1"use strict"; 2Object.defineProperty(exports, "__esModule", { value: true }); 3exports.createVerificationPolicy = exports.createKeyFinder = exports.createBundleBuilder = exports.DEFAULT_TIMEOUT = exports.DEFAULT_RETRY = void 0; 4/* 5Copyright 2023 The Sigstore Authors. 6 7Licensed under the Apache License, Version 2.0 (the "License"); 8you may not use this file except in compliance with the License. 9You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13Unless required by applicable law or agreed to in writing, software 14distributed under the License is distributed on an "AS IS" BASIS, 15WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16See the License for the specific language governing permissions and 17limitations under the License. 18*/ 19const core_1 = require("@sigstore/core"); 20const sign_1 = require("@sigstore/sign"); 21const verify_1 = require("@sigstore/verify"); 22exports.DEFAULT_RETRY = { retries: 2 }; 23exports.DEFAULT_TIMEOUT = 5000; 24function createBundleBuilder(bundleType, options) { 25 const bundlerOptions = { 26 signer: initSigner(options), 27 witnesses: initWitnesses(options), 28 }; 29 switch (bundleType) { 30 case 'messageSignature': 31 return new sign_1.MessageSignatureBundleBuilder(bundlerOptions); 32 case 'dsseEnvelope': 33 return new sign_1.DSSEBundleBuilder(bundlerOptions); 34 } 35} 36exports.createBundleBuilder = createBundleBuilder; 37// Translates the public KeySelector type into the KeyFinderFunc type needed by 38// the verifier. 39function createKeyFinder(keySelector) { 40 return (hint) => { 41 const key = keySelector(hint); 42 if (!key) { 43 throw new verify_1.VerificationError({ 44 code: 'PUBLIC_KEY_ERROR', 45 message: `key not found: ${hint}`, 46 }); 47 } 48 return { 49 publicKey: core_1.crypto.createPublicKey(key), 50 validFor: () => true, 51 }; 52 }; 53} 54exports.createKeyFinder = createKeyFinder; 55function createVerificationPolicy(options) { 56 const policy = {}; 57 const san = options.certificateIdentityEmail || options.certificateIdentityURI; 58 if (san) { 59 policy.subjectAlternativeName = san; 60 } 61 if (options.certificateIssuer) { 62 policy.extensions = { issuer: options.certificateIssuer }; 63 } 64 return policy; 65} 66exports.createVerificationPolicy = createVerificationPolicy; 67// Instantiate the FulcioSigner based on the supplied options. 68function initSigner(options) { 69 return new sign_1.FulcioSigner({ 70 fulcioBaseURL: options.fulcioURL, 71 identityProvider: options.identityProvider || initIdentityProvider(options), 72 retry: options.retry ?? exports.DEFAULT_RETRY, 73 timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, 74 }); 75} 76// Instantiate an identity provider based on the supplied options. If an 77// explicit identity token is provided, use that. Otherwise, use the CI 78// context provider. 79function initIdentityProvider(options) { 80 const token = options.identityToken; 81 if (token) { 82 /* istanbul ignore next */ 83 return { getToken: () => Promise.resolve(token) }; 84 } 85 else { 86 return new sign_1.CIContextProvider('sigstore'); 87 } 88} 89// Instantiate a collection of witnesses based on the supplied options. 90function initWitnesses(options) { 91 const witnesses = []; 92 if (isRekorEnabled(options)) { 93 witnesses.push(new sign_1.RekorWitness({ 94 rekorBaseURL: options.rekorURL, 95 fetchOnConflict: false, 96 retry: options.retry ?? exports.DEFAULT_RETRY, 97 timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, 98 })); 99 } 100 if (isTSAEnabled(options)) { 101 witnesses.push(new sign_1.TSAWitness({ 102 tsaBaseURL: options.tsaServerURL, 103 retry: options.retry ?? exports.DEFAULT_RETRY, 104 timeout: options.timeout ?? exports.DEFAULT_TIMEOUT, 105 })); 106 } 107 return witnesses; 108} 109// Type assertion to ensure that Rekor is enabled 110function isRekorEnabled(options) { 111 return options.tlogUpload !== false; 112} 113// Type assertion to ensure that TSA is enabled 114function isTSAEnabled(options) { 115 return options.tsaServerURL !== undefined; 116} 117