Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add accessors to trustroot #432

Merged
merged 1 commit into from
Aug 3, 2023
Merged

Add accessors to trustroot #432

merged 1 commit into from
Aug 3, 2023

Conversation

loosebazooka
Copy link
Member

@loosebazooka loosebazooka commented Apr 25, 2023
edited

We need to be able to query the trustroot for CAs and logs to initialize our signers and based on the material we are signing.

This will eventually allow us to init a client directly from a trustroot

vlsi
vlsi reviewed Apr 25, 2023
View reviewed changes
sigstore-java/src/test/java/dev/sigstore/trustroot/SigstoreTrustedRootTest.java Outdated
Comment on lines 141 to 142
assertIsPresent(
trustRoot.getTlog(key, ZonedDateTime.parse("2021-01-12T11:53:27.000Z").toInstant()));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you considered factoring out assertGetTLogExists / assertGetTLogMissing so the assertion failures could include input data rather than "expected true got false"?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the failure is pretty obvious from the data/test-line-number? In particular, someone would need to inspect the full trust root json and then decide why the test is failing.

It seems to me that changes would make the tests a bit more complicated that it needs to be? But maybe I'm not seeing this the same way you are?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay, I think coming back to this, I see what you're saying, lemme try it out

@loosebazooka loosebazooka added the safe to test conformance testing label label Apr 26, 2023
patflynn
patflynn reviewed May 9, 2023
View reviewed changes
sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreTrustedRoot.java Outdated
List<CertificateAuthority> certificateAuthorities) {
var current =
certificateAuthorities.stream()
.filter(ca -> ca.getValidFor().getEnd().isEmpty())
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could a currentCA not have a getEnd value that's in the future?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@znewman01 @kommendorkapten could it?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Technically they could, but the intention is to have the current with an unspecified end. I think this is a good callout, I'll create a PR to clarify this: sigstore/protobuf-specs#80.

If the current has a known end, and due to operational constraints there may be an overlap of the validity time for a CA, so if we need to understand what CA is the current we would need to guess based on the time range which can be error-prone.

@loosebazooka
Add queryable trustroot containers
9b9fb4c 
Specificially for CertificateAuthorities and TransparencyLogs

We need to be able to query the trustroot for CAs and logs to initialize
our signers and based on the material we are signing.

This will eventually allow us to init a client directly from a trustroot

Signed-off-by: Appu Goundan <appu@google.com>
@loosebazooka
Copy link
Member Author

reworked this a bit to put the logic in CertificateAuthorities and TranspencyLogs. We can now pass just those objects when necessary instead of the whole trust root?

@loosebazooka
Copy link
Member Author

@patflynn @vlsi this is ready for another look. The intention is to pass CertificateAuthorities and TransparencyLogs to the appropriate Fulcio/Rekor client.

@loosebazooka loosebazooka merged commit 0d557a2 into main Aug 3, 2023
10 of 11 checks passed
@loosebazooka loosebazooka deleted the plumb-tuf-client-part1 branch August 3, 2023 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patflynn patflynn patflynn left review comments

@kommendorkapten kommendorkapten kommendorkapten left review comments

@vlsi vlsi vlsi approved these changes

Assignees
No one assigned
Labels
safe to test conformance testing label
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@loosebazooka @vlsi @patflynn @kommendorkapten