14 changes: 13 additions & 1 deletion in_toto/keylib.go
Expand Up @@ -285,6 +285,8 @@ On success it will return nil. The following errors can happen:
- no valid PKCS8/PKCS1 private key or PKIX public key
- errors while marshalling
- unsupported key types

Deprecated: This method has been deprecated.

I understand having just "This method has been deprecated." for where there's a whole package deprecation note.
But for packages where only specific functions are deprecated so far, do we want a longer comment that links to go-witness?

I am not sure how far we want to go. At first I thought of putting the deprecation notice only on package level, but then I realized that many IDEs and code editors do not pick up these deprecation notices and they only pick it up for method comments.

Adding a comment to EVERY method seems really toilsome for me, so I tried adding it only to the most important method to make clear that we deprecate this.

We can link to go-witness from there as well, but I kinda want to avoid putting a big notice on every exported variable and method.

*/
func (k *Key) LoadKey(path string, scheme string, KeyIDHashAlgorithms []string) error {
pemFile, err := os.Open(path)
Expand All @@ -301,6 +303,9 @@ func (k *Key) LoadKey(path string, scheme string, KeyIDHashAlgorithms []string)
return pemFile.Close()
}

// LoadKeyDefaults has been deprecated.
//
// Deprecated: This method has been deprecated.
func (k *Key) LoadKeyDefaults(path string) error {
pemFile, err := os.Open(path)
if err != nil {
Expand All @@ -317,6 +322,8 @@ func (k *Key) LoadKeyDefaults(path string) error {
}

// LoadKeyReader loads the key from a supplied reader. The logic matches LoadKey otherwise.
//
// Deprecated: This method has been deprecated.
func (k *Key) LoadKeyReader(r io.Reader, scheme string, KeyIDHashAlgorithms []string) error {
if r == nil {
return ErrNoPEMBlock
Expand All @@ -336,6 +343,9 @@ func (k *Key) LoadKeyReader(r io.Reader, scheme string, KeyIDHashAlgorithms []st
return k.loadKey(key, pemData, scheme, KeyIDHashAlgorithms)
}

// LoadKeyReaderDefaults has been deprecated.
//
// Deprecated: This method has been deprecated.
func (k *Key) LoadKeyReaderDefaults(r io.Reader) error {
if r == nil {
return ErrNoPEMBlock
Expand Down Expand Up @@ -447,7 +457,9 @@ func (k *Key) loadKey(keyObj interface{}, pemData *pem.Block, scheme string, key
/*
VerifyCertificateTrust verifies that the certificate has a chain of trust
to a root in rootCertPool, possibly using any intermediates in
intermediateCertPool
intermediateCertPool.

Deprecated: This method has been deprecated.
*/
func VerifyCertificateTrust(cert *x509.Certificate, rootCertPool, intermediateCertPool *x509.CertPool) ([][]*x509.Certificate, error) {
verifyOptions := x509.VerifyOptions{
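Review bot: The summary sentences added for `LoadKeyDefaults` and `LoadKeyReaderDefaults` (`// LoadKeyDefaults has been deprecated.`) only restate what the separate `Deprecated:` paragraph already carries, so these two methods end up with no description of what they do. Since the body visibly opens `path` (resp. reads from `r`) and the name suggests a default scheme and key-ID hash algorithms are applied, a summary along the lines of `// LoadKeyDefaults loads the key at path with the default scheme and key ID hash algorithms; see LoadKey.` would be more useful — confirm the defaults against the implementation, which continues outside the hunk. Separately, `VerifyCertificateTrust` is a package-level function, yet its note reads `Deprecated: This method has been deprecated.`; the same wording is applied to the free functions in model.go (`ValidateMetablock`), runlib.go and verifylib.go, where `Deprecated: This function has been deprecated.` would be accurate.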
14 changes: 14 additions & 0 deletions in_toto/model.go
Expand Up @@ -816,6 +816,8 @@ a valid JSON formatted Metablock that contains a Link or Layout.

Deprecated: Use LoadMetadata for a signature wrapper agnostic way to load an
envelope.

Deprecated: This method has been deprecated.
*/
func (mb *Metablock) Load(path string) error {
// Read entire file
Expand Down Expand Up @@ -858,6 +860,8 @@ func (mb *Metablock) Load(path string) error {
/*
Dump JSON serializes and writes the Metablock on which it was called to the
passed path. It returns an error if JSON serialization or writing fails.

Deprecated: This method has been deprecated.
*/
func (mb *Metablock) Dump(path string) error {
// JSON encode Metablock formatted with newlines and indentation
Expand All @@ -880,6 +884,8 @@ func (mb *Metablock) Dump(path string) error {
GetSignableRepresentation returns the canonical JSON representation of the
Signed field of the Metablock on which it was called. If canonicalization
fails the first return value is nil and the second return value is the error.

Deprecated: This method has been deprecated.
*/
func (mb *Metablock) GetSignableRepresentation() ([]byte, error) {
return cjson.EncodeCanonical(mb.Signed)
Expand All @@ -899,6 +905,8 @@ that it finds in the Signatures field of the Metablock on which it was called.
It returns an error if Signatures does not contain a Signature corresponding to
the passed Key, the object in Signed cannot be canonicalized, or the Signature
is invalid.

Deprecated: This method has been deprecated.
*/
func (mb *Metablock) VerifySignature(key Key) error {
sig, err := mb.GetSignatureForKeyID(key.KeyID)
Expand Down Expand Up @@ -930,6 +938,8 @@ func (mb *Metablock) VerifySignature(key Key) error {
}

// GetSignatureForKeyID returns the signature that was created by the provided keyID, if it exists.
//
// Deprecated: This method has been deprecated.
func (mb *Metablock) GetSignatureForKeyID(keyID string) (Signature, error) {
for _, s := range mb.Signatures {
if s.KeyID == keyID {
Expand All @@ -943,6 +953,8 @@ func (mb *Metablock) GetSignatureForKeyID(keyID string) (Signature, error) {
/*
ValidateMetablock ensures that a passed Metablock object is valid. It indirectly
validates the Link or Layout that the Metablock object contains.

Deprecated: This method has been deprecated.
*/
func ValidateMetablock(mb Metablock) error {
switch mbSignedType := mb.Signed.(type) {
Expand Down Expand Up @@ -971,6 +983,8 @@ Sign creates a signature over the signed portion of the metablock using the Key
object provided. It then appends the resulting signature to the signatures
field as provided. It returns an error if the Signed object cannot be
canonicalized, or if the key is invalid or not supported.

Deprecated: This method has been deprecated.
*/
func (mb *Metablock) Sign(key Key) error {
signer, err := getSignerVerifierFromKey(key)
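Review bot: `Metablock.Load` now carries two `Deprecated:` paragraphs — the pre-existing `Deprecated: Use LoadMetadata for a signature wrapper agnostic way to load an envelope.` and the added `Deprecated: This method has been deprecated.`, which says strictly less. Go tooling surfaces the deprecation text from the doc comment, so the duplicate is noise at best and risks displacing the migration hint; drop the added paragraph on this method and keep the one that names `LoadMetadata`. Load's body continues outside the hunk.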
14 changes: 14 additions & 0 deletions in_toto/runlib.go
Expand Up @@ -40,6 +40,8 @@ If reading the file fails, the first return value is nil and the second return
value is the error.
NOTE: For cross-platform consistency Windows-style line separators (CRLF) are
normalized to Unix-style line separators (LF) before hashing file contents.

Deprecated: This method has been deprecated.
*/
func RecordArtifact(path string, hashAlgorithms []string, lineNormalization bool) (HashObj, error) {
supportedHashMappings := getHashMapping()
Expand Down Expand Up @@ -91,6 +93,8 @@ the following format:

If recording an artifact fails the first return value is nil and the second
return value is the error.

Deprecated: This method has been deprecated.
*/
func RecordArtifacts(paths []string, hashAlgorithms []string, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool) (evalArtifacts map[string]HashObj, err error) {
// Make sure to initialize a fresh hashset for every RecordArtifacts call
Expand Down Expand Up @@ -273,6 +277,8 @@ If the command cannot be executed or no pipes for stdout or stderr can be
created the first return value is nil and the second return value is the error.
NOTE: Since stdout and stderr are captured, they cannot be seen during the
command execution.

Deprecated: This method has been deprecated.
*/
func RunCommand(cmdArgs []string, runDir string) (map[string]interface{}, error) {
if len(cmdArgs) == 0 {
Expand Down Expand Up @@ -318,6 +324,8 @@ metadata. Link metadata contains recorded products at the passed productPaths
and materials at the passed materialPaths. The returned link is wrapped in a
Metablock object. If command execution or artifact recording fails the first
return value is an empty Metablock and the second return value is the error.

Deprecated: This method has been deprecated.
*/
func InTotoRun(name string, runDir string, materialPaths []string, productPaths []string, cmdArgs []string, key Key, hashAlgorithms []string, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
materials, err := RecordArtifacts(materialPaths, hashAlgorithms, gitignorePatterns, lStripPaths, lineNormalization, followSymlinkDirs)
Expand Down Expand Up @@ -379,6 +387,8 @@ InTotoRecordStart begins the creation of a link metablock file in two steps,
in order to provide evidence for supply chain steps that cannot be carries out
by a single command. InTotoRecordStart collects the hashes of the materials
before any commands are run, signs the unfinished link, and returns the link.

Deprecated: This method has been deprecated.
*/
func InTotoRecordStart(name string, materialPaths []string, key Key, hashAlgorithms, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
materials, err := RecordArtifacts(materialPaths, hashAlgorithms, gitignorePatterns, lStripPaths, lineNormalization, followSymlinkDirs)
Expand Down Expand Up @@ -428,6 +438,8 @@ InTotoRecordStart. InTotoRecordStop takes in a signed unfinished link metablock
created by InTotoRecordStart and records the hashes of any products created by
commands run between InTotoRecordStart and InTotoRecordStop. The resultant
finished link metablock is then signed by the provided key and returned.

Deprecated: This method has been deprecated.
*/
func InTotoRecordStop(prelimLinkEnv Metadata, productPaths []string, key Key, hashAlgorithms, gitignorePatterns []string, lStripPaths []string, lineNormalization bool, followSymlinkDirs bool, useDSSE bool) (Metadata, error) {
if err := prelimLinkEnv.VerifySignature(key); err != nil {
Expand Down Expand Up @@ -475,6 +487,8 @@ func InTotoRecordStop(prelimLinkEnv Metadata, productPaths []string, key Key, ha
InTotoMatchProducts checks if local artifacts match products in passed link.

NOTE: Does not check integrity or authenticity of passed link!

Deprecated: This method has been deprecated.
*/
func InTotoMatchProducts(link *Link, paths []string, hashAlgorithms []string, excludePatterns []string, lstripPaths []string) ([]string, []string, []string, error) {
if len(paths) == 0 {
2 changes: 1 addition & 1 deletion in_toto/runlib_test.go
Expand Up @@ -450,7 +450,7 @@ func TestInTotoRun(t *testing.T) {
},
},
Products: map[string]HashObj{
"foo.tar.gz": HashObj{
"foo.tar.gz": {
"sha256": "52947cb78b91ad01fe81cd6aef42d1f6817e92b9e6936c1e5aabb7c98514f355",
},
},
1 change: 1 addition & 0 deletions in_toto/slsa_provenance/common/common.go
@@ -1,3 +1,4 @@
// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
package common

// DigestSet contains a set of digests. It is represented as a map from
1 change: 1 addition & 0 deletions in_toto/slsa_provenance/v0.1/provenance.go
@@ -1,3 +1,4 @@
// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
package v01

import (
1 change: 1 addition & 0 deletions in_toto/slsa_provenance/v0.2/provenance.go
@@ -1,3 +1,4 @@
// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
package v02

import (
1 change: 1 addition & 0 deletions in_toto/slsa_provenance/v1/provenance.go
@@ -1,3 +1,4 @@
// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
package v1

import (
30 changes: 30 additions & 0 deletions in_toto/verifylib.go
Expand Up @@ -2,6 +2,8 @@
Package in_toto implements types and routines to verify a software supply chain
according to the in-toto specification.
See https://github.com/in-toto/docs/blob/master/in-toto-spec.md

Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
*/
package in_toto

Expand Down Expand Up @@ -41,6 +43,8 @@ returned. The format is:
If executing the inspection command fails, or if the executed command has a
non-zero exit code, the first return value is an empty Metablock map and the
second return value is the error.

Deprecated: This method has been deprecated.
*/
func RunInspections(layout Layout, runDir string, lineNormalization bool, useDSSE bool) (map[string]Metadata, error) {
inspectionMetadata := make(map[string]Metadata)
Expand Down Expand Up @@ -189,6 +193,8 @@ All rules except for DISALLOW consume queued artifacts on success, and
leave the queue unchanged on failure. Hence, it is left to a terminal
DISALLOW rule to fail overall verification, if artifacts are left in the queue
that should have been consumed by preceding rules.

Deprecated: This method has been deprecated.
*/
func VerifyArtifacts(items []interface{},
itemsMetadata map[string]Metadata) error {
Expand Down Expand Up @@ -384,6 +390,8 @@ step. The function returns a map with one Metablock (link) per step:
If links corresponding to the same step report different Materials or different
Products, the first return value is an empty Metablock map and the second
return value is the error.

Deprecated: This method has been deprecated.
*/
func ReduceStepsMetadata(layout Layout,
stepsMetadata map[string]map[string]Metadata) (map[string]Metadata,
Expand Down Expand Up @@ -447,6 +455,8 @@ VerifyStepCommandAlignment (soft) verifies that for each step of the passed
layout the command executed, as per the passed link, matches the expected
command, as per the layout. Soft verification means that, in case a command
does not align, a warning is issued.

Deprecated: This method has been deprecated.
*/
func VerifyStepCommandAlignment(layout Layout,
stepsMetadata map[string]map[string]Metadata) {
Expand Down Expand Up @@ -482,6 +492,8 @@ LoadLayoutCertificates loads the root and intermediate CAs from the layout if in
This will be used to check signatures that were used to sign links but not configured
in the PubKeys section of the step. No configured CAs means we don't want to allow this.
Returned CertPools will be empty in this case.

Deprecated: This method has been deprecated.
*/
func LoadLayoutCertificates(layout Layout, intermediatePems [][]byte) (*x509.CertPool, *x509.CertPool, error) {
rootPool := x509.NewCertPool()
Expand Down Expand Up @@ -533,6 +545,8 @@ links with valid signatures from distinct functionaries and has the format:
If for any step of the layout there are not enough links available, the first
return value is an empty map of Metablock maps and the second return value is
the error.

Deprecated: This method has been deprecated.
*/
func VerifyLinkSignatureThesholds(layout Layout,
stepsMetadata map[string]map[string]Metadata, rootCertPool, intermediateCertPool *x509.CertPool) (
Expand Down Expand Up @@ -646,6 +660,8 @@ If a link cannot be loaded at a constructed link name or is invalid, it is
ignored. Only a preliminary threshold check is performed, that is, if there
aren't at least Threshold links for any given step, the first return value
is an empty map of Metablock maps and the second return value is the error.

Deprecated: This method has been deprecated.
*/
func LoadLinksForLayout(layout Layout, linkDir string) (map[string]map[string]Metadata, error) {
stepsMetadata := make(map[string]map[string]Metadata)
Expand Down Expand Up @@ -690,6 +706,8 @@ func LoadLinksForLayout(layout Layout, linkDir string) (map[string]map[string]Me
/*
VerifyLayoutExpiration verifies that the passed Layout has not expired. It
returns an error if the (zulu) date in the Expires field is in the past.

Deprecated: This method has been deprecated.
*/
func VerifyLayoutExpiration(layout Layout) error {
expires, err := time.Parse(ISO8601DateSchema, layout.Expires)
Expand All @@ -709,6 +727,8 @@ corresponding signature of the Layout in the passed Metablock's Signed field.
Signatures and keys are associated by key id. If the key map is empty, or the
Metablock's Signature field does not have a signature for one or more of the
passed keys, or a matching signature is invalid, an error is returned.

Deprecated: This method has been deprecated.
*/
func VerifyLayoutSignatures(layoutEnv Metadata,
layoutKeys map[string]Key) error {
Expand All @@ -732,6 +752,8 @@ chain.
NOTE: The assumption is that the steps mentioned in the layout are to be
performed sequentially. So, the first step mentioned in the layout denotes what
comes into the supply chain and the last step denotes what goes out.

Deprecated: This method has been deprecated.
*/
func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata,
stepName string, useDSSE bool) (Metadata, error) {
Expand Down Expand Up @@ -776,6 +798,8 @@ func GetSummaryLink(layout Layout, stepsMetadataReduced map[string]Metadata,
VerifySublayouts checks if any step in the supply chain is a sublayout, and if
so, recursively resolves it and replaces it with a summary link summarizing the
steps carried out in the sublayout.

Deprecated: This method has been deprecated.
*/
func VerifySublayouts(layout Layout,
stepsMetadataVerified map[string]map[string]Metadata,
Expand Down Expand Up @@ -832,6 +856,8 @@ in the following fields:
The substitution marker is '{}' and the keyword within the braces is replaced
by a value found in the substitution map passed, parameterDictionary. The
layout with parameters substituted is returned to the calling function.

Deprecated: This method has been deprecated.
*/
func SubstituteParameters(layout Layout,
parameterDictionary map[string]string) (Layout, error) {
Expand Down Expand Up @@ -907,6 +933,8 @@ Metablock object.

NOTE: Artifact rules of type "create", "modify"
and "delete" are currently not supported.

Deprecated: This method has been deprecated.
*/
func InTotoVerify(layoutEnv Metadata, layoutKeys map[string]Key,
linkDir string, stepName string, parameterDictionary map[string]string, intermediatePems [][]byte, lineNormalization bool) (
Expand Down Expand Up @@ -1010,6 +1038,8 @@ func InTotoVerify(layoutEnv Metadata, layoutKeys map[string]Key,
/*
InTotoVerifyWithDirectory provides the same functionality as InTotoVerify, but
adds the possibility to select a local directory from where the inspections are run.

Deprecated: This method has been deprecated.
*/
func InTotoVerifyWithDirectory(layoutEnv Metadata, layoutKeys map[string]Key,
linkDir string, runDir string, stepName string, parameterDictionary map[string]string, intermediatePems [][]byte, lineNormalization bool) (
6 changes: 3 additions & 3 deletions in_toto/verifylib_test.go
Expand Up @@ -579,7 +579,7 @@ func TestVerifyArtifact(t *testing.T) {
{
name: "Consuming filename material in inspection",
item: []interface{}{Inspection{SupplyChainItem: SupplyChainItem{Name: "foo", ExpectedMaterials: [][]string{{"ALLOW", "foo.py"}, {"DISALLOW", "*"}}}}},
metadata: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"./bar/..//foo.py": HashObj{"sha265": "abc"}}}}},
metadata: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"./bar/..//foo.py": {"sha265": "abc"}}}}},
expectErr: "",
},
{
Expand Down Expand Up @@ -636,14 +636,14 @@ func TestVerifyMatchRule(t *testing.T) {
name: "Match material foo.py with foo.d/foo.py",
rule: map[string]string{"pattern": "*", "dstName": "foo", "dstType": "materials", "dstPrefix": "foo.d"},
srcArtifact: map[string]HashObj{"foo.py": {"sha265": "abc"}},
item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.d/foo.py": HashObj{"sha265": "abc"}}}}},
item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.d/foo.py": {"sha265": "abc"}}}}},
expectSet: NewSet("foo.py"),
},
{
name: "Match material foo.d/foo.py with foo.py",
rule: map[string]string{"pattern": "*", "dstName": "foo", "dstType": "materials", "srcPrefix": "foo.d"},
srcArtifact: map[string]HashObj{"foo.d/foo.py": {"sha265": "abc"}},
item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.py": HashObj{"sha265": "abc"}}}}},
item: map[string]Metadata{"foo": &Metablock{Signed: Link{Name: "foo", Materials: map[string]HashObj{"foo.py": {"sha265": "abc"}}}}},
expectSet: NewSet("foo.d/foo.py"),
},
{
1 change: 1 addition & 0 deletions internal/spiffe/spiffe.go
@@ -1,3 +1,4 @@
// Deprecated: This package has been deprecated in favor of https://github.com/in-toto/go-witness
package spiffe

import (