Improve method naming in TrustedMaterial interface #114

Merged
merged 2 commits into from
Mar 6, 2024
4 changes: 2 additions & 2 deletions cmd/conformance/main.go
Expand Up @@ -237,12 +237,12 @@ func main() {
os.Exit(1)
}

if len(tr.TSACertificateAuthorities()) > 0 && len(bundleTimestamps) > 0 {
if len(tr.TimestampingAuthorities()) > 0 && len(bundleTimestamps) > 0 {
verifierConfig = append(verifierConfig, verify.WithSignedTimestamps(1))
}

// Check bundle and trusted root for Tlog information
if len(tr.TlogAuthorities()) > 0 && b.HasInclusionPromise() {
if len(tr.RekorLogs()) > 0 && b.HasInclusionPromise() {
verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
}

2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -16,7 +16,7 @@ require (
github.com/sigstore/sigstore v1.8.2
github.com/sigstore/timestamp-authority v1.2.2
github.com/stretchr/testify v1.9.0
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63
golang.org/x/crypto v0.20.0
golang.org/x/mod v0.15.0
google.golang.org/protobuf v1.32.0
2 changes: 2 additions & 0 deletions go.sum
Expand Up @@ -298,6 +298,8 @@ github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qv
github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917 h1:Ov8+IAeR7pivNDC0Cd25MyyaCR3WPlGBED4wNxIFQ8s=
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU=
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk=
github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=
40 changes: 20 additions & 20 deletions pkg/root/trusted_material.go
Expand Up @@ -22,29 +22,29 @@ import (
)

type TrustedMaterial interface {
TSACertificateAuthorities() []CertificateAuthority
TimestampingAuthorities() []CertificateAuthority
FulcioCertificateAuthorities() []CertificateAuthority
TlogAuthorities() map[string]*TlogAuthority
CTlogAuthorities() map[string]*TlogAuthority
RekorLogs() map[string]*TransparencyLog
CTLogs() map[string]*TransparencyLog
PublicKeyVerifier(string) (TimeConstrainedVerifier, error)
}

type BaseTrustedMaterial struct{}

func (b *BaseTrustedMaterial) TSACertificateAuthorities() []CertificateAuthority {
func (b *BaseTrustedMaterial) TimestampingAuthorities() []CertificateAuthority {
return []CertificateAuthority{}
}

func (b *BaseTrustedMaterial) FulcioCertificateAuthorities() []CertificateAuthority {
return []CertificateAuthority{}
}

func (b *BaseTrustedMaterial) TlogAuthorities() map[string]*TlogAuthority {
return map[string]*TlogAuthority{}
func (b *BaseTrustedMaterial) RekorLogs() map[string]*TransparencyLog {
return map[string]*TransparencyLog{}
}

func (b *BaseTrustedMaterial) CTlogAuthorities() map[string]*TlogAuthority {
return map[string]*TlogAuthority{}
func (b *BaseTrustedMaterial) CTLogs() map[string]*TransparencyLog {
return map[string]*TransparencyLog{}
}

func (b *BaseTrustedMaterial) PublicKeyVerifier(_ string) (TimeConstrainedVerifier, error) {
Expand All @@ -67,10 +67,10 @@ func (tmc TrustedMaterialCollection) PublicKeyVerifier(keyID string) (TimeConstr
return nil, fmt.Errorf("public key verifier not found for keyID: %s", keyID)
}

func (tmc TrustedMaterialCollection) TSACertificateAuthorities() []CertificateAuthority {
func (tmc TrustedMaterialCollection) TimestampingAuthorities() []CertificateAuthority {
var certAuthorities []CertificateAuthority
for _, tm := range tmc {
certAuthorities = append(certAuthorities, tm.TSACertificateAuthorities()...)
certAuthorities = append(certAuthorities, tm.TimestampingAuthorities()...)
}
return certAuthorities
}
Expand All @@ -83,24 +83,24 @@ func (tmc TrustedMaterialCollection) FulcioCertificateAuthorities() []Certificat
return certAuthorities
}

func (tmc TrustedMaterialCollection) TlogAuthorities() map[string]*TlogAuthority {
tlogAuthorities := make(map[string]*TlogAuthority)
func (tmc TrustedMaterialCollection) RekorLogs() map[string]*TransparencyLog {
rekorLogs := make(map[string]*TransparencyLog)
for _, tm := range tmc {
for keyID, tlogVerifier := range tm.TlogAuthorities() {
tlogAuthorities[keyID] = tlogVerifier
for keyID, tlogVerifier := range tm.RekorLogs() {
rekorLogs[keyID] = tlogVerifier
}
}
return tlogAuthorities
return rekorLogs
}

func (tmc TrustedMaterialCollection) CTlogAuthorities() map[string]*TlogAuthority {
tlogAuthorities := make(map[string]*TlogAuthority)
func (tmc TrustedMaterialCollection) CTLogs() map[string]*TransparencyLog {
rekorLogs := make(map[string]*TransparencyLog)
for _, tm := range tmc {
for keyID, tlogVerifier := range tm.CTlogAuthorities() {
tlogAuthorities[keyID] = tlogVerifier
for keyID, tlogVerifier := range tm.CTLogs() {
rekorLogs[keyID] = tlogVerifier
}
}
return tlogAuthorities
return rekorLogs
}

type ValidityPeriodChecker interface {
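Review bot: The collection's `CTLogs()` still names its accumulator `rekorLogs`, copied from the `RekorLogs()` method directly above it, which is exactly the kind of misnomer this renaming pass is meant to remove; rename the local to `ctLogs` in its three uses: `ctLogs := make(map[string]*TransparencyLog)`, `ctLogs[keyID] = tlogVerifier`, `return ctLogs`. The newly named exported methods (`TimestampingAuthorities`, `RekorLogs`, `CTLogs`) on `TrustedMaterial`, `BaseTrustedMaterial` and `TrustedMaterialCollection` carry no doc comments, so the difference between the two log maps is only implied by their names; a one-liner each would help, e.g. `// RekorLogs returns the trusted Rekor transparency logs, keyed by hex-encoded log key ID.` (the hex form is what pkg/verify/tlog.go looks up). For the `TrustedMaterialCollection` accessors the comment should also state that when two materials trust the same key ID the later material silently replaces the earlier entry, since the merge loop is a plain map assignment with no conflict check.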
54 changes: 27 additions & 27 deletions pkg/root/trusted_root.go
Expand Up @@ -35,11 +35,11 @@ const TrustedRootMediaType01 = "application/vnd.dev.sigstore.trustedroot+json;ve

type TrustedRoot struct {
BaseTrustedMaterial
trustedRoot *prototrustroot.TrustedRoot
tlogAuthorities map[string]*TlogAuthority
fulcioCertAuthorities []CertificateAuthority
ctLogAuthorities map[string]*TlogAuthority
tsaCertAuthorities []CertificateAuthority
trustedRoot *prototrustroot.TrustedRoot
rekorLogs map[string]*TransparencyLog
fulcioCertAuthorities []CertificateAuthority
ctLogs map[string]*TransparencyLog
timestampingAuthorities []CertificateAuthority
}

type CertificateAuthority struct {
Expand All @@ -50,7 +50,7 @@ type CertificateAuthority struct {
ValidityPeriodEnd time.Time
}

type TlogAuthority struct {
type TransparencyLog struct {
BaseURL string
ID []byte
ValidityPeriodStart time.Time
Expand All @@ -62,20 +62,20 @@ type TlogAuthority struct {
SignatureHashFunc crypto.Hash
}

func (tr *TrustedRoot) TSACertificateAuthorities() []CertificateAuthority {
return tr.tsaCertAuthorities
func (tr *TrustedRoot) TimestampingAuthorities() []CertificateAuthority {
return tr.timestampingAuthorities
}

func (tr *TrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority {
return tr.fulcioCertAuthorities
}

func (tr *TrustedRoot) TlogAuthorities() map[string]*TlogAuthority {
return tr.tlogAuthorities
func (tr *TrustedRoot) RekorLogs() map[string]*TransparencyLog {
return tr.rekorLogs
}

func (tr *TrustedRoot) CTlogAuthorities() map[string]*TlogAuthority {
return tr.ctLogAuthorities
func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog {
return tr.ctLogs
}

func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error) {
Expand All @@ -84,7 +84,7 @@ func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot)
}

trustedRoot = &TrustedRoot{trustedRoot: protobufTrustedRoot}
trustedRoot.tlogAuthorities, err = ParseTlogAuthorities(protobufTrustedRoot.GetTlogs())
trustedRoot.rekorLogs, err = ParseTransparencyLogs(protobufTrustedRoot.GetTlogs())
if err != nil {
return nil, err
}
Expand All @@ -94,21 +94,21 @@ func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot)
return nil, err
}

trustedRoot.tsaCertAuthorities, err = ParseCertificateAuthorities(protobufTrustedRoot.GetTimestampAuthorities())
trustedRoot.timestampingAuthorities, err = ParseCertificateAuthorities(protobufTrustedRoot.GetTimestampAuthorities())
if err != nil {
return nil, err
}

trustedRoot.ctLogAuthorities, err = ParseTlogAuthorities(protobufTrustedRoot.GetCtlogs())
trustedRoot.ctLogs, err = ParseTransparencyLogs(protobufTrustedRoot.GetCtlogs())
if err != nil {
return nil, err
}

return trustedRoot, nil
}

func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlogAuthorities map[string]*TlogAuthority, err error) {
tlogAuthorities = make(map[string]*TlogAuthority)
func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (transparencyLogs map[string]*TransparencyLog, err error) {
transparencyLogs = make(map[string]*TransparencyLog)
for _, tlog := range tlogs {
if tlog.GetHashAlgorithm() != protocommon.HashAlgorithm_SHA2_256 {
return nil, fmt.Errorf("unsupported tlog hash algorithm: %s", tlog.GetHashAlgorithm())
Expand Down Expand Up @@ -147,7 +147,7 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog
if ecKey, ok = key.(*ecdsa.PublicKey); !ok {
return nil, fmt.Errorf("tlog public key is not ECDSA P256")
}
tlogAuthorities[encodedKeyID] = &TlogAuthority{
transparencyLogs[encodedKeyID] = &TransparencyLog{
BaseURL: tlog.GetBaseUrl(),
ID: tlog.GetLogId().GetKeyId(),
HashFunc: hashFunc,
Expand All @@ -156,12 +156,12 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog
}
if validFor := tlog.GetPublicKey().GetValidFor(); validFor != nil {
if validFor.GetStart() != nil {
tlogAuthorities[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime()
transparencyLogs[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime()
} else {
return nil, fmt.Errorf("tlog missing public key validity period start time")
}
if validFor.GetEnd() != nil {
tlogAuthorities[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime()
transparencyLogs[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime()
}
} else {
return nil, fmt.Errorf("tlog missing public key validity period")
Expand All @@ -170,7 +170,7 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog
return nil, fmt.Errorf("unsupported tlog public key type: %s", tlog.GetPublicKey().GetKeyDetails())
}
}
return tlogAuthorities, nil
return transparencyLogs, nil
}

func ParseCertificateAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (certificateAuthorities []CertificateAuthority, err error) {
Expand Down Expand Up @@ -329,10 +329,10 @@ func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error) {
return ltr, nil
}

func (l *LiveTrustedRoot) TSACertificateAuthorities() []CertificateAuthority {
func (l *LiveTrustedRoot) TimestampingAuthorities() []CertificateAuthority {
l.mu.RLock()
defer l.mu.RUnlock()
return l.TrustedRoot.TSACertificateAuthorities()
return l.TrustedRoot.TimestampingAuthorities()
}

func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority {
Expand All @@ -341,16 +341,16 @@ func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority
return l.TrustedRoot.FulcioCertificateAuthorities()
}

func (l *LiveTrustedRoot) TlogAuthorities() map[string]*TlogAuthority {
func (l *LiveTrustedRoot) RekorLogs() map[string]*TransparencyLog {
l.mu.RLock()
defer l.mu.RUnlock()
return l.TrustedRoot.TlogAuthorities()
return l.TrustedRoot.RekorLogs()
}

func (l *LiveTrustedRoot) CTlogAuthorities() map[string]*TlogAuthority {
func (l *LiveTrustedRoot) CTLogs() map[string]*TransparencyLog {
l.mu.RLock()
defer l.mu.RUnlock()
return l.TrustedRoot.CTlogAuthorities()
return l.TrustedRoot.CTLogs()
}

func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error) {
14 changes: 7 additions & 7 deletions pkg/testing/ca/ca.go
Expand Up @@ -426,21 +426,21 @@ func generateTimestampingResponse(sig []byte, tsaCert *x509.Certificate, tsaKey
return tsTemplate.CreateResponseWithOpts(tsaCert, tsaKey, hash)
}

func (ca *VirtualSigstore) TSACertificateAuthorities() []root.CertificateAuthority {
func (ca *VirtualSigstore) TimestampingAuthorities() []root.CertificateAuthority {
return []root.CertificateAuthority{ca.tsaCA}
}

func (ca *VirtualSigstore) FulcioCertificateAuthorities() []root.CertificateAuthority {
return []root.CertificateAuthority{ca.fulcioCA}
}

func (ca *VirtualSigstore) TlogAuthorities() map[string]*root.TlogAuthority {
verifiers := make(map[string]*root.TlogAuthority)
func (ca *VirtualSigstore) RekorLogs() map[string]*root.TransparencyLog {
verifiers := make(map[string]*root.TransparencyLog)
logID, err := getLogID(ca.rekorKey.Public())
if err != nil {
panic(err)
}
verifiers[logID] = &root.TlogAuthority{
verifiers[logID] = &root.TransparencyLog{
BaseURL: "test",
ID: []byte(logID),
ValidityPeriodStart: time.Now().Add(-time.Hour),
Expand All @@ -451,13 +451,13 @@ func (ca *VirtualSigstore) TlogAuthorities() map[string]*root.TlogAuthority {
return verifiers
}

func (ca *VirtualSigstore) CTlogAuthorities() map[string]*root.TlogAuthority {
verifiers := make(map[string]*root.TlogAuthority)
func (ca *VirtualSigstore) CTLogs() map[string]*root.TransparencyLog {
verifiers := make(map[string]*root.TransparencyLog)
logID, err := getLogID(ca.ctlogKey.Public())
if err != nil {
panic(err)
}
verifiers[logID] = &root.TlogAuthority{
verifiers[logID] = &root.TransparencyLog{
BaseURL: "test",
ID: []byte(logID),
ValidityPeriodStart: time.Now().Add(-time.Hour),
2 changes: 1 addition & 1 deletion pkg/tlog/entry.go
Expand Up @@ -256,7 +256,7 @@ func VerifyInclusion(entry *Entry, verifier signature.Verifier) error {
return nil
}

func VerifySET(entry *Entry, verifiers map[string]*root.TlogAuthority) error {
func VerifySET(entry *Entry, verifiers map[string]*root.TransparencyLog) error {
rekorPayload := RekorPayload{
Body: entry.logEntryAnon.Body,
IntegratedTime: *entry.logEntryAnon.IntegratedTime,
4 changes: 2 additions & 2 deletions pkg/verify/sct.go
Expand Up @@ -28,10 +28,10 @@ import (
// VerifySignedCertificateTimestamp, given a threshold, TrustedMaterial, and a
// leaf certificate, will extract SCTs from the leaf certificate and verify the
// timestamps using the TrustedMaterial's FulcioCertificateAuthorities() and
// CTlogAuthorities()
// CTLogs()
// TODO(issue#46): Add unit tests
func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int, trustedMaterial root.TrustedMaterial) error { // nolint: revive
ctlogs := trustedMaterial.CTlogAuthorities()
ctlogs := trustedMaterial.CTLogs()
fulcioCerts := trustedMaterial.FulcioCertificateAuthorities()

scts, err := x509util.ParseSCTsFromCertificate(leafCert.Raw)
6 changes: 3 additions & 3 deletions pkg/verify/signed_entity.go
Expand Up @@ -118,7 +118,7 @@ func WithOnlineVerification() VerifierOption {

// WithSignedTimestamps configures the SignedEntityVerifier to expect RFC 3161
// timestamps from a Timestamp Authority, verify them using the TrustedMaterial's
// TSACertificateAuthorities(), and, if it exists, use the resulting timestamp(s)
// TimestampingAuthorities(), and, if it exists, use the resulting timestamp(s)
// to verify the Fulcio certificate.
func WithSignedTimestamps(threshold int) VerifierOption {
return func(c *VerifierConfig) error {
Expand All @@ -134,7 +134,7 @@ func WithSignedTimestamps(threshold int) VerifierOption {
// WithObserverTimestamps configures the SignedEntityVerifier to expect
// timestamps from either an RFC3161 timestamp authority or a log's
// SignedEntryTimestamp. These are verified using the TrustedMaterial's
// TSACertificateAuthorities() or TlogAuthorities(), and used to verify
// TimestampingAuthorities() or RekorLogs(), and used to verify
// the Fulcio certificate.
func WithObserverTimestamps(threshold int) VerifierOption {
return func(c *VerifierConfig) error {
Expand All @@ -149,7 +149,7 @@ func WithObserverTimestamps(threshold int) VerifierOption {

// WithTransparencyLog configures the SignedEntityVerifier to expect
// Transparency Log inclusion proofs or SignedEntryTimestamps, verifying them
// using the TrustedMaterial's TlogAuthorities().
// using the TrustedMaterial's RekorLogs().
func WithTransparencyLog(threshold int) VerifierOption {
return func(c *VerifierConfig) error {
if threshold < 1 {
6 changes: 3 additions & 3 deletions pkg/verify/tlog.go
Expand Up @@ -82,7 +82,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
return nil, fmt.Errorf("entry must contain an inclusion proof and/or promise")
}
if entry.HasInclusionPromise() {
err = tlog.VerifySET(entry, trustedMaterial.TlogAuthorities())
err = tlog.VerifySET(entry, trustedMaterial.RekorLogs())
if err != nil {
// skip entries the trust root cannot verify
continue
Expand All @@ -94,7 +94,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
if entity.HasInclusionProof() {
keyID := entry.LogKeyID()
hex64Key := hex.EncodeToString([]byte(keyID))
tlogVerifier, ok := trustedMaterial.TlogAuthorities()[hex64Key]
tlogVerifier, ok := trustedMaterial.RekorLogs()[hex64Key]
if !ok {
// skip entries the trust root cannot verify
continue
Expand All @@ -114,7 +114,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
} else {
keyID := entry.LogKeyID()
hex64Key := hex.EncodeToString([]byte(keyID))
tlogVerifier, ok := trustedMaterial.TlogAuthorities()[hex64Key]
tlogVerifier, ok := trustedMaterial.RekorLogs()[hex64Key]
if !ok {
// skip entries the trust root cannot verify
continue