//! A proof-of-concept implementation of the WebAssembly module signature proposal.

// The `PublicKey::verify()` function is what most runtimes should use or reimplement if they do not need partial verification.
// The `SecretKey::sign()` function is what most third-party signing tools can use or reimplement if they do not need support for multiple signatures.

#![allow(clippy::vec_init_then_push)]
// `forbid` (unlike `deny`) cannot be overridden by an inner `#[allow]`, so no
// module anywhere in this crate can contain `unsafe` code.
#![forbid(unsafe_code)]

// Compile-time guard: async feature requires native target (until WASI 0.3).
// The `http` module (which uses `reqwest` in async mode) is compiled out on
// wasm32 (see `pub mod http` below); presumably that is why the feature pair
// is rejected here with an explicit message rather than failing later on a
// missing item — confirm if the async backend changes.
#[cfg(all(target_arch = "wasm32", feature = "async"))]
compile_error!(
    "The 'async' feature is not supported on WASM targets until WASI 0.3 (expected Feb 2026). \
    Use the default 'sync' feature for WASM builds."
);

// Private implementation modules; their public items are re-exported from the
// crate root by the glob `pub use` lines further down.
mod error;
mod signature; // also home of the `keyless` submodule re-exported below
mod split;
mod wasm_module;

/// Secure file operations with restrictive permissions
///
/// Provides utilities for securely reading and writing sensitive files
/// such as private keys and tokens. On Unix systems, it enforces restrictive
/// permissions (0600 = owner read/write only) to prevent credential theft.
pub mod secure_file;

/// Time validation for offline-first verification
///
/// Provides time source abstraction for embedded and edge devices that may not
/// have reliable system clocks. Supports multiple strategies including build-time
/// lower bounds and custom time sources (RTC, GPS, NTP).
pub mod time;

/// Platform-specific hardware security integration
///
/// Provides unified interface for hardware-backed cryptographic operations
/// across TPM 2.0, Secure Elements, TrustZone, and software fallback.
pub mod platform;

/// Certificate provisioning for IoT devices
///
/// Provides tools for offline certificate provisioning in factory/manufacturing
/// environments. Includes CA management, device identity, and provisioning workflows.
pub mod provisioning;

/// Component composition and provenance tracking
///
/// Provides support for WebAssembly component composition with full provenance
/// tracking, enabling supply chain security and compliance with SLSA, in-toto,
/// and SBOM standards.
pub mod composition;

/// Metrics collection for signing operations (Issue #3)
///
/// Provides observability for signing and validation operations with
/// Prometheus-compatible export format.
pub mod metrics;

/// Air-gapped verification for embedded devices
///
/// Enables offline verification of Sigstore keyless signatures using
/// pre-provisioned trust bundles. Designed for IoT, automotive, and
/// edge devices without network access at runtime.
pub mod airgapped;

/// Audit logging for security-sensitive operations
///
/// Provides structured audit logging for signing and verification operations,
/// designed for compliance with ISO/SAE 21434, IEC 62443, and SOC 2 requirements.
/// Supports JSON output for SIEM integration.
pub mod audit;

/// Supply chain verification policy engine
///
/// Provides a TOML-based policy engine for enforcing SLSA levels and
/// supply chain security policies on WebAssembly transformation chains.
/// Supports per-rule enforcement modes (strict vs report).
pub mod policy;

/// Format-agnostic artifact signing and verification
///
/// Provides a trait-based abstraction for signing different artifact formats
/// (WASM, ELF, MCUboot) with the same Ed25519 signing core. Includes format
/// detection, consistency validation, and per-format signature embedding.
pub mod format;

/// DSSE (Dead Simple Signing Envelope) implementation
///
/// Provides the standard DSSE envelope format for signing attestations.
/// Used as the wrapper for all embedded attestations, enabling extraction
/// and verification with standard tooling (cosign, sigstore-rs, etc.).
/// See: https://github.com/secure-systems-lab/dsse
pub mod dsse;

/// in-toto Statement v1.0 implementation
///
/// Provides the in-toto attestation framework Statement layer.
/// Statements bind predicates (SLSA provenance, etc.) to subjects (artifacts).
/// See: https://github.com/in-toto/attestation
pub mod intoto;

/// SLSA v1.0 Provenance predicate
///
/// Provides SLSA Build provenance attestation format for supply chain security.
/// Describes how artifacts were built, including inputs, builder, and metadata.
/// See: https://slsa.dev/spec/v1.0/provenance
pub mod slsa;

/// Transcoding attestation protocol for WASM-to-native compilation
///
/// Provides the attestation format for recording provenance when compiling
/// WASM modules to native code (ARM ELF, MCUboot). Uses in-toto Statement
/// with a custom predicate to capture source verification, compiler identity,
/// target platform, and compilation parameters.
pub mod transcoding;

/// Container image signing via cosign delegation
///
/// Provides safe cosign subprocess delegation with binary integrity
/// verification, tag-to-digest resolution, and digest-bound signatures.
/// Addresses UCA-18 through UCA-21 from STPA-Sec analysis.
pub mod container;

/// Post-quantum cryptography support (SLH-DSA / FIPS 205)
///
/// Trait-based abstraction for post-quantum signature schemes alongside
/// classical Ed25519. Defines SLH-DSA parameter sets and hybrid signing
/// for the PQC transition period.
pub mod pqc;

/// Signed Certificate Timestamp (SCT) monitoring (Phase 4.2)
///
/// Monitors Certificate Transparency logs for certificate mis-issuance.
/// SCTs prove a certificate was submitted to a CT log before issuance,
/// enabling detection of rogue CA certificates.
pub mod sct;

/// Build environment attestation for SLSA provenance
///
/// Captures build environment metadata (Rust, Bazel, Nix versions, platform)
/// for embedding in SLSA provenance as internal parameters. Supports both
/// automatic detection and CI environment variable configuration via WSC_*
/// prefix. Addresses Ferrocene RUSTC_CSTR_0030 for tool version verification.
pub mod build_env;

/// HTTP client abstraction for sync/async support
///
/// Provides a unified HTTP client interface using `maybe_async` for compile-time
/// sync/async selection. Uses `ureq` in sync mode (default) and `reqwest` in async mode.
/// Not available on WASM targets; use WASI HTTP instead.
#[cfg(not(target_arch = "wasm32"))]
pub mod http;

/// Wasmtime runtime for hosting WASM components with hardware crypto
///
/// Provides a wasmtime-based execution environment that implements the
/// `wsc:crypto` WIT interface, allowing WASM components to access
/// hardware-backed cryptographic operations (TPM, HSM, Secure Element)
/// through opaque key handles.
///
/// # Feature Flag
///
/// This module requires the `runtime` feature:
///
/// ```toml
/// [dependencies]
/// wsc = { version = "0.5", features = ["runtime"] }
/// ```
#[cfg(all(feature = "runtime", not(target_arch = "wasm32")))]
pub mod runtime;

// Glob re-exports flatten these modules into the crate root: every `pub` item
// they define becomes part of this crate's public API, so adding a public item
// to any of them is an API-surface change. `unused_imports` is allowed here,
// presumably because a glob can match nothing under some feature
// combinations — confirm before removing the attributes.
#[allow(unused_imports)]
pub use error::*;
#[allow(unused_imports)]
pub use signature::*;
#[allow(unused_imports)]
pub use split::*;
#[allow(unused_imports)]
pub use wasm_module::*;

// Re-export keyless module for public API
pub use signature::keyless;

/// Dependency crates re-exported verbatim under `wsc::reexports`.
///
/// Lets downstream code reach these crates through `wsc` — presumably so
/// callers use the exact crate versions this library was built against
/// rather than resolving their own; confirm before relying on that.
pub mod reexports {
    pub use {anyhow, ct_codecs, getrandom, hmac_sha256, log, regex, thiserror};
}

// Wire-format constants for the signature header. Only their values are fixed
// here; what each 0x01 byte denotes (which content type, which hash function)
// is decided by the `signature` module that consumes them, presumably per the
// wasmsig proposal this crate implements — confirm against that module.
const SIGNATURE_VERSION: u8 = 0x01;
const SIGNATURE_WASM_MODULE_CONTENT_TYPE: u8 = 0x01;
const SIGNATURE_HASH_FUNCTION: u8 = 0x01;

// Domain string for the signature format (crate-private; used by `signature`).
const SIGNATURE_WASM_DOMAIN: &str = "wasmsig";