核心要点

证明包含构建器 ID、材料清单与主体(subject)摘要;哈希使用 `SHA-256`。校验时间窗口与 `kid`;仅在有效期内接受证明。产物与证明双向绑定,以支持回溯与审计。

实现示例

type Digest = { alg: 'SHA-256'; hex: string }

/** One build input: where it was fetched from and the digest of its content. */
type Material = {
  uri: string
  digest: Digest
}

/** The artifact the attestation is about, identified by name and content digest. */
type Subject = {
  name: string
  digest: Digest
}

/**
 * Provenance statement for a single subject.
 * `created` / `expires` are numeric timestamps; within() treats them as
 * milliseconds when it applies a seconds-based leeway.
 */
type Attestation = {
  builderId: string
  materials: Material[]
  subject: Subject
  created: number
  expires: number
}

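/** True when `h` is exactly 64 hex digits (a SHA-256 digest in hex), either case. */
function hex64(h: string): boolean {
  return /^[0-9a-f]{64}$/i.test(h)
}

/**
 * True when a digest object names SHA-256 and carries a 64-hex-digit value.
 * The alg check is a runtime guard: the literal type is erased, so an
 * attestation parsed from JSON could carry any string here.
 */
function validDigest(d: Digest): boolean {
  return d != null && d.alg === 'SHA-256' && hex64(d.hex)
}

/**
 * Structural validation of an attestation, run before any time or signature check.
 * Rejects a missing/empty builderId, an empty material list, a subject without a
 * name, a material without a uri, any digest that is not SHA-256 with a
 * 64-hex-digit value, and non-finite timestamps.
 * @param a attestation, possibly just parsed from untrusted JSON
 * @returns true only if every field the later checks rely on is well-formed
 */
function validAtt(a: Attestation): boolean {
  if (!a || typeof a.builderId !== 'string' || a.builderId === '') return false
  if (!Array.isArray(a.materials) || a.materials.length === 0) return false
  if (!a.subject || typeof a.subject.name !== 'string' || a.subject.name === '') return false
  if (!validDigest(a.subject.digest)) return false
  if (!a.materials.every(m => typeof m.uri === 'string' && m.uri !== '' && validDigest(m.digest))) return false
  // within() compares these numerically; NaN/Infinity would fail there anyway, but reject early and explicitly.
  return Number.isFinite(a.created) && Number.isFinite(a.expires)
}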

/**
 * Accepts `now` when it falls inside [created, expires], widened on both ends by
 * `leewaySec` seconds to absorb clock skew. Timestamps are in milliseconds,
 * leeway in seconds. A window whose end is not strictly after its start is
 * always rejected.
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  const skewMs = leewaySec * 1000
  const wellFormed = expires > created
  const notBeforeOk = created <= now + skewMs
  const notAfterOk = expires >= now - skewMs
  return wellFormed && notBeforeOk && notAfterOk
}

/**
 * Signs the JSON serialization of `a` with RSASSA-PKCS1-v1_5 over SHA-256
 * (JWS alg name "RS256").
 * The signed bytes are exactly `JSON.stringify(a)`; JSON.stringify is not a
 * canonical encoding, so a verifier must serialize the same object with the
 * same key order to reproduce them.
 * @param a attestation to sign (not validated here)
 * @param jwk private RSA key in JWK form
 * @param kid identifier the verifier will use to look up the matching public key
 * @returns envelope carrying the key id, the alg name and the base64 signature
 */
async function signAtt(a: Attestation, jwk: JsonWebKey, kid: string): Promise<{ kid: string; alg: string; sig: string }> {
  const algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }
  const privateKey = await crypto.subtle.importKey('jwk', jwk, algorithm, false, ['sign'])
  const payload = Buffer.from(JSON.stringify(a))
  const rawSig = await crypto.subtle.sign({ name: algorithm.name }, privateKey, payload)
  const sig = Buffer.from(rawSig).toString('base64')
  return { kid, alg: 'RS256', sig }
}

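/**
 * Verifies an RS256 signature over the JSON serialization of `a`.
 * Check order: structural validity, declared alg, key-id agreement, time window
 * (60 s leeway), then the cryptographic verification.
 * The verified bytes are `JSON.stringify(a)`, which is not canonical: `a` must
 * be the same object, with the same key order, that signAtt serialized.
 * @param a attestation as received
 * @param signed envelope produced by signAtt
 * @param jwk public key the caller resolved for `signed.kid`
 * @param now current time in milliseconds
 * @returns true only if every check passes
 * @throws if `jwk` cannot be imported as an RSASSA-PKCS1-v1_5 / SHA-256 key
 *   (malformed key material is an error, not a failed verification)
 */
async function verifyAtt(a: Attestation, signed: { kid: string; alg: string; sig: string }, jwk: JsonWebKey, now: number): Promise<boolean> {
  if (!validAtt(a) || signed.alg !== 'RS256') return false
  // A key id embedded in the JWK must agree with the envelope; a mismatch means
  // the caller resolved a key other than the one the envelope names.
  if (jwk.kid !== undefined && jwk.kid !== signed.kid) return false
  if (!within(a.created, a.expires, now, 60)) return false
  const data = Buffer.from(JSON.stringify(a))
  const key = await crypto.subtle.importKey('jwk', jwk, { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' }, false, ['verify'])
  return crypto.subtle.verify({ name: 'RSASSA-PKCS1-v1_5' }, key, Buffer.from(signed.sig, 'base64'), data)
}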

审计与发布治理

发布存档包含证明与签名指纹;不合规或过期的证明阻断部署。证明与产物摘要对齐,支持离线验证与快速回溯。
