Class: Sigstore::Common::V1::PublicKeyDetails
- Inherits:
-
Object
- Object
- Sigstore::Common::V1::PublicKeyDetails
- Extended by:
- Protobug::Enum
- Defined in:
- lib/sigstore/common/v1/sigstore_common_pb.rb
Overview
Details of a specific public key, capturing the the key encoding method, and signature algorithm.
PublicKeyDetails captures the public key/hash algorithm combinations recommended in the Sigstore ecosystem.
This is modelled as a linear set as we want to provide a small number of opinionated options instead of allowing every possible permutation.
Any changes to this enum MUST be reflected in the algorithm registry.
See: <github.com/sigstore/architecture-docs/blob/main/algorithm-registry.md>
To avoid the possibility of contradicting formats such as PKCS1 with ED25519 the valid permutations are listed as a linear set instead of a cartesian set (i.e one combined variable instead of two, one for encoding and one for the signature algorithm).
Constant Summary collapse
- PUBLIC_KEY_DETAILS_UNSPECIFIED =
new( "PUBLIC_KEY_DETAILS_UNSPECIFIED", 0 ).freeze
- PKCS1_RSA_PKCS1V5 =
RSA
new("PKCS1_RSA_PKCS1V5", 1).freeze
- PKCS1_RSA_PSS =
See RFC8017
new("PKCS1_RSA_PSS", 2).freeze
- PKIX_RSA_PKCS1V5 =
new("PKIX_RSA_PKCS1V5", 3).freeze
- PKIX_RSA_PSS =
new("PKIX_RSA_PSS", 4).freeze
- PKIX_RSA_PKCS1V15_2048_SHA256 =
RSA public key in PKIX format, PKCS#1v1.5 signature
new( "PKIX_RSA_PKCS1V15_2048_SHA256", 9 ).freeze
- PKIX_RSA_PKCS1V15_3072_SHA256 =
new( "PKIX_RSA_PKCS1V15_3072_SHA256", 10 ).freeze
- PKIX_RSA_PKCS1V15_4096_SHA256 =
new( "PKIX_RSA_PKCS1V15_4096_SHA256", 11 ).freeze
- PKIX_RSA_PSS_2048_SHA256 =
RSA public key in PKIX format, RSASSA-PSS signature
new( "PKIX_RSA_PSS_2048_SHA256", 16 ).freeze
- PKIX_RSA_PSS_3072_SHA256 =
See RFC4055
new("PKIX_RSA_PSS_3072_SHA256", 17).freeze
- PKIX_RSA_PSS_4096_SHA256 =
new("PKIX_RSA_PSS_4096_SHA256", 18).freeze
- PKIX_ECDSA_P256_HMAC_SHA_256 =
ECDSA
new( "PKIX_ECDSA_P256_HMAC_SHA_256", 6 ).freeze
- PKIX_ECDSA_P256_SHA_256 =
See RFC6979
new( "PKIX_ECDSA_P256_SHA_256", 5 ).freeze
- PKIX_ECDSA_P384_SHA_384 =
See NIST FIPS 186-4
new("PKIX_ECDSA_P384_SHA_384", 12).freeze
- PKIX_ECDSA_P521_SHA_512 =
new("PKIX_ECDSA_P521_SHA_512", 13).freeze
- PKIX_ED25519 =
Ed 25519
new("PKIX_ED25519", 7).freeze
- PKIX_ED25519_PH =
new("PKIX_ED25519_PH", 8).freeze
- PKIX_ECDSA_P384_SHA_256 =
These algorithms are deprecated and should not be used, but they were/are being used by most Sigstore clients implementations.
new("PKIX_ECDSA_P384_SHA_256", 19).freeze
- PKIX_ECDSA_P521_SHA_256 =
new("PKIX_ECDSA_P521_SHA_256", 20).freeze
- LMS_SHA256 =
LMS and LM-OTS
These algorithms are deprecated and should not be used. There are no plans to support SLH-DSA at this time.
USER WARNING: LMS and LM-OTS are both stateful signature schemes. Using them correctly requires discretion and careful consideration to ensure that individual secret keys are not used more than once. In addition, LM-OTS is a single-use scheme, meaning that it MUST NOT be used for more than one signature per LM-OTS key. If you cannot maintain these invariants, you MUST NOT use these schemes.
new("LMS_SHA256", 14).freeze
- LMOTS_SHA256 =
new("LMOTS_SHA256", 15).freeze
- ML_DSA_44 =
ML-DSA
These ML_DSA_44, ML_DSA_65 and ML-DSA_87 algorithms are the pure variants that take data to sign rather than the prehash variants (HashML-DSA), which take digests. While considered quantum-resistant, their usage involves tradeoffs in that signatures and keys are much larger, and this makes deployments more costly.
USER WARNING: ML_DSA_44, ML_DSA_65 and ML_DSA_87 are experimental algorithms. In the future they MAY be used by private Sigstore deployments, but they are not yet fully functional. This warning will be removed when these algorithms are widely supported by Sigstore clients and servers, but care should still be taken for production environments.
See NIST FIPS 204, RFC 9881 for algorithm identifiers
new("ML_DSA_44", 23).freeze
- ML_DSA_65 =
new("ML_DSA_65", 21).freeze
- ML_DSA_87 =
new("ML_DSA_87", 22).freeze