Clean up attestation definitions

* Move them into attestations.go
* Remove DSSE signer in favour of go-securesystemslib implementation

Signed-off-by: Aditya Sirish <aditya@saky.in>

in_toto/attestations.go

@@ -0,0 +1,99 @@
+package in_toto
+
+import (
+	"github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
+	slsa01 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.1"
+	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	slsa1 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1"
+)
+
+const (
+	// StatementInTotoV01 is the statement type for the generalized link format
+	// containing statements. This is constant for all predicate types.
+	StatementInTotoV01 = "https://in-toto.io/Statement/v0.1"
+	// PredicateSPDX represents a SBOM using the SPDX standard.
+	// The SPDX mandates 'spdxVersion' field, so predicate type can omit
+	// version.
+	PredicateSPDX = "https://spdx.dev/Document"
+	// PredicateCycloneDX represents a CycloneDX SBOM
+	PredicateCycloneDX = "https://cyclonedx.org/bom"
+	// PredicateLinkV1 represents an in-toto 0.9 link.
+	PredicateLinkV1 = "https://in-toto.io/Link/v1"
+)
+
+// Subject describes the set of software artifacts the statement applies to.
+type Subject struct {
+	Name   string           `json:"name"`
+	Digest common.DigestSet `json:"digest"`
+}
+
+// StatementHeader defines the common fields for all statements
+type StatementHeader struct {
+	Type          string    `json:"_type"`
+	PredicateType string    `json:"predicateType"`
+	Subject       []Subject `json:"subject"`
+}
+
+/*
+Statement binds the attestation to a particular subject and identifies the
+of the predicate. This struct represents a generic statement.
+*/
+type Statement struct {
+	StatementHeader
+	// Predicate contains type speficic metadata.
+	Predicate interface{} `json:"predicate"`
+}
+
+// ProvenanceStatementSLSA01 is the definition for an entire provenance statement with SLSA 0.1 predicate.
+type ProvenanceStatementSLSA01 struct {
+	StatementHeader
+	Predicate slsa01.ProvenancePredicate `json:"predicate"`
+}
+
+// ProvenanceStatementSLSA02 is the definition for an entire provenance statement with SLSA 0.2 predicate.
+type ProvenanceStatementSLSA02 struct {
+	StatementHeader
+	Predicate slsa02.ProvenancePredicate `json:"predicate"`
+}
+
+// ProvenanceStatementSLSA1 is the definition for an entire provenance statement with SLSA 1.0 predicate.
+type ProvenanceStatementSLSA1 struct {
+	StatementHeader
+	Predicate slsa1.ProvenancePredicate `json:"predicate"`
+}
+
+// ProvenanceStatement is the definition for an entire provenance statement with SLSA 0.2 predicate.
+// Deprecated: Only version-specific provenance structs will be maintained (ProvenanceStatementSLSA01, ProvenanceStatementSLSA02).
+type ProvenanceStatement struct {
+	StatementHeader
+	Predicate slsa02.ProvenancePredicate `json:"predicate"`
+}
+
+// LinkStatement is the definition for an entire link statement.
+type LinkStatement struct {
+	StatementHeader
+	Predicate Link `json:"predicate"`
+}
+
+/*
+SPDXStatement is the definition for an entire SPDX statement.
+This is currently not implemented. Some tooling exists here:
+https://github.com/spdx/tools-golang, but this software is still in
+early state.
+This struct is the same as the generic Statement struct but is added for
+completeness
+*/
+type SPDXStatement struct {
+	StatementHeader
+	Predicate interface{} `json:"predicate"`
+}
+
+/*
+CycloneDXStatement defines a cyclonedx sbom in the predicate. It is not
+currently serialized just as its SPDX counterpart. It is an empty
+interface, like the generic Statement.
+*/
+type CycloneDXStatement struct {
+	StatementHeader
+	Predicate interface{} `json:"predicate"`
+}