Supply Chain Integrity, Transparency, and Trust (IETF SCITT)
ocaml-scitt: add Vds.pp and enable mdx on scitt.mli

- Vds.pp prints [<vds alg=N size=N root=hex>] using the existing accessors
(E305 on type t).
- Wrap the scitt.mli example in a [let run] taking keys / clock / payload
as parameters, fix the use sites that didn't compile against the real
signatures, and add the [(mdx ...)] stanza to lib/dune so the example is
typechecked on every build.

scitt + scitt_atp tests pass; merlint clean on ocaml-scitt.

+49 -29
+4
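--- a/lib/dune
+++ b/lib/dune
@@ -16,3 +16,7 @@
 sqlite
 nox-irmin
 atp))
+
+(mdx
+(files scitt.mli)
+(libraries scitt cose fmt))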
+38 -29
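--- a/lib/scitt.mli
+++ b/lib/scitt.mli
@@ -12,35 +12,44 @@
 {2 Example}
 
 {[
-(* Create a transparency service with RFC 9162 VDS *)
-let vds = Scitt.Vds_rfc9162.in_memory () in
-let ts =
-Scitt.Transparency_service.v ~service_id:"my-ts" ~vds
-~algorithm:Cose.Algorithm.ES256
-~sign:(Scitt.Signer.of_key ts_private_key)
-clock
-in
-
-(* Register a signed statement *)
-let statement =
-Scitt.Statement.v ~issuer:"did:web:parsimoni.co"
-~subject:"sha256:abcdef..." ~content_type:"application/spdx+json"
-~payload:sbom_json
-in
-let signed = Scitt.Signed_statement.sign ~key:issuer_key statement in
-let receipt = Scitt.Transparency_service.register ts signed in
-
-(* Create transparent statement *)
-let transparent = Scitt.Transparent_statement.v signed [ receipt ] in
-
-(* Verify offline *)
-match
-Scitt.Transparent_statement.verify
-~ts_keys:(fun ~service_id:_ -> Some ts_public_key)
-~issuer_key transparent
-with
-| Ok stmt -> Format.printf "Verified: %s\n" (Scitt.Statement.issuer stmt)
-| Error e -> Format.eprintf "Failed: %a\n" Scitt.pp_error e
+(* End-to-end SCITT round-trip: register a signed statement against a
+transparency service and verify the resulting transparent statement
+offline. Keys and clock are passed in so the example stays focused on
+the SCITT verbs rather than COSE key generation. *)
+let run ~ts_private_key ~ts_public_key ~issuer_key ~issuer_public_key ~clock
+~payload =
+let vds = Scitt.Vds_rfc9162.in_memory () in
+let ts =
+Scitt.Transparency_service.v ~service_id:"my-ts" ~vds
+~algorithm:Cose.Algorithm.ES256
+~sign:(Scitt.Signer.of_key ts_private_key)
+clock
+in
+let statement =
+Scitt.Statement.v ~issuer:"did:web:parsimoni.co"
+~subject:"sha256:abcdef..." ~content_type:"application/spdx+json"
+~payload
+in
+match Scitt.Signed_statement.sign ~key:issuer_key statement with
+| Error e -> Fmt.epr "sign failed: %a@." Scitt.pp_error e
+| Ok signed -> (
+match
+Scitt.Transparency_service.register ts ~issuer_key:issuer_public_key
+signed
+with
+| Error e -> Fmt.epr "register failed: %a@." Scitt.pp_error e
+| Ok receipt -> (
+let transparent =
+Scitt.Transparent_statement.v signed [ receipt ]
+in
+match
+Scitt.Transparent_statement.verify
+~ts_keys:(fun ~service_id:_ -> Some ts_public_key)
+~issuer_key:issuer_public_key transparent
+with
+| Ok (stmt, _level, _summary) ->
+Fmt.pr "Verified: %s@." (Scitt.Statement.issuer stmt)
+| Error e -> Fmt.epr "Failed: %a@." Scitt.pp_error e))
 ]}
 
 {2 References}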
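Review bot: The `~ts_keys` resolver in the new `run` example ignores its `~service_id` argument and returns `ts_public_key` for every service, so anyone copying the example gets a verifier that never ties the receipt's claimed service identity to a specific trust anchor. Because this is the library's headline example and is now typechecked on every build, it would be safer to show the lookup, e.g. `~ts_keys:(fun ~service_id -> if String.equal service_id "my-ts" then Some ts_public_key else None)` (assuming `service_id` is a string, as the `~service_id:"my-ts"` call suggests). The success branch also discards `_level` and `_summary` before printing "Verified"; if the level can denote a weaker check, a short comment stating which level the example expects would keep readers from treating every `Ok` as full verification.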
+4
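--- a/lib/vds.ml
+++ b/lib/vds.ml
@@ -122,6 +122,10 @@
 let root (T { impl = (module I); state }) = I.root state
 let size (T { impl = (module I); state }) = I.size state
 
+let pp ppf t =
+Fmt.pf ppf "<vds alg=%d size=%d root=%s>" (algorithm_id t) (size t)
+(Ohex.encode (root t))
+
 let consistency (T { impl = (module I); state }) ~first =
 I.consistency state ~first
 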
+3
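--- a/lib/vds.mli
+++ b/lib/vds.mli
@@ -67,6 +67,9 @@
 type t
 (** A verifiable data structure. *)
 
+val pp : Format.formatter -> t -> unit
+(** [pp ppf t] formats [t] as [<vds alg=N size=N root=hex>] for diagnostics. *)
+
 module Make (B : S) : sig
 val v : B.t -> t
 (** [v state] wraps [state] of backend [B] as an opaque {!t}. Call it at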