require trust root in constructor, remove more unused code, update readme

Author: wolfv

README.md

@@ -114,6 +114,17 @@ let bundle_json = serde_json::to_string_pretty(&bundle)?;
 - Identity-based verification policies
 - Ambient credential detection for CI/CD environments
 
+## Cryptography
+
+This library uses [aws-lc-rs](https://github.com/aws/aws-lc-rs) as its cryptographic backend. AWS-LC is a general-purpose cryptographic library maintained by AWS, based on code from BoringSSL. It provides:
+
+- ECDSA (P-256, P-384) signature verification and signing
+- Ed25519 signature support
+- SHA-256/SHA-384/SHA-512 hashing
+- X.509 certificate parsing and validation
+
+AWS-LC is [FIPS 140-3 validated](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4816), making this library suitable for environments with compliance requirements.
+
 ## Minimum Supported Rust Version
 
 Rust 1.70 or later.

crates/sigstore-conformance/src/main.rs

@@ -12,7 +12,7 @@ use sigstore_oidc::parse_identity_token;
 use sigstore_rekor::RekorClient;
 use sigstore_trust_root::TrustedRoot;
 use sigstore_types::{Bundle, MediaType, Sha256Hash, SignatureContent};
-use sigstore_verify::{verify_with_trusted_root, VerificationPolicy};
+use sigstore_verify::{verify, VerificationPolicy};
 
 use std::env;
 use std::fs;
@@ -453,8 +453,7 @@ fn verify_bundle(args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
         let dummy_artifact = vec![];
 
         // Verify the signature with trusted root
-        let result =
-            verify_with_trusted_root(&dummy_artifact, &bundle, &digest_policy, &trusted_root)?;
+        let result = verify(&dummy_artifact, &bundle, &digest_policy, &trusted_root)?;
 
         if !result.success {
             return Err("Verification failed".into());
@@ -466,7 +465,7 @@ fn verify_bundle(args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
         let artifact_data = fs::read(&artifact_or_digest)?;
 
         // Verify with trusted root
-        let result = verify_with_trusted_root(&artifact_data, &bundle, &policy, &trusted_root)?;
+        let result = verify(&artifact_data, &bundle, &policy, &trusted_root)?;
 
         if !result.success {
             return Err("Verification failed".into());

crates/sigstore-tsa/src/lib.rs

@@ -6,13 +6,11 @@
 pub mod asn1;
 pub mod client;
 pub mod error;
-pub mod parse;
 pub mod verify;
 
 pub use asn1::{
     AlgorithmIdentifier, Asn1MessageImprint, PkiStatus, TimeStampReq, TimeStampResp, TstInfo,
 };
 pub use client::{timestamp_sigstore, TimestampClient};
 pub use error::{Error, Result};
-pub use parse::parse_timestamp;
 pub use verify::{verify_timestamp_response, TimestampResult, VerifyOpts};

crates/sigstore-tsa/src/parse.rs

@@ -20,7 +20,7 @@ use webpki::{anchor_from_trusted_cert, EndEntityCert, KeyUsage, ALL_VERIFICATION
 
 // Define OIDs as constants using const_oid::db
 const ID_KP_TIME_STAMPING: ObjectIdentifier = const_oid::db::rfc5280::ID_KP_TIME_STAMPING;
-const ID_SIGNED_DATA_STR: ObjectIdentifier = ObjectIdentifier::new_unwrap("1.2.840.113549.1.7.2");
+const ID_SIGNED_DATA: ObjectIdentifier = const_oid::db::rfc5911::ID_SIGNED_DATA;
 const OID_MESSAGE_DIGEST: ObjectIdentifier = const_oid::db::rfc6268::ID_MESSAGE_DIGEST;
 const OID_SHA256: ObjectIdentifier = const_oid::db::rfc5912::ID_SHA_256;
 const OID_SHA384: ObjectIdentifier = const_oid::db::rfc5912::ID_SHA_384;
@@ -173,7 +173,7 @@ pub fn verify_timestamp_response(
     };
 
     // Verify content type is SignedData
-    if content_info.content_type != ID_SIGNED_DATA_STR {
+    if content_info.content_type != ID_SIGNED_DATA {
         return Err(Error::ParseError(
             "ContentInfo content type is not SignedData".to_string(),
         ));

crates/sigstore-tsa/src/verify.rs

@@ -5,7 +5,7 @@
 //! # Example
 //!
 //! ```no_run
-//! use sigstore_verify::{verify_with_trusted_root, VerificationPolicy};
+//! use sigstore_verify::{verify, VerificationPolicy};
 //! use sigstore_trust_root::TrustedRoot;
 //! use sigstore_types::Bundle;
 //!
@@ -19,7 +19,7 @@
 //!     .require_identity("user@example.com")
 //!     .require_issuer("https://accounts.google.com");
 //!
-//! let result = verify_with_trusted_root(&artifact, &bundle, &policy, &trusted_root)?;
+//! let result = verify(&artifact, &bundle, &policy, &trusted_root)?;
 //! assert!(result.success);
 //! # Ok(())
 //! # }
@@ -41,6 +41,5 @@ pub use sigstore_types as types;
 
 pub use error::{Error, Result};
 pub use verify::{
-    verify, verify_with_trusted_root, VerificationPolicy, VerificationResult, Verifier,
-    DEFAULT_CLOCK_SKEW_SECONDS,
+    verify, VerificationPolicy, VerificationResult, Verifier, DEFAULT_CLOCK_SKEW_SECONDS,
 };