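// 核心要点
// 证明包含构建器ID、材料清单与主语摘要;哈希使用 `SHA-256`。
// 时间窗口与 `kid` 校验;仅在有效期内接受证明。
// 产物与证明双向绑定以支持回溯与审计。
//
// 实现示例

/** A SHA-256 digest carried as 64 hexadecimal characters (either case is accepted). */
type Digest = { alg: 'SHA-256'; hex: string }

/** One build input: where it came from and the digest that pins it. */
type Material = { uri: string; digest: Digest }

/** The artifact the attestation describes. */
type Subject = { name: string; digest: Digest }

/**
 * Attestation statement. `created` and `expires` are epoch milliseconds:
 * `within` converts its leeway from seconds by multiplying by 1000 before
 * comparing against them.
 */
type Attestation = {
  builderId: string
  materials: Material[]
  subject: Subject
  created: number
  expires: number
}

/** Returns true only for a string of exactly 64 hex characters. */
function hex64(h: string): boolean {
  // The typeof guard keeps values parsed from untrusted JSON (arrays, numbers)
  // from being coerced to a string by RegExp.test.
  return typeof h === 'string' && /^[A-Fa-f0-9]{64}$/.test(h)
}

/**
 * Runtime check that a digest really is SHA-256. The `alg` literal in the
 * type is erased at compile time, so a parsed attestation can carry any value.
 */
function isSha256Digest(d: Digest | null | undefined): boolean {
  return d != null && d.alg === 'SHA-256' && hex64(d.hex)
}

/**
 * Structural validation of an attestation.
 *
 * Fails closed (returns false, never throws) on missing or mistyped fields,
 * because the object usually arrives from parsed, untrusted JSON.
 *
 * @param a - attestation to check
 * @returns true when builderId is a non-empty string, at least one material
 *          is present, and every digest is a well-formed SHA-256 digest
 */
function validAtt(a: Attestation): boolean {
  if (a == null || typeof a.builderId !== 'string' || a.builderId.length === 0) return false
  if (!Array.isArray(a.materials) || a.materials.length === 0) return false
  if (a.subject == null || !isSha256Digest(a.subject.digest)) return false
  return a.materials.every(m => m != null && isSha256Digest(m.digest))
}

/**
 * Checks that `now` lies inside [created, expires], widened by a clock-skew
 * allowance on both ends.
 *
 * @param created - start of validity, epoch milliseconds
 * @param expires - end of validity, epoch milliseconds; must be after `created`
 * @param now - current time, epoch milliseconds
 * @param leewaySec - tolerated clock skew in seconds
 * @returns false for an empty/inverted window or any non-finite input
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  // Non-finite values (NaN, Infinity) would otherwise yield a window that
  // never closes; treat them as invalid.
  if (![created, expires, now, leewaySec].every(v => Number.isFinite(v))) return false
  if (expires <= created) return false
  const skewMs = leewaySec * 1000
  return now + skewMs >= created && now - skewMs <= expires
}

/**
 * Signs an attestation with RSASSA-PKCS1-v1_5 / SHA-256 (RS256).
 *
 * @param a - attestation to sign
 * @param jwk - private key in JWK form; imported as non-extractable
 * @param kid - key identifier echoed into the result so a verifier can pick the key
 * @returns the key id, the algorithm label and the base64 signature
 *
 * NOTE(review): the signed bytes are `JSON.stringify(a)`, which is not a
 * canonical encoding. Property order follows object insertion order, so a
 * verifier that rebuilds the object with a different key order gets different
 * bytes and a failed verification. Keep the exact signed bytes alongside the
 * signature, or adopt a canonical JSON form on both sides. `kid` is returned
 * next to the signature and is not part of the signed bytes.
 */
async function signAtt(a: Attestation, jwk: JsonWebKey, kid: string): Promise<{ kid: string; alg: string; sig: string }> {
  const data = Buffer.from(JSON.stringify(a))
  const key = await crypto.subtle.importKey('jwk', jwk, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['sign'])
  const sig = await crypto.subtle.sign({ name: 'RSASSA-PKCS1-v1_5' }, key, data)
  return { kid, alg: 'RS256', sig: Buffer.from(sig).toString('base64') }
}

/**
 * Verifies a signed attestation: algorithm label, key id, structure,
 * validity window (60 s leeway), then the RS256 signature.
 *
 * @param a - attestation as received
 * @param signed - signature envelope produced by `signAtt`
 * @param jwk - public key the caller trusts for this builder
 * @param now - current time, epoch milliseconds
 * @returns true only when every check passes
 *
 * What this function does not establish, and the caller still has to do:
 * - `signed.kid` is unauthenticated metadata. Trust comes from how `jwk` was
 *   chosen: look it up by `kid` in a key set you control; never take the key
 *   from the same message as the signature.
 * - The artifact binding: recompute the SHA-256 of the artifact being deployed
 *   and compare it with `a.subject.digest.hex`, normalising hex case first
 *   (`hex64` accepts both cases).
 * A key that cannot be imported (wrong `kty`, malformed JWK) rejects the
 * promise instead of returning false; treat a rejection as a failed check.
 */
async function verifyAtt(a: Attestation, signed: { kid: string; alg: string; sig: string }, jwk: JsonWebKey, now: number): Promise<boolean> {
  if (signed == null || signed.alg !== 'RS256' || typeof signed.sig !== 'string') return false
  // When the trusted JWK carries its own `kid`, the envelope must name the
  // same key; without this the `kid` field is never looked at.
  const pinnedKid: unknown = Reflect.get(jwk, 'kid')
  if (pinnedKid !== undefined && pinnedKid !== signed.kid) return false
  if (!validAtt(a)) return false
  if (!within(a.created, a.expires, now, 60)) return false
  // Must reproduce the signer's bytes exactly; see the serialization note on signAtt.
  const data = Buffer.from(JSON.stringify(a))
  const key = await crypto.subtle.importKey('jwk', jwk, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['verify'])
  return crypto.subtle.verify({ name: 'RSASSA-PKCS1-v1_5' }, key, Buffer.from(signed.sig, 'base64'), data)
}

// 审计与发布治理
// 发布存档包含证明与签名指纹;不合规或过期证明阻断部署。
// 证明与产物摘要对齐,支持离线验证与快速回溯。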
