MyRepo-Ums/node_modules/sigstore/dist/tlog/verify/set.js

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.verifyTLogSET = void 0;
const util_1 = require("../../util");
// Verifies the SET for the given entry against the list of trusted
// transparency logs. Returns true if the SET can be verified against at least
// one of the trusted logs; otherwise, returns false.
function verifyTLogSET(entry, tlogs) {
    // Filter the list of tlog instances to only those which might be able to
    // verify the SET
    const validTLogs = filterTLogInstances(tlogs, entry.logId.keyId, entry.integratedTime);
    // Check to see if we can verify the SET against any of the valid tlogs
    return validTLogs.some((tlog) => {
        const publicKey = util_1.crypto.createPublicKey(tlog.publicKey.rawBytes);
        // Re-create the original Rekor verification payload
        const payload = toVerificationPayload(entry);
        // Canonicalize the payload and turn into a buffer for verification
        const data = Buffer.from(util_1.json.canonicalize(payload), 'utf8');
        // Extract the SET from the tlog entry
        const signature = entry.inclusionPromise.signedEntryTimestamp;
        return util_1.crypto.verifyBlob(data, publicKey, signature);
    });
}
exports.verifyTLogSET = verifyTLogSET;
// Returns a properly formatted "VerificationPayload" for one of the
// transaction log entires in the given bundle which can be used for SET
// verification.
function toVerificationPayload(entry) {
    const { integratedTime, logIndex, logId, canonicalizedBody } = entry;
    return {
        body: canonicalizedBody.toString('base64'),
        integratedTime: Number(integratedTime),
        logIndex: Number(logIndex),
        logID: logId.keyId.toString('hex'),
    };
}
// Filter the list of tlog instances to only those which match the given log
// ID and have public keys which are valid for the given integrated time.
function filterTLogInstances(tlogInstances, logID, integratedTime) {
    const targetDate = new Date(Number(integratedTime) * 1000);
    return tlogInstances.filter((tlog) => {
        // If the log IDs don't match, we can't use this tlog
        if (!tlog.logId?.keyId.equals(logID)) {
            return false;
        }
        // If the tlog doesn't have a public key, we can't use it
        const publicKey = tlog.publicKey;
        if (publicKey === undefined) {
            return false;
        }
        // If the tlog doesn't have a rawBytes field, we can't use it
        if (publicKey.rawBytes === undefined) {
            return false;
        }
        // If the tlog doesn't have a validFor field, we don't need to check it
        if (publicKey.validFor === undefined) {
            return true;
        }
        // Check that the integrated time is within the validFor range
        return (publicKey.validFor.start !== undefined &&
            publicKey.validFor.start <= targetDate &&
            (!publicKey.validFor.end || targetDate <= publicKey.validFor.end));
    });
}
first commit 2024-01-19 10:09:11 +00:00			`"use strict";`
			`Object.defineProperty(exports, "__esModule", { value: true });`
			`exports.verifyTLogSET = void 0;`
			`const util_1 = require("../../util");`
			`// Verifies the SET for the given entry against the list of trusted`
			`// transparency logs. Returns true if the SET can be verified against at least`
			`// one of the trusted logs; otherwise, returns false.`
			`function verifyTLogSET(entry, tlogs) {`
			`// Filter the list of tlog instances to only those which might be able to`
			`// verify the SET`
			`const validTLogs = filterTLogInstances(tlogs, entry.logId.keyId, entry.integratedTime);`
			`// Check to see if we can verify the SET against any of the valid tlogs`
			`return validTLogs.some((tlog) => {`
			`const publicKey = util_1.crypto.createPublicKey(tlog.publicKey.rawBytes);`
			`// Re-create the original Rekor verification payload`
			`const payload = toVerificationPayload(entry);`
			`// Canonicalize the payload and turn into a buffer for verification`
			`const data = Buffer.from(util_1.json.canonicalize(payload), 'utf8');`
			`// Extract the SET from the tlog entry`
			`const signature = entry.inclusionPromise.signedEntryTimestamp;`
			`return util_1.crypto.verifyBlob(data, publicKey, signature);`
			`});`
			`}`
			`exports.verifyTLogSET = verifyTLogSET;`
			`// Returns a properly formatted "VerificationPayload" for one of the`
			`// transaction log entires in the given bundle which can be used for SET`
			`// verification.`
			`function toVerificationPayload(entry) {`
			`const { integratedTime, logIndex, logId, canonicalizedBody } = entry;`
			`return {`
			`body: canonicalizedBody.toString('base64'),`
			`integratedTime: Number(integratedTime),`
			`logIndex: Number(logIndex),`
			`logID: logId.keyId.toString('hex'),`
			`};`
			`}`
			`// Filter the list of tlog instances to only those which match the given log`
			`// ID and have public keys which are valid for the given integrated time.`
			`function filterTLogInstances(tlogInstances, logID, integratedTime) {`
			`const targetDate = new Date(Number(integratedTime) * 1000);`
			`return tlogInstances.filter((tlog) => {`
			`// If the log IDs don't match, we can't use this tlog`
			`if (!tlog.logId?.keyId.equals(logID)) {`
			`return false;`
			`}`
			`// If the tlog doesn't have a public key, we can't use it`
			`const publicKey = tlog.publicKey;`
			`if (publicKey === undefined) {`
			`return false;`
			`}`
			`// If the tlog doesn't have a rawBytes field, we can't use it`
			`if (publicKey.rawBytes === undefined) {`
			`return false;`
			`}`
			`// If the tlog doesn't have a validFor field, we don't need to check it`
			`if (publicKey.validFor === undefined) {`
			`return true;`
			`}`
			`// Check that the integrated time is within the validFor range`
			`return (publicKey.validFor.start !== undefined &&`
			`publicKey.validFor.start <= targetDate &&`
			`(!publicKey.validFor.end \|\| targetDate <= publicKey.validFor.end));`
			`});`
			`}`