wasm

package

v1.0.1 Latest Latest Go to latest Published: Oct 9, 2025 License: Apache-2.0 Imports: 9 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/sonr-io/crypto

Links

Open Source Insights

Documentation ¶

Overview ¶

Package wasm provides cryptographic signing and verification for WebAssembly modules

Package wasm provides cryptographic verification for WebAssembly modules

Index ¶

func ExportManifest(manifest *SignatureManifest) ([]byte, error)
func VerifySignedModule(verifier *SignatureVerifier, module *SignedModule) error
func VerifyWithManifest(module []byte, manifest *SignatureManifest) error
type HashChain
- func NewHashChain() *HashChain
- func (hc *HashChain) AddEntry(version, hash string, timestamp int64) error
- func (hc *HashChain) GetLatestEntry() (*HashEntry, error)
- func (hc *HashChain) VerifyChain() error
type HashEntry
type HashVerifier
- func NewHashVerifier() *HashVerifier
- func (v *HashVerifier) AddTrustedHash(name, hash string)
- func (v *HashVerifier) ClearTrustedHashes()
- func (v *HashVerifier) ComputeHash(wasmBytes []byte) string
- func (v *HashVerifier) GetTrustedHash(name string) (string, bool)
- func (v *HashVerifier) VerifyHash(name string, wasmBytes []byte) error
- func (v *HashVerifier) VerifyHashWithFallback(name string, wasmBytes []byte, fallbackHashes []string) error
type SecurityPolicy
- func DefaultSecurityPolicy() *SecurityPolicy
- func (p *SecurityPolicy) Validate(wasmBytes []byte) error
type SignatureEntry
type SignatureManifest
- func CreateSignatureManifest(module []byte, signer *Signer, signerID string) (*SignatureManifest, error)
- func ImportManifest(data []byte) (*SignatureManifest, error)
type SignatureVerifier
- func NewSignatureVerifier() *SignatureVerifier
- func (v *SignatureVerifier) AddTrustedKey(keyID string, publicKey ed25519.PublicKey) error
- func (v *SignatureVerifier) AddTrustedKeyFromHex(keyID string, publicKeyHex string) error
- func (v *SignatureVerifier) GetTrustedKeyIDs() []string
- func (v *SignatureVerifier) RemoveTrustedKey(keyID string)
- func (v *SignatureVerifier) Verify(wasmBytes []byte, signature []byte) error
- func (v *SignatureVerifier) VerifyWithKey(keyID string, wasmBytes []byte, signature []byte) error
type SignedModule
- func SignModule(signer *Signer, module []byte, signerID string, version string) (*SignedModule, error)
type Signer
- func NewSigner() (*Signer, error)
- func NewSignerFromPrivateKey(privateKey ed25519.PrivateKey) (*Signer, error)
- func (s *Signer) ExportPrivateKey() []byte
- func (s *Signer) GetPublicKey() []byte
- func (s *Signer) GetPublicKeyHex() string
- func (s *Signer) Sign(wasmBytes []byte) ([]byte, error)
type TrustedKeyEntry
type VerificationError
- func (e *VerificationError) Error() string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ExportManifest ¶

func ExportManifest(manifest *SignatureManifest) ([]byte, error)

ExportManifest exports a signature manifest as JSON

func VerifySignedModule ¶

func VerifySignedModule(verifier *SignatureVerifier, module *SignedModule) error

VerifySignedModule verifies a signed module

func VerifyWithManifest ¶

func VerifyWithManifest(module []byte, manifest *SignatureManifest) error

VerifyWithManifest verifies a module using a signature manifest

Types ¶

type HashChain ¶

type HashChain struct {
	// contains filtered or unexported fields
}

HashChain provides hash chain verification for plugin updates

func NewHashChain ¶

func NewHashChain() *HashChain

NewHashChain creates a new hash chain

func (*HashChain) AddEntry ¶

func (hc *HashChain) AddEntry(version, hash string, timestamp int64) error

AddEntry adds a new entry to the hash chain

func (*HashChain) GetLatestEntry ¶

func (hc *HashChain) GetLatestEntry() (*HashEntry, error)

GetLatestEntry returns the most recent hash chain entry

func (*HashChain) VerifyChain ¶

func (hc *HashChain) VerifyChain() error

VerifyChain verifies the integrity of the hash chain

type HashEntry ¶

type HashEntry struct {
	Version      string `json:"version"`
	Hash         string `json:"hash"`
	PreviousHash string `json:"previous_hash"`
	Timestamp    int64  `json:"timestamp"`
}

HashEntry represents a single entry in the hash chain

type HashVerifier ¶

type HashVerifier struct {
	// contains filtered or unexported fields
}

HashVerifier provides SHA256 hash verification for WASM modules

func NewHashVerifier ¶

func NewHashVerifier() *HashVerifier

NewHashVerifier creates a new WASM hash verifier

func (*HashVerifier) AddTrustedHash ¶

func (v *HashVerifier) AddTrustedHash(name, hash string)

AddTrustedHash adds a trusted hash for a named WASM module

func (*HashVerifier) ClearTrustedHashes ¶

func (v *HashVerifier) ClearTrustedHashes()

ClearTrustedHashes removes all trusted hashes

func (*HashVerifier) ComputeHash ¶

func (v *HashVerifier) ComputeHash(wasmBytes []byte) string

ComputeHash calculates SHA256 hash of WASM bytecode

func (*HashVerifier) GetTrustedHash ¶

func (v *HashVerifier) GetTrustedHash(name string) (string, bool)

GetTrustedHash retrieves the trusted hash for a module

func (*HashVerifier) VerifyHash ¶

func (v *HashVerifier) VerifyHash(name string, wasmBytes []byte) error

VerifyHash verifies WASM bytecode against trusted hash

func (*HashVerifier) VerifyHashWithFallback ¶

func (v *HashVerifier) VerifyHashWithFallback(name string, wasmBytes []byte, fallbackHashes []string) error

VerifyHashWithFallback verifies against primary hash or fallback list

type SecurityPolicy ¶

type SecurityPolicy struct {
	RequireHashVerification bool
	RequireSignature        bool
	AllowedHashes           []string
	MaxModuleSize           int64
}

SecurityPolicy defines verification requirements

func DefaultSecurityPolicy ¶

func DefaultSecurityPolicy() *SecurityPolicy

DefaultSecurityPolicy returns a secure default policy

func (*SecurityPolicy) Validate ¶

func (p *SecurityPolicy) Validate(wasmBytes []byte) error

Validate checks if WASM module meets security policy

type SignatureEntry ¶

type SignatureEntry struct {
	Signature string    `json:"signature"` // Base64 encoded
	SignerID  string    `json:"signer_id"`
	Timestamp time.Time `json:"timestamp"`
	Algorithm string    `json:"algorithm"` // Always "Ed25519"
}

SignatureEntry represents a single signature in the manifest

type SignatureManifest ¶

type SignatureManifest struct {
	ModuleHash  string            `json:"module_hash"`
	Signatures  []SignatureEntry  `json:"signatures"`
	TrustedKeys []TrustedKeyEntry `json:"trusted_keys"`
	CreatedAt   time.Time         `json:"created_at"`
	ExpiresAt   *time.Time        `json:"expires_at,omitempty"`
}

SignatureManifest contains signature metadata for a WASM module

func CreateSignatureManifest ¶

func CreateSignatureManifest(module []byte, signer *Signer, signerID string) (*SignatureManifest, error)

CreateSignatureManifest creates a manifest for module signatures

func ImportManifest ¶

func ImportManifest(data []byte) (*SignatureManifest, error)

ImportManifest imports a signature manifest from JSON

type SignatureVerifier ¶

type SignatureVerifier struct {
	// contains filtered or unexported fields
}

SignatureVerifier verifies Ed25519 signatures on WASM modules

func NewSignatureVerifier ¶

func NewSignatureVerifier() *SignatureVerifier

NewSignatureVerifier creates a new signature verifier

func (*SignatureVerifier) AddTrustedKey ¶

func (v *SignatureVerifier) AddTrustedKey(keyID string, publicKey ed25519.PublicKey) error

AddTrustedKey adds a trusted public key for signature verification

func (*SignatureVerifier) AddTrustedKeyFromHex ¶

func (v *SignatureVerifier) AddTrustedKeyFromHex(keyID string, publicKeyHex string) error

AddTrustedKeyFromHex adds a trusted public key from hex string

func (*SignatureVerifier) GetTrustedKeyIDs ¶

func (v *SignatureVerifier) GetTrustedKeyIDs() []string

GetTrustedKeyIDs returns all trusted key IDs

func (*SignatureVerifier) RemoveTrustedKey ¶

func (v *SignatureVerifier) RemoveTrustedKey(keyID string)

RemoveTrustedKey removes a trusted key

func (*SignatureVerifier) Verify ¶

func (v *SignatureVerifier) Verify(wasmBytes []byte, signature []byte) error

Verify verifies a signature against trusted public keys

func (*SignatureVerifier) VerifyWithKey ¶

func (v *SignatureVerifier) VerifyWithKey(keyID string, wasmBytes []byte, signature []byte) error

VerifyWithKey verifies a signature with a specific key

type SignedModule ¶

type SignedModule struct {
	Module    []byte    `json:"-"`         // WASM bytecode (excluded from JSON)
	Hash      string    `json:"hash"`      // SHA256 hash of module
	Signature []byte    `json:"signature"` // Ed25519 signature
	SignerID  string    `json:"signer_id"` // ID of signing key
	Timestamp time.Time `json:"timestamp"` // Signing timestamp
	Version   string    `json:"version"`   // Module version
}

SignedModule represents a WASM module with its signature

func SignModule ¶

func SignModule(signer *Signer, module []byte, signerID string, version string) (*SignedModule, error)

SignModule creates a signed module package

type Signer ¶

type Signer struct {
	// contains filtered or unexported fields
}

Signer provides Ed25519 digital signature operations for WASM modules

func NewSigner ¶

func NewSigner() (*Signer, error)

NewSigner creates a new signer with a generated Ed25519 key pair

func NewSignerFromPrivateKey ¶

func NewSignerFromPrivateKey(privateKey ed25519.PrivateKey) (*Signer, error)

NewSignerFromPrivateKey creates a signer from an existing private key

func (*Signer) ExportPrivateKey ¶

func (s *Signer) ExportPrivateKey() []byte

ExportPrivateKey exports the private key (handle with care)

func (*Signer) GetPublicKey ¶

func (s *Signer) GetPublicKey() []byte

GetPublicKey returns the public key bytes

func (*Signer) GetPublicKeyHex ¶

func (s *Signer) GetPublicKeyHex() string

GetPublicKeyHex returns the public key as hex string

func (*Signer) Sign ¶

func (s *Signer) Sign(wasmBytes []byte) ([]byte, error)

Sign creates an Ed25519 signature for the given WASM bytecode

type TrustedKeyEntry ¶

type TrustedKeyEntry struct {
	KeyID     string     `json:"key_id"`
	PublicKey string     `json:"public_key"` // Base64 encoded
	AddedAt   time.Time  `json:"added_at"`
	ExpiresAt *time.Time `json:"expires_at,omitempty"`
	Purpose   string     `json:"purpose"` // e.g., "code-signing"
}

TrustedKeyEntry represents a trusted public key

type VerificationError ¶

type VerificationError struct {
	Module       string
	ExpectedHash string
	ActualHash   string
	Reason       string
}

VerificationError represents a WASM verification failure

func (*VerificationError) Error ¶

func (e *VerificationError) Error() string

Error implements the error interface

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL