|
|
| |
| from __future__ import annotations |
|
|
| import argparse |
| import json |
| from pathlib import Path |
| from typing import Any, Dict, List, Optional |
|
|
| from sovereign_crypto_seal import SovereignCryptoSeal |
|
|
|
|
| def _load_json(path: str) -> Dict[str, Any]: |
| p = Path(path) |
| if not p.exists(): |
| raise FileNotFoundError(f"File not found: {path}") |
| data = json.loads(p.read_text(encoding="utf-8")) |
| if not isinstance(data, dict): |
| raise ValueError(f"JSON root must be an object: {path}") |
| return data |
|
|
|
|
| class SovereignExternalVerifierV11: |
| """ |
| Extended independent verifier for Sovereign artifacts (bank-grade). |
| |
| Added in v11: |
| - Hardening profile verification |
| - Hardening report verification |
| """ |
|
|
| def __init__(self, sealer: Optional[SovereignCryptoSeal] = None) -> None: |
| self.sealer = sealer or SovereignCryptoSeal() |
|
|
| |
| |
| |
| def _verify_object_with_seal( |
| self, |
| *, |
| artifact_type: str, |
| obj: Dict[str, Any], |
| seal: Dict[str, Any], |
| ) -> Dict[str, Any]: |
| verified = self.sealer.verify_object(obj, seal) |
| return { |
| "ok": bool(verified.get("ok")), |
| "artifact_type": artifact_type, |
| "verified": bool(verified.get("verified")), |
| "verification": verified, |
| } |
|
|
| |
| |
| |
| def verify_hardening_profile_bundle(self, bundle: Dict[str, Any]) -> Dict[str, Any]: |
| seal = bundle.get("crypto_seal") |
| profile = bundle.get("hardening_profile") |
|
|
| if not isinstance(seal, dict): |
| return { |
| "ok": False, |
| "artifact_type": "hardening_profile_bundle", |
| "verified": False, |
| "error": "missing_hardening_crypto_seal", |
| } |
|
|
| if not isinstance(profile, dict): |
| return { |
| "ok": False, |
| "artifact_type": "hardening_profile_bundle", |
| "verified": False, |
| "error": "missing_hardening_profile", |
| } |
|
|
| return self._verify_object_with_seal( |
| artifact_type="hardening_profile_bundle", |
| obj=profile, |
| seal=seal, |
| ) |
|
|
| def verify_hardening_report_bundle(self, bundle: Dict[str, Any]) -> Dict[str, Any]: |
| inner = bundle.get("bundle") |
| if not isinstance(inner, dict): |
| return { |
| "ok": False, |
| "artifact_type": "hardening_report_bundle", |
| "verified": False, |
| "error": "missing_inner_hardening_bundle", |
| } |
|
|
| verified = self.verify_hardening_profile_bundle(inner) |
| return { |
| "ok": bool(verified.get("ok")), |
| "artifact_type": "hardening_report_bundle", |
| "verified": bool(verified.get("verified")), |
| "inner_verification": verified, |
| } |
|
|
| |
| |
| |
| def verify_runtime_result_bundle(self, bundle: Dict[str, Any]) -> Dict[str, Any]: |
| seal = bundle.get("crypto_seal") |
|
|
| if not isinstance(seal, dict): |
| return { |
| "ok": False, |
| "artifact_type": "runtime_result", |
| "verified": False, |
| "error": "missing_runtime_crypto_seal", |
| } |
|
|
| obj = dict(bundle) |
| obj.pop("crypto_seal", None) |
| obj.pop("sealed", None) |
|
|
| return self._verify_object_with_seal( |
| artifact_type="runtime_result", |
| obj=obj, |
| seal=seal, |
| ) |
|
|
| |
| |
| |
| def verify_technical_identity_bundle(self, bundle: Dict[str, Any]) -> Dict[str, Any]: |
| identity = bundle.get("technical_identity") |
| if not isinstance(identity, dict): |
| return { |
| "ok": False, |
| "artifact_type": "technical_identity_bundle", |
| "verified": False, |
| "error": "missing_technical_identity", |
| } |
|
|
| seal = identity.get("crypto_seal") |
| if not isinstance(seal, dict): |
| return { |
| "ok": False, |
| "artifact_type": "technical_identity_bundle", |
| "verified": False, |
| "error": "missing_technical_identity_seal", |
| } |
|
|
| identity_obj = dict(identity) |
| identity_obj.pop("crypto_seal", None) |
| identity_obj.pop("sealed", None) |
|
|
| identity_verification = self._verify_object_with_seal( |
| artifact_type="technical_identity", |
| obj=identity_obj, |
| seal=seal, |
| ) |
|
|
| nested_checks: List[Dict[str, Any]] = [] |
|
|
| hardening_bundle = bundle.get("hardening_bundle") |
| if isinstance(hardening_bundle, dict): |
| if "hardening_profile" in hardening_bundle and "crypto_seal" in hardening_bundle: |
| nested_checks.append(self.verify_hardening_profile_bundle(hardening_bundle)) |
| elif "bundle" in hardening_bundle: |
| nested_checks.append(self.verify_hardening_report_bundle(hardening_bundle)) |
|
|
| runtime_result = bundle.get("runtime_result") |
| if isinstance(runtime_result, dict): |
| nested_checks.append(self.verify_runtime_result_bundle(runtime_result)) |
|
|
| all_nested_ok = all(bool(x.get("verified")) for x in nested_checks) if nested_checks else True |
|
|
| return { |
| "ok": bool(identity_verification.get("ok")) and all_nested_ok, |
| "artifact_type": "technical_identity_bundle", |
| "verified": bool(identity_verification.get("verified")) and all_nested_ok, |
| "technical_identity_verification": identity_verification, |
| "nested_verifications": nested_checks, |
| } |
|
|
| |
| |
| |
| def verify_auto(self, obj: Dict[str, Any]) -> Dict[str, Any]: |
| if "technical_identity" in obj: |
| return self.verify_technical_identity_bundle(obj) |
|
|
| if "bundle" in obj and isinstance(obj.get("bundle"), dict): |
| inner = obj["bundle"] |
|
|
| if "hardening_profile" in inner and "crypto_seal" in inner: |
| return self.verify_hardening_report_bundle(obj) |
|
|
| if "hardening_profile" in obj and "crypto_seal" in obj: |
| return self.verify_hardening_profile_bundle(obj) |
|
|
| if "crypto_seal" in obj: |
| return self.verify_runtime_result_bundle(obj) |
|
|
| return { |
| "ok": False, |
| "verified": False, |
| "artifact_type": "unknown", |
| "error": "could_not_detect_artifact_type", |
| } |
|
|
| def verify_file(self, path: str) -> Dict[str, Any]: |
| obj = _load_json(path) |
| result = self.verify_auto(obj) |
| result["source_file"] = path |
| return result |
|
|
|
|
| VERIFIER = SovereignExternalVerifierV11() |
|
|
|
|
| def verify_artifact_file_v11(path: str) -> Dict[str, Any]: |
| return VERIFIER.verify_file(path) |
|
|
|
|
| def _build_arg_parser() -> argparse.ArgumentParser: |
| parser = argparse.ArgumentParser( |
| description="Verifier v11 (with hardening support)." |
| ) |
| parser.add_argument("--file", required=True) |
| return parser |
|
|
|
|
| if __name__ == "__main__": |
| parser = _build_arg_parser() |
| args = parser.parse_args() |
|
|
| result = verify_artifact_file_v11(args.file) |
| print(json.dumps(result, indent=2, ensure_ascii=False)) |
|
|
|
|