kommendorkapten/trtool
trtool

This is a tool to work with Sigstore Trusted Roots.

The trtool project aims to follow the Unix philosophy as much as possible, which implies the "Rule of Silence": if nothing unexpected happens, the program stays silent.

This project is still in pre-alpha.

Examples

Initialize a trust root

$ ./trtool init \
    -ca test_data/fulcio-chain.pem \
    -ca-start 2024-04-03T00:00:00Z \
    -ca-uri https://fulcio.test.foo | jq > tr.json

Add an artifact signature transparency log

$ ./trtool add -f tr.json \
    -type tlog \
    -uri https://foo.bar \
    -pem test_data/rekor.pkcs1.pem \
    -start 2024-04-03T00:00:00Z | jq > tr2.json

Add a certificate transparency log

$ ./trtool add -f tr2.json \
    -type ctlog \
    -uri https://ct.bar \
    -pem test_data/rekor.pkix.pem \
    -start 2024-04-03T00:00:00Z | jq > tr3.json

Inspect the final result

{
  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
  "tlogs": [
    {
      "baseUrl": "https://foo.bar",
      "hashAlgorithm": "SHA2_256",
      "publicKey": {
        "rawBytes": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyuEumAOUjCAEM2unKrmJohSqGzAH6+TsETWSPYsB98xDIO5zdL43LD/dpEXW9DnRdGYKnlDCLYyFYiR7/gToxmiZgprn45ZvNxQQDnwHuUdIVnfYvDV5nTSrqMW7WZ1bWckkw5P00BNVXLCWBW6KCGflcZODXd8Nrk8lWzl32iUbKh48WbumvfmcIBdrouXrJ/fzGV3OYLiIk9dMP6ux18cceJeeMyn2rTnSknOMQP95OsdOh0G22bSbQFtCnGeNW+TOXsA5q9w59V56/gqGZksOAqLcZu2IhLq33q8r6kh47t2kGcvBFi6QUuqzavT2zguEHdP7nQNCYzfioEo3zwIDAQAB",
        "keyDetails": "PKIX_RSA_PKCS1V15_2048_SHA256",
        "validFor": {
          "start": "2024-04-03T00:00:00Z"
        }
      },
      "logId": {
        "keyId": "/TKbCUU9CPkeXPLkZSBMayyIieby0t5s3hpm/mWvTDU="
      }
    }
  ],
  "certificateAuthorities": [
    {
      "subject": {
        "organization": "Umbrella Corporation",
        "commonName": "Root"
      },
      "uri": "https://fulcio.test.foo",
      "certChain": {
        "certificates": [
          {
            "rawBytes": "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"
          },
          {
            "rawBytes": "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"
          },
          {
            "rawBytes": "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"
          }
        ]
      },
      "validFor": {
        "start": "2024-04-03T00:00:00Z"
      }
    }
  ],
  "ctlogs": [
    {
      "baseUrl": "https://ct.bar",
      "hashAlgorithm": "SHA2_256",
      "publicKey": {
        "rawBytes": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyuEumAOUjCAEM2unKrmJohSqGzAH6+TsETWSPYsB98xDIO5zdL43LD/dpEXW9DnRdGYKnlDCLYyFYiR7/gToxmiZgprn45ZvNxQQDnwHuUdIVnfYvDV5nTSrqMW7WZ1bWckkw5P00BNVXLCWBW6KCGflcZODXd8Nrk8lWzl32iUbKh48WbumvfmcIBdrouXrJ/fzGV3OYLiIk9dMP6ux18cceJeeMyn2rTnSknOMQP95OsdOh0G22bSbQFtCnGeNW+TOXsA5q9w59V56/gqGZksOAqLcZu2IhLq33q8r6kh47t2kGcvBFi6QUuqzavT2zguEHdP7nQNCYzfioEo3zwIDAQAB",
        "keyDetails": "PKIX_RSA_PKCS1V15_2048_SHA256",
        "validFor": {
          "start": "2024-04-03T00:00:00Z"
        }
      },
      "logId": {
        "keyId": "/TKbCUU9CPkeXPLkZSBMayyIieby0t5s3hpm/mWvTDU="
      }
    }
  ]
}

The astute reader will notice that the CT log and the transparency log end up with the same public key and the same logId, even though they were added from different PEM files. The key material is the same; test_data/rekor.pkcs1.pem encodes it as PKCS#1 and test_data/rekor.pkix.pem as PKIX. During serialization to JSON only PKIX is emitted, because sigstore/protobuf-specs deprecates the PKCS#1 encoding, and since the logId is the SHA-256 of that DER-encoded PKIX key, identical keys yield identical log IDs regardless of how they were supplied.
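To make the PKCS#1/PKIX point concrete, here is an added Go example (not trtool's own code) that loads an RSA public key from either PEM form, shows that both decode to the same key, and derives logId.keyId the way sigstore/protobuf-specs defines it: SHA-256 over the DER-encoded PKIX key, base64-encoded in the JSON. The key it generates stands in for the rekor.pkcs1.pem / rekor.pkix.pem test files; the pageRawBytes constant is copied from the tlog entry above so you can recompute its keyId and compare. Function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// Copied from publicKey.rawBytes of the tlog entry in the trusted root above
// (base64 of a DER SubjectPublicKeyInfo).
const pageRawBytes = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyuEumAOUjCAEM2unKrmJohSqGzAH6+TsETWSPYsB98xDIO5zdL43LD/dpEXW9DnRdGYKnlDCLYyFYiR7/gToxmiZgprn45ZvNxQQDnwHuUdIVnfYvDV5nTSrqMW7WZ1bWckkw5P00BNVXLCWBW6KCGflcZODXd8Nrk8lWzl32iUbKh48WbumvfmcIBdrouXrJ/fzGV3OYLiIk9dMP6ux18cceJeeMyn2rTnSknOMQP95OsdOh0G22bSbQFtCnGeNW+TOXsA5q9w59V56/gqGZksOAqLcZu2IhLq33q8r6kh47t2kGcvBFi6QUuqzavT2zguEHdP7nQNCYzfioEo3zwIDAQAB"

// loadRSAPublicKeyPEM accepts either PEM form of an RSA public key:
// "RSA PUBLIC KEY" is PKCS#1 (a bare RSAPublicKey), "PUBLIC KEY" is PKIX
// (SubjectPublicKeyInfo). Both carry the same modulus and exponent.
func loadRSAPublicKeyPEM(data []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PUBLIC KEY":
		return x509.ParsePKCS1PublicKey(block.Bytes)
	case "PUBLIC KEY":
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaPub, ok := pub.(*rsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("expected an RSA key, got %T", pub)
		}
		return rsaPub, nil
	default:
		return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
}

// logKeyID derives logId.keyId as sigstore/protobuf-specs defines it:
// SHA-256 over the DER-encoded PKIX public key, base64 in the JSON form.
func logKeyID(pkixDER []byte) string {
	sum := sha256.Sum256(pkixDER)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// keyIDFromRawBytes computes the keyId for a publicKey.rawBytes value taken
// from a trusted root, rejecting anything that is not PKIX (PKCS#1 included).
func keyIDFromRawBytes(rawBytes string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(rawBytes)
	if err != nil {
		return "", err
	}
	if _, err := x509.ParsePKIXPublicKey(der); err != nil {
		return "", fmt.Errorf("rawBytes is not a PKIX public key: %w", err)
	}
	return logKeyID(der), nil
}

// sameKeyTwoEncodings generates a throwaway RSA key and writes it out in both
// PEM forms, standing in for rekor.pkcs1.pem / rekor.pkix.pem (constructed
// data, not the repository's files), and returns the keyId the PKIX form yields.
func sameKeyTwoEncodings() (pkcs1PEM, pkixPEM []byte, keyID string, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, "", err
	}
	pkcs1PEM = pem.EncodeToMemory(&pem.Block{
		Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(&priv.PublicKey)})
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, "", err
	}
	pkixPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return pkcs1PEM, pkixPEM, logKeyID(der), nil
}

func main() {
	pkcs1PEM, pkixPEM, keyID, err := sameKeyTwoEncodings()
	if err != nil {
		panic(err)
	}
	k1, err1 := loadRSAPublicKeyPEM(pkcs1PEM)
	k2, err2 := loadRSAPublicKeyPEM(pkixPEM)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println("same key from both PEM files:", k1.Equal(k2), "keyId:", keyID)
	// Recompute the keyId for the tlog key in the trusted root above and
	// compare it with the logId.keyId printed there.
	if id, err := keyIDFromRawBytes(pageRawBytes); err != nil {
		fmt.Println("page rawBytes:", err)
	} else {
		fmt.Println("keyId for page rawBytes:", id)
	}
}
```

Run it with `go run .`; the keyId is 44 base64 characters because it encodes a 32-byte SHA-256 digest, and feeding a PKCS#1 encoding to keyIDFromRawBytes is rejected, which is why only the PKIX form belongs in rawBytes.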

Verify the generated trust root

$ ./trtool verify -f tr3.json
$ echo $?
0

In verbose mode

$ ./trtool verify -v -f tr3.json
Verifying OU='Umbrella Corporation' CN='Root' of length 3
  Loaded OU='Umbrella Corporation' CN='Fulcio Intermediate - online' CA:true MaxPathLen 0 at pos 0
    issuer OU='Umbrella Corporation' CN='Fulcio Intermediate - offline'
  Loaded OU='Umbrella Corporation' CN='Fulcio Intermediate - offline' CA:true MaxPathLen 1 at pos 1
    issuer OU='Umbrella Corporation' CN='Root'
  Loaded OU='Umbrella Corporation' CN='Root' CA:true MaxPathLen 2 at pos 2
    issuer OU='Umbrella Corporation' CN='Root'
------------------------------------------------------------------------
Trusted root is valid
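The verbose output shows what a verifier has to establish about certChain: the chain is stored with the issuing CA at position 0 and the self-signed root last, each certificate is issued by the one after it, every member is a CA, and the pathLenConstraint at each position must allow the CAs below it. As an added example, not trtool's own verification code, the Go program below builds a constructed three-tier hierarchy with the same names as the verbose output (ECDSA P-256 keys, not the repository's test_data) and applies those checks; verifyCAChain, newCA and buildChain are names chosen here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyCAChain checks a certChain in trusted-root order: position 0 is the
// CA that issues signing certificates, each certificate is issued by the one
// after it, and the last one is a self-signed root. Every member must be a
// CA, and a pathLenConstraint at position i must allow the i CAs below it.
func verifyCAChain(chain []*x509.Certificate) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	last := len(chain) - 1
	for i, c := range chain {
		cn := c.Subject.CommonName
		if !c.BasicConstraintsValid || !c.IsCA {
			return fmt.Errorf("pos %d %q: not a CA certificate", i, cn)
		}
		// Go reports MaxPathLen -1 when absent; 0 is a constraint only with MaxPathLenZero.
		if c.MaxPathLen > 0 || (c.MaxPathLen == 0 && c.MaxPathLenZero) {
			if i > c.MaxPathLen {
				return fmt.Errorf("pos %d %q: pathLenConstraint %d but %d CAs below it", i, cn, c.MaxPathLen, i)
			}
		}
		issuerPos := i + 1
		if i == last {
			issuerPos = i // the root must be self-signed
		}
		issuer := chain[issuerPos]
		if !bytes.Equal(c.RawIssuer, issuer.RawSubject) {
			return fmt.Errorf("pos %d %q: issuer is not the subject at pos %d", i, cn, issuerPos)
		}
		if err := c.CheckSignatureFrom(issuer); err != nil {
			return fmt.Errorf("pos %d %q: signature check against pos %d failed: %w", i, cn, issuerPos, err)
		}
	}
	return nil
}

// newCA issues a CA certificate with the given pathLenConstraint; a nil
// parent produces a self-signed root. Constructed test data only.
func newCA(cn string, maxPathLen int, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{Organization: []string{"Umbrella Corporation"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain mirrors the hierarchy in the verbose output: Root (MaxPathLen 2)
// signs the offline intermediate (MaxPathLen 1), which signs the online
// intermediate (MaxPathLen 0). Returned in trusted-root order, online first.
func buildChain() ([]*x509.Certificate, error) {
	root, rootKey, err := newCA("Root", 2, nil, nil)
	if err != nil {
		return nil, err
	}
	offline, offlineKey, err := newCA("Fulcio Intermediate - offline", 1, root, rootKey)
	if err != nil {
		return nil, err
	}
	online, _, err := newCA("Fulcio Intermediate - online", 0, offline, offlineKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{online, offline, root}, nil
}

func main() {
	chain, err := buildChain()
	if err != nil {
		panic(err)
	}
	for i, c := range chain {
		fmt.Printf("pos %d CN=%q CA:%v MaxPathLen %d issuer CN=%q\n",
			i, c.Subject.CommonName, c.IsCA, c.MaxPathLen, c.Issuer.CommonName)
	}
	if err := verifyCAChain(chain); err != nil {
		fmt.Println("invalid:", err)
		return
	}
	fmt.Println("Trusted root is valid")
}
```

Handing the same three certificates to verifyCAChain in reverse order, or without the root, is rejected: the issuer at position i no longer matches the subject at i+1, or the last certificate is not self-signed. Because the intermediate at position 0 has MaxPathLen 0, it can only issue end-entity certificates, which is exactly the role of the online Fulcio CA.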
