Convert SCT to AddChainResponse for non-embedded SCT CAs

This is because Cosign expects an AddChainResponse and not an SCT. The new client returns an SCT instead, so we have to manually convert it. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Apr 7, 2022 · 8a1ae74 · 8a1ae74
1 parent dfa90c1
commit 8a1ae74
Show file tree

Hide file tree

Showing 3 changed files with 141 additions and 14 deletions.
diff --git a/pkg/api/ca.go b/pkg/api/ca.go
@@ -28,11 +28,11 @@ import (
 	"strings"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	ct "github.com/google/certificate-transparency-go"
 	ctclient "github.com/google/certificate-transparency-go/client"
 	certauth "github.com/sigstore/fulcio/pkg/ca"
 	"github.com/sigstore/fulcio/pkg/challenges"
 	"github.com/sigstore/fulcio/pkg/config"
+	"github.com/sigstore/fulcio/pkg/ctl"
 	"github.com/sigstore/fulcio/pkg/log"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
@@ -195,17 +195,18 @@ func (a *api) signingCert(w http.ResponseWriter, req *http.Request) {
 
 		// submit to CTL
 		if a.ct != nil {
-			chain := []ct.ASN1Cert{}
-			chain = append(chain, ct.ASN1Cert{Data: csc.FinalCertificate.Raw})
-			for _, c := range csc.FinalChain {
-				chain = append(chain, ct.ASN1Cert{Data: c.Raw})
-			}
-			sct, err := a.ct.AddChain(ctx, chain)
+			sct, err := a.ct.AddChain(ctx, ctl.BuildCTChain(csc.FinalCertificate, csc.FinalChain))
 			if err != nil {
 				handleFulcioAPIError(w, req, http.StatusInternalServerError, err, failedToEnterCertInCTL)
 				return
 			}
-			sctBytes, err = json.Marshal(sct)
+			// convert to AddChainResponse because Cosign expects this struct.
+			addChainResp, err := ctl.ToAddChainResponse(sct)
+			if err != nil {
+				handleFulcioAPIError(w, req, http.StatusInternalServerError, err, failedToMarshalSCT)
+				return
+			}
+			sctBytes, err = json.Marshal(addChainResp)
 			if err != nil {
 				handleFulcioAPIError(w, req, http.StatusInternalServerError, err, failedToMarshalSCT)
 				return
@@ -225,12 +226,7 @@ func (a *api) signingCert(w http.ResponseWriter, req *http.Request) {
 			handleFulcioAPIError(w, req, http.StatusInternalServerError, err, genericCAError)
 		}
 		// submit precertificate and chain to CT log
-		chain := []ct.ASN1Cert{}
-		chain = append(chain, ct.ASN1Cert{Data: precert.PreCert.Raw})
-		for _, c := range precert.CertChain {
-			chain = append(chain, ct.ASN1Cert{Data: c.Raw})
-		}
-		sct, err := a.ct.AddPreChain(ctx, chain)
+		sct, err := a.ct.AddPreChain(ctx, ctl.BuildCTChain(precert.PreCert, precert.CertChain))
 		if err != nil {
 			handleFulcioAPIError(w, req, http.StatusInternalServerError, err, failedToEnterCertInCTL)
 			return

diff --git a/pkg/ctl/utils.go b/pkg/ctl/utils.go
@@ -0,0 +1,51 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ctl
+
+import (
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+
+	ct "github.com/google/certificate-transparency-go"
+	"github.com/google/certificate-transparency-go/tls"
+)
+
+// BuildCTChain constructs an ASN.1 encoded certificate chain for appending to the CT log.
+func BuildCTChain(cert *x509.Certificate, chain []*x509.Certificate) []ct.ASN1Cert {
+	ctChain := []ct.ASN1Cert{}
+	ctChain = append(ctChain, ct.ASN1Cert{Data: cert.Raw})
+	for _, c := range chain {
+		ctChain = append(ctChain, ct.ASN1Cert{Data: c.Raw})
+	}
+	return ctChain
+}
+
+// ToAddChainResponse converts an SCT struct to an AddChainResponse struct.
+func ToAddChainResponse(sct *ct.SignedCertificateTimestamp) (*ct.AddChainResponse, error) {
+	sig, err := tls.Marshal(sct.Signature)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal signature: %s", err)
+	}
+	addChainResp := &ct.AddChainResponse{
+		SCTVersion: sct.SCTVersion,
+		Timestamp:  sct.Timestamp,
+		Extensions: base64.StdEncoding.EncodeToString(sct.Extensions),
+		ID:         sct.LogID.KeyID[:],
+		Signature:  sig,
+	}
+
+	return addChainResp, nil
+}
diff --git a/pkg/ctl/utils_test.go b/pkg/ctl/utils_test.go
@@ -0,0 +1,80 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package ctl
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/base64"
+	"reflect"
+	"testing"
+
+	ct "github.com/google/certificate-transparency-go"
+	"github.com/google/certificate-transparency-go/tls"
+)
+
+func TestBuildCTChain(t *testing.T) {
+	certs := []*x509.Certificate{
+		{Subject: pkix.Name{CommonName: "leaf"}},
+		{Subject: pkix.Name{CommonName: "sub"}},
+		{Subject: pkix.Name{CommonName: "root"}},
+	}
+	ctChain := BuildCTChain(certs[0], certs[1:3])
+
+	if len(ctChain) != len(certs) {
+		t.Fatalf("CT chain length does not equal certificate chain length, got %v, expected %v", len(ctChain), len(certs))
+	}
+
+	for i := 0; i < len(certs); i++ {
+		if !reflect.DeepEqual(ctChain[i].Data, certs[i].Raw) {
+			t.Fatal("CT certificate and certificate do not match")
+		}
+	}
+}
+
+func TestToAddChainResponse(t *testing.T) {
+	sct := &ct.SignedCertificateTimestamp{
+		SCTVersion: ct.V1,
+		LogID:      ct.LogID{KeyID: [32]byte{1, 2, 3, 4}},
+		Timestamp:  12345,
+		Extensions: ct.CTExtensions{1, 2, 3},
+		Signature:  ct.DigitallySigned{Algorithm: tls.SignatureAndHashAlgorithm{Hash: tls.SHA1, Signature: tls.ECDSA}},
+	}
+
+	resp, err := ToAddChainResponse(sct)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+
+	if resp.SCTVersion != sct.SCTVersion {
+		t.Fatal("SCT version does not match")
+	}
+	if !reflect.DeepEqual(resp.ID, sct.LogID.KeyID[:]) {
+		t.Fatal("ID does not match")
+	}
+	if resp.Timestamp != sct.Timestamp {
+		t.Fatal("timestamp does not match")
+	}
+	if resp.Extensions != base64.StdEncoding.EncodeToString(sct.Extensions) {
+		t.Fatal("timestamp does not match")
+	}
+	sig, err := tls.Marshal(sct.Signature)
+	if err != nil {
+		t.Fatal("error marshalling signature")
+	}
+	if !reflect.DeepEqual(resp.Signature, sig) {
+		t.Fatal("signature does not match")
+	}
+}