of the endpoints. + #[prost(message, optional, tag = "3")] + pub valid_for: ::core::option::Option, +} +/// PublicKeyIdentifier can be used to identify an (out of band) delivered +/// key, to verify a signature. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.PublicKeyIdentifier")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct PublicKeyIdentifier { + /// Optional unauthenticated hint on which key to use. + /// The format of the hint must be agreed upon out of band by the + /// signer and the verifiers, and so is not subject to this + /// specification. + /// Example use-case is to specify the public key to use, from a + /// trusted key-ring. + /// Implementors are RECOMMENDED to derive the value from the public + /// key as described in RFC 6962. + /// See: <> + #[prost(string, tag = "1")] + pub hint: ::prost::alloc::string::String, +} +/// An ASN.1 OBJECT IDENTIFIER +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.ObjectIdentifier")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct ObjectIdentifier { + #[prost(int32, repeated, packed = "false", tag = "1")] + pub id: ::prost::alloc::vec::Vec, +} +/// An OID and the corresponding (byte) value. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.ObjectIdentifierValuePair")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct ObjectIdentifierValuePair { + #[prost(message, optional, tag = "1")] + pub oid: ::core::option::Option, + #[prost(bytes = "vec", tag = "2")] + pub value: ::prost::alloc::vec::Vec, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.DistinguishedName")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct DistinguishedName { + #[prost(string, tag = "1")] + pub organization: ::prost::alloc::string::String, + #[prost(string, tag = "2")] + pub common_name: ::prost::alloc::string::String, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.X509Certificate")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct X509Certificate { + /// DER-encoded X.509 certificate. + #[prost(bytes = "vec", tag = "1")] + pub raw_bytes: ::prost::alloc::vec::Vec, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.SubjectAlternativeName")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct SubjectAlternativeName { + #[prost(enumeration = "SubjectAlternativeNameType", tag = "1")] + pub r#type: i32, + #[prost(oneof = "subject_alternative_name::Identity", tags = "2, 3")] + pub identity: ::core::option::Option, +} +/// Nested message and enum types in `SubjectAlternativeName`. +pub mod subject_alternative_name { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Identity { + /// A regular expression describing the expected value for + /// the SAN. + #[prost(string, tag = "2")] + Regexp(::prost::alloc::string::String), + /// The exact value to match against. + #[prost(string, tag = "3")] + Value(::prost::alloc::string::String), + } +} +/// A collection of X.509 certificates. +/// +/// This "chain" can be used in multiple contexts, such as providing a root CA +/// certificate within a TUF root of trust or multiple untrusted certificates for +/// the purpose of chain building. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.X509CertificateChain")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct X509CertificateChain { + /// One or more DER-encoded certificates. + /// + /// In some contexts (such as `VerificationMaterial.x509_certificate_chain`), this sequence + /// has an imposed order. Unless explicitly specified, there is otherwise no + /// guaranteed order. + #[prost(message, repeated, tag = "1")] + pub certificates: ::prost::alloc::vec::Vec, +} +/// The time range is closed and includes both the start and end times, +/// (i.e., \[start, end\]). +/// End is optional to be able to capture a period that has started but +/// has no known end. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.common.v1.TimeRange")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct TimeRange { + #[prost(message, optional, tag = "1")] + pub start: ::core::option::Option<::prost_types::Timestamp>, + #[prost(message, optional, tag = "2")] + pub end: ::core::option::Option<::prost_types::Timestamp>, +} +/// Only a subset of the secure hash standard algorithms are supported. +/// See <> for more +/// details. +/// UNSPECIFIED SHOULD not be used, primary reason for inclusion is to force +/// any proto JSON serialization to emit the used hash algorithm, as default +/// option is to *omit* the default value of an enum (which is the first +/// value, represented by '0'. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)] +#[repr(i32)] +pub enum HashAlgorithm { + Unspecified = 0, + Sha2256 = 1, + Sha2384 = 2, + Sha2512 = 3, + Sha3256 = 4, + Sha3384 = 5, +} +impl HashAlgorithm { + /// String value of the enum field names used in the ProtoBuf definition. + /// + /// The values are not transformed in any way and thus are considered stable + /// (if the ProtoBuf definition does not change) and safe for programmatic use. + pub fn as_str_name(&self) -> &'static str { + match self { + HashAlgorithm::Unspecified => "HASH_ALGORITHM_UNSPECIFIED", + HashAlgorithm::Sha2256 => "SHA2_256", + HashAlgorithm::Sha2384 => "SHA2_384", + HashAlgorithm::Sha2512 => "SHA2_512", + HashAlgorithm::Sha3256 => "SHA3_256", + HashAlgorithm::Sha3384 => "SHA3_384", + } + } + /// Creates an enum from field names used in the ProtoBuf definition. + pub fn from_str_name(value: &str) -> ::core::option::Option { + match value { + "HASH_ALGORITHM_UNSPECIFIED" => Some(Self::Unspecified), + "SHA2_256" => Some(Self::Sha2256), + "SHA2_384" => Some(Self::Sha2384), + "SHA2_512" => Some(Self::Sha2512), + "SHA3_256" => Some(Self::Sha3256), + "SHA3_384" => Some(Self::Sha3384), + _ => None, + } + } +} +/// Details of a specific public key, capturing the the key encoding method, +/// and signature algorithm. +/// +/// PublicKeyDetails captures the public key/hash algorithm combinations +/// recommended in the Sigstore ecosystem. +/// +/// This is modelled as a linear set as we want to provide a small number of +/// opinionated options instead of allowing every possible permutation. +/// +/// Any changes to this enum MUST be reflected in the algorithm registry. +/// See: docs/algorithm-registry.md +/// +/// To avoid the possibility of contradicting formats such as PKCS1 with +/// ED25519 the valid permutations are listed as a linear set instead of a +/// cartesian set (i.e one combined variable instead of two, one for encoding +/// and one for the signature algorithm). +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)] +#[repr(i32)] +pub enum PublicKeyDetails { + Unspecified = 0, + /// RSA + /// + /// See RFC8017 + Pkcs1RsaPkcs1v5 = 1, + /// See RFC8017 + Pkcs1RsaPss = 2, + PkixRsaPkcs1v5 = 3, + PkixRsaPss = 4, + /// RSA public key in PKIX format, PKCS#1v1.5 signature + PkixRsaPkcs1v152048Sha256 = 9, + PkixRsaPkcs1v153072Sha256 = 10, + PkixRsaPkcs1v154096Sha256 = 11, + /// RSA public key in PKIX format, RSASSA-PSS signature + /// + /// See RFC4055 + PkixRsaPss2048Sha256 = 16, + PkixRsaPss3072Sha256 = 17, + PkixRsaPss4096Sha256 = 18, + /// ECDSA + /// + /// See RFC6979 + PkixEcdsaP256HmacSha256 = 6, + /// See NIST FIPS 186-4 + PkixEcdsaP256Sha256 = 5, + PkixEcdsaP384Sha384 = 12, + PkixEcdsaP521Sha512 = 13, + /// Ed 25519 + /// + /// See RFC8032 + PkixEd25519 = 7, + PkixEd25519Ph = 8, + /// LMS and LM-OTS + /// + /// These keys and signatures may be used by private Sigstore + /// deployments, but are not currently supported by the public + /// good instance. + /// + /// USER WARNING: LMS and LM-OTS are both stateful signature schemes. + /// Using them correctly requires discretion and careful consideration + /// to ensure that individual secret keys are not used more than once. + /// In addition, LM-OTS is a single-use scheme, meaning that it + /// MUST NOT be used for more than one signature per LM-OTS key. + /// If you cannot maintain these invariants, you MUST NOT use these + /// schemes. + LmsSha256 = 14, + LmotsSha256 = 15, +} +impl PublicKeyDetails { + /// String value of the enum field names used in the ProtoBuf definition. + /// + /// The values are not transformed in any way and thus are considered stable + /// (if the ProtoBuf definition does not change) and safe for programmatic use. + pub fn as_str_name(&self) -> &'static str { + match self { + PublicKeyDetails::Unspecified => "PUBLIC_KEY_DETAILS_UNSPECIFIED", + PublicKeyDetails::Pkcs1RsaPkcs1v5 => "PKCS1_RSA_PKCS1V5", + PublicKeyDetails::Pkcs1RsaPss => "PKCS1_RSA_PSS", + PublicKeyDetails::PkixRsaPkcs1v5 => "PKIX_RSA_PKCS1V5", + PublicKeyDetails::PkixRsaPss => "PKIX_RSA_PSS", + PublicKeyDetails::PkixRsaPkcs1v152048Sha256 => { + "PKIX_RSA_PKCS1V15_2048_SHA256" + } + PublicKeyDetails::PkixRsaPkcs1v153072Sha256 => { + "PKIX_RSA_PKCS1V15_3072_SHA256" + } + PublicKeyDetails::PkixRsaPkcs1v154096Sha256 => { + "PKIX_RSA_PKCS1V15_4096_SHA256" + } + PublicKeyDetails::PkixRsaPss2048Sha256 => "PKIX_RSA_PSS_2048_SHA256", + PublicKeyDetails::PkixRsaPss3072Sha256 => "PKIX_RSA_PSS_3072_SHA256", + PublicKeyDetails::PkixRsaPss4096Sha256 => "PKIX_RSA_PSS_4096_SHA256", + PublicKeyDetails::PkixEcdsaP256HmacSha256 => "PKIX_ECDSA_P256_HMAC_SHA_256", + PublicKeyDetails::PkixEcdsaP256Sha256 => "PKIX_ECDSA_P256_SHA_256", + PublicKeyDetails::PkixEcdsaP384Sha384 => "PKIX_ECDSA_P384_SHA_384", + PublicKeyDetails::PkixEcdsaP521Sha512 => "PKIX_ECDSA_P521_SHA_512", + PublicKeyDetails::PkixEd25519 => "PKIX_ED25519", + PublicKeyDetails::PkixEd25519Ph => "PKIX_ED25519_PH", + PublicKeyDetails::LmsSha256 => "LMS_SHA256", + PublicKeyDetails::LmotsSha256 => "LMOTS_SHA256", + } + } + /// Creates an enum from field names used in the ProtoBuf definition. + pub fn from_str_name(value: &str) -> ::core::option::Option { + match value { + "PUBLIC_KEY_DETAILS_UNSPECIFIED" => Some(Self::Unspecified), + "PKCS1_RSA_PKCS1V5" => Some(Self::Pkcs1RsaPkcs1v5), + "PKCS1_RSA_PSS" => Some(Self::Pkcs1RsaPss), + "PKIX_RSA_PKCS1V5" => Some(Self::PkixRsaPkcs1v5), + "PKIX_RSA_PSS" => Some(Self::PkixRsaPss), + "PKIX_RSA_PKCS1V15_2048_SHA256" => Some(Self::PkixRsaPkcs1v152048Sha256), + "PKIX_RSA_PKCS1V15_3072_SHA256" => Some(Self::PkixRsaPkcs1v153072Sha256), + "PKIX_RSA_PKCS1V15_4096_SHA256" => Some(Self::PkixRsaPkcs1v154096Sha256), + "PKIX_RSA_PSS_2048_SHA256" => Some(Self::PkixRsaPss2048Sha256), + "PKIX_RSA_PSS_3072_SHA256" => Some(Self::PkixRsaPss3072Sha256), + "PKIX_RSA_PSS_4096_SHA256" => Some(Self::PkixRsaPss4096Sha256), + "PKIX_ECDSA_P256_HMAC_SHA_256" => Some(Self::PkixEcdsaP256HmacSha256), + "PKIX_ECDSA_P256_SHA_256" => Some(Self::PkixEcdsaP256Sha256), + "PKIX_ECDSA_P384_SHA_384" => Some(Self::PkixEcdsaP384Sha384), + "PKIX_ECDSA_P521_SHA_512" => Some(Self::PkixEcdsaP521Sha512), + "PKIX_ED25519" => Some(Self::PkixEd25519), + "PKIX_ED25519_PH" => Some(Self::PkixEd25519Ph), + "LMS_SHA256" => Some(Self::LmsSha256), + "LMOTS_SHA256" => Some(Self::LmotsSha256), + _ => None, + } + } +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)] +#[repr(i32)] +pub enum SubjectAlternativeNameType { + Unspecified = 0, + Email = 1, + Uri = 2, + /// OID 1.3.6.1.4.1.57264.1.7 + /// See + /// for more details. + OtherName = 3, +} +impl SubjectAlternativeNameType { + /// String value of the enum field names used in the ProtoBuf definition. + /// + /// The values are not transformed in any way and thus are considered stable + /// (if the ProtoBuf definition does not change) and safe for programmatic use. + pub fn as_str_name(&self) -> &'static str { + match self { + SubjectAlternativeNameType::Unspecified => { + "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED" + } + SubjectAlternativeNameType::Email => "EMAIL", + SubjectAlternativeNameType::Uri => "URI", + SubjectAlternativeNameType::OtherName => "OTHER_NAME", + } + } + /// Creates an enum from field names used in the ProtoBuf definition. + pub fn from_str_name(value: &str) -> ::core::option::Option { + match value { + "SUBJECT_ALTERNATIVE_NAME_TYPE_UNSPECIFIED" => Some(Self::Unspecified), + "EMAIL" => Some(Self::Email), + "URI" => Some(Self::Uri), + "OTHER_NAME" => Some(Self::OtherName), + _ => None, + } + } +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.events.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.events.v1.rs new file mode 100644 index 00000000..1bc03c44 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.events.v1.rs @@ -0,0 +1,104 @@ +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.events.v1.CloudEvent")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct CloudEvent { + /// Required Attributes + #[prost(string, tag = "1")] + pub id: ::prost::alloc::string::String, + /// URI-reference + #[prost(string, tag = "2")] + pub source: ::prost::alloc::string::String, + #[prost(string, tag = "3")] + pub spec_version: ::prost::alloc::string::String, + #[prost(string, tag = "4")] + pub r#type: ::prost::alloc::string::String, + /// Optional & Extension Attributes + #[prost(map = "string, message", tag = "5")] + pub attributes: ::std::collections::HashMap< + ::prost::alloc::string::String, + cloud_event::CloudEventAttributeValue, + >, + /// -- CloudEvent Data (Bytes, Text, or Proto) + #[prost(oneof = "cloud_event::Data", tags = "6, 7, 8")] + pub data: ::core::option::Option, +} +/// Nested message and enum types in `CloudEvent`. +pub mod cloud_event { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(::prost_reflect::ReflectMessage)] + #[prost_reflect( + message_name = "dev.sigstore.events.v1.CloudEvent.CloudEventAttributeValue" + )] + #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Message)] + pub struct CloudEventAttributeValue { + #[prost( + oneof = "cloud_event_attribute_value::Attr", + tags = "1, 2, 3, 4, 5, 6, 7" + )] + pub attr: ::core::option::Option, + } + /// Nested message and enum types in `CloudEventAttributeValue`. + pub mod cloud_event_attribute_value { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Attr { + #[prost(bool, tag = "1")] + CeBoolean(bool), + #[prost(int32, tag = "2")] + CeInteger(i32), + #[prost(string, tag = "3")] + CeString(::prost::alloc::string::String), + #[prost(bytes, tag = "4")] + CeBytes(::prost::alloc::vec::Vec), + #[prost(string, tag = "5")] + CeUri(::prost::alloc::string::String), + #[prost(string, tag = "6")] + CeUriRef(::prost::alloc::string::String), + #[prost(message, tag = "7")] + CeTimestamp(::prost_types::Timestamp), + } + } + /// -- CloudEvent Data (Bytes, Text, or Proto) + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Data { + #[prost(bytes, tag = "6")] + BinaryData(::prost::alloc::vec::Vec), + #[prost(string, tag = "7")] + TextData(::prost::alloc::string::String), + #[prost(message, tag = "8")] + ProtoData(::prost_types::Any), + } +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.events.v1.CloudEventBatch")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct CloudEventBatch { + #[prost(message, repeated, tag = "1")] + pub events: ::prost::alloc::vec::Vec, +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs new file mode 100644 index 00000000..c849b5d3 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.rekor.v1.rs @@ -0,0 +1,161 @@ +/// KindVersion contains the entry's kind and api version. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v1.KindVersion")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct KindVersion { + /// Kind is the type of entry being stored in the log. + /// See here for a list: + #[prost(string, tag = "1")] + pub kind: ::prost::alloc::string::String, + /// The specific api version of the type. + #[prost(string, tag = "2")] + pub version: ::prost::alloc::string::String, +} +/// The checkpoint contains a signature of the tree head (root hash), +/// size of the tree, the transparency log's unique identifier (log ID), +/// hostname and the current time. +/// The result is a string, the format is described here +/// +/// The details are here +/// The signature has the same format as +/// InclusionPromise.signed_entry_timestamp. See below for more details. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v1.Checkpoint")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Checkpoint { + #[prost(string, tag = "1")] + pub envelope: ::prost::alloc::string::String, +} +/// InclusionProof is the proof returned from the transparency log. Can +/// be used for offline or online verification against the log. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v1.InclusionProof")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct InclusionProof { + /// The index of the entry in the tree it was written to. + #[prost(int64, tag = "1")] + pub log_index: i64, + /// The hash digest stored at the root of the merkle tree at the time + /// the proof was generated. + #[prost(bytes = "vec", tag = "2")] + pub root_hash: ::prost::alloc::vec::Vec, + /// The size of the merkle tree at the time the proof was generated. + #[prost(int64, tag = "3")] + pub tree_size: i64, + /// A list of hashes required to compute the inclusion proof, sorted + /// in order from leaf to root. + /// Note that leaf and root hashes are not included. + /// The root hash is available separately in this message, and the + /// leaf hash should be calculated by the client. + #[prost(bytes = "vec", repeated, tag = "4")] + pub hashes: ::prost::alloc::vec::Vec<::prost::alloc::vec::Vec>, + /// Signature of the tree head, as of the time of this proof was + /// generated. See above info on 'Checkpoint' for more details. + #[prost(message, optional, tag = "5")] + pub checkpoint: ::core::option::Option, +} +/// The inclusion promise is calculated by Rekor. It's calculated as a +/// signature over a canonical JSON serialization of the persisted entry, the +/// log ID, log index and the integration timestamp. +/// See +/// The format of the signature depends on the transparency log's public key. +/// If the signature algorithm requires a hash function and/or a signature +/// scheme (e.g. RSA) those has to be retrieved out-of-band from the log's +/// operators, together with the public key. +/// This is used to verify the integration timestamp's value and that the log +/// has promised to include the entry. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v1.InclusionPromise")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct InclusionPromise { + #[prost(bytes = "vec", tag = "1")] + pub signed_entry_timestamp: ::prost::alloc::vec::Vec, +} +/// TransparencyLogEntry captures all the details required from Rekor to +/// reconstruct an entry, given that the payload is provided via other means. +/// This type can easily be created from the existing response from Rekor. +/// Future iterations could rely on Rekor returning the minimal set of +/// attributes (excluding the payload) that are required for verifying the +/// inclusion promise. The inclusion promise (called SignedEntryTimestamp in +/// the response from Rekor) is similar to a Signed Certificate Timestamp +/// as described here +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.rekor.v1.TransparencyLogEntry")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct TransparencyLogEntry { + /// The global index of the entry, used when querying the log by index. + #[prost(int64, tag = "1")] + pub log_index: i64, + /// The unique identifier of the log. + #[prost(message, optional, tag = "2")] + pub log_id: ::core::option::Option, + /// The kind (type) and version of the object associated with this + /// entry. These values are required to construct the entry during + /// verification. + #[prost(message, optional, tag = "3")] + pub kind_version: ::core::option::Option, + /// The UNIX timestamp from the log when the entry was persisted. + #[prost(int64, tag = "4")] + pub integrated_time: i64, + /// The inclusion promise/signed entry timestamp from the log. + /// Required for v0.1 bundles, and MUST be verified. + /// Optional for >= v0.2 bundles, and SHOULD be verified when present. + /// Also may be used as a signed timestamp. + #[prost(message, optional, tag = "5")] + pub inclusion_promise: ::core::option::Option, + /// The inclusion proof can be used for offline or online verification + /// that the entry was appended to the log, and that the log has not been + /// altered. + #[prost(message, optional, tag = "6")] + pub inclusion_proof: ::core::option::Option, + /// Optional. The canonicalized transparency log entry, used to + /// reconstruct the Signed Entry Timestamp (SET) during verification. + /// The contents of this field are the same as the `body` field in + /// a Rekor response, meaning that it does **not** include the "full" + /// canonicalized form (of log index, ID, etc.) which are + /// exposed as separate fields. The verifier is responsible for + /// combining the `canonicalized_body`, `log_index`, `log_id`, + /// and `integrated_time` into the payload that the SET's signature + /// is generated over. + /// This field is intended to be used in cases where the SET cannot be + /// produced determinisitically (e.g. inconsistent JSON field ordering, + /// differing whitespace, etc). + /// + /// If set, clients MUST verify that the signature referenced in the + /// `canonicalized_body` matches the signature provided in the + /// `Bundle.content`. + /// If not set, clients are responsible for constructing an equivalent + /// payload from other sources to verify the signature. + #[prost(bytes = "vec", tag = "7")] + pub canonicalized_body: ::prost::alloc::vec::Vec, +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs new file mode 100644 index 00000000..662c35ee --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs @@ -0,0 +1,132 @@ +/// TransparencyLogInstance describes the immutable parameters from a +/// transparency log. +/// See +/// for more details. +/// The included parameters are the minimal set required to identify a log, +/// and verify an inclusion proof/promise. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.TransparencyLogInstance")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct TransparencyLogInstance { + /// The base URL at which can be used to URLs for the client. + #[prost(string, tag = "1")] + pub base_url: ::prost::alloc::string::String, + /// The hash algorithm used for the Merkle Tree. + #[prost(enumeration = "super::super::common::v1::HashAlgorithm", tag = "2")] + pub hash_algorithm: i32, + /// The public key used to verify signatures generated by the log. + /// This attribute contains the signature algorithm used by the log. + #[prost(message, optional, tag = "3")] + pub public_key: ::core::option::Option, + /// The unique identifier for this transparency log. + #[prost(message, optional, tag = "4")] + pub log_id: ::core::option::Option, +} +/// CertificateAuthority enlists the information required to identify which +/// CA to use and perform signature verification. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.CertificateAuthority")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct CertificateAuthority { + /// The root certificate MUST be self-signed, and so the subject and + /// issuer are the same. + #[prost(message, optional, tag = "1")] + pub subject: ::core::option::Option, + /// The URI identifies the certificate authority. + /// + /// It is RECOMMENDED that the URI is the base URL for the certificate + /// authority, that can be provided to any SDK/client provided + /// by the certificate authority to interact with the certificate + /// authority. + #[prost(string, tag = "2")] + pub uri: ::prost::alloc::string::String, + /// The certificate chain for this CA. + #[prost(message, optional, tag = "3")] + pub cert_chain: ::core::option::Option< + super::super::common::v1::X509CertificateChain, + >, + /// The time the *entire* chain was valid. This is at max the + /// longest interval when *all* certificates in the chain were valid, + /// but it MAY be shorter. Clients MUST check timestamps against *both* + /// the `valid_for` time range *and* the entire certificate chain. + /// + /// The TimeRange should be considered valid *inclusive* of the + /// endpoints. + #[prost(message, optional, tag = "4")] + pub valid_for: ::core::option::Option, +} +/// TrustedRoot describes the client's complete set of trusted entities. +/// How the TrustedRoot is populated is not specified, but can be a +/// combination of many sources such as TUF repositories, files on disk etc. +/// +/// The TrustedRoot is not meant to be used for any artifact verification, only +/// to capture the complete/global set of trusted verification materials. +/// When verifying an artifact, based on the artifact and policies, a selection +/// of keys/authorities are expected to be extracted and provided to the +/// verification function. This way the set of keys/authorities can be kept to +/// a minimal set by the policy to gain better control over what signatures +/// that are allowed. +/// +/// The embedded transparency logs, CT logs, CAs and TSAs MUST include any +/// previously used instance -- otherwise signatures made in the past cannot +/// be verified. +/// +/// All the listed instances SHOULD be sorted by the 'valid_for' in ascending +/// order, that is, the oldest instance first. Only the last instance is +/// allowed to have their 'end' timestamp unset. All previous instances MUST +/// have a closed interval of validity. The last instance MAY have a closed +/// interval. Clients MUST accept instances that overlaps in time, if not +/// clients may experience problems during rotations of verification +/// materials. +/// +/// To be able to manage planned rotations of either transparency logs or +/// certificate authorities, clienst MUST accept lists of instances where +/// the last instance have a 'valid_for' that belongs to the future. +/// This should not be a problem as clients SHOULD first seek the trust root +/// for a suitable instance before creating a per artifact trust root (that +/// is, a sub-set of the complete trust root) that is used for verification. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.TrustedRoot")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct TrustedRoot { + /// MUST be application/vnd.dev.sigstore.trustedroot+json;version=0.1 + #[prost(string, tag = "1")] + pub media_type: ::prost::alloc::string::String, + /// A set of trusted Rekor servers. + #[prost(message, repeated, tag = "2")] + pub tlogs: ::prost::alloc::vec::Vec, + /// A set of trusted certificate authorities (e.g Fulcio), and any + /// intermediate certificates they provide. + /// If a CA is issuing multiple intermediate certificate, each + /// combination shall be represented as separate chain. I.e, a single + /// root cert may appear in multiple chains but with different + /// intermediate and/or leaf certificates. + /// The certificates are intended to be used for verifying artifact + /// signatures. + #[prost(message, repeated, tag = "3")] + pub certificate_authorities: ::prost::alloc::vec::Vec, + /// A set of trusted certificate transparency logs. + #[prost(message, repeated, tag = "4")] + pub ctlogs: ::prost::alloc::vec::Vec, + /// A set of trusted timestamping authorities. + #[prost(message, repeated, tag = "5")] + pub timestamp_authorities: ::prost::alloc::vec::Vec, +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.verification.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.verification.v1.rs new file mode 100644 index 00000000..f67aa991 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.verification.v1.rs @@ -0,0 +1,304 @@ +/// The identity of a X.509 Certificate signer. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.verification.v1.CertificateIdentity")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct CertificateIdentity { + /// The X.509v3 issuer extension (OID 1.3.6.1.4.1.57264.1.1) + #[prost(string, tag = "1")] + pub issuer: ::prost::alloc::string::String, + #[prost(message, optional, tag = "2")] + pub san: ::core::option::Option, + /// An unordered list of OIDs that must be verified. + /// All OID/values provided in this list MUST exactly match against + /// the values in the certificate for verification to be successful. + #[prost(message, repeated, tag = "3")] + pub oids: ::prost::alloc::vec::Vec< + super::super::common::v1::ObjectIdentifierValuePair, + >, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.verification.v1.CertificateIdentities")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct CertificateIdentities { + #[prost(message, repeated, tag = "1")] + pub identities: ::prost::alloc::vec::Vec, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.verification.v1.PublicKeyIdentities")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct PublicKeyIdentities { + #[prost(message, repeated, tag = "1")] + pub public_keys: ::prost::alloc::vec::Vec, +} +/// A light-weight set of options/policies for identifying trusted signers, +/// used during verification of a single artifact. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect( + message_name = "dev.sigstore.verification.v1.ArtifactVerificationOptions" +)] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct ArtifactVerificationOptions { + /// Optional options for artifact transparency log verification. + /// If none is provided, the default verification options are: + /// Threshold: 1 + /// Online verification: false + /// Disable: false + #[prost(message, optional, tag = "3")] + pub tlog_options: ::core::option::Option, + /// Optional options for certificate transparency log verification. + /// If none is provided, the default verification options are: + /// Threshold: 1 + /// Disable: false + #[prost(message, optional, tag = "4")] + pub ctlog_options: ::core::option::Option< + artifact_verification_options::CtlogOptions, + >, + /// Optional options for certificate signed timestamp verification. + /// If none is provided, the default verification options are: + /// Threshold: 0 + /// Disable: true + #[prost(message, optional, tag = "5")] + pub tsa_options: ::core::option::Option< + artifact_verification_options::TimestampAuthorityOptions, + >, + /// Optional options for integrated timestamp verification. + /// If none is provided, the default verification options are: + /// Threshold: 0 + /// Disable: true + #[prost(message, optional, tag = "6")] + pub integrated_ts_options: ::core::option::Option< + artifact_verification_options::TlogIntegratedTimestampOptions, + >, + /// Optional options for observed timestamp verification. + /// If none is provided, the default verification options are: + /// Threshold 1 + /// Disable: false + #[prost(message, optional, tag = "7")] + pub observer_options: ::core::option::Option< + artifact_verification_options::ObserverTimestampOptions, + >, + /// At least one identity MUST be provided. Providing zero identities + /// is an error. If at least one provided identity is found as a + /// signer, the verification is considered successful. + #[prost(oneof = "artifact_verification_options::Signers", tags = "1, 2")] + pub signers: ::core::option::Option, +} +/// Nested message and enum types in `ArtifactVerificationOptions`. +pub mod artifact_verification_options { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(::prost_reflect::ReflectMessage)] + #[prost_reflect( + message_name = "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogOptions" + )] + #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Message)] + pub struct TlogOptions { + /// Number of transparency logs the entry must appear on. + #[prost(int32, tag = "1")] + pub threshold: i32, + /// Perform an online inclusion proof. + #[prost(bool, tag = "2")] + pub perform_online_verification: bool, + /// Disable verification for transparency logs. + #[prost(bool, tag = "3")] + pub disable: bool, + } + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(::prost_reflect::ReflectMessage)] + #[prost_reflect( + message_name = "dev.sigstore.verification.v1.ArtifactVerificationOptions.CtlogOptions" + )] + #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Message)] + pub struct CtlogOptions { + /// The number of ct transparency logs the certificate must + /// appear on. + #[prost(int32, tag = "1")] + pub threshold: i32, + /// Disable ct transparency log verification + #[prost(bool, tag = "3")] + pub disable: bool, + } + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(::prost_reflect::ReflectMessage)] + #[prost_reflect( + message_name = "dev.sigstore.verification.v1.ArtifactVerificationOptions.TimestampAuthorityOptions" + )] + #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Message)] + pub struct TimestampAuthorityOptions { + /// The number of signed timestamps that are expected. + #[prost(int32, tag = "1")] + pub threshold: i32, + /// Disable signed timestamp verification. + #[prost(bool, tag = "2")] + pub disable: bool, + } + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(::prost_reflect::ReflectMessage)] + #[prost_reflect( + message_name = "dev.sigstore.verification.v1.ArtifactVerificationOptions.TlogIntegratedTimestampOptions" + )] + #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Message)] + pub struct TlogIntegratedTimestampOptions { + /// The number of integrated timestamps that are expected. + #[prost(int32, tag = "1")] + pub threshold: i32, + /// Disable integrated timestamp verification. + #[prost(bool, tag = "2")] + pub disable: bool, + } + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[derive(::prost_reflect::ReflectMessage)] + #[prost_reflect( + message_name = "dev.sigstore.verification.v1.ArtifactVerificationOptions.ObserverTimestampOptions" + )] + #[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Message)] + pub struct ObserverTimestampOptions { + /// The number of external observers of the timestamp. + /// This is a union of RFC3161 signed timestamps, and + /// integrated timestamps from a transparency log, that + /// could include additional timestamp sources in the + /// future. + #[prost(int32, tag = "1")] + pub threshold: i32, + /// Disable observer timestamp verification. + #[prost(bool, tag = "2")] + pub disable: bool, + } + /// At least one identity MUST be provided. Providing zero identities + /// is an error. If at least one provided identity is found as a + /// signer, the verification is considered successful. + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Signers { + #[prost(message, tag = "1")] + CertificateIdentities(super::CertificateIdentities), + /// To simplify verification implementation, the logic for + /// bundle verification should be implemented as a + /// higher-order function, where one of argument should be an + /// interface over the set of trusted public keys, like this: + /// `Verify(bytes artifact, bytes signature, string key_id)`. + /// This way the caller is in full control of mapping the + /// identified (or hinted) key in the bundle to one of the + /// trusted keys, as this process is inherently application + /// specific. + #[prost(message, tag = "2")] + PublicKeys(super::PublicKeyIdentities), + } +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.verification.v1.Artifact")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Artifact { + #[prost(oneof = "artifact::Data", tags = "1, 2")] + pub data: ::core::option::Option, +} +/// Nested message and enum types in `Artifact`. +pub mod artifact { + #[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto + )] + #[allow(clippy::derive_partial_eq_without_eq)] + #[derive(Clone, PartialEq, ::prost::Oneof)] + pub enum Data { + /// Location of the artifact + #[prost(string, tag = "1")] + ArtifactUri(::prost::alloc::string::String), + /// The raw bytes of the artifact + #[prost(bytes, tag = "2")] + Artifact(::prost::alloc::vec::Vec), + } +} +/// Input captures all that is needed to call the bundle verification method, +/// to verify a single artifact referenced by the bundle. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "dev.sigstore.verification.v1.Input")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Input { + /// The verification materials provided during a bundle verification. + /// The running process is usually preloaded with a "global" + /// dev.sisgtore.trustroot.TrustedRoot.v1 instance. Prior to + /// verifying an artifact (i.e a bundle), and/or based on current + /// policy, some selection is expected to happen, to filter out the + /// exact certificate authority to use, which transparency logs are + /// relevant etc. The result should b ecaptured in the + /// `artifact_trust_root`. + #[prost(message, optional, tag = "1")] + pub artifact_trust_root: ::core::option::Option< + super::super::trustroot::v1::TrustedRoot, + >, + #[prost(message, optional, tag = "2")] + pub artifact_verification_options: ::core::option::Option< + ArtifactVerificationOptions, + >, + #[prost(message, optional, tag = "3")] + pub bundle: ::core::option::Option, + /// If the bundle contains a message signature, the artifact must be + /// provided. + #[prost(message, optional, tag = "4")] + pub artifact: ::core::option::Option, +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin new file mode 100644 index 00000000..5b5997e3 Binary files /dev/null and b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin differ diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/google.api.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/google.api.rs new file mode 100644 index 00000000..aec83179 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/google.api.rs @@ -0,0 +1,72 @@ +/// An indicator of the behavior of a given field (for example, that a field +/// is required in requests, or given as output but ignored as input). +/// This **does not** change the behavior in protocol buffers itself; it only +/// denotes the behavior and may affect how API tooling handles the field. +/// +/// Note: This enum **may** receive new values in the future. +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)] +#[repr(i32)] +pub enum FieldBehavior { + /// Conventional default for enums. Do not use this. + Unspecified = 0, + /// Specifically denotes a field as optional. + /// While all fields in protocol buffers are optional, this may be specified + /// for emphasis if appropriate. + Optional = 1, + /// Denotes a field as required. + /// This indicates that the field **must** be provided as part of the request, + /// and failure to do so will cause an error (usually `INVALID_ARGUMENT`). + Required = 2, + /// Denotes a field as output only. + /// This indicates that the field is provided in responses, but including the + /// field in a request does nothing (the server *must* ignore it and + /// *must not* throw an error as a result of the field's presence). + OutputOnly = 3, + /// Denotes a field as input only. + /// This indicates that the field is provided in requests, and the + /// corresponding field is not included in output. + InputOnly = 4, + /// Denotes a field as immutable. + /// This indicates that the field may be set once in a request to create a + /// resource, but may not be changed thereafter. + Immutable = 5, + /// Denotes that a (repeated) field is an unordered list. + /// This indicates that the service may provide the elements of the list + /// in any arbitrary order, rather than the order the user originally + /// provided. Additionally, the list's order may or may not be stable. + UnorderedList = 6, +} +impl FieldBehavior { + /// String value of the enum field names used in the ProtoBuf definition. + /// + /// The values are not transformed in any way and thus are considered stable + /// (if the ProtoBuf definition does not change) and safe for programmatic use. + pub fn as_str_name(&self) -> &'static str { + match self { + FieldBehavior::Unspecified => "FIELD_BEHAVIOR_UNSPECIFIED", + FieldBehavior::Optional => "OPTIONAL", + FieldBehavior::Required => "REQUIRED", + FieldBehavior::OutputOnly => "OUTPUT_ONLY", + FieldBehavior::InputOnly => "INPUT_ONLY", + FieldBehavior::Immutable => "IMMUTABLE", + FieldBehavior::UnorderedList => "UNORDERED_LIST", + } + } + /// Creates an enum from field names used in the ProtoBuf definition. + pub fn from_str_name(value: &str) -> ::core::option::Option { + match value { + "FIELD_BEHAVIOR_UNSPECIFIED" => Some(Self::Unspecified), + "OPTIONAL" => Some(Self::Optional), + "REQUIRED" => Some(Self::Required), + "OUTPUT_ONLY" => Some(Self::OutputOnly), + "INPUT_ONLY" => Some(Self::InputOnly), + "IMMUTABLE" => Some(Self::Immutable), + "UNORDERED_LIST" => Some(Self::UnorderedList), + _ => None, + } + } +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/io.intoto.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/io.intoto.rs new file mode 100644 index 00000000..110deaf1 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/io.intoto.rs @@ -0,0 +1,36 @@ +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "io.intoto.Envelope")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Envelope { + #[prost(bytes = "vec", tag = "1")] + pub payload: ::prost::alloc::vec::Vec, + #[prost(string, tag = "2")] + pub payload_type: ::prost::alloc::string::String, + #[prost(message, repeated, tag = "3")] + pub signatures: ::prost::alloc::vec::Vec, +} +#[derive( + sigstore_protobuf_specs_derive::Deserialize_proto, + sigstore_protobuf_specs_derive::Serialize_proto +)] +#[derive(::prost_reflect::ReflectMessage)] +#[prost_reflect(message_name = "io.intoto.Signature")] +#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")] +#[allow(clippy::derive_partial_eq_without_eq)] +#[derive(Clone, PartialEq, ::prost::Message)] +pub struct Signature { + /// Signature itself. (In JSON, this is encoded as base64.) + /// REQUIRED. + #[prost(bytes = "vec", tag = "1")] + pub sig: ::prost::alloc::vec::Vec, + /// *Unauthenticated* hint identifying which public key was used. + /// OPTIONAL. + #[prost(string, tag = "2")] + pub keyid: ::prost::alloc::string::String, +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs new file mode 100644 index 00000000..4c37c273 --- /dev/null +++ b/gen/pb-rust/sigstore-protobuf-specs/src/generated/mod.rs @@ -0,0 +1,44 @@ +pub mod dev { + pub mod sigstore { + pub mod bundle { + pub mod v1 { + include!("dev.sigstore.bundle.v1.rs"); + } + } + pub mod common { + pub mod v1 { + include!("dev.sigstore.common.v1.rs"); + } + } + pub mod events { + pub mod v1 { + include!("dev.sigstore.events.v1.rs"); + } + } + pub mod rekor { + pub mod v1 { + include!("dev.sigstore.rekor.v1.rs"); + } + } + pub mod trustroot { + pub mod v1 { + include!("dev.sigstore.trustroot.v1.rs"); + } + } + pub mod verification { + pub mod v1 { + include!("dev.sigstore.verification.v1.rs"); + } + } + } +} +pub mod google { + pub mod api { + include!("google.api.rs"); + } +} +pub mod io { + pub mod intoto { + include!("io.intoto.rs"); + } +} diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/lib.rs b/gen/pb-rust/sigstore-protobuf-specs/src/lib.rs index c2b4a954..10975ba2 100644 --- a/gen/pb-rust/sigstore-protobuf-specs/src/lib.rs +++ b/gen/pb-rust/sigstore-protobuf-specs/src/lib.rs @@ -1,4 +1,7 @@ -static FILE_DESCRIPTOR_SET_BYTES: &'static [u8] = - include_bytes!(concat!(env!("OUT_DIR"), "/file_descriptor_set.bin")); +static FILE_DESCRIPTOR_SET_BYTES: &'static [u8] = include_bytes!(concat!( + env!("CARGO_MANIFEST_DIR"), + "/src/generated/file_descriptor_set.bin" +)); -include!(concat!(env!("OUT_DIR"), "/mod.rs")); +mod generated; +pub use generated::*;