trustroot: initial client config messages #277

Merged
merged 9 commits into from
Apr 2, 2024
299 changes: 299 additions & 0 deletions gen/jsonschema/schemas/ClientTrustConfig.schema.json

Large diffs are not rendered by default.

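--- a/gen/jsonschema/schemas/SigningConfig.schema.json
+++ b/gen/jsonschema/schemas/SigningConfig.schema.json
@@ -0,0 +1,36 @@
+{
+"$schema": "http://json-schema.org/draft-04/schema#",
+"$ref": "#/definitions/SigningConfig",
+"definitions": {
+"SigningConfig": {
+"properties": {
+"caUrl": {
+"type": "string",
+"description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
+},
+"oidcUrl": {
+"type": "string",
+"description": "A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
+},
+"tlogUrls": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
+},
+"tsaUrls": {
+"items": {
+"type": "string"
+},
+"type": "array",
+"description": "One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
+}
+},
+"additionalProperties": false,
+"type": "object",
+"title": "Signing Config",
+"description": "SigningConfig represents the trusted entities/state needed by Sigstore signing. In particular, it primarily contains service URLs that a Sigstore signer may need to connect to for the online aspects of signing."
+}
+}
+}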
388 changes: 303 additions & 85 deletions gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go

Large diffs are not rendered by default.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 14 additions & 0 deletions gen/pb-ruby/lib/sigstore_trustroot_pb.rb

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Expand Up @@ -136,3 +136,70 @@ pub struct TrustedRoot {
#[prost(message, repeated, tag = "5")]
pub timestamp_authorities: ::prost::alloc::vec::Vec<CertificateAuthority>,
}
/// SigningConfig represents the trusted entities/state needed by Sigstore
/// signing. In particular, it primarily contains service URLs that a Sigstore
/// signer may need to connect to for the online aspects of signing.
#[derive(
sigstore_protobuf_specs_derive::Deserialize_proto,
sigstore_protobuf_specs_derive::Serialize_proto
)]
#[derive(::prost_reflect::ReflectMessage)]
#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.SigningConfig")]
#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SigningConfig {
/// A URL to a Fulcio-compatible CA, capable of receiving
/// Certificate Signing Requests (CSRs) and responding with
/// issued certificates.
///
/// This URL **MUST** be the "base" URL for the CA, which clients
/// should construct an appropriate CSR endpoint on top of.
/// For example, if `ca_url` is `<https://example.com/ca`,> then
/// the client **MAY** construct the CSR endpoint as
/// `<https://example.com/ca/api/v2/signingCert`.>
#[prost(string, tag = "1")]
pub ca_url: ::prost::alloc::string::String,
/// A URL to an OpenID Connect identity provider.
///
/// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
/// should perform well-known OpenID Connect discovery against.
#[prost(string, tag = "2")]
pub oidc_url: ::prost::alloc::string::String,
/// One or more URLs to Rekor-compatible transparency log.
///
/// Each URL **MUST** be the "base" URL for the transparency log,
/// which clients should construct appropriate API endpoints on top of.
#[prost(string, repeated, tag = "3")]
pub tlog_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
/// One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
///
/// Each URL **MUST** be the **full** URL for the TSA, meaning that it
/// should be suitable for submitting Time Stamp Requests (TSRs) to
/// via HTTP, per RFC 3161.
#[prost(string, repeated, tag = "4")]
pub tsa_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// ClientTrustConfig describes the complete state needed by a client
/// to perform both signing and verification operations against a particular
/// instance of Sigstore.
#[derive(
sigstore_protobuf_specs_derive::Deserialize_proto,
sigstore_protobuf_specs_derive::Serialize_proto
)]
#[derive(::prost_reflect::ReflectMessage)]
#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.ClientTrustConfig")]
#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ClientTrustConfig {
/// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
#[prost(string, tag = "1")]
pub media_type: ::prost::alloc::string::String,
/// The root of trust, which MUST be present.
#[prost(message, optional, tag = "2")]
pub trusted_root: ::core::option::Option<TrustedRoot>,
/// Configuration for signing clients, which MUST be present.
#[prost(message, optional, tag = "3")]
pub signing_config: ::core::option::Option<SigningConfig>,
}
Binary file not shown.
114 changes: 114 additions & 0 deletions gen/pb-typescript/src/__generated__/sigstore_trustroot.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

51 changes: 51 additions & 0 deletions protos/sigstore_trustroot.proto
Expand Up @@ -15,6 +15,7 @@
syntax = "proto3";
package dev.sigstore.trustroot.v1;

import "google/api/field_behavior.proto";
import "sigstore_common.proto";

option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1";
Expand Down Expand Up @@ -121,3 +122,53 @@ message TrustedRoot {
// A set of trusted timestamping authorities.
repeated CertificateAuthority timestamp_authorities = 5;
}


// SigningConfig represents the trusted entities/state needed by Sigstore
// signing. In particular, it primarily contains service URLs that a Sigstore
// signer may need to connect to for the online aspects of signing.
message SigningConfig {
// A URL to a Fulcio-compatible CA, capable of receiving
// Certificate Signing Requests (CSRs) and responding with
// issued certificates.
//
// This URL **MUST** be the "base" URL for the CA, which clients
// should construct an appropriate CSR endpoint on top of.
// For example, if `ca_url` is `https://example.com/ca`, then
// the client **MAY** construct the CSR endpoint as
// `https://example.com/ca/api/v2/signingCert`.
string ca_url = 1;

// A URL to an OpenID Connect identity provider.
//
// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
// should perform well-known OpenID Connect discovery against.
string oidc_url = 2;

// One or more URLs to Rekor-compatible transparency log.
//
// Each URL **MUST** be the "base" URL for the transparency log,
// which clients should construct appropriate API endpoints on top of.
repeated string tlog_urls = 3;

// One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
//
// Each URL **MUST** be the **full** URL for the TSA, meaning that it
// should be suitable for submitting Time Stamp Requests (TSRs) to
// via HTTP, per RFC 3161.
repeated string tsa_urls = 4;
}

// ClientTrustConfig describes the complete state needed by a client
// to perform both signing and verification operations against a particular
// instance of Sigstore.
message ClientTrustConfig {
// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
string media_type = 1;

// The root of trust, which MUST be present.
TrustedRoot trusted_root = 2 [(google.api.field_behavior) = REQUIRED];

// Configuration for signing clients, which MUST be present.
SigningConfig signing_config = 3 [(google.api.field_behavior) = REQUIRED];
}
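Review bot: The `SigningConfig` field comments do not say which URL schemes are acceptable or how the message itself must be authenticated, even though `ca_url`, `oidc_url`, `tlog_urls` and `tsa_urls` decide which services a signer contacts during signing. A client that loads this message from an unauthenticated source, or accepts a plain `http://` value, would presumably direct its identity and certificate requests to whatever endpoint the file names, so the constraint is better stated once in the schema than left to each client. I would add to the `SigningConfig` message comment something like `// Clients SHOULD reject any URL whose scheme is not https, and MUST only use a SigningConfig obtained through an authenticated channel.` It is also not stated whether `ca_url` and `oidc_url` may be empty: they carry no `[(google.api.field_behavior) = REQUIRED]` annotation, while both `ClientTrustConfig` members do, and `media_type` says "MUST be" without one. Separately, the `tsa_urls` comment reads "One ore more".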