//! Air-gapped verification for embedded devices
//!
//! This module enables offline verification of Sigstore keyless signatures
//! on devices without network access. It uses a **Trust Bundle** - a signed,
//! versioned container of trust anchors (Fulcio roots, Rekor keys) that is
//! provisioned to devices at manufacturing or via secure update.
//!
//! # Architecture
//!
//! ```text
//! SIGNING (CI - Online)                    VERIFICATION (Device - Offline)
//! ─────────────────────                    ────────────────────────────────
//!
//! GitHub Actions                           Embedded Device
//! (OIDC → Fulcio → Rekor)                  ┌─────────────────────────────┐
//!         │                                │ Trust Bundle (provisioned)  │
//!         ▼                                │ • Fulcio root certs         │
//! ┌─────────────────┐                      │ • Rekor public key          │
//! │ Signed WASM     │     distribute       │ • Bundle version            │
//! │ • Signature     │ ───────────►         └─────────────┬───────────────┘
//! │ • Cert chain    │                                    │ verifies
//! │ • Rekor entry   │                                    ▼
//! └─────────────────┘                      ┌─────────────────────────────┐
//!                                          │ Signed WASM (verified)      │
//!                                          └─────────────────────────────┘
//! ```
//!
//! # Trust Model
//!
//! The trust chain for air-gapped verification:
//!
//! 1. **Bundle Verifier Key** (public, provisioned to device at factory)
//! 2. Verifies → **Trust Bundle signature**
//! 3. Bundle contains → **Fulcio root certificates**
//! 4. Anchors → **Certificate chain** in WASM signature
//! 5. Leaf cert contains → **Public key**
//! 6. Verifies → **WASM signature**
//!
//! # Storage Abstraction
//!
//! Like [`TimeSource`](crate::time::TimeSource), storage is abstracted via traits:
//!
//! - [`TrustStore`] - Load trust bundles (from HSM, TPM, flash, or compiled-in)
//! - [`KeyStore`] - Load verifier keys (from secure element, fuses, or files)
//!
//! This allows the same verification code to work across development and production.
//!
//! # Example: Using Storage Traits
//!
//! ```rust,ignore
//! use wsc::airgapped::{
//!     AirGappedVerifier, AirGappedConfig,
//!     CompiledTrustStore, CompiledKeyStore, // Embedded
//!     FileTrustStore, FileKeyStore,         // Development
//! };
//!
//! // For embedded: compiled into firmware
//! static BUNDLE: &[u8] = include_bytes!("trust-bundle.json");
//! static VERIFIER_KEY: &[u8] = include_bytes!("verifier.pub");
//!
//! let verifier = AirGappedVerifier::from_stores(
//!     &CompiledTrustStore::new(BUNDLE),
//!     &CompiledKeyStore::new(VERIFIER_KEY),
//!     AirGappedConfig::default(),
//! )?;
//!
//! // For development: file-based
//! let verifier = AirGappedVerifier::from_stores(
//!     &FileTrustStore::new("bundle.json"),
//!     &FileKeyStore::new("verifier.pub"),
//!     AirGappedConfig::default(),
//! )?;
//!
//! // For production: implement traits for your HSM/TPM
//! struct HsmKeyStore { slot: u32 }
//! impl KeyStore for HsmKeyStore {
//!     fn load_verifier_key(&self) -> Result<Vec<u8>, WSError> {
//!         hsm_read_public_key(self.slot)
//!     }
//!     fn is_hardware_backed(&self) -> bool { true }
//! }
//! ```
//!
//! # Example: Direct API
//!
//! ```rust,ignore
//! use wsc::airgapped::{AirGappedVerifier, SignedTrustBundle};
//!
//! // Bundle verifier key (compiled into firmware)
//! const BUNDLE_VERIFIER_KEY: &[u8] = include_bytes!("bundle-verifier.pub");
//!
//! // Load signed trust bundle
//! let bundle: SignedTrustBundle = SignedTrustBundle::from_json(&data)?;
//!
//! // Create verifier
//! let verifier = AirGappedVerifier::new(&bundle, BUNDLE_VERIFIER_KEY, config)?;
//!
//! // Verify signature
//! let result = verifier.verify_signature(&keyless_sig, &module_hash)?;
//! ```
// NOTE(review): the module paths in these re-exports are missing from this
// listing (`pub use *;` is not valid Rust on its own) — confirm against the
// repository source which submodules are actually re-exported here.
pub use *;
pub use *;
pub use *;
pub use *;
pub use *;
// Re-export key TUF types
pub use ;