Improve method naming in TrustedMaterial interface

cmd/conformance/main.go

@@ -237,12 +237,12 @@ func main() {
  os.Exit(1)
  }
 
- if len(tr.TSACertificateAuthorities()) > 0 && len(bundleTimestamps) > 0 {
+ if len(tr.TimestampingAuthorities()) > 0 && len(bundleTimestamps) > 0 {
  verifierConfig = append(verifierConfig, verify.WithSignedTimestamps(1))
  }
 
  // Check bundle and trusted root for Tlog information
- if len(tr.TlogAuthorities()) > 0 && b.HasInclusionPromise() {
+ if len(tr.RekorLogs()) > 0 && b.HasInclusionPromise() {
  verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1))
  }
 

go.mod

@@ -16,7 +16,7 @@ require (
  github.com/sigstore/sigstore v1.8.2
  github.com/sigstore/timestamp-authority v1.2.2
  github.com/stretchr/testify v1.9.0
- github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917
+ github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63
  golang.org/x/crypto v0.20.0
  golang.org/x/mod v0.15.0
  google.golang.org/protobuf v1.32.0

go.sum

@@ -298,6 +298,8 @@ github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qv
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
 github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917 h1:Ov8+IAeR7pivNDC0Cd25MyyaCR3WPlGBED4wNxIFQ8s=
 github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU=
+github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk=
+github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs=
 github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4=

pkg/root/trusted_material.go

@@ -22,29 +22,29 @@ import (
 )
 
 type TrustedMaterial interface {
- TSACertificateAuthorities() []CertificateAuthority
+ TimestampingAuthorities() []CertificateAuthority
  FulcioCertificateAuthorities() []CertificateAuthority
- TlogAuthorities() map[string]*TlogAuthority
- CTlogAuthorities() map[string]*TlogAuthority
+ RekorLogs() map[string]*TransparencyLog
+ CTLogs() map[string]*TransparencyLog
  PublicKeyVerifier(string) (TimeConstrainedVerifier, error)
 }
 
 type BaseTrustedMaterial struct{}
 
-func (b *BaseTrustedMaterial) TSACertificateAuthorities() []CertificateAuthority {
+func (b *BaseTrustedMaterial) TimestampingAuthorities() []CertificateAuthority {
  return []CertificateAuthority{}
 }
 
 func (b *BaseTrustedMaterial) FulcioCertificateAuthorities() []CertificateAuthority {
  return []CertificateAuthority{}
 }
 
-func (b *BaseTrustedMaterial) TlogAuthorities() map[string]*TlogAuthority {
- return map[string]*TlogAuthority{}
+func (b *BaseTrustedMaterial) RekorLogs() map[string]*TransparencyLog {
+ return map[string]*TransparencyLog{}
 }
 
-func (b *BaseTrustedMaterial) CTlogAuthorities() map[string]*TlogAuthority {
- return map[string]*TlogAuthority{}
+func (b *BaseTrustedMaterial) CTLogs() map[string]*TransparencyLog {
+ return map[string]*TransparencyLog{}
 }
 
 func (b *BaseTrustedMaterial) PublicKeyVerifier(_ string) (TimeConstrainedVerifier, error) {
@@ -67,10 +67,10 @@ func (tmc TrustedMaterialCollection) PublicKeyVerifier(keyID string) (TimeConstr
  return nil, fmt.Errorf("public key verifier not found for keyID: %s", keyID)
 }
 
-func (tmc TrustedMaterialCollection) TSACertificateAuthorities() []CertificateAuthority {
+func (tmc TrustedMaterialCollection) TimestampingAuthorities() []CertificateAuthority {
  var certAuthorities []CertificateAuthority
  for _, tm := range tmc {
- certAuthorities = append(certAuthorities, tm.TSACertificateAuthorities()...)
+ certAuthorities = append(certAuthorities, tm.TimestampingAuthorities()...)
  }
  return certAuthorities
 }
@@ -83,24 +83,24 @@ func (tmc TrustedMaterialCollection) FulcioCertificateAuthorities() []Certificat
  return certAuthorities
 }
 
-func (tmc TrustedMaterialCollection) TlogAuthorities() map[string]*TlogAuthority {
- tlogAuthorities := make(map[string]*TlogAuthority)
+func (tmc TrustedMaterialCollection) RekorLogs() map[string]*TransparencyLog {
+ rekorLogs := make(map[string]*TransparencyLog)
  for _, tm := range tmc {
- for keyID, tlogVerifier := range tm.TlogAuthorities() {
- tlogAuthorities[keyID] = tlogVerifier
+ for keyID, tlogVerifier := range tm.RekorLogs() {
+ rekorLogs[keyID] = tlogVerifier
  }
  }
- return tlogAuthorities
+ return rekorLogs
 }
 
-func (tmc TrustedMaterialCollection) CTlogAuthorities() map[string]*TlogAuthority {
- tlogAuthorities := make(map[string]*TlogAuthority)
+func (tmc TrustedMaterialCollection) CTLogs() map[string]*TransparencyLog {
+ rekorLogs := make(map[string]*TransparencyLog)
  for _, tm := range tmc {
- for keyID, tlogVerifier := range tm.CTlogAuthorities() {
- tlogAuthorities[keyID] = tlogVerifier
+ for keyID, tlogVerifier := range tm.CTLogs() {
+ rekorLogs[keyID] = tlogVerifier
  }
  }
- return tlogAuthorities
+ return rekorLogs
 }
 
 type ValidityPeriodChecker interface {

pkg/root/trusted_root.go

@@ -35,11 +35,11 @@ const TrustedRootMediaType01 = "application/vnd.dev.sigstore.trustedroot+json;ve
 
 type TrustedRoot struct {
  BaseTrustedMaterial
- trustedRoot *prototrustroot.TrustedRoot
- tlogAuthorities map[string]*TlogAuthority
- fulcioCertAuthorities []CertificateAuthority
- ctLogAuthorities map[string]*TlogAuthority
- tsaCertAuthorities  []CertificateAuthority
+ trustedRoot  *prototrustroot.TrustedRoot
+ rekorLogs  map[string]*TransparencyLog
+ fulcioCertAuthorities  []CertificateAuthority
+ ctLogs  map[string]*TransparencyLog
+ timestampingAuthorities []CertificateAuthority
 }
 
 type CertificateAuthority struct {
@@ -50,7 +50,7 @@ type CertificateAuthority struct {
  ValidityPeriodEnd time.Time
 }
 
-type TlogAuthority struct {
+type TransparencyLog struct {
  BaseURL string
  ID []byte
  ValidityPeriodStart time.Time
@@ -62,20 +62,20 @@ type TlogAuthority struct {
  SignatureHashFunc crypto.Hash
 }
 
-func (tr *TrustedRoot) TSACertificateAuthorities() []CertificateAuthority {
- return tr.tsaCertAuthorities
+func (tr *TrustedRoot) TimestampingAuthorities() []CertificateAuthority {
+ return tr.timestampingAuthorities
 }
 
 func (tr *TrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority {
  return tr.fulcioCertAuthorities
 }
 
-func (tr *TrustedRoot) TlogAuthorities() map[string]*TlogAuthority {
- return tr.tlogAuthorities
+func (tr *TrustedRoot) RekorLogs() map[string]*TransparencyLog {
+ return tr.rekorLogs
 }
 
-func (tr *TrustedRoot) CTlogAuthorities() map[string]*TlogAuthority {
- return tr.ctLogAuthorities
+func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog {
+ return tr.ctLogs
 }
 
 func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error) {
@@ -84,7 +84,7 @@ func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot)
  }
 
  trustedRoot = &TrustedRoot{trustedRoot: protobufTrustedRoot}
- trustedRoot.tlogAuthorities, err = ParseTlogAuthorities(protobufTrustedRoot.GetTlogs())
+ trustedRoot.rekorLogs, err = ParseRekorLogs(protobufTrustedRoot.GetTlogs())
  if err != nil {
  return nil, err
  }
@@ -94,21 +94,21 @@ func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot)
  return nil, err
  }
 
- trustedRoot.tsaCertAuthorities, err = ParseCertificateAuthorities(protobufTrustedRoot.GetTimestampAuthorities())
+ trustedRoot.timestampingAuthorities, err = ParseCertificateAuthorities(protobufTrustedRoot.GetTimestampAuthorities())
  if err != nil {
  return nil, err
  }
 
- trustedRoot.ctLogAuthorities, err = ParseTlogAuthorities(protobufTrustedRoot.GetCtlogs())
+ trustedRoot.ctLogs, err = ParseRekorLogs(protobufTrustedRoot.GetCtlogs())
  if err != nil {
  return nil, err
  }
 
  return trustedRoot, nil
 }
 
-func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlogAuthorities map[string]*TlogAuthority, err error) {
- tlogAuthorities = make(map[string]*TlogAuthority)
+func ParseRekorLogs(tlogs []*prototrustroot.TransparencyLogInstance) (rekorLogs map[string]*TransparencyLog, err error) {
+ rekorLogs = make(map[string]*TransparencyLog)
  for _, tlog := range tlogs {
  if tlog.GetHashAlgorithm() != protocommon.HashAlgorithm_SHA2_256 {
  return nil, fmt.Errorf("unsupported tlog hash algorithm: %s", tlog.GetHashAlgorithm())
@@ -147,7 +147,7 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog
  if ecKey, ok = key.(*ecdsa.PublicKey); !ok {
  return nil, fmt.Errorf("tlog public key is not ECDSA P256")
  }
- tlogAuthorities[encodedKeyID] = &TlogAuthority{
+ rekorLogs[encodedKeyID] = &TransparencyLog{
  BaseURL: tlog.GetBaseUrl(),
  ID: tlog.GetLogId().GetKeyId(),
  HashFunc: hashFunc,
@@ -156,12 +156,12 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog
  }
  if validFor := tlog.GetPublicKey().GetValidFor(); validFor != nil {
  if validFor.GetStart() != nil {
- tlogAuthorities[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime()
+ rekorLogs[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime()
  } else {
  return nil, fmt.Errorf("tlog missing public key validity period start time")
  }
  if validFor.GetEnd() != nil {
- tlogAuthorities[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime()
+ rekorLogs[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime()
  }
  } else {
  return nil, fmt.Errorf("tlog missing public key validity period")
@@ -170,7 +170,7 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog
  return nil, fmt.Errorf("unsupported tlog public key type: %s", tlog.GetPublicKey().GetKeyDetails())
  }
  }
- return tlogAuthorities, nil
+ return rekorLogs, nil
 }
 
 func ParseCertificateAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (certificateAuthorities []CertificateAuthority, err error) {
@@ -329,10 +329,10 @@ func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error) {
  return ltr, nil
 }
 
-func (l *LiveTrustedRoot) TSACertificateAuthorities() []CertificateAuthority {
+func (l *LiveTrustedRoot) TimestampingAuthorities() []CertificateAuthority {
  l.mu.RLock()
  defer l.mu.RUnlock()
- return l.TrustedRoot.TSACertificateAuthorities()
+ return l.TrustedRoot.TimestampingAuthorities()
 }
 
 func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority {
@@ -341,16 +341,16 @@ func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority
  return l.TrustedRoot.FulcioCertificateAuthorities()
 }
 
-func (l *LiveTrustedRoot) TlogAuthorities() map[string]*TlogAuthority {
+func (l *LiveTrustedRoot) RekorLogs() map[string]*TransparencyLog {
  l.mu.RLock()
  defer l.mu.RUnlock()
- return l.TrustedRoot.TlogAuthorities()
+ return l.TrustedRoot.RekorLogs()
 }
 
-func (l *LiveTrustedRoot) CTlogAuthorities() map[string]*TlogAuthority {
+func (l *LiveTrustedRoot) CTLogs() map[string]*TransparencyLog {
  l.mu.RLock()
  defer l.mu.RUnlock()
- return l.TrustedRoot.CTlogAuthorities()
+ return l.TrustedRoot.CTLogs()
 }
 
 func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error) {

pkg/testing/ca/ca.go

@@ -426,21 +426,21 @@ func generateTimestampingResponse(sig []byte, tsaCert *x509.Certificate, tsaKey
  return tsTemplate.CreateResponseWithOpts(tsaCert, tsaKey, hash)
 }
 
-func (ca *VirtualSigstore) TSACertificateAuthorities() []root.CertificateAuthority {
+func (ca *VirtualSigstore) TimestampingAuthorities() []root.CertificateAuthority {
  return []root.CertificateAuthority{ca.tsaCA}
 }
 
 func (ca *VirtualSigstore) FulcioCertificateAuthorities() []root.CertificateAuthority {
  return []root.CertificateAuthority{ca.fulcioCA}
 }
 
-func (ca *VirtualSigstore) TlogAuthorities() map[string]*root.TlogAuthority {
- verifiers := make(map[string]*root.TlogAuthority)
+func (ca *VirtualSigstore) RekorLogs() map[string]*root.TransparencyLog {
+ verifiers := make(map[string]*root.TransparencyLog)
  logID, err := getLogID(ca.rekorKey.Public())
  if err != nil {
  panic(err)
  }
- verifiers[logID] = &root.TlogAuthority{
+ verifiers[logID] = &root.TransparencyLog{
  BaseURL: "test",
  ID: []byte(logID),
  ValidityPeriodStart: time.Now().Add(-time.Hour),
@@ -451,13 +451,13 @@ func (ca *VirtualSigstore) TlogAuthorities() map[string]*root.TlogAuthority {
  return verifiers
 }
 
-func (ca *VirtualSigstore) CTlogAuthorities() map[string]*root.TlogAuthority {
- verifiers := make(map[string]*root.TlogAuthority)
+func (ca *VirtualSigstore) CTLogs() map[string]*root.TransparencyLog {
+ verifiers := make(map[string]*root.TransparencyLog)
  logID, err := getLogID(ca.ctlogKey.Public())
  if err != nil {
  panic(err)
  }
- verifiers[logID] = &root.TlogAuthority{
+ verifiers[logID] = &root.TransparencyLog{
  BaseURL: "test",
  ID: []byte(logID),
  ValidityPeriodStart: time.Now().Add(-time.Hour),

pkg/tlog/entry.go

@@ -256,7 +256,7 @@ func VerifyInclusion(entry *Entry, verifier signature.Verifier) error {
  return nil
 }
 
-func VerifySET(entry *Entry, verifiers map[string]*root.TlogAuthority) error {
+func VerifySET(entry *Entry, verifiers map[string]*root.TransparencyLog) error {
  rekorPayload := RekorPayload{
  Body: entry.logEntryAnon.Body,
  IntegratedTime: *entry.logEntryAnon.IntegratedTime,

pkg/verify/sct.go

@@ -28,10 +28,10 @@ import (
 // VerifySignedCertificateTimestamp, given a threshold, TrustedMaterial, and a
 // leaf certificate, will extract SCTs from the leaf certificate and verify the
 // timestamps using the TrustedMaterial's FulcioCertificateAuthorities() and
-// CTlogAuthorities()
+// CTLogs()
 // TODO(issue#46): Add unit tests
 func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int, trustedMaterial root.TrustedMaterial) error { // nolint: revive
- ctlogs := trustedMaterial.CTlogAuthorities()
+ ctlogs := trustedMaterial.CTLogs()
  fulcioCerts := trustedMaterial.FulcioCertificateAuthorities()
 
  scts, err := x509util.ParseSCTsFromCertificate(leafCert.Raw)

pkg/verify/signed_entity.go

@@ -118,7 +118,7 @@ func WithOnlineVerification() VerifierOption {
 
 // WithSignedTimestamps configures the SignedEntityVerifier to expect RFC 3161
 // timestamps from a Timestamp Authority, verify them using the TrustedMaterial's
-// TSACertificateAuthorities(), and, if it exists, use the resulting timestamp(s)
+// TimestampingAuthorities(), and, if it exists, use the resulting timestamp(s)
 // to verify the Fulcio certificate.
 func WithSignedTimestamps(threshold int) VerifierOption {
  return func(c *VerifierConfig) error {
@@ -134,7 +134,7 @@ func WithSignedTimestamps(threshold int) VerifierOption {
 // WithObserverTimestamps configures the SignedEntityVerifier to expect
 // timestamps from either an RFC3161 timestamp authority or a log's
 // SignedEntryTimestamp. These are verified using the TrustedMaterial's
-// TSACertificateAuthorities() or TlogAuthorities(), and used to verify
+// TimestampingAuthorities() or RekorLogs(), and used to verify
 // the Fulcio certificate.
 func WithObserverTimestamps(threshold int) VerifierOption {
  return func(c *VerifierConfig) error {
@@ -149,7 +149,7 @@ func WithObserverTimestamps(threshold int) VerifierOption {
 
 // WithTransparencyLog configures the SignedEntityVerifier to expect
 // Transparency Log inclusion proofs or SignedEntryTimestamps, verifying them
-// using the TrustedMaterial's TlogAuthorities().
+// using the TrustedMaterial's RekorLogs().
 func WithTransparencyLog(threshold int) VerifierOption {
  return func(c *VerifierConfig) error {
  if threshold < 1 {

pkg/verify/tlog.go

@@ -82,7 +82,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
  return nil, fmt.Errorf("entry must contain an inclusion proof and/or promise")
  }
  if entry.HasInclusionPromise() {
- err = tlog.VerifySET(entry, trustedMaterial.TlogAuthorities())
+ err = tlog.VerifySET(entry, trustedMaterial.RekorLogs())
  if err != nil {
  // skip entries the trust root cannot verify
  continue
@@ -94,7 +94,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
  if entity.HasInclusionProof() {
  keyID := entry.LogKeyID()
  hex64Key := hex.EncodeToString([]byte(keyID))
- tlogVerifier, ok := trustedMaterial.TlogAuthorities()[hex64Key]
+ tlogVerifier, ok := trustedMaterial.RekorLogs()[hex64Key]
  if !ok {
  // skip entries the trust root cannot verify
  continue
@@ -114,7 +114,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru
  } else {
  keyID := entry.LogKeyID()
  hex64Key := hex.EncodeToString([]byte(keyID))
- tlogVerifier, ok := trustedMaterial.TlogAuthorities()[hex64Key]
+ tlogVerifier, ok := trustedMaterial.RekorLogs()[hex64Key]
  if !ok {
  // skip entries the trust root cannot verify
  continue