forked from TrueCloudLab/distribution
67 lines
1.4 KiB
Go
67 lines
1.4 KiB
Go
|
package manifest
|
||
|
|
||
|
import (
|
||
|
"crypto/x509"
|
||
|
"encoding/json"
|
||
|
|
||
|
"github.com/docker/libtrust"
|
||
|
)
|
||
|
|
||
|
// Sign signs the manifest with the provided private key, returning a
|
||
|
// SignedManifest. This typically won't be used within the registry, except
|
||
|
// for testing.
|
||
|
func Sign(m *Manifest, pk libtrust.PrivateKey) (*SignedManifest, error) {
|
||
|
p, err := json.MarshalIndent(m, "", " ")
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
js, err := libtrust.NewJSONSignature(p)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
if err := js.Sign(pk); err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
pretty, err := js.PrettySignature("signatures")
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
return &SignedManifest{
|
||
|
Manifest: *m,
|
||
|
Raw: pretty,
|
||
|
}, nil
|
||
|
}
|
||
|
|
||
|
// SignWithChain signs the manifest with the given private key and x509 chain.
|
||
|
// The public key of the first element in the chain must be the public key
|
||
|
// corresponding with the sign key.
|
||
|
func SignWithChain(m *Manifest, key libtrust.PrivateKey, chain []*x509.Certificate) (*SignedManifest, error) {
|
||
|
p, err := json.MarshalIndent(m, "", " ")
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
js, err := libtrust.NewJSONSignature(p)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
if err := js.SignWithChain(key, chain); err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
pretty, err := js.PrettySignature("signatures")
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
return &SignedManifest{
|
||
|
Manifest: *m,
|
||
|
Raw: pretty,
|
||
|
}, nil
|
||
|
}
|