{
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/TransparencyLogInstance",
"definitions": {
"TransparencyLogInstance": {
"properties": {
"baseUrl": {
"type": "string",
"description": "The base URL from which the client constructs request URLs for this log."
},
"hashAlgorithm": {
"enum": [
"HASH_ALGORITHM_UNSPECIFIED",
"SHA2_256",
"SHA2_384",
"SHA2_512",
"SHA3_256",
"SHA3_384"
],
"type": "string",
"title": "This package defines commonly used message types within the Sigstore\n community.",
"description": "This package defines commonly used message types within the Sigstore community. Only a subset of the secure hash standard algorithms is supported: the SHA-2 family is specified in FIPS 180-4 (see \u003chttps://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf\u003e) and the SHA-3 family in FIPS 202. UNSPECIFIED SHOULD NOT be used; its primary reason for inclusion is to force proto JSON serialization to emit the hash algorithm actually used, because the default behaviour is to *omit* an enum's default value (the first value, represented by '0')."
},
"publicKey": {
"$ref": "#/definitions/dev.sigstore.common.v1.PublicKey",
"additionalProperties": false,
"description": "The public key used to verify signatures generated by the log. This attribute contains the signature algorithm used by the log."
},
"logId": {
"$ref": "#/definitions/dev.sigstore.common.v1.LogId",
"additionalProperties": false,
"description": "The unique identifier for this transparency log. Represented as the SHA-256 hash of the log's public key, calculated over the DER encoding of the key represented as SubjectPublicKeyInfo. See https://www.rfc-editor.org/rfc/rfc6962#section-3.2"
},
"checkpointKeyId": {
"$ref": "#/definitions/dev.sigstore.common.v1.LogId",
"additionalProperties": false,
"description": "The checkpoint key identifier for the log used in a checkpoint. Optional, not provided for logs that do not generate checkpoints. For logs that do generate checkpoints, if not set, assume log_id equals checkpoint_key_id. Follows the specification described here for ECDSA and Ed25519 signatures: https://github.com/C2SP/C2SP/blob/main/signed-note.md#signatures For RSA signatures, the key ID will match the ECDSA format, the hashed DER-encoded SPKI public key. Publicly witnessed logs MUST NOT use RSA-signed checkpoints, since witnesses do not support RSA signatures. This is provided for convenience. Clients can also calculate the checkpoint key ID given the log's public key. SHOULD be set for logs generating Ed25519 signatures. SHOULD be 4 bytes long, as a truncated hash."
}
},
"additionalProperties": false,
"type": "object",
"title": "Transparency Log Instance",
"description": "TransparencyLogInstance describes the immutable parameters from a transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters for more details. The included parameters are the minimal set required to identify a log, and verify an inclusion proof/promise."
},
"dev.sigstore.common.v1.LogId": {
"properties": {
"keyId": {
"type": "string",
"description": "The unique identity of the log, derived from its public key (a hash of the key, not the key itself; see the logId description on TransparencyLogInstance for the exact derivation).",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": false,
"type": "object",
"title": "Log Id",
"description": "LogId captures the identity of a transparency log."
},
"dev.sigstore.common.v1.PublicKey": {
"properties": {
"rawBytes": {
"type": "string",
"description": "DER-encoded public key, encoding method is specified by the key_details attribute.",
"format": "binary",
"binaryEncoding": "base64"
},
"keyDetails": {
"enum": [
"PUBLIC_KEY_DETAILS_UNSPECIFIED",
"PKCS1_RSA_PKCS1V5",
"PKCS1_RSA_PSS",
"PKIX_RSA_PKCS1V5",
"PKIX_RSA_PSS",
"PKIX_RSA_PKCS1V15_2048_SHA256",
"PKIX_RSA_PKCS1V15_3072_SHA256",
"PKIX_RSA_PKCS1V15_4096_SHA256",
"PKIX_RSA_PSS_2048_SHA256",
"PKIX_RSA_PSS_3072_SHA256",
"PKIX_RSA_PSS_4096_SHA256",
"PKIX_ECDSA_P256_HMAC_SHA_256",
"PKIX_ECDSA_P256_SHA_256",
"PKIX_ECDSA_P384_SHA_384",
"PKIX_ECDSA_P521_SHA_512",
"PKIX_ED25519",
"PKIX_ED25519_PH",
"LMS_SHA256",
"LMOTS_SHA256"
],
"type": "string",
"title": "Public Key Details",
"description": "Details of a specific public key, capturing the key encoding method and signature algorithm. PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem. This is modelled as a linear set because we want to provide a small number of opinionated options instead of allowing every possible permutation. Any changes to this enum MUST be reflected in the algorithm registry. See: docs/algorithm-registry.md To avoid the possibility of contradicting formats, such as PKCS1 with ED25519, the valid permutations are listed as a linear set instead of a cartesian set (i.e., one combined variable instead of two separate ones for encoding and signature algorithm)."
},
"validFor": {
"$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",
"additionalProperties": false,
"description": "Optional validity period for this key, *inclusive* of the endpoints. NOTE(review): the oneOf/required clause of this definition names `valid_for`, which does not match the `validFor` property name declared here; verify the generated schema before relying on it to enforce presence."
}
},
"additionalProperties": false,
"type": "object",
"oneOf": [
{
"required": [
"valid_for"
]
}
],
"title": "Public Key"
},
"dev.sigstore.common.v1.TimeRange": {
"properties": {
"start": {
"type": "string",
"format": "date-time"
},
"end": {
"type": "string",
"format": "date-time"
}
},
"additionalProperties": false,
"type": "object",
"oneOf": [
{
"required": [
"end"
]
}
],
"title": "Time Range",
"description": "The time range is closed and includes both the start and end times (i.e., [start, end]). End is optional, to be able to capture a period that has started but has no known end. NOTE(review): the oneOf/required clause of this definition lists `end` as required, which contradicts the optionality stated here; confirm the intended constraint before using this schema for validation."
}
}
}