No public description

PiperOrigin-RevId: 719327141

server/coscel/cos_tlv.go

@@ -1,3 +1,4 @@
+// Package coscel contains the COS TLV event type and related functions.
 package coscel
 
 import (
@@ -54,7 +55,7 @@ type COSTLV struct {
 	EventContent []byte
 }
 
-// GetTLV returns the TLV representation of the COS TLV.
+// TLV returns the TLV representation of the COS TLV.
 func (c COSTLV) TLV() (cel.TLV, error) {
 	data, err := cel.TLV{uint8(c.EventType), c.EventContent}.MarshalBinary()
 	if err != nil {

server/extract/cos_state.go

@@ -1,3 +1,4 @@
+// Package extract contains functions to extract information from the COS event log.
 package extract
 
 import (
@@ -8,7 +9,8 @@ import (
 	pb "github.com/google/go-tpm-tools/proto/attest"
 )
 
-func VerifiedCOSState(event_log cel.CEL, registerType uint8) (*pb.AttestedCosState, error) {
+// VerifiedCOSState returns the AttestedCosState from the given event log.
+func VerifiedCOSState(eventLog cel.CEL, registerType uint8) (*pb.AttestedCosState, error) {
 	cosState := &pb.AttestedCosState{}
 	cosState.Container = &pb.ContainerState{}
 	cosState.HealthMonitoring = &pb.HealthMonitoringState{}
@@ -17,7 +19,7 @@ func VerifiedCOSState(event_log cel.CEL, registerType uint8) (*pb.AttestedCosSta
 	cosState.Container.OverriddenEnvVars = make(map[string]string)
 
 	seenSeparator := false
-	for _, record := range event_log.Records() {
+	for _, record := range eventLog.Records() {
 		if record.IndexType != registerType {
 			return nil, fmt.Errorf("expect registerType: %d, but get %d in a CEL record", registerType, record.IndexType)
 		}

server/extract/cos_state_test.go

@@ -14,7 +14,7 @@ import (
 )
 
 func TestVerifiedCosStateRTMR(t *testing.T) {
-	cos_event_log := cel.NewConfComputeMR()
+	cosEventLog := cel.NewConfComputeMR()
 
 	// add events
 	testCELEvents := []struct {
@@ -60,16 +60,15 @@ func TestVerifiedCosStateRTMR(t *testing.T) {
 	for _, testEvent := range testCELEvents {
 		cosEvent := coscel.COSTLV{EventType: testEvent.cosNestedEventType, EventContent: testEvent.eventPayload}
 
-		err := cos_event_log.AppendEvent(cosEvent, []crypto.Hash{crypto.SHA384}, coscel.COSCCELMRIndex, func(_ crypto.Hash, ccmrIdx int, dgst []byte) error {
+		err := cosEventLog.AppendEvent(cosEvent, []crypto.Hash{crypto.SHA384}, coscel.COSCCELMRIndex, func(_ crypto.Hash, ccmrIdx int, dgst []byte) error {
 			return rtmr.ExtendDigestClient(fakeRTMR, ccmrIdx-1, dgst)
 		})
-		// err := cos_event_log.AppendEventRTMR(fakeRTMR, testEvent.register, cosEvent);
 		if err != nil {
 			t.Fatal(err)
 		}
 	}
 
-	cosState, err := VerifiedCOSState(cos_event_log, uint8(cel.CCMRType))
+	cosState, err := VerifiedCOSState(cosEventLog, uint8(cel.CCMRType))
 	if err != nil {
 		t.Error(err)
 	}

server/gcpcredential/test_with_token/test_with_token.go

@@ -1,3 +1,4 @@
+// Package main is a simple program to test the gcpcredential library against a GCP-issued token.
 package main
 
 import (

server/gcpcredential/validate.go

@@ -1,3 +1,4 @@
+// Package gcpcredential contains functions to validate Google-issued ID tokens.
 package gcpcredential
 
 import (
@@ -83,6 +84,7 @@ func Validate(ctx context.Context, client *http.Client, credentials []string, ex
 	return validateAndParse(credentials, validator)
 }
 
+// JWK is a subset of the JSON Web Key (JWK) format.
 type JWK struct {
 	Alg string `json:"alg"`
 	Crv string `json:"crv"`
@@ -95,6 +97,7 @@ type JWK struct {
 	Y   string `json:"y"`
 }
 
+// JWKS is a subset of the JSON Web Key Set (JWKSet) format.
 type JWKS struct {
 	Keys []JWK `json:"keys"`
 }
@@ -132,7 +135,7 @@ func ecdsaPubKey(key JWK) (*ecdsa.PublicKey, error) {
 	}, nil
 }
 
-// Validates the provided credentials using the provided public keys.
+// ValidateWithJWKS validates the provided credentials using the provided public keys.
 // It is the caller's responsibility to retrieve and provide Google's JWKs (https://www.googleapis.com/oauth2/v3/certs).
 func ValidateWithJWKS(jwks *JWKS, credentials []string, expectedAudience string) ([]string, error) {
 	// For JWT validation - finds the JWK that corresponds to the tokens Key ID and parses it into its respective key type.
@@ -253,8 +256,8 @@ func parseEmailClaims(mapClaims map[string]any) (*emailClaims, error) {
 // The subset of claims we care about in Google-issued OpenID tokens.
 // Full claims documented at:
 //
-//		https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload
-//		https://developers.google.com/identity/protocols/oauth2/openid-connect
+//	https://cloud.google.com/compute/docs/instances/verifying-instance-identity#payload
+//	https://developers.google.com/identity/protocols/oauth2/openid-connect
 type emailClaims struct {
 	Email         string `json:"email"`
 	EmailVerified bool   `json:"email_verified"`

server/signedcontainer/internal/convert/convert.go

@@ -1,3 +1,4 @@
+// Package convert contains functions to innitialize Tink keysets from PEM-encoded data.
 package convert
 
 // TODO: Remove this package and migrate to the Tink API when they publish it.

server/signedcontainer/payload.go

@@ -24,22 +24,22 @@ const (
 	// Unspecified signing algorithm.
 	unspecified = 0
 	// RSASSA-PSS with a SHA256 digest.
-	rsassa_pss_sha256 = 1
+	rsassaPssSha256 = 1
 	// RSASSA-PKCS1 v1.5 with a SHA256 digest.
-	rsasaa_pkcs1v15_sha256 = 2
+	rsasaaPkcs1v15Sha256 = 2
 	// ECDSA on the P-256 Curve with a SHA256 digest.
-	ecdsa_p256_sha256 = 3
+	ecdsaP256Sha256 = 3
 )
 
 func (s signingAlgorithm) string() string {
 	switch s {
 	case unspecified:
 		return "SIGNING_ALGORITHM_UNSPECIFIED"
-	case rsassa_pss_sha256:
+	case rsassaPssSha256:
 		return "RSASSA_PSS_SHA256"
-	case rsasaa_pkcs1v15_sha256:
+	case rsasaaPkcs1v15Sha256:
 		return "RSASSA_PKCS1V15_SHA256"
-	case ecdsa_p256_sha256:
+	case ecdsaP256Sha256:
 		return "ECDSA_P256_SHA256"
 	}
 
@@ -93,11 +93,11 @@ func (p *payload) publicKey() ([]byte, error) {
 	return publicKeyBytes, nil
 }
 
-var signingAlgorithm_value = map[string]signingAlgorithm{
+var signingAlgorithmValue = map[string]signingAlgorithm{
 	"SIGNING_ALGORITHM_UNSPECIFIED": unspecified,
-	"RSASSA_PSS_SHA256":             rsassa_pss_sha256,
-	"RSASSA_PKCS1V15_SHA256":        rsasaa_pkcs1v15_sha256,
-	"ECDSA_P256_SHA256":             ecdsa_p256_sha256,
+	"RSASSA_PSS_SHA256":             rsassaPssSha256,
+	"RSASSA_PKCS1V15_SHA256":        rsasaaPkcs1v15Sha256,
+	"ECDSA_P256_SHA256":             ecdsaP256Sha256,
 }
 
 // sigAlg retrieves the signing algorithm from the `optional` field of the payload.
@@ -106,7 +106,7 @@ func (p *payload) sigAlg() (signingAlgorithm, error) {
 	if !ok {
 		return unspecified, fmt.Errorf("signing algorithm not found in the Optional field of payload: %v", p)
 	}
-	algVal, ok := signingAlgorithm_value[alg]
+	algVal, ok := signingAlgorithmValue[alg]
 	if !ok || algVal == unspecified {
 		return unspecified, fmt.Errorf("unsupported signing algorithm: %s", alg)
 	}

server/signedcontainer/payload_test.go

@@ -124,15 +124,15 @@ func TestSigAlg(t *testing.T) {
 	}{
 		{
 			annotations: map[string]any{sigAlgURL: "RSASSA_PSS_SHA256"},
-			expected:    rsassa_pss_sha256,
+			expected:    rsassaPssSha256,
 		},
 		{
 			annotations: map[string]any{sigAlgURL: "RSASSA_PKCS1V15_SHA256"},
-			expected:    rsasaa_pkcs1v15_sha256,
+			expected:    rsasaaPkcs1v15Sha256,
 		},
 		{
 			annotations: map[string]any{sigAlgURL: "ECDSA_P256_SHA256"},
-			expected:    ecdsa_p256_sha256,
+			expected:    ecdsaP256Sha256,
 		},
 	}
 

server/signedcontainer/verify.go

@@ -1,3 +1,4 @@
+// Package signedcontainer contains functions to verify container image signatures.
 package signedcontainer
 
 import (
@@ -14,19 +15,22 @@ import (
 	tinksig "github.com/tink-crypto/tink-go/v2/signature"
 )
 
+// ImageSignature represents a container image signature.
 type ImageSignature struct {
 	Payload   []byte
 	Signature []byte
 }
 
 const maxSignatureCount = 300
 
+// VerifiedSignature contains information about a successfully verified signature.
 type VerifiedSignature struct {
 	KeyID     string `json:"key_id,omitempty"`
 	Signature string `json:"signature,omitempty"`
 	Alg       string `json:"signature_algorithm,omitempty"`
 }
 
+// VerifyResult contains the results of verifying a list of signatures.
 type VerifyResult struct {
 	Verified []*VerifiedSignature
 	Errors   []error
@@ -156,11 +160,11 @@ func verifySignature(imageDigest string, sig *ImageSignature) (*VerifiedSignatur
 // createPublicKeysetHandle takes in the given PEM-encoded public key and creates a public keyset handle based on the signing algorithm.
 func createPublicKeysetHandle(publicKey []byte, sigAlg signingAlgorithm) (*keyset.Handle, error) {
 	switch sigAlg {
-	case ecdsa_p256_sha256:
+	case ecdsaP256Sha256:
 		return convert.PemToECDSAP256Sha256WithDEREncodingKeysetHandle(publicKey)
-	case rsasaa_pkcs1v15_sha256:
+	case rsasaaPkcs1v15Sha256:
 		return convert.PemToRsaSsaPkcs1Sha256KeysetHandle(publicKey)
-	case rsassa_pss_sha256:
+	case rsassaPssSha256:
 		return convert.PemToRsaSsaPssSha256KeysetHandle(publicKey)
 	default:
 		return nil, fmt.Errorf("unsupported signing algorithm: %v", sigAlg)

server/signedcontainer/verify_test.go

@@ -49,11 +49,11 @@ JwIDAQAB
 // base64-encoded signatures over byte slices of the corresponding payloads:
 var base64Sigs = map[signingAlgorithm]string{
 	// openssl dgst -sign ec_private.pem -sha256 | base64
-	ecdsa_p256_sha256: "MEUCIDWVapx3r93lFmKRR3v2AzYUui2Pdur3AYSYkiicZKcEAiEAj3GC2+1JdRXxypXrUmTqtFrPxneCY3jQAdqoCDmjVx0=",
+	ecdsaP256Sha256: "MEUCIDWVapx3r93lFmKRR3v2AzYUui2Pdur3AYSYkiicZKcEAiEAj3GC2+1JdRXxypXrUmTqtFrPxneCY3jQAdqoCDmjVx0=",
 	// openssl dgst -sign rsa_private.pem -sha256 | base64
-	rsasaa_pkcs1v15_sha256: "PxShLjtQfmju/mKLtHJ5gsX1M8nlkEv2uYpKuNvVeANSrH3Px4hAOw302G2YLPaLRMcsBnLKIVL4lHr0FqqDQluVj/eJJ+PHvcmSltbLhCvw2f1ZTjt/NcgThfL5gpywgAHVXSYESettaCezWsPvRlyf6vypKMbnaO8D6gWX96hAiAFdHbTnVlpQ5rBjbyErx5NkyZhaGPOqXk6FAtZDHFy7Cg+vaq9wItZzp/7+JC7dEIRQel9xSKYUKIG4W563Q/7i8DGMg+rETOxgpBR9oco3QNev7YIuDUd++Dk3M/Wv9b1u6I9aqBdVe86TU+5Ur2nyNxw9chzhNmtdu5zTyA==",
+	rsasaaPkcs1v15Sha256: "PxShLjtQfmju/mKLtHJ5gsX1M8nlkEv2uYpKuNvVeANSrH3Px4hAOw302G2YLPaLRMcsBnLKIVL4lHr0FqqDQluVj/eJJ+PHvcmSltbLhCvw2f1ZTjt/NcgThfL5gpywgAHVXSYESettaCezWsPvRlyf6vypKMbnaO8D6gWX96hAiAFdHbTnVlpQ5rBjbyErx5NkyZhaGPOqXk6FAtZDHFy7Cg+vaq9wItZzp/7+JC7dEIRQel9xSKYUKIG4W563Q/7i8DGMg+rETOxgpBR9oco3QNev7YIuDUd++Dk3M/Wv9b1u6I9aqBdVe86TU+5Ur2nyNxw9chzhNmtdu5zTyA==",
 	// openssl dgst -sign rsa_private.pem -sigopt rsa_padding_mode:pss -sha256 | base64
-	rsassa_pss_sha256: "egqyxSJnAqS/GJ0ryeL2RXz2xCl53ynSt2Nk09VjP20IffO3uAjMsfneJOQjOljJRzMknsp4S0yr7E+6pBIi9x3Qkcs+KTpUNMpEAtXhn/qloE1SUx/j7uTUSQBkaxnlQvwrmMup+PChDNL6aRRfzEiV/rmywAicWCS4kLtHXNFOcV3emd1t3Vzp00ywfGFKjTzFnJlyxsLjO+uEsYlpUWjGaJ4n2f0wOthEGHH02wVEYNHS5wEYpu0GbcaL7C3pdBsYfpQHZWhHTNcalLBASbQ5ienMn17ZDm0bXplEbtjd2hj+xFIy0iKD39YV94vtsA0yjIkRSiXHVCWEKKWIUA==",
+	rsassaPssSha256: "egqyxSJnAqS/GJ0ryeL2RXz2xCl53ynSt2Nk09VjP20IffO3uAjMsfneJOQjOljJRzMknsp4S0yr7E+6pBIi9x3Qkcs+KTpUNMpEAtXhn/qloE1SUx/j7uTUSQBkaxnlQvwrmMup+PChDNL6aRRfzEiV/rmywAicWCS4kLtHXNFOcV3emd1t3Vzp00ywfGFKjTzFnJlyxsLjO+uEsYlpUWjGaJ4n2f0wOthEGHH02wVEYNHS5wEYpu0GbcaL7C3pdBsYfpQHZWhHTNcalLBASbQ5ienMn17ZDm0bXplEbtjd2hj+xFIy0iKD39YV94vtsA0yjIkRSiXHVCWEKKWIUA==",
 }
 
 func decodedSig(t *testing.T, alg signingAlgorithm) []byte {
@@ -194,17 +194,17 @@ func TestVerifySignature(t *testing.T) {
 		{
 			name:      "ECDSA",
 			publicKey: ecdsaPubKey,
-			sigAlg:    ecdsa_p256_sha256,
+			sigAlg:    ecdsaP256Sha256,
 		},
 		{
 			name:      "RSASSAPKCS1V15",
 			publicKey: rsaPubKey,
-			sigAlg:    rsasaa_pkcs1v15_sha256,
+			sigAlg:    rsasaaPkcs1v15Sha256,
 		},
 		{
 			name:      "RSASSAPSS",
 			publicKey: rsaPubKey,
-			sigAlg:    rsassa_pss_sha256,
+			sigAlg:    rsassaPssSha256,
 		},
 	}
 
@@ -234,17 +234,17 @@ func TestVerifySignatureWithInvalidDigest(t *testing.T) {
 		{
 			name:      "ECDSA",
 			publicKey: ecdsaPubKey,
-			sigAlg:    ecdsa_p256_sha256,
+			sigAlg:    ecdsaP256Sha256,
 		},
 		{
 			name:      "RSASSAPKCS1V15",
 			publicKey: rsaPubKey,
-			sigAlg:    rsasaa_pkcs1v15_sha256,
+			sigAlg:    rsasaaPkcs1v15Sha256,
 		},
 		{
 			name:      "RSASSAPSS",
 			publicKey: rsaPubKey,
-			sigAlg:    rsassa_pss_sha256,
+			sigAlg:    rsassaPssSha256,
 		},
 	}
 
@@ -278,17 +278,17 @@ func TestVerifySignatureWithInvalidSignature(t *testing.T) {
 		{
 			name:      "ECDSA",
 			publicKey: ecdsaPubKey,
-			sigAlg:    ecdsa_p256_sha256,
+			sigAlg:    ecdsaP256Sha256,
 		},
 		{
 			name:      "RSASSAPKCS1V15",
 			publicKey: rsaPubKey,
-			sigAlg:    rsasaa_pkcs1v15_sha256,
+			sigAlg:    rsasaaPkcs1v15Sha256,
 		},
 		{
 			name:      "RSASSAPSS",
 			publicKey: rsaPubKey,
-			sigAlg:    rsassa_pss_sha256,
+			sigAlg:    rsassaPssSha256,
 		},
 	}
 
@@ -331,37 +331,37 @@ SQIDAQAB
 		{
 			name:      "ECDSA with mismatched key",
 			publicKey: mismatchedECDSA,
-			sigAlg:    ecdsa_p256_sha256,
+			sigAlg:    ecdsaP256Sha256,
 			expectErr: "invalid signature",
 		},
 		{
 			name:      "RSASSA_PKCS1V15_SHA256 with mismatched key",
 			publicKey: mismatchedRSA,
-			sigAlg:    rsasaa_pkcs1v15_sha256,
+			sigAlg:    rsasaaPkcs1v15Sha256,
 			expectErr: "invalid signature",
 		},
 		{
 			name:      "RSASSA_PSS_SHA256 with mismatched key",
 			publicKey: mismatchedRSA,
-			sigAlg:    rsassa_pss_sha256,
+			sigAlg:    rsassaPssSha256,
 			expectErr: "invalid signature",
 		},
 		{
 			name:      "ECDSA with RSA key",
 			publicKey: rsaPubKey,
-			sigAlg:    ecdsa_p256_sha256,
+			sigAlg:    ecdsaP256Sha256,
 			expectErr: "public key is not an ECDSA public key",
 		},
 		{
 			name:      "RSASSA_PKCS1V15_SHA256 with ECDSA key",
 			publicKey: ecdsaPubKey,
-			sigAlg:    rsasaa_pkcs1v15_sha256,
+			sigAlg:    rsasaaPkcs1v15Sha256,
 			expectErr: "public key is not a RSA public key",
 		},
 		{
 			name:      "RSASSA_PSS_SHA256 with ECDSA key",
 			publicKey: ecdsaPubKey,
-			sigAlg:    rsassa_pss_sha256,
+			sigAlg:    rsassaPssSha256,
 			expectErr: "public key is not a RSA public key",
 		},
 	}
@@ -390,19 +390,19 @@ func TestCreatePublicKeysetHandle(t *testing.T) {
 		{
 			name:      "RSASSA_PKCS1V15_SHA256 createPublicKeyset",
 			publicKey: rsaPubKey,
-			sigAlg:    rsasaa_pkcs1v15_sha256,
+			sigAlg:    rsasaaPkcs1v15Sha256,
 			wantPass:  true,
 		},
 		{
 			name:      "RSASSA_PSS_SHA256 createPublicKeyset",
 			publicKey: rsaPubKey,
-			sigAlg:    rsassa_pss_sha256,
+			sigAlg:    rsassaPssSha256,
 			wantPass:  true,
 		},
 		{
 			name:      "ECDSA_P256_SHA256 createPublicKeyset",
 			publicKey: ecdsaPubKey,
-			sigAlg:    ecdsa_p256_sha256,
+			sigAlg:    ecdsaP256Sha256,
 			wantPass:  true,
 		},
 		{