WIP: Convert SigstoreKeys to protobuf-specs type

Signed-off-by: Cody Soyland <[email protected]>

Author: codysoyland

cmd/tester/main.go

@@ -154,11 +154,10 @@ func main() {
 			log.Fatal(err)
 		}
 
-		c := &config.SigstoreKeys{}
-		c.ConvertFrom(context.Background(), tr.Spec.SigstoreKeys)
-		maps := make(map[string]config.SigstoreKeys, 0)
+		c := config.ConvertSigstoreKeys(context.Background(), tr.Spec.SigstoreKeys)
+		maps := make(map[string]*config.SigstoreKeys, 0)
 
-		maps[tr.Name] = *c
+		maps[tr.Name] = c
 		configCtx.SigstoreKeysConfig = &config.SigstoreKeysMap{SigstoreKeys: maps}
 
 		ctx = config.ToContext(ctx, configCtx)

go.mod

@@ -30,6 +30,7 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/ryanuber/go-glob v1.0.0
 	github.com/sigstore/cosign/v2 v2.2.3
+	github.com/sigstore/protobuf-specs v0.3.0
 	github.com/sigstore/rekor v1.3.5
 	github.com/sigstore/sigstore v1.8.2
 	github.com/stretchr/testify v1.9.0
@@ -41,7 +42,7 @@ require (
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/time v0.5.0
 	google.golang.org/grpc v1.61.1 // indirect
-	google.golang.org/protobuf v1.32.0 // indirect
+	google.golang.org/protobuf v1.32.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.29.2
 	k8s.io/apimachinery v0.29.2

go.sum

@@ -724,6 +724,8 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sigstore/cosign/v2 v2.2.3 h1:WX7yawI+EXu9h7S5bZsfYCbB9XW6Jc43ctKy/NoOSiA=
 github.com/sigstore/cosign/v2 v2.2.3/go.mod h1:WpMn4MBt0cI23GdHsePwO4NxhX1FOz1ITGB3ALUjFaI=
+github.com/sigstore/protobuf-specs v0.3.0 h1:E49qS++llp4psM+3NNVEb+C4AD422bT9VkOQIPrNLpA=
+github.com/sigstore/protobuf-specs v0.3.0/go.mod h1:ynKzXpqr3dUj2Xk9O/5ZUhjnpi0F53DNi5AdH6pS3jc=
 github.com/sigstore/rekor v1.3.5 h1:QoVXcS7NppKY+rpbEFVHr4evGDZBBSh65X0g8PXoUkQ=
 github.com/sigstore/rekor v1.3.5/go.mod h1:CWqOk/fmnPwORQmm7SyDgB54GTJizqobbZ7yOP1lvw8=
 github.com/sigstore/sigstore v1.8.2 h1:0Ttjcn3V0fVQXlYq7+oHaaHkGFIt3ywm7SF4JTU/l8c=

pkg/apis/config/sigstore_keys.go

@@ -17,12 +17,16 @@ package config
 
 import (
 	"context"
-	"encoding/json"
+	"encoding/pem"
 	"fmt"
 
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
+	pbcommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	pbtrustroot "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"google.golang.org/protobuf/encoding/protojson"
 	corev1 "k8s.io/api/core/v1"
-	"knative.dev/pkg/apis"
 	"sigs.k8s.io/yaml"
 )
 
@@ -33,81 +37,24 @@ const (
 	SigstoreKeysConfigName = "config-sigstore-keys"
 )
 
-// Note that these are 1:1 mapped to public API SigstoreKeys. Reasoning
-// being that we may choose to serialize these differently, or use the protos
-// that are defined upstream, so want to keep the public/private distinction, so
-// that we can change things independend of breaking the API. Time will tell
-// if this is the right call, but we can always reunify them later if we so
-// want.
-// TODO(vaikas): See about replacing these with the protos here once they land
-// and see how easy it is to replace with protos instead of our custom defs
-// above.
-// https://github.com/sigstore/protobuf-specs/pull/5
-// And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70
-
-// TransparencyLogInstance describes the immutable parameters from a
-// transparency log.
-// See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters
-// for more details.
-// The incluced parameters are the minimal set required to identify a log,
-// and verify an inclusion promise.
-type TransparencyLogInstance struct {
-	BaseURL       apis.URL `json:"baseURL"`
-	HashAlgorithm string   `json:"hashAlgorithm"`
-	// PEM encoded public key
-	PublicKey []byte `json:"publicKey"`
-	LogID     string `json:"logID"`
-}
-
-type DistinguishedName struct {
-	Organization string `json:"organization"`
-	CommonName   string `json:"commonName"`
-}
-
-type CertificateAuthority struct {
-	// The root certificate MUST be self-signed, and so the subject and
-	// issuer are the same.
-	Subject DistinguishedName `json:"subject"`
-	// The URI at which the CA can be accessed.
-	URI apis.URL `json:"uri"`
-	// The certificate chain for this CA.
-	// CertChain is in PEM format.
-	CertChain []byte `json:"certChain"`
-
-	// TODO(vaikas): How to best represent this
-	// The time the *entire* chain was valid. This is at max the
-	// longest interval when *all* certificates in the chain where valid,
-	// but it MAY be shorter.
-	//       dev.sigstore.common.v1.TimeRange valid_for = 4;
-}
+// Type aliases for types from protobuf-specs. TODO: Consider just importing
+// the protobuf-specs types directly from each package as needed.
 
 // SigstoreKeys contains all the necessary Keys and Certificates for validating
 // against a specific instance of Sigstore.
-// TODO(vaikas): See about replacing these with the protos here once they land
-// and see how easy it is to replace with protos instead of our custom defs
-// above.
-// https://github.com/sigstore/protobuf-specs/pull/5
-// And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70
-// Well, not the multi-root, but one instance of that is exactly the
-// SigstoreKeys.
-type SigstoreKeys struct {
-	// Trusted certificate authorities (e.g Fulcio).
-	CertificateAuthorities []CertificateAuthority `json:"certificateAuthorities,omitempty"`
-	// Rekor log specifications
-	TLogs []TransparencyLogInstance `json:"tLogs,omitempty"`
-	// Certificate Transparency Log
-	CTLogs []TransparencyLogInstance `json:"ctLogs,omitempty"`
-	// Trusted timestamping authorities
-	TimeStampAuthorities []CertificateAuthority `json:"timestampAuthorities"`
-}
+type SigstoreKeys = pbtrustroot.TrustedRoot
+type CertificateAuthority = pbtrustroot.CertificateAuthority
+type TransparencyLogInstance = pbtrustroot.TransparencyLogInstance
+type DistinguishedName = pbcommon.DistinguishedName
+type LogId = pbcommon.LogId
 
 type SigstoreKeysMap struct {
-	SigstoreKeys map[string]SigstoreKeys
+	SigstoreKeys map[string]*SigstoreKeys
 }
 
 // NewSigstoreKeysFromMap creates a map of SigstoreKeys to use for validation.
 func NewSigstoreKeysFromMap(data map[string]string) (*SigstoreKeysMap, error) {
-	ret := make(map[string]SigstoreKeys, len(data))
+	ret := make(map[string]*SigstoreKeys, len(data))
 	// Spin through the ConfigMap. Each entry will have a serialized form of
 	// necessary validation keys in the form of SigstoreKeys.
 	for k, v := range data {
@@ -123,7 +70,7 @@ func NewSigstoreKeysFromMap(data map[string]string) (*SigstoreKeysMap, error) {
 		if err := parseSigstoreKeys(v, sigstoreKeys); err != nil {
 			return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err)
 		}
-		ret[k] = *sigstoreKeys
+		ret[k] = sigstoreKeys
 	}
 	return &SigstoreKeysMap{SigstoreKeys: ret}, nil
 }
@@ -133,56 +80,121 @@ func NewSigstoreKeysFromConfigMap(config *corev1.ConfigMap) (*SigstoreKeysMap, e
 	return NewSigstoreKeysFromMap(config.Data)
 }
 
-func parseSigstoreKeys(entry string, out interface{}) error {
+func parseSigstoreKeys(entry string, out *pbtrustroot.TrustedRoot) error {
 	j, err := yaml.YAMLToJSON([]byte(entry))
 	if err != nil {
 		return fmt.Errorf("config's value could not be converted to JSON: %w : %s", err, entry)
 	}
-	return json.Unmarshal(j, &out)
+	return protojson.Unmarshal(j, out)
 }
 
-// ConvertFrom takes a source and converts into a SigstoreKeys suitable
+// ConvertSigstoreKeys takes a source and converts into a SigstoreKeys suitable
 // for serialization into a ConfigMap entry.
-func (sk *SigstoreKeys) ConvertFrom(_ context.Context, source *v1alpha1.SigstoreKeys) {
-	sk.CertificateAuthorities = make([]CertificateAuthority, len(source.CertificateAuthorities))
+func ConvertSigstoreKeys(_ context.Context, source *v1alpha1.SigstoreKeys) *SigstoreKeys {
+	sk := &SigstoreKeys{}
+	sk.CertificateAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.CertificateAuthorities))
 	for i := range source.CertificateAuthorities {
 		sk.CertificateAuthorities[i] = ConvertCertificateAuthority(source.CertificateAuthorities[i])
 	}
 
-	sk.TLogs = make([]TransparencyLogInstance, len(source.TLogs))
+	sk.Tlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.TLogs))
 	for i := range source.TLogs {
-		sk.TLogs[i] = ConvertTransparencyLogInstance(source.TLogs[i])
+		sk.Tlogs[i] = ConvertTransparencyLogInstance(source.TLogs[i])
 	}
 
-	sk.CTLogs = make([]TransparencyLogInstance, len(source.CTLogs))
+	sk.Ctlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.CTLogs))
 	for i := range source.CTLogs {
-		sk.CTLogs[i] = ConvertTransparencyLogInstance(source.CTLogs[i])
+		sk.Ctlogs[i] = ConvertTransparencyLogInstance(source.CTLogs[i])
 	}
 
-	sk.TimeStampAuthorities = make([]CertificateAuthority, len(source.TimeStampAuthorities))
+	sk.TimestampAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.TimeStampAuthorities))
 	for i := range source.TimeStampAuthorities {
-		sk.TimeStampAuthorities[i] = ConvertCertificateAuthority(source.TimeStampAuthorities[i])
+		sk.TimestampAuthorities[i] = ConvertCertificateAuthority(source.TimeStampAuthorities[i])
 	}
+	return sk
 }
 
 // ConvertCertificateAuthority converts public into private CertificateAuthority
-func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) CertificateAuthority {
-	return CertificateAuthority{
-		Subject: DistinguishedName{
+func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) *pbtrustroot.CertificateAuthority {
+	return &pbtrustroot.CertificateAuthority{
+		Subject: &pbcommon.DistinguishedName{
 			Organization: source.Subject.Organization,
 			CommonName:   source.Subject.CommonName,
 		},
-		URI:       *source.URI.DeepCopy(),
-		CertChain: source.CertChain,
+		Uri:       source.URI.String(),
+		CertChain: DeserializeCertChain(source.CertChain),
 	}
 }
 
 // ConvertTransparencyLogInstance converts public into private
 // TransparencyLogInstance.
-func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) TransparencyLogInstance {
-	return TransparencyLogInstance{
-		BaseURL:       *source.BaseURL.DeepCopy(),
-		HashAlgorithm: source.HashAlgorithm,
-		PublicKey:     source.PublicKey,
+func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pbtrustroot.TransparencyLogInstance {
+	pk, err := cryptoutils.UnmarshalPEMToPublicKey(source.PublicKey)
+	if err != nil {
+		return nil // TODO: log error? Add return error?
+	}
+	logID, err := cosign.GetTransparencyLogID(pk)
+	if err != nil {
+		return nil // TODO: log error? Add return error?
+	}
+
+	var hashAlgorithm pbcommon.HashAlgorithm
+	switch source.HashAlgorithm {
+	case "sha256":
+		hashAlgorithm = pbcommon.HashAlgorithm_SHA2_256
+	case "sha384":
+		hashAlgorithm = pbcommon.HashAlgorithm_SHA2_384
+	case "sha512":
+		hashAlgorithm = pbcommon.HashAlgorithm_SHA2_512
+	default:
+		hashAlgorithm = pbcommon.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED
+	}
+
+	return &pbtrustroot.TransparencyLogInstance{
+		BaseUrl:       source.BaseURL.String(),
+		HashAlgorithm: hashAlgorithm,
+		PublicKey:     DeserializePublicKey(source.PublicKey),
+		LogId: &pbcommon.LogId{
+			KeyId: []byte(logID),
+		},
 	}
 }
+
+func SerializeCertChain(certChain *pbcommon.X509CertificateChain) []byte {
+	var chain []byte
+	for _, cert := range certChain.Certificates {
+		bytes := cert.RawBytes
+		block := &pem.Block{
+			Type:  "CERTIFICATE",
+			Bytes: bytes,
+		}
+		chain = append(chain, pem.EncodeToMemory(block)...)
+	}
+	return chain
+}
+
+func SerializePublicKey(publicKey *pbcommon.PublicKey) []byte {
+	block := &pem.Block{
+		Type:  "PUBLIC KEY",
+		Bytes: publicKey.RawBytes,
+	}
+	return pem.EncodeToMemory(block)
+}
+
+func DeserializeCertChain(chain []byte) *pbcommon.X509CertificateChain {
+	var certs []*pbcommon.X509Certificate
+	for {
+		var block *pem.Block
+		block, chain = pem.Decode(chain)
+		if block == nil {
+			break
+		}
+		certs = append(certs, &pbcommon.X509Certificate{RawBytes: block.Bytes})
+	}
+	return &pbcommon.X509CertificateChain{Certificates: certs}
+}
+
+func DeserializePublicKey(publicKey []byte) *pbcommon.PublicKey {
+	block, _ := pem.Decode(publicKey)
+	return &pbcommon.PublicKey{RawBytes: block.Bytes}
+}