From eec7c6f228a59da18e16ede3e18b866114f70e7e Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 25 Mar 2024 11:00:47 -0400 Subject: [PATCH 01/27] update setup-ko action reference (#1328) Signed-off-by: Brian DeHamer Co-authored-by: Brian DeHamer --- .github/workflows/build.yaml | 2 +- .github/workflows/kind-cluster-image-policy-no-tuf.yaml | 2 +- .github/workflows/kind-cluster-image-policy-resync-period.yaml | 2 +- .github/workflows/kind-cluster-image-policy-trustroot.yaml | 2 +- .github/workflows/kind-cluster-image-policy-tsa.yaml | 2 +- .github/workflows/kind-cluster-image-policy.yaml | 2 +- .github/workflows/kind-e2e-cosigned.yaml | 2 +- .github/workflows/kind-e2e-trustroot-crd.yaml | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 95d153fc..12e261e0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -43,7 +43,7 @@ jobs: check-latest: true # will use the latest release available for ko - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: chainguard-dev/actions/goimports@dacf41f3472c33979cfd49bca5b503236be57de0 # main diff --git a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml index abe3cca4..8efbf38f 100644 --- a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml +++ b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml @@ -100,7 +100,7 @@ jobs: check-latest: true # will use the latest release available for ko - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 
diff --git a/.github/workflows/kind-cluster-image-policy-resync-period.yaml b/.github/workflows/kind-cluster-image-policy-resync-period.yaml index f234e02f..f63ca767 100644 --- a/.github/workflows/kind-cluster-image-policy-resync-period.yaml +++ b/.github/workflows/kind-cluster-image-policy-resync-period.yaml @@ -100,7 +100,7 @@ jobs: check-latest: true # will use the latest release available for ko - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 diff --git a/.github/workflows/kind-cluster-image-policy-trustroot.yaml b/.github/workflows/kind-cluster-image-policy-trustroot.yaml index e246b8d7..39709875 100644 --- a/.github/workflows/kind-cluster-image-policy-trustroot.yaml +++ b/.github/workflows/kind-cluster-image-policy-trustroot.yaml @@ -105,7 +105,7 @@ jobs: check-latest: true # will use the latest release available for ko - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 diff --git a/.github/workflows/kind-cluster-image-policy-tsa.yaml b/.github/workflows/kind-cluster-image-policy-tsa.yaml index e93f593a..5a84df4d 100644 --- a/.github/workflows/kind-cluster-image-policy-tsa.yaml +++ b/.github/workflows/kind-cluster-image-policy-tsa.yaml @@ -100,7 +100,7 @@ jobs: check-latest: true # will use the latest release available for ko - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml index 17561ba6..cda68f62 100644 --- a/.github/workflows/kind-cluster-image-policy.yaml +++ b/.github/workflows/kind-cluster-image-policy.yaml @@ -114,7 +114,7 @@ jobs: check-latest: true # will use the latest release available for ko - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml index 89fc2515..76191872 100644 --- a/.github/workflows/kind-e2e-cosigned.yaml +++ b/.github/workflows/kind-e2e-cosigned.yaml @@ -98,7 +98,7 @@ jobs: go-version-file: './go.mod' check-latest: true - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 diff --git a/.github/workflows/kind-e2e-trustroot-crd.yaml b/.github/workflows/kind-e2e-trustroot-crd.yaml index cea9517e..49fd825f 100644 --- a/.github/workflows/kind-e2e-trustroot-crd.yaml +++ b/.github/workflows/kind-e2e-trustroot-crd.yaml @@ -98,7 +98,7 @@ jobs: go-version-file: './go.mod' check-latest: true - - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 + - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 From 2e27de5a2ecb8aa7f61ed450f358435d96904e5b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 25 Mar 2024 22:54:57 +0100 Subject: [PATCH 02/27] chore(deps): Bump mikefarah/yq from 4.42.1 to 4.43.1 (#1329) Bumps [mikefarah/yq](https://github.com/mikefarah/yq) from 4.42.1 to 4.43.1. - [Release notes](https://github.com/mikefarah/yq/releases) - [Changelog](https://github.com/mikefarah/yq/blob/master/release_notes.txt) - [Commits](https://github.com/mikefarah/yq/compare/9adde1ac14bb283b8955d2b0d567bcaf3c69e639...c35ec752e38ea0c096d3c44e13cfc0797ac394d8) --- updated-dependencies: - dependency-name: mikefarah/yq dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/kind-cluster-image-policy-no-tuf.yaml | 2 +- .github/workflows/kind-cluster-image-policy-resync-period.yaml | 2 +- .github/workflows/kind-cluster-image-policy-trustroot.yaml | 2 +- .github/workflows/kind-cluster-image-policy-tsa.yaml | 2 +- .github/workflows/kind-cluster-image-policy.yaml | 2 +- .github/workflows/kind-e2e-cosigned.yaml | 2 +- .github/workflows/kind-e2e-trustroot-crd.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml index 8efbf38f..8036b11c 100644 --- a/.github/workflows/kind-cluster-image-policy-no-tuf.yaml +++ b/.github/workflows/kind-cluster-image-policy-no-tuf.yaml @@ -105,7 +105,7 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 + uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1 - name: Setup mirror uses: chainguard-dev/actions/setup-mirror@main 
diff --git a/.github/workflows/kind-cluster-image-policy-resync-period.yaml b/.github/workflows/kind-cluster-image-policy-resync-period.yaml index f63ca767..bdc4ccb0 100644 --- a/.github/workflows/kind-cluster-image-policy-resync-period.yaml +++ b/.github/workflows/kind-cluster-image-policy-resync-period.yaml @@ -105,7 +105,7 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 + uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1 - name: Setup mirror uses: chainguard-dev/actions/setup-mirror@main diff --git a/.github/workflows/kind-cluster-image-policy-trustroot.yaml b/.github/workflows/kind-cluster-image-policy-trustroot.yaml index 39709875..052b1b46 100644 --- a/.github/workflows/kind-cluster-image-policy-trustroot.yaml +++ b/.github/workflows/kind-cluster-image-policy-trustroot.yaml @@ -110,7 +110,7 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 + uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1 - name: Setup mirror uses: chainguard-dev/actions/setup-mirror@main diff --git a/.github/workflows/kind-cluster-image-policy-tsa.yaml b/.github/workflows/kind-cluster-image-policy-tsa.yaml index 5a84df4d..3218e2cf 100644 --- a/.github/workflows/kind-cluster-image-policy-tsa.yaml +++ b/.github/workflows/kind-cluster-image-policy-tsa.yaml @@ -105,7 +105,7 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 + uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1 - name: Setup mirror uses: chainguard-dev/actions/setup-mirror@main 
diff --git a/.github/workflows/kind-cluster-image-policy.yaml b/.github/workflows/kind-cluster-image-policy.yaml index cda68f62..3843fe7f 100644 --- a/.github/workflows/kind-cluster-image-policy.yaml +++ b/.github/workflows/kind-cluster-image-policy.yaml @@ -119,7 +119,7 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 + uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1 - name: Setup mirror uses: chainguard-dev/actions/setup-mirror@main diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml index 76191872..0456501f 100644 --- a/.github/workflows/kind-e2e-cosigned.yaml +++ b/.github/workflows/kind-e2e-cosigned.yaml @@ -103,7 +103,7 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 + uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1 - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 diff --git a/.github/workflows/kind-e2e-trustroot-crd.yaml b/.github/workflows/kind-e2e-trustroot-crd.yaml index 49fd825f..30eadce9 100644 --- a/.github/workflows/kind-e2e-trustroot-crd.yaml +++ b/.github/workflows/kind-e2e-trustroot-crd.yaml @@ -103,7 +103,7 @@ jobs: - uses: imranismail/setup-kustomize@2ba527d4d055ab63514ba50a99456fc35684947f # v2.1.0 - name: Install yq - uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 + uses: mikefarah/yq@c35ec752e38ea0c096d3c44e13cfc0797ac394d8 # v4.43.1 - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 From fc2800a5e9cf28f75c63e5ac6f50e2e468f6b5a2 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 27 Mar 2024 23:45:37 +0100 Subject: [PATCH 03/27] chore(deps): Bump anchore/sbom-action from 0.15.9 to 0.15.10 (#1331) Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.15.9 to 0.15.10. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Commits](https://github.com/anchore/sbom-action/compare/9fece9e20048ca9590af301449208b2b8861333b...ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 4f52bec0..356f1312 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -28,7 +28,7 @@ jobs: - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 - - uses: anchore/sbom-action/download-syft@9fece9e20048ca9590af301449208b2b8861333b # v0.15.9 + - uses: anchore/sbom-action/download-syft@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10 - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6 From a46f2d2e3954a5565448b580e68d1a2b3fd070ce Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 29 Mar 2024 10:45:33 +0100 Subject: [PATCH 04/27] chore(deps): Bump codecov/codecov-action from 4.1.0 to 4.1.1 (#1332) Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/codecov/codecov-action/compare/54bcd8715eee62d40e33596ef5e8f0f48dbbccab...c16abc29c95fcf9174b58eb7e1abf4c866893bc8) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 3a4fc04b..d796f8e4 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -57,7 +57,7 @@ jobs: - name: Run Go tests run: go test -covermode atomic -coverprofile coverage.txt $(go list ./... | grep -v third_party/) - name: Upload Coverage Report - uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0 + uses: codecov/codecov-action@c16abc29c95fcf9174b58eb7e1abf4c866893bc8 # v4.1.1 with: env_vars: OS - name: Run Go tests w/ `-race` From 509e0989cf8345eafcf3218cb5e1758dc247e653 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sat, 30 Mar 2024 11:30:59 +0100 Subject: [PATCH 05/27] chore(deps): Bump github.com/aws/aws-sdk-go from 1.51.6 to 1.51.10 (#1335) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.51.6 to 1.51.10. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.51.6...v1.51.10) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 96453b3f..2a2eaaf5 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.21 toolchain go1.21.1 require ( - github.com/aws/aws-sdk-go v1.51.6 + github.com/aws/aws-sdk-go v1.51.10 github.com/aws/aws-sdk-go-v2 v1.25.2 // indirect github.com/cenkalti/backoff/v3 v3.2.2 github.com/golang/protobuf v1.5.4 // indirect diff --git a/go.sum b/go.sum index 337db571..e82f3e20 100644 --- a/go.sum +++ b/go.sum 
@@ -161,8 +161,8 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU= -github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.51.10 h1:/g8K1SllwdCnsVw2BFXsYd+TS5P75skj5a8QFbfdW0U= +github.com/aws/aws-sdk-go v1.51.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w= github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo= github.com/aws/aws-sdk-go-v2/config v1.27.4 h1:AhfWb5ZwimdsYTgP7Od8E9L1u4sKmDW2ZVeLcf2O42M= From a25922da09285ffcb60c916302b3ab74a8d768af Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 20:51:27 +0200 Subject: [PATCH 06/27] chore(deps): Bump github.com/sigstore/sigstore/pkg/signature/kms/aws (#1336) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/aws](https://github.com/sigstore/sigstore) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/aws dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 24 ++++++++++++------------ go.sum | 48 ++++++++++++++++++++++++------------------------ 2 files changed, 36 insertions(+), 36 deletions(-) diff --git a/go.mod b/go.mod index 2a2eaaf5..a275af57 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ toolchain go1.21.1 require ( github.com/aws/aws-sdk-go v1.51.10 - github.com/aws/aws-sdk-go-v2 v1.25.2 // indirect + github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect github.com/cenkalti/backoff/v3 v3.2.2 github.com/golang/protobuf v1.5.4 // indirect github.com/golang/snappy v0.0.4 // indirect @@ -62,7 +62,7 @@ require ( github.com/docker/go-connections v0.5.0 github.com/go-jose/go-jose/v3 v3.0.3 github.com/sigstore/scaffolding v0.6.17 - github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.2 + github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2 
@@ -111,20 +111,20 @@ require (
 github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
 github.com/aliyun/credentials-go v1.3.1 // indirect
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
- github.com/aws/aws-sdk-go-v2/config v1.27.4 // indirect
- github.com/aws/aws-sdk-go-v2/credentials v1.17.4 // indirect
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 // indirect
- github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect
+ github.com/aws/aws-sdk-go-v2/config v1.27.9 // indirect
+ github.com/aws/aws-sdk-go-v2/credentials v1.17.9 // indirect
+ github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 // indirect
+ github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 // indirect
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 // indirect
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6 // indirect
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect
- github.com/aws/aws-sdk-go-v2/service/kms v1.29.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/sso v1.20.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1 // indirect
- github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 // indirect
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 // indirect
+ github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 // indirect
+ github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
 github.com/aws/smithy-go v1.20.1 // indirect
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
diff --git a/go.sum b/go.sum
index e82f3e20..5710f97e 100644
--- a/go.sum
+++ b/go.sum
@@ -163,18 +163,18 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3d
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aws/aws-sdk-go v1.51.10 h1:/g8K1SllwdCnsVw2BFXsYd+TS5P75skj5a8QFbfdW0U=
 github.com/aws/aws-sdk-go v1.51.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
-github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w=
-github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo=
-github.com/aws/aws-sdk-go-v2/config v1.27.4 h1:AhfWb5ZwimdsYTgP7Od8E9L1u4sKmDW2ZVeLcf2O42M=
-github.com/aws/aws-sdk-go-v2/config v1.27.4/go.mod h1:zq2FFXK3A416kiukwpsd+rD4ny6JC7QSkp4QdN1Mp2g=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.4 h1:h5Vztbd8qLppiPwX+y0Q6WiwMZgpd9keKe2EAENgAuI=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.4/go.mod h1:+30tpwrkOgvkJL1rUZuRLoxcJwtI/OkeBLYnHxJtVe0=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2 h1:AK0J8iYBFeUk2Ax7O8YpLtFsfhdOByh2QIkHmigpRYk=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.2/go.mod h1:iRlGzMix0SExQEviAyptRWRGdYNo3+ufW/lCzvKVTUc=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 h1:bNo4LagzUKbjdxE0tIcR9pMzLR2U/Tgie1Hq1HQ3iH8=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2/go.mod h1:wRQv0nN6v9wDXuWThpovGQjqF1HFdcgWjporw14lS8k=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 h1:EtOU5jsPdIQNP+6Q2C5e3d65NKT1PeCiQk+9OdzO12Q=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2/go.mod h1:tyF5sKccmDz0Bv4NrstEr+/9YkSPJHrcO7UsUKf7pWM=
+github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
+github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
+github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg=
+github.com/aws/aws-sdk-go-v2/config v1.27.9/go.mod h1:dK1FQfpwpql83kbD873E9vz4FyAxuJtR22wzoXn3qq0=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.9 h1:N8s0/7yW+h8qR8WaRlPQeJ6czVMNQVNtNdUqf6cItao=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.9/go.mod h1:446YhIdmSV0Jf/SLafGZalQo+xr2iw7/fzXGDPTU1yQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0 h1:af5YzcLf80tv4Em4jWVD75lpnOHSBkPUZxZfGkrI3HI=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.0/go.mod h1:nQ3how7DMnFMWiU1SpECohgC82fpn4cKZ875NDMmwtA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4 h1:0ScVK/4qZ8CIW0k8jOeFVsyS/sAiXpYxRBLolMkuLQM=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.4/go.mod h1:84KyjNZdHC6QZW08nfHI6yZgPd+qRgaWcYsyLUo3QY8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4 h1:sHmMWWX5E7guWEFQ9SVo6A3S4xpPrWnd77a6y4WM6PU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.4/go.mod h1:WjpDrhWisWOIoS9n3nk67A3Ll1vfULJ9Kq6h29HTD48=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 h1:3iaT/LnGV6jNtbBkvHZDlzz7Ky3wMHDJAyFtGd5GUJI=
@@ -183,16 +183,16 @@ github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6 h1:h+r5/diSwztgKgxUrntt6A
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6/go.mod h1:7+5MHFC52LC85xKCjCuWDHmIncOOvWnll10OT9EAN/g=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 h1:5ffmXjPtwRExp1zc7gENLgCPyHFbhEPwVTkTiH9niSk=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2/go.mod h1:Ru7vg1iQ7cR4i7SZ/JTLYN9kaXtbL69UdgG0OQWQxW0=
-github.com/aws/aws-sdk-go-v2/service/kms v1.29.1 h1:OdjJjUWFlMZLAMl54ASxIpZdGEesY4BH3/c0HAPSFdI=
-github.com/aws/aws-sdk-go-v2/service/kms v1.29.1/go.mod h1:Cbx2uxEX0bAB7SlSY+ys05ZBkEb8IbmuAOcGVmDfJFs=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.1 h1:utEGkfdQ4L6YW/ietH7111ZYglLJvS+sLriHJ1NBJEQ=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.1/go.mod h1:RsYqzYr2F2oPDdpy+PdhephuZxTfjHQe7SOBcZGoAU8=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1 h1:9/GylMS45hGGFCcMrUZDVayQE1jYSIN6da9jo7RAYIw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.1/go.mod h1:YjAPFn4kGFqKC54VsHs5fn5B6d+PCY2tziEa3U/GB5Y=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 h1:3I2cBEYgKhrWlwyZgfpSO2BpaMY1LHPqXYk/QGlu2ew=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.1/go.mod h1:uQ7YYKZt3adCRrdCBREm1CD3efFLOUNH77MrUCvx5oA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6 h1:b+E7zIUHMmcB4Dckjpkapoy47W6C9QBv/zoUP+Hn8Kc=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.6/go.mod h1:S2fNV0rxrP78NhPbCZeQgY8H9jdDMeGtwcfZIRxzBqU=
+github.com/aws/aws-sdk-go-v2/service/kms v1.30.0 h1:yS0JkEdV6h9JOo8sy2JSpjX+i7vsKifU8SIeHrqiDhU=
+github.com/aws/aws-sdk-go-v2/service/kms v1.30.0/go.mod h1:+I8VUUSVD4p5ISQtzpgSva4I8cJ4SQ4b1dcBcof7O+g=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.3 h1:mnbuWHOcM70/OFUlZZ5rcdfA8PflGXXiefU/O+1S3+8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.20.3/go.mod h1:5HFu51Elk+4oRBZVxmHrSds5jFXmFj8C3w7DVF2gnrs=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3 h1:uLq0BKatTmDzWa/Nu4WO0M1AaQDaPpwTKAeByEc6WFM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.3/go.mod h1:b+qdhjnxj8GSR6t5YfphOffeoQSQ1KmpoVVuBn+PWxs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 h1:J/PpTf/hllOjx8Xu9DMflff3FajfLxqM5+tepvVXmxg=
+github.com/aws/aws-sdk-go-v2/service/sts v1.28.5/go.mod h1:0ih0Z83YDH/QeQ6Ori2yGE2XvWYv/Xm+cZc01LC6oK0=
 github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
 github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
@@ -727,8 +727,8 @@ github.com/sigstore/scaffolding v0.6.17 h1:60P4/x/PdIj7SjzhEgEDefrnDcHAKzztF/RXd github.com/sigstore/scaffolding v0.6.17/go.mod h1:jTrLu0YmR5pfQDBieDpn97GSqAPHBAvgjzk8iUNGVjo= github.com/sigstore/sigstore v1.8.2 h1:0Ttjcn3V0fVQXlYq7+oHaaHkGFIt3ywm7SF4JTU/l8c= github.com/sigstore/sigstore v1.8.2/go.mod h1:CHVcSyknCcjI4K2ZhS1SI28r0tcQyBlwtALG536x1DY= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.2 h1:e0EtUcE7cqWBxxME7h6upA3EA0IR3EOE3F1t+WHOdTc= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.2/go.mod h1:07qBxPjI9bsgdQRiBz27Ai+gl6hgr//vwXMZzTX87Us= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 h1:Fgt4dC9OozkLEtMO6JYfFgqNdSDG1y1uAdiJgrtZYN4= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2/go.mod h1:BT+jh/GK55djPRHqTYu937eq29Zzusf1t0qVbrcn4Aw= github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2 h1:aX6hLH5v3JdOQJJ6+uCMmeDjcwyfQMLmXKJVl6HtzAg= From 99365e1fc2ceba1802756e5f460e67a1fb70863b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 20:51:43 +0200 Subject: [PATCH 07/27] chore(deps): Bump github.com/sigstore/sigstore/pkg/signature/kms/gcp (#1338) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/gcp](https://github.com/sigstore/sigstore) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/gcp dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 24 ++++++++++++------------ go.sum | 52 ++++++++++++++++++++++++---------------------------- 2 files changed, 36 insertions(+), 40 deletions(-) diff --git a/go.mod b/go.mod index a275af57..5913b193 100644 --- a/go.mod +++ b/go.mod @@ -40,7 +40,7 @@ require ( golang.org/x/net v0.22.0 golang.org/x/sys v0.18.0 // indirect golang.org/x/time v0.5.0 - google.golang.org/grpc v1.62.0 // indirect + google.golang.org/grpc v1.62.1 // indirect google.golang.org/protobuf v1.33.0 // indirect gopkg.in/yaml.v3 v3.0.1 k8s.io/api v0.29.3 @@ -64,17 +64,17 @@ require ( github.com/sigstore/scaffolding v0.6.17 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 - github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2 + github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2 github.com/spf13/viper v1.18.2 gopkg.in/go-jose/go-jose.v2 v2.6.3 ) require ( - cloud.google.com/go/compute v1.23.4 // indirect + cloud.google.com/go/compute v1.24.0 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.6 // indirect - cloud.google.com/go/kms v1.15.7 // indirect + cloud.google.com/go/kms v1.15.8 // indirect contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect contrib.go.opencensus.io/exporter/prometheus v0.4.2 // indirect cuelang.org/go v0.7.0 // indirect 
@@ -184,7 +184,7 @@ require (
 github.com/google/s2a-go v0.1.7 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
- github.com/googleapis/gax-go/v2 v2.12.1 // indirect
+ github.com/googleapis/gax-go/v2 v2.12.3 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
 github.com/hashicorp/vault/api v1.12.0 // indirect
@@ -247,8 +247,8 @@ require (
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
 go.mongodb.org/mongo-driver v1.14.0 // indirect
 go.opencensus.io v0.24.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
 go.opentelemetry.io/otel v1.24.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 // indirect
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.24.0 // indirect
@@ -259,17 +259,17 @@ require (
 go.uber.org/multierr v1.11.0 // indirect
 golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
 golang.org/x/mod v0.14.0 // indirect
- golang.org/x/oauth2 v0.17.0 // indirect
+ golang.org/x/oauth2 v0.18.0 // indirect
 golang.org/x/sync v0.6.0 // indirect
 golang.org/x/term v0.18.0 // indirect
 golang.org/x/text v0.14.0 // indirect
 golang.org/x/tools v0.16.1 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
- google.golang.org/api v0.167.0 // indirect
+ google.golang.org/api v0.171.0 // indirect
 google.golang.org/appengine v1.6.8 // indirect
- google.golang.org/genproto v0.0.0-20240205150955-31a09d347014 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 // indirect
+ google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/ini.v1 v1.67.0 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
diff --git a/go.sum b/go.sum
index 5710f97e..9d999fde 100644
--- a/go.sum
+++ b/go.sum
@@ -21,16 +21,16 @@ cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvf cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg= cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc= cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ= -cloud.google.com/go/compute v1.23.4 h1:EBT9Nw4q3zyE7G45Wvv3MzolIrCJEuHys5muLY0wvAw= -cloud.google.com/go/compute v1.23.4/go.mod h1:/EJMj55asU6kAFnuZET8zqgwgJ9FvXWXOkkfQZa4ioI= +cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg= +cloud.google.com/go/compute v1.24.0/go.mod h1:kw1/T+h/+tK2LJK0wiPPx1intgdAM3j/g3hFDlscY40= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk= cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc= cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI= -cloud.google.com/go/kms v1.15.7 h1:7caV9K3yIxvlQPAcaFffhlT7d1qpxjB1wHBtjWa13SM= -cloud.google.com/go/kms v1.15.7/go.mod h1:ub54lbsa6tDkUwnu4W7Yt1aAIFLnspgh0kPGToDukeI= +cloud.google.com/go/kms v1.15.8 h1:szIeDCowID8th2i8XE4uRev5PMxQFqW+JjwYxL9h6xs= +cloud.google.com/go/kms v1.15.8/go.mod h1:WoUHcDjD9pluCg7pNds131awnH429QGvRM3N/4MyoVs= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw= cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA= 
@@ -236,8 +236,6 @@ github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUK github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= -github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa h1:jQCWAUqqlij9Pgj2i/PB79y4KOPYVyFYdROxgaCwdTQ= -github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa/go.mod h1:x/1Gn8zydmfq8dk6e9PdstVsDgu9RuyIIJqAaF//0IM= github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE= @@ -296,8 +294,6 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/envoyproxy/protoc-gen-validate v1.0.4 h1:gVPz/FMfvh57HdSJQyvBtF00j8JU4zdyUgIUNhlgg0A= -github.com/envoyproxy/protoc-gen-validate v1.0.4/go.mod h1:qys6tmnRsYrQqIhm2bvKZH4Blx/1gTIZ2UKVY1M+Yew= github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.7.0 h1:nJqP7uwL84RJInrohHfW0Fx3awjbm8qZeFv0nW9SYGc= 
@@ -482,8 +478,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfF github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg= github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= -github.com/googleapis/gax-go/v2 v2.12.1 h1:9F8GV9r9ztXyAi00gsMQHNoF51xPZm8uj1dpYt2ZETM= -github.com/googleapis/gax-go/v2 v2.12.1/go.mod h1:61M8vcyyXR2kqKFxKrfA22jaA8JGF7Dc8App1U3H6jc= +github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= +github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= 
@@ -731,8 +727,8 @@ github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqb github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 h1:Fgt4dC9OozkLEtMO6JYfFgqNdSDG1y1uAdiJgrtZYN4= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2/go.mod h1:BT+jh/GK55djPRHqTYu937eq29Zzusf1t0qVbrcn4Aw= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2 h1:aX6hLH5v3JdOQJJ6+uCMmeDjcwyfQMLmXKJVl6HtzAg= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.2/go.mod h1:OEFPub6XKsX6Fl/PpeIpQTsukG3I0CFWb9saHINV72U= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 h1:vDl2fqPT0h3D/k6NZPlqnKFd1tz3335wm39qjvpZNJc= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3/go.mod h1:9uOJXbXEXj+M6QjMKH5PaL5WDMu43rHfbIMgXzA8eKI= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2 h1:hRC8sGPQtnTcoOqWbCNAvLpW1pHL4CQl7FT55IrEof8= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2/go.mod h1:frWJBbYRRHnbLE9h1fH349Mde84NZh6hDrnKqhPgMNU= github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= 
@@ -822,10 +818,10 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 h1:P+/g8GpuJGYbOp2tAdKrIPUX9JO02q8Q0YNlHolpibA= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0/go.mod h1:tIKj3DbO8N9Y2xo52og3irLsPI4GW02DSMtrVgNMgxg= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0 h1:doUP+ExOpH3spVTLS0FcWGLnQrPct/hD/bCPbDRUEAU= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.48.0/go.mod h1:rdENBZMT2OE6Ne/KLwpiXudnAsbdrdBaqBvTN8M8BgA= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 h1:jq9TW8u3so/bN+JPT166wjOI6/vQPF6Xe7nMNIltagk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0/go.mod h1:p8pYQP+m5XfbZm9fxtSKAbM6oIllS7s2AfxrChvc7iw= go.opentelemetry.io/otel v1.24.0 h1:0LAOdjNmQeSTzGBzduGe/rU4tZhMwL5rWgtp9Ku5Jfo= go.opentelemetry.io/otel v1.24.0/go.mod h1:W7b9Ozg4nkF5tWI5zsXkaKKDjdVjpD4oAt9Qi/MArHo= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.24.0 h1:t6wl9SPayj+c7lEIFgm4ooDBZVb01IhLB4InpomhRw8= 
@@ -967,8 +963,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ= -golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA= +golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI= +golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1148,8 +1144,8 @@ google.golang.org/api v0.25.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0M google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE= google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM= google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc= -google.golang.org/api v0.167.0 h1:CKHrQD1BLRii6xdkatBDXyKzM0mkawt2QP+H3LtPmSE= -google.golang.org/api v0.167.0/go.mod h1:4FcBc686KFi7QI/U51/2GKKevfZMpM17sCdibqe/bSA= +google.golang.org/api v0.171.0 h1:w174hnBPqut76FzW5Qaupt7zY8Kql6fiVjgys4f58sU= +google.golang.org/api v0.171.0/go.mod h1:Hnq5AHm4OTMt2BUVjael2CWZFD6vksJdWCWiUAmjC9o= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -1189,12 +1185,12 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20240205150955-31a09d347014 h1:g/4bk7P6TPMkAUbUhquq98xey1slwvuVJPosdBqYJlU= -google.golang.org/genproto v0.0.0-20240205150955-31a09d347014/go.mod h1:xEgQu1e4stdSSsxPDK8Azkrk/ECl5HvdPf6nbZrTS5M= -google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014 h1:x9PwdEgd11LgK+orcck69WVRo7DezSO4VUMPI4xpc8A= -google.golang.org/genproto/googleapis/api v0.0.0-20240205150955-31a09d347014/go.mod h1:rbHMSEDyoYX62nRVLOCc4Qt1HbsdytAYoVwgjiOhF3I= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9 h1:hZB7eLIaYlW9qXRfCq/qDaPdbeY3757uARz5Vvfv+cY= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:YUWgXUFRPfoYK1IHMuxH5K6nPEXSCzIMljnQ59lLRCk= +google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y= +google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9/go.mod h1:mqHbVIp48Muh7Ywss/AD6I5kNVKZMmAa/QEW58Gxp2s= +google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ= +google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c h1:lfpJ/2rWPa/kJgxyyXM8PrNnfCzcmxJ265mADgwmvLI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY= google.golang.org/grpc v1.19.0/go.mod 
h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= @@ -1208,8 +1204,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= -google.golang.org/grpc v1.62.0 h1:HQKZ/fa1bXkX1oFOvSjmZEUL8wLSaZTjCcLAlmZRtdk= -google.golang.org/grpc v1.62.0/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= +google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk= +google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= From bfd9afc37d920e0dd42064cd7bf34c90d3d7afc6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 21:09:36 +0200 Subject: [PATCH 08/27] chore(deps): Bump github.com/sigstore/sigstore from 1.8.2 to 1.8.3 (#1339) Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 5913b193..8fd049c3 100644 --- a/go.mod +++ b/go.mod @@ -31,7 +31,7 @@ require ( github.com/ryanuber/go-glob v1.0.0 github.com/sigstore/cosign/v2 v2.2.3 github.com/sigstore/rekor v1.3.5 - github.com/sigstore/sigstore v1.8.2 + github.com/sigstore/sigstore v1.8.3 github.com/stretchr/testify v1.9.0 github.com/theupdateframework/go-tuf v0.7.0 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 diff --git a/go.sum b/go.sum index 9d999fde..182eb218 100644 --- a/go.sum +++ b/go.sum @@ -721,8 +721,8 @@ github.com/sigstore/rekor v1.3.5 h1:QoVXcS7NppKY+rpbEFVHr4evGDZBBSh65X0g8PXoUkQ= github.com/sigstore/rekor v1.3.5/go.mod h1:CWqOk/fmnPwORQmm7SyDgB54GTJizqobbZ7yOP1lvw8= github.com/sigstore/scaffolding v0.6.17 h1:60P4/x/PdIj7SjzhEgEDefrnDcHAKzztF/RXddjZGQ8= github.com/sigstore/scaffolding v0.6.17/go.mod h1:jTrLu0YmR5pfQDBieDpn97GSqAPHBAvgjzk8iUNGVjo= -github.com/sigstore/sigstore v1.8.2 h1:0Ttjcn3V0fVQXlYq7+oHaaHkGFIt3ywm7SF4JTU/l8c= -github.com/sigstore/sigstore v1.8.2/go.mod h1:CHVcSyknCcjI4K2ZhS1SI28r0tcQyBlwtALG536x1DY= +github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWkA4= +github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 h1:Fgt4dC9OozkLEtMO6JYfFgqNdSDG1y1uAdiJgrtZYN4= From 5b35593521fc2bfae0ba78db1047855ee11fec89 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 21:09:55 +0200 Subject: [PATCH 09/27] chore(deps): Bump github.com/aws/aws-sdk-go from 1.51.10 to 1.51.11 (#1337) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.51.10 to 1.51.11. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.51.10...v1.51.11) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 8fd049c3..43f89353 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.21 toolchain go1.21.1 require ( - github.com/aws/aws-sdk-go v1.51.10 + github.com/aws/aws-sdk-go v1.51.11 github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect github.com/cenkalti/backoff/v3 v3.2.2 github.com/golang/protobuf v1.5.4 // indirect diff --git a/go.sum b/go.sum index 182eb218..5c0980ec 100644 --- a/go.sum +++ b/go.sum 
@@ -161,8 +161,8 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.51.10 h1:/g8K1SllwdCnsVw2BFXsYd+TS5P75skj5a8QFbfdW0U= -github.com/aws/aws-sdk-go v1.51.10/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.51.11 h1:El5VypsMIz7sFwAAj/j06JX9UGs4KAbAIEaZ57bNY4s= +github.com/aws/aws-sdk-go v1.51.11/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA= github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I= github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg= From f4fd92cbc35ce3614701a7badd4c51ad745f706c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Apr 2024 23:21:07 +0200 Subject: [PATCH 10/27] chore(deps): Bump github.com/sigstore/sigstore/pkg/signature/kms/azure (#1340) Bumps [github.com/sigstore/sigstore/pkg/signature/kms/azure](https://github.com/sigstore/sigstore) from 1.8.2 to 1.8.3. - [Release notes](https://github.com/sigstore/sigstore/releases) - [Commits](https://github.com/sigstore/sigstore/compare/v1.8.2...v1.8.3) --- updated-dependencies: - dependency-name: github.com/sigstore/sigstore/pkg/signature/kms/azure dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 43f89353..fbb6fc6c 100644 --- a/go.mod +++ b/go.mod @@ -63,7 +63,7 @@ require ( github.com/go-jose/go-jose/v3 v3.0.3 github.com/sigstore/scaffolding v0.6.17 github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 - github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 + github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2 github.com/spf13/viper v1.18.2 @@ -80,7 +80,7 @@ require ( cuelang.org/go v0.7.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 // indirect + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 // indirect github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 // indirect diff --git a/go.sum b/go.sum index 5c0980ec..51904be4 100644 --- a/go.sum +++ b/go.sum 
@@ -57,8 +57,8 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2 h1:c4k2FIYIh4xtwqrQwV0Ct1v5+ehlNXj5NI/MWVsiTkQ= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.2/go.mod h1:5FDJtLEO/GxwNgUxbwrY3LP0pEoThTQJtk2oysdXHxM= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0 h1:n1DH8TPV4qqPTje2RcUBYwtrTWlabVp4n46+74X2pn4= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0/go.mod h1:HDcZnuGbiyppErN6lB+idp4CKhjbc8gwjto6OPpyggM= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo= github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 h1:LqbJ/WzJUwBf8UiaSzgX7aMclParm9/5Vgp+TY51uBQ= 
@@ -725,8 +725,8 @@ github.com/sigstore/sigstore v1.8.3 h1:G7LVXqL+ekgYtYdksBks9B38dPoIsbscjQJX/MGWk github.com/sigstore/sigstore v1.8.3/go.mod h1:mqbTEariiGA94cn6G3xnDiV6BD8eSLdL/eA7bvJ0fVs= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2 h1:Fgt4dC9OozkLEtMO6JYfFgqNdSDG1y1uAdiJgrtZYN4= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.2/go.mod h1:BT+jh/GK55djPRHqTYu937eq29Zzusf1t0qVbrcn4Aw= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3/go.mod h1:G4+I83FILPX6MtnoaUdmv/bRGEVtR3JdLeJa/kXdk/0= github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 h1:vDl2fqPT0h3D/k6NZPlqnKFd1tz3335wm39qjvpZNJc= github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3/go.mod h1:9uOJXbXEXj+M6QjMKH5PaL5WDMu43rHfbIMgXzA8eKI= github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.2 h1:hRC8sGPQtnTcoOqWbCNAvLpW1pHL4CQl7FT55IrEof8= From 4ee0834bb829029a08193102cefb9167e2dd6641 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 17:50:13 +0000 Subject: [PATCH 11/27] chore(deps): Bump github.com/aws/aws-sdk-go from 1.51.11 to 1.51.12 (#1344) Bumps [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) from 1.51.11 to 1.51.12. - [Release notes](https://github.com/aws/aws-sdk-go/releases) - [Commits](https://github.com/aws/aws-sdk-go/compare/v1.51.11...v1.51.12) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index fbb6fc6c..eab75cf8 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.21 toolchain go1.21.1 require ( - github.com/aws/aws-sdk-go v1.51.11 + github.com/aws/aws-sdk-go v1.51.12 github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect github.com/cenkalti/backoff/v3 v3.2.2 github.com/golang/protobuf v1.5.4 // indirect diff --git a/go.sum b/go.sum index 51904be4..cc09c94f 100644 --- a/go.sum +++ b/go.sum @@ -161,8 +161,8 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.51.11 h1:El5VypsMIz7sFwAAj/j06JX9UGs4KAbAIEaZ57bNY4s= -github.com/aws/aws-sdk-go v1.51.11/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= +github.com/aws/aws-sdk-go v1.51.12 h1:DvuhIHZXwnjaR1/Gu19gUe1EGPw4J0qSJw4Qs/5PA8g= +github.com/aws/aws-sdk-go v1.51.12/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA= github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I= github.com/aws/aws-sdk-go-v2/config v1.27.9 h1:gRx/NwpNEFSk+yQlgmk1bmxxvQ5TyJ76CWXs9XScTqg= From 1dabf18fb0e079c61f3da84ad862f45c853f1211 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Apr 2024 18:09:43 +0000 Subject: [PATCH 12/27] chore(deps): Bump sigs.k8s.io/release-utils from 0.7.7 to 0.8.0 (#1342) Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.7.7 to 0.8.0. - [Release notes](https://github.com/kubernetes-sigs/release-utils/releases) - [Commits](https://github.com/kubernetes-sigs/release-utils/compare/v0.7.7...v0.8.0) --- updated-dependencies: - dependency-name: sigs.k8s.io/release-utils dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index eab75cf8..d6e6b281 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( knative.dev/hack v0.0.0-20231016131700-2c938d4918da knative.dev/hack/schema v0.0.0-20221024013916-9d2ae47c16b2 knative.dev/pkg v0.0.0-20231101193506-b09d4f2a2845 - sigs.k8s.io/release-utils v0.7.7 + sigs.k8s.io/release-utils v0.8.0 sigs.k8s.io/yaml v1.4.0 ) diff --git a/go.sum b/go.sum index cc09c94f..c6dd4732 100644 --- a/go.sum +++ b/go.sum 
@@ -1291,8 +1291,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU= -sigs.k8s.io/release-utils v0.7.7/go.mod h1:iU7DGVNi3umZJ8q6aHyUFzsDUIaYwNnNKGHo3YE5E3s= +sigs.k8s.io/release-utils v0.8.0 h1:iiyzoALmcPhcrA4Xkb73GHBwoyDfqkS6DItSixaeSJs= +sigs.k8s.io/release-utils v0.8.0/go.mod h1:GWU37J2Srptpc4TvU3yllZORPf0xoH3zk4YPjbWoMtg= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= From 6126ea8803b6ed8835b2caaef53d89762cc47ef7 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Thu, 7 Mar 2024 10:30:18 -0500 Subject: [PATCH 13/27] WIP: Convert SigstoreKeys to protobuf-specs type Signed-off-by: Cody Soyland --- cmd/tester/main.go | 7 +- go.mod | 3 +- go.sum | 2 + pkg/apis/config/sigstore_keys.go | 192 +++++++------ pkg/apis/config/sigstore_keys_test.go | 100 +++---- pkg/apis/config/store_test.go | 2 + .../config/testdata/config-sigstore-keys.yaml | 3 +- pkg/reconciler/trustroot/trustroot.go | 25 +- pkg/reconciler/trustroot/trustroot_test.go | 261 ++++++++++++------ pkg/webhook/validator.go | 24 +- pkg/webhook/validator_test.go | 73 ++--- 11 files changed, 413 insertions(+), 279 deletions(-) diff --git a/cmd/tester/main.go b/cmd/tester/main.go index 2bf800ec..c92be42a 100644 --- a/cmd/tester/main.go +++ b/cmd/tester/main.go 
@@ -154,11 +154,10 @@ func main() {
 		log.Fatal(err)
 	}
 
-	c := &config.SigstoreKeys{}
-	c.ConvertFrom(context.Background(), tr.Spec.SigstoreKeys)
-	maps := make(map[string]config.SigstoreKeys, 0)
+	c := config.ConvertSigstoreKeys(context.Background(), tr.Spec.SigstoreKeys)
+	maps := make(map[string]*config.SigstoreKeys, 0)
 
-	maps[tr.Name] = *c
+	maps[tr.Name] = c
 	configCtx.SigstoreKeysConfig = &config.SigstoreKeysMap{SigstoreKeys: maps}
 	ctx = config.ToContext(ctx, configCtx)
 
diff --git a/go.mod b/go.mod
index d6e6b281..e9520ea2 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/time v0.5.0
 	google.golang.org/grpc v1.62.1 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.29.3
 	k8s.io/apimachinery v0.29.3
@@ -61,6 +61,7 @@ require (
 	github.com/docker/docker v26.0.0+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/go-jose/go-jose/v3 v3.0.3
+	github.com/sigstore/protobuf-specs v0.3.1
 	github.com/sigstore/scaffolding v0.6.17
 	github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3
 	github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3
diff --git a/go.sum b/go.sum
index c6dd4732..7b900656 100644
--- a/go.sum
+++ b/go.sum
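Review bot: The rewritten `maps := make(map[string]*config.SigstoreKeys, 0)` shadows the standard-library `maps` package (this module declares `go 1.21`, which ships it) and the `, 0` capacity hint is a no-op; `keys := make(map[string]*config.SigstoreKeys)` would read better. Unlike the `log.Fatal(err)` check just above, the result of `config.ConvertSigstoreKeys` is stored without any error handling, so if the conversion can fail on malformed PEM material (the later hunks add `encoding/pem` and `cryptoutils` to the package), the failure should surface here rather than producing a partially populated trust root; I cannot see the function's signature from this view, so this is to confirm. `main` starts before and ends after the hunk.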
@@ -717,6 +717,8 @@ github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
 github.com/sigstore/cosign/v2 v2.2.3 h1:WX7yawI+EXu9h7S5bZsfYCbB9XW6Jc43ctKy/NoOSiA=
 github.com/sigstore/cosign/v2 v2.2.3/go.mod h1:WpMn4MBt0cI23GdHsePwO4NxhX1FOz1ITGB3ALUjFaI=
+github.com/sigstore/protobuf-specs v0.3.1 h1:9aJQrPq7iRDSLBNg//zsP7tAzxdHnD1sA+1FyCCrkrQ=
+github.com/sigstore/protobuf-specs v0.3.1/go.mod h1:HfkcPi5QXteuew4+c5ONz8vYQ8aOH//ZTQ3gg0X8ZUA=
 github.com/sigstore/rekor v1.3.5 h1:QoVXcS7NppKY+rpbEFVHr4evGDZBBSh65X0g8PXoUkQ=
 github.com/sigstore/rekor v1.3.5/go.mod h1:CWqOk/fmnPwORQmm7SyDgB54GTJizqobbZ7yOP1lvw8=
 github.com/sigstore/scaffolding v0.6.17 h1:60P4/x/PdIj7SjzhEgEDefrnDcHAKzztF/RXddjZGQ8=
diff --git a/pkg/apis/config/sigstore_keys.go b/pkg/apis/config/sigstore_keys.go
index 519b8ef6..a49d663c 100644
--- a/pkg/apis/config/sigstore_keys.go
+++ b/pkg/apis/config/sigstore_keys.go
@@ -17,12 +17,16 @@ package config
 
 import (
 	"context"
-	"encoding/json"
+	"encoding/pem"
 	"fmt"
 
+	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1"
+	pbcommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	pbtrustroot "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"google.golang.org/protobuf/encoding/protojson"
 	corev1 "k8s.io/api/core/v1"
-	"knative.dev/pkg/apis"
 	"sigs.k8s.io/yaml"
 )
 
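Review bot: Swapping `encoding/json` for `google.golang.org/protobuf/encoding/protojson` in the `sigstore_keys.go` import block changes how the `config-sigstore-keys` ConfigMap content is decoded, and nothing in the commit documents the compatibility impact: the hand-written structs removed in the following hunk carried JSON tags such as `baseURL`, `certChain` and `logID` that the protobuf-specs `TrustedRoot` message does not use, so a ConfigMap written for the old schema will presumably no longer parse (the diffstat shows `testdata/config-sigstore-keys.yaml` being updated). A comment on `SigstoreKeys` stating that the ConfigMap now holds a protojson-encoded `dev.sigstore.trustroot.v1.TrustedRoot` would help operators, together with a sentence on whether unknown fields are rejected, since `protojson.Unmarshal` does so by default unless `protojson.UnmarshalOptions{DiscardUnknown: true}` is used. The import block is complete within the hunk; the struct-removal hunk that follows runs past this view.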
@@ -33,81 +37,24 @@ const ( SigstoreKeysConfigName = "config-sigstore-keys" ) -// Note that these are 1:1 mapped to public API SigstoreKeys. Reasoning -// being that we may choose to serialize these differently, or use the protos -// that are defined upstream, so want to keep the public/private distinction, so -// that we can change things independend of breaking the API. Time will tell -// if this is the right call, but we can always reunify them later if we so -// want. -// TODO(vaikas): See about replacing these with the protos here once they land -// and see how easy it is to replace with protos instead of our custom defs -// above. -// https://github.com/sigstore/protobuf-specs/pull/5 -// And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70 - -// TransparencyLogInstance describes the immutable parameters from a -// transparency log. -// See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters -// for more details. -// The incluced parameters are the minimal set required to identify a log, -// and verify an inclusion promise. -type TransparencyLogInstance struct { - BaseURL apis.URL `json:"baseURL"` - HashAlgorithm string `json:"hashAlgorithm"` - // PEM encoded public key - PublicKey []byte `json:"publicKey"` - LogID string `json:"logID"` -} - -type DistinguishedName struct { - Organization string `json:"organization"` - CommonName string `json:"commonName"` -} - -type CertificateAuthority struct { - // The root certificate MUST be self-signed, and so the subject and - // issuer are the same. - Subject DistinguishedName `json:"subject"` - // The URI at which the CA can be accessed. - URI apis.URL `json:"uri"` - // The certificate chain for this CA. - // CertChain is in PEM format. - CertChain []byte `json:"certChain"` - - // TODO(vaikas): How to best represent this - // The time the *entire* chain was valid. 
This is at max the - // longest interval when *all* certificates in the chain where valid, - // but it MAY be shorter. - // dev.sigstore.common.v1.TimeRange valid_for = 4; -} +// Type aliases for types from protobuf-specs. TODO: Consider just importing +// the protobuf-specs types directly from each package as needed. // SigstoreKeys contains all the necessary Keys and Certificates for validating // against a specific instance of Sigstore. -// TODO(vaikas): See about replacing these with the protos here once they land -// and see how easy it is to replace with protos instead of our custom defs -// above. -// https://github.com/sigstore/protobuf-specs/pull/5 -// And in particular: https://github.com/sigstore/protobuf-specs/pull/5/files#diff-b1f89b7fd3eb27b519380b092a2416f893a96fbba3f8c90cfa767e7687383ad4R70 -// Well, not the multi-root, but one instance of that is exactly the -// SigstoreKeys. -type SigstoreKeys struct { - // Trusted certificate authorities (e.g Fulcio). - CertificateAuthorities []CertificateAuthority `json:"certificateAuthorities,omitempty"` - // Rekor log specifications - TLogs []TransparencyLogInstance `json:"tLogs,omitempty"` - // Certificate Transparency Log - CTLogs []TransparencyLogInstance `json:"ctLogs,omitempty"` - // Trusted timestamping authorities - TimeStampAuthorities []CertificateAuthority `json:"timestampAuthorities"` -} +type SigstoreKeys = pbtrustroot.TrustedRoot +type CertificateAuthority = pbtrustroot.CertificateAuthority +type TransparencyLogInstance = pbtrustroot.TransparencyLogInstance +type DistinguishedName = pbcommon.DistinguishedName +type LogId = pbcommon.LogId type SigstoreKeysMap struct { - SigstoreKeys map[string]SigstoreKeys + SigstoreKeys map[string]*SigstoreKeys } // NewSigstoreKeysFromMap creates a map of SigstoreKeys to use for validation. 
func NewSigstoreKeysFromMap(data map[string]string) (*SigstoreKeysMap, error) { - ret := make(map[string]SigstoreKeys, len(data)) + ret := make(map[string]*SigstoreKeys, len(data)) // Spin through the ConfigMap. Each entry will have a serialized form of // necessary validation keys in the form of SigstoreKeys. for k, v := range data { @@ -123,7 +70,7 @@ func NewSigstoreKeysFromMap(data map[string]string) (*SigstoreKeysMap, error) { if err := parseSigstoreKeys(v, sigstoreKeys); err != nil { return nil, fmt.Errorf("failed to parse the entry %q : %q : %w", k, v, err) } - ret[k] = *sigstoreKeys + ret[k] = sigstoreKeys } return &SigstoreKeysMap{SigstoreKeys: ret}, nil } 
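Review bot: `SigstoreKeysMap.SigstoreKeys` switches to `*SigstoreKeys` values without a comment, and the field-level docs that described the JSON shape of a ConfigMap entry went away with the removed structs. A field comment such as `// SigstoreKeys maps a ConfigMap key to the TrustedRoot parsed from its value. Entries are protobuf messages, so pass them by pointer rather than copying.`, plus a sentence on the alias block stating that a ConfigMap entry is now the protojson encoding of `TrustedRoot` (`tlogs`, `ctlogs`, `baseUrl`, `certChain.certificates[].rawBytes`), would keep the wire format operators see documented in one place. `NewSigstoreKeysFromMap` continues past the end of this hunk.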
@@ -133,56 +80,121 @@ func NewSigstoreKeysFromConfigMap(config *corev1.ConfigMap) (*SigstoreKeysMap, e return NewSigstoreKeysFromMap(config.Data) } -func parseSigstoreKeys(entry string, out interface{}) error { +func parseSigstoreKeys(entry string, out *pbtrustroot.TrustedRoot) error { j, err := yaml.YAMLToJSON([]byte(entry)) if err != nil { return fmt.Errorf("config's value could not be converted to JSON: %w : %s", err, entry) } - return json.Unmarshal(j, &out) + return protojson.Unmarshal(j, out) } -// ConvertFrom takes a source and converts into a SigstoreKeys suitable +// ConvertSigstoreKeys takes a source and converts into a SigstoreKeys suitable // for serialization into a ConfigMap entry. -func (sk *SigstoreKeys) ConvertFrom(_ context.Context, source *v1alpha1.SigstoreKeys) { - sk.CertificateAuthorities = make([]CertificateAuthority, len(source.CertificateAuthorities)) +func ConvertSigstoreKeys(_ context.Context, source *v1alpha1.SigstoreKeys) *SigstoreKeys { + sk := &SigstoreKeys{} + sk.CertificateAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.CertificateAuthorities)) for i := range source.CertificateAuthorities { sk.CertificateAuthorities[i] = ConvertCertificateAuthority(source.CertificateAuthorities[i]) } - sk.TLogs = make([]TransparencyLogInstance, len(source.TLogs)) + sk.Tlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.TLogs)) for i := range source.TLogs { - sk.TLogs[i] = ConvertTransparencyLogInstance(source.TLogs[i]) + sk.Tlogs[i] = ConvertTransparencyLogInstance(source.TLogs[i]) } - sk.CTLogs = make([]TransparencyLogInstance, len(source.CTLogs)) + sk.Ctlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.CTLogs)) for i := range source.CTLogs { - sk.CTLogs[i] = ConvertTransparencyLogInstance(source.CTLogs[i]) + sk.Ctlogs[i] = ConvertTransparencyLogInstance(source.CTLogs[i]) } - sk.TimeStampAuthorities = make([]CertificateAuthority, len(source.TimeStampAuthorities)) + sk.TimestampAuthorities = 
make([]*pbtrustroot.CertificateAuthority, len(source.TimeStampAuthorities)) for i := range source.TimeStampAuthorities { - sk.TimeStampAuthorities[i] = ConvertCertificateAuthority(source.TimeStampAuthorities[i]) + sk.TimestampAuthorities[i] = ConvertCertificateAuthority(source.TimeStampAuthorities[i]) } + return sk } // ConvertCertificateAuthority converts public into private CertificateAuthority -func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) CertificateAuthority { - return CertificateAuthority{ - Subject: DistinguishedName{ +func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) *pbtrustroot.CertificateAuthority { + return &pbtrustroot.CertificateAuthority{ + Subject: &pbcommon.DistinguishedName{ Organization: source.Subject.Organization, CommonName: source.Subject.CommonName, }, - URI: *source.URI.DeepCopy(), - CertChain: source.CertChain, + Uri: source.URI.String(), + CertChain: DeserializeCertChain(source.CertChain), } } // ConvertTransparencyLogInstance converts public into private // TransparencyLogInstance. -func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) TransparencyLogInstance { - return TransparencyLogInstance{ - BaseURL: *source.BaseURL.DeepCopy(), - HashAlgorithm: source.HashAlgorithm, - PublicKey: source.PublicKey, +func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pbtrustroot.TransparencyLogInstance { + pk, err := cryptoutils.UnmarshalPEMToPublicKey(source.PublicKey) + if err != nil { + return nil // TODO: log error? Add return error? + } + logID, err := cosign.GetTransparencyLogID(pk) + if err != nil { + return nil // TODO: log error? Add return error? 
+ } + + var hashAlgorithm pbcommon.HashAlgorithm + switch source.HashAlgorithm { + case "sha256": + hashAlgorithm = pbcommon.HashAlgorithm_SHA2_256 + case "sha384": + hashAlgorithm = pbcommon.HashAlgorithm_SHA2_384 + case "sha512": + hashAlgorithm = pbcommon.HashAlgorithm_SHA2_512 + default: + hashAlgorithm = pbcommon.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED + } + + return &pbtrustroot.TransparencyLogInstance{ + BaseUrl: source.BaseURL.String(), + HashAlgorithm: hashAlgorithm, + PublicKey: DeserializePublicKey(source.PublicKey), + LogId: &pbcommon.LogId{ + KeyId: []byte(logID), + }, } } + +func SerializeCertChain(certChain *pbcommon.X509CertificateChain) []byte { + var chain []byte + for _, cert := range certChain.Certificates { + bytes := cert.RawBytes + block := &pem.Block{ + Type: "CERTIFICATE", + Bytes: bytes, + } + chain = append(chain, pem.EncodeToMemory(block)...) + } + return chain +} + +func SerializePublicKey(publicKey *pbcommon.PublicKey) []byte { + block := &pem.Block{ + Type: "PUBLIC KEY", + Bytes: publicKey.RawBytes, + } + return pem.EncodeToMemory(block) +} + +func DeserializeCertChain(chain []byte) *pbcommon.X509CertificateChain { + var certs []*pbcommon.X509Certificate + for { + var block *pem.Block + block, chain = pem.Decode(chain) + if block == nil { + break + } + certs = append(certs, &pbcommon.X509Certificate{RawBytes: block.Bytes}) + } + return &pbcommon.X509CertificateChain{Certificates: certs} +} + +func DeserializePublicKey(publicKey []byte) *pbcommon.PublicKey { + block, _ := pem.Decode(publicKey) + return &pbcommon.PublicKey{RawBytes: block.Bytes} +} diff --git a/pkg/apis/config/sigstore_keys_test.go b/pkg/apis/config/sigstore_keys_test.go index d6e939b3..b2360e56 100644 --- a/pkg/apis/config/sigstore_keys_test.go +++ b/pkg/apis/config/sigstore_keys_test.go @@ -15,6 +15,8 @@ package config import ( + "bytes" + "encoding/pem" "testing" . "knative.dev/pkg/configmap/testing" 
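Review bot: `DeserializePublicKey` reads `block.Bytes` without checking that `pem.Decode` found a block, so a public key that is not PEM — from a TrustRoot CR via `ConvertTransparencyLogInstance` in this hunk, or from a TUF target via `getSigstoreKeysFromTuf` in trustroot.go — panics the controller instead of producing an error, and `DeserializeCertChain` has the quieter form of the same gap (junk input yields an empty chain). `ConvertTransparencyLogInstance` returning `nil` on its two error paths is the same problem one level up: `ConvertSigstoreKeys` stores that nil into `sk.Tlogs`/`sk.Ctlogs`, and the `for i, tlog := range sigstoreKeys.Tlogs` loop in ReconcileKind then reads `tlog.PublicKey` off a nil pointer; returning an error from both functions, and from `ConvertSigstoreKeys`, closes the TODOs left in the hunk (excerpt below, callers to follow). Separately, `KeyId: []byte(logID)` stores the ASCII hex string that `cosign.GetTransparencyLogID` returns, while the fixture in config-sigstore-keys.yaml gives `keyId` as that same hex string, which `protojson` base64-decodes into unrelated bytes — the two paths disagree, and presumably neither is the raw digest `LogId.key_id` is meant to carry, so `hex.DecodeString(logID)` is worth confirming here and in the two `LogId` assignments in trustroot.go. Lastly, `protojson.Unmarshal` rejects unknown fields by default and the key names changed (`tLogs`→`tlogs`, `certChain` is now an object), so a ConfigMap entry written by a previous release fails `NewSigstoreKeysFromMap` outright after upgrade; that migration needs documenting, and discarding unknown fields is not a substitute because an old entry would then parse as an empty TrustedRoot.
```go
// ConvertTransparencyLogInstance converts public into private
// TransparencyLogInstance. A key that is not PEM or not a supported public
// key is reported to the caller rather than silently dropped.
func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) (*pbtrustroot.TransparencyLogInstance, error) {
	pk, err := cryptoutils.UnmarshalPEMToPublicKey(source.PublicKey)
	if err != nil {
		return nil, fmt.Errorf("parsing public key for %s: %w", source.BaseURL.String(), err)
	}
	logID, err := cosign.GetTransparencyLogID(pk)
	if err != nil {
		return nil, fmt.Errorf("computing log ID for %s: %w", source.BaseURL.String(), err)
	}
	// … unchanged: hashAlgorithm switch …
	publicKey, err := DeserializePublicKey(source.PublicKey)
	if err != nil {
		return nil, fmt.Errorf("log %s: %w", source.BaseURL.String(), err)
	}
	return &pbtrustroot.TransparencyLogInstance{
		BaseUrl:       source.BaseURL.String(),
		HashAlgorithm: hashAlgorithm,
		PublicKey:     publicKey,
		LogId:         &pbcommon.LogId{KeyId: []byte(logID)},
	}, nil
}

// DeserializePublicKey converts a PEM-encoded public key into the DER form
// carried by pbcommon.PublicKey. Input with no PEM block is an error, not a panic.
func DeserializePublicKey(publicKey []byte) (*pbcommon.PublicKey, error) {
	block, _ := pem.Decode(publicKey)
	if block == nil {
		return nil, fmt.Errorf("public key is not PEM encoded")
	}
	return &pbcommon.PublicKey{RawBytes: block.Bytes}, nil
}
```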
@@ -23,45 +25,45 @@ import ( const ( rekorPublicKey = `-----BEGIN PUBLIC KEY----- - MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7D2WvgqSzs9jpdJsOJ5Nl6xg8JXm - Nmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw== - -----END PUBLIC KEY----- - ` +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7D2WvgqSzs9jpdJsOJ5Nl6xg8JXm +Nmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw== +-----END PUBLIC KEY----- +` tsaCertChain = `-----BEGIN CERTIFICATE----- - MIIBzDCCAXKgAwIBAgIUfyGKDoFa7y6s/W1p1CiTmBRs1eAwCgYIKoZIzj0EAwIw - MDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0 - ZTAeFw0yMjExMDkyMDMxMzRaFw0zMTExMDkyMDM0MzRaMDAxDjAMBgNVBAoTBWxv - Y2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIB - BggqhkjOPQMBBwNCAAR3KcDy9jwARX0rDvyr+MGGkG3n1OA0MU5+ZiDmgusFyk6U - 6bovKWVMfD8J8NTcJZE0RaYJr8/dE9kgcIIXlhMwo2owaDAOBgNVHQ8BAf8EBAMC - B4AwHQYDVR0OBBYEFHNn5R3b3MtUdSNrFO49Q6XDVSnkMB8GA1UdIwQYMBaAFNLS - 6gno7Om++Qt5zIa+H9o0HiT2MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqG - SM49BAMCA0gAMEUCIQCF0olohnvdUq6T7/wPk19Z5aQP/yxRTjCWYuhn/TCyHgIg - azV3air4GRZbN9bdYtcQ7JUAKq89GOhtFfl6kcoVUvU= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIB0jCCAXigAwIBAgIUXpBmYJFFaGW3cC8p6b/DHr1i8IowCgYIKoZIzj0EAwIw - KDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx - MTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwG - A1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0D - AQcDQgAEKDPDRIwDS1ZCymub6yanCG5ma0qDjLpNonDvooSkRHEgU0TNibeJn6M+ - 5W608hCw8nwuucMbXQ41kNeuBeevyqN4MHYwDgYDVR0PAQH/BAQDAgEGMBMGA1Ud - JQQMMAoGCCsGAQUFBwMIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNLS6gno - 7Om++Qt5zIa+H9o0HiT2MB8GA1UdIwQYMBaAFB1nvXpNK7AuQlbJ+ya6nPSqWi+T - MAoGCCqGSM49BAMCA0gAMEUCIGiwqCI29w7C4V8TltCsi728s5DtklCPySDASUSu - a5y5AiEA40Ifdlwf7Uj8q8NSD6Z4g/0js0tGNdLSUJ1do/WoN0s= - -----END CERTIFICATE----- - -----BEGIN CERTIFICATE----- - MIIBlDCCATqgAwIBAgIUYZx9sS14En7SuHDOJJP4IPopMjUwCgYIKoZIzj0EAwIw - 
KDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx - MTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAoMQ4wDAYDVQQKEwVsb2NhbDEWMBQG - A1UEAxMNVGVzdCBUU0EgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAbB - B0SU8G75hVIUphChA4nfOwNWP347TjScIdsEPrKVn+/Y1HmmLHJDjSfn+xhEFoEk - 7jqgrqon48i4xbo7xAujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD - AQH/MB0GA1UdDgQWBBQdZ716TSuwLkJWyfsmupz0qlovkzAKBggqhkjOPQQDAgNI - ADBFAiBe5P56foqmFcZAVpEeAOFZrAlEiq05CCpMNYh5EjLvmAIhAKNF6xIV5uFd - pSTJsAwzjW78CKQm7qol0uPmPPu6mNaw - -----END CERTIFICATE-----` +MIIBzDCCAXKgAwIBAgIUfyGKDoFa7y6s/W1p1CiTmBRs1eAwCgYIKoZIzj0EAwIw +MDEOMAwGA1UEChMFbG9jYWwxHjAcBgNVBAMTFVRlc3QgVFNBIEludGVybWVkaWF0 +ZTAeFw0yMjExMDkyMDMxMzRaFw0zMTExMDkyMDM0MzRaMDAxDjAMBgNVBAoTBWxv +Y2FsMR4wHAYDVQQDExVUZXN0IFRTQSBUaW1lc3RhbXBpbmcwWTATBgcqhkjOPQIB +BggqhkjOPQMBBwNCAAR3KcDy9jwARX0rDvyr+MGGkG3n1OA0MU5+ZiDmgusFyk6U +6bovKWVMfD8J8NTcJZE0RaYJr8/dE9kgcIIXlhMwo2owaDAOBgNVHQ8BAf8EBAMC +B4AwHQYDVR0OBBYEFHNn5R3b3MtUdSNrFO49Q6XDVSnkMB8GA1UdIwQYMBaAFNLS +6gno7Om++Qt5zIa+H9o0HiT2MBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMIMAoGCCqG +SM49BAMCA0gAMEUCIQCF0olohnvdUq6T7/wPk19Z5aQP/yxRTjCWYuhn/TCyHgIg +azV3air4GRZbN9bdYtcQ7JUAKq89GOhtFfl6kcoVUvU= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIB0jCCAXigAwIBAgIUXpBmYJFFaGW3cC8p6b/DHr1i8IowCgYIKoZIzj0EAwIw +KDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx +MTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwG +A1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0D +AQcDQgAEKDPDRIwDS1ZCymub6yanCG5ma0qDjLpNonDvooSkRHEgU0TNibeJn6M+ +5W608hCw8nwuucMbXQ41kNeuBeevyqN4MHYwDgYDVR0PAQH/BAQDAgEGMBMGA1Ud +JQQMMAoGCCsGAQUFBwMIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNLS6gno +7Om++Qt5zIa+H9o0HiT2MB8GA1UdIwQYMBaAFB1nvXpNK7AuQlbJ+ya6nPSqWi+T +MAoGCCqGSM49BAMCA0gAMEUCIGiwqCI29w7C4V8TltCsi728s5DtklCPySDASUSu +a5y5AiEA40Ifdlwf7Uj8q8NSD6Z4g/0js0tGNdLSUJ1do/WoN0s= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIBlDCCATqgAwIBAgIUYZx9sS14En7SuHDOJJP4IPopMjUwCgYIKoZIzj0EAwIw 
+KDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIx +MTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAoMQ4wDAYDVQQKEwVsb2NhbDEWMBQG +A1UEAxMNVGVzdCBUU0EgUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAbB +B0SU8G75hVIUphChA4nfOwNWP347TjScIdsEPrKVn+/Y1HmmLHJDjSfn+xhEFoEk +7jqgrqon48i4xbo7xAujQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTAD +AQH/MB0GA1UdDgQWBBQdZ716TSuwLkJWyfsmupz0qlovkzAKBggqhkjOPQQDAgNI +ADBFAiBe5P56foqmFcZAVpEeAOFZrAlEiq05CCpMNYh5EjLvmAIhAKNF6xIV5uFd +pSTJsAwzjW78CKQm7qol0uPmPPu6mNaw +-----END CERTIFICATE-----` ) func TestDefaultsSigstoreKeysConfigurationFromFile(t *testing.T) { 
@@ -71,21 +73,25 @@ func TestDefaultsSigstoreKeysConfigurationFromFile(t *testing.T) { t.Error("NewSigstoreKeysFromConfigMap(example) =", err) } sigstoreKeys := keysMap.SigstoreKeys["my-custom-sigstore-keys"] - got := sigstoreKeys.CertificateAuthorities[0].Subject.Organization - if got != "fulcio-organization" { - t.Errorf("Invalid organization, want foo got %s", got) + org := sigstoreKeys.CertificateAuthorities[0].Subject.Organization + if org != "fulcio-organization" { + t.Errorf("Invalid organization, want foo got %s", org) } // TODO: Validate the entire file, above spot checks are not enough, but // at least we can unmarshal. // Note that even though sigstoreKeys.TLog[0].PublicKey is base64 encoded // in the ConfigMap it gets decoded when we fetch it above, so we get the // PEM format for it directly. Same for tsaCertChain - got = string(sigstoreKeys.TLogs[0].PublicKey) - if got != rekorPublicKey { - t.Errorf("Invalid public key, want %s got %s", rekorPublicKey, got) + got := sigstoreKeys.Tlogs[0].PublicKey.RawBytes + block, _ := pem.Decode([]byte(rekorPublicKey)) + if !bytes.Equal(got, block.Bytes) { + t.Errorf("Invalid public key, want %s got %s", block.Bytes, got) } - got = string(sigstoreKeys.TimeStampAuthorities[0].CertChain) - if got != tsaCertChain { - t.Errorf("Invalid cert chain, want %s got %s", tsaCertChain, got) + certs := []byte(tsaCertChain) + for _, cert := range sigstoreKeys.TimestampAuthorities[0].CertChain.Certificates { + block, certs = pem.Decode(certs) + if !bytes.Equal(block.Bytes, cert.RawBytes) { + t.Errorf("Invalid cert chain, want %s got %s", cert.RawBytes, block.Bytes) + } } } diff --git a/pkg/apis/config/store_test.go b/pkg/apis/config/store_test.go index 4be73357..b9fe3101 100644 --- a/pkg/apis/config/store_test.go +++ b/pkg/apis/config/store_test.go 
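Review bot: The cert-chain loop only compares the certificates that were parsed, so a `CertChain.Certificates` that is empty or shorter than the three blocks in `tsaCertChain` passes silently, and if the fixture runs out first `block.Bytes` panics instead of failing the test. Pin the count before the loop, `if n := len(sigstoreKeys.TimestampAuthorities[0].CertChain.Certificates); n != 3 { t.Fatalf("want 3 certs, got %d", n) }`, and add `if block == nil { t.Fatal("fixture has fewer PEM blocks than parsed chain") }` after the `pem.Decode(certs)` call. The `block, _ := pem.Decode([]byte(rekorPublicKey))` result a few lines above needs the same nil guard for the same reason.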
@@ -21,6 +21,7 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" "github.com/sigstore/cosign/v2/pkg/oci/remote" + "google.golang.org/protobuf/testing/protocmp" "k8s.io/apimachinery/pkg/api/resource" logtesting "knative.dev/pkg/logging/testing" @@ -28,6 +29,7 @@ import ( ) var ignoreStuff = cmp.Options{ + protocmp.Transform(), cmpopts.IgnoreUnexported(resource.Quantity{}), // Ignore functional remote options cmpopts.IgnoreTypes((remote.Option)(nil)), diff --git a/pkg/apis/config/testdata/config-sigstore-keys.yaml b/pkg/apis/config/testdata/config-sigstore-keys.yaml index 008f7ce2..52a14cb8 100644 --- a/pkg/apis/config/testdata/config-sigstore-keys.yaml +++ b/pkg/apis/config/testdata/config-sigstore-keys.yaml 
@@ -28,4 +28,5 @@ data: # # ################################ my-custom-sigstore-keys: |- - {"certificateAuthorities":[{"subject":{"organization":"fulcio-organization","commonName":"fulcio-common-name"},"uri":"https://fulcio.example.com","certChain":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCglNSUlGd3pDQ0E2dWdBd0lCQWdJSUs3eGIrcnFZNGdFd0RRWUpLb1pJaHZjTkFRRUxCUUF3ZmpFTU1Bb0dBMVVFCglCaE1EVlZOQk1STXdFUVlEVlFRSUV3cERZV3hwWm05eWJtbGhNUll3RkFZRFZRUUhFdzFUWVc0Z1JuSmhibU5wCgljMk52TVJZd0ZBWURWUVFKRXcwMU5EZ2dUV0Z5YTJWMElGTjBNUTR3REFZRFZRUVJFd1UxTnpJM05ERVpNQmNHCglBMVVFQ2hNUVRHbHVkWGdnUm05MWJtUmhkR2x2YmpBZUZ3MHlNakV5TURnd01qRTNOVEZhRncweU16RXlNRGd3CglNakUzTlRGYU1INHhEREFLQmdOVkJBWVRBMVZUUVRFVE1CRUdBMVVFQ0JNS1EyRnNhV1p2Y201cFlURVdNQlFHCglBMVVFQnhNTlUyRnVJRVp5WVc1amFYTmpiekVXTUJRR0ExVUVDUk1OTlRRNElFMWhjbXRsZENCVGRERU9NQXdHCglBMVVFRVJNRk5UY3lOelF4R1RBWEJnTlZCQW9URUV4cGJuVjRJRVp2ZFc1a1lYUnBiMjR3Z2dJaU1BMEdDU3FHCglTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDMTQyRWpsZzJReEl3cE5qYmFlVy9mdDlzSDFUWFU2Q1dnCglic3ZWcDc3dlJnY2tTbnBNM1JUQy9nd0V3Skh0WCtHT1RyUDlybzZuRkpOM0czaGNGbmFNSExLZEdyb2Y5aUh1Cgkvdy9sWkx3UXpYelZUKzBaeVp4eXRIQVdHRkJ2bVlNNEozM2pINkRqOVB2cU9Od3RTQlNtWkJQYy9ILzhFdllzCglVenhQV3VraE90b3RTSDNWWERxWjRqbDk2TUxlMCs1ZzJXaTdNeFJYNDRYMVJpUFMxNGJhMUVTNTM4YlRoaGNRCgk0U01qM3VoYmRzQ0lrY203ZUY0RVkzcEVYUXBYRUVHblpHZndZZ1FyKzZjVDA3WmQvV0RNME5YM0t4SDZxUms5CglnRGpQbmZjTXVGYk9UYmZEL251dng2Rk5YNk9VcnpyWlNnbGtMdmNQSUJWT1c3TG40MUxBYjdhWG1iV0xGRUpuCgl1TG9vUHBZWXIrNk5obkZETkdwc0JLR0tyL2t2YlF5REtLc3QzQ0tqOW90UFMxMzYzbmk0MXFub0E3WVdTcXh3Cgl6NDE4NWRLS2MrWTd5dkpRc1JscjZxRzFzTkxPK2M3N2ZTUzVWWkltek5vekJjUmt1TEpGbFgrV0IwdXpnUVU1CglzNDVJWlcrZks5Mm5mdThNbUtqekhSK2lkeXI0T3lqUzBZU04zR01nYzBVUDdLNmhWcGhMZWRBcEZweWtCU0ZHCglVZ2lQWndyVCttR1NWZ21PWHE1bjFkUVRDRDE0bEVoMnF0My9yZmY4ek5jMENNQU5XeWJhTUdCR1E0YmhWVlhlCglSS1l4OXUyUFpqUHY1M3A3WWIvRENkcW5HRUR3L0hDQkRpQ3M0b1llNGRhRTM2eFVvanhEU20zRGFlTkc2OHo5CglSTDdnZlVqQXhRSURBUUFCbzBVd1F6QU9CZ05WSFE4QkFmOEVCQU1DQVFZd0VnWURWUjBUQVFIL0JBZ3dCZ0VCCgkvd0lCQVRBZEJnTlZIUTRFRmdRVWYrbGJOWDBXaD
RoK1EwU1J0aFJLK0tmTGpxRXdEUVlKS29aSWh2Y05BUUVMCglCUUFEZ2dJQkFFaEpqYTBaU0t3WGNhT1hDWVJYVEUwNitKYnBlekk1TGV2QmhtYlJRSzc4OVJxMTBKZUFYYTdtCglFVG9SR2xHRkxIMnVEVDExbXNGS3lNM3Y2N0tsRTFTWVZjcUttQ2xZZklWRVlIM0xhMHVJKzlySFpuV2diNEJsCgl5MUI4d2JsS0p6aFlRRDlaNEgvZ3MrQkFzb1JYNVZvRnlJZ2tOQmsxcDNmdGFWQ2JrUXZTME9ZdFlzNWl3NGVLCgljSTcxL0lzVElUM1pwcGo5UjhJR3Nxd0xLZ3pmbnlOY0ZKZHorb2hjNlYyMlBqWk1FQkhDc0hQTzRhdjJMbFdLCgk1WTFmbEwrMmJxVHFibU8vYmpmWDB3NFoxRHVvalJjT1pGN1NINE8zUXUyWTcvNjlnSDdDcDBuaVZDbTV6K1M1CgkwMTFWNlB2TWpybWlFK3hWa3hMSGJZRWdvY2JGaGQ1RGNpTUNYcHZzdURab2phSTNGUkVtQnFpSWhLb2tpM3JiCgl3dUVseWE3OGJNd2taMWtycDc2bldzbzQ3LzArNTFpby9XcmlBZHIwY2ptem9uaG83UnFJRTNEQzc3Q0VNa2FnCgladktTbUwzc2ZmK1dOU3JuUGx6bksxOU5BMno0SW1XOU1zenFQckNUUUdQLy9CQnU3U2Ftem9mVk05ZjRQQUlyCglGVHBuVzZzR2RwQ3pQOEUwV1V1OUIrdmlLcnRmTS85c3huSTlXaGZKUGRyRVAwaVpXM3Zod3ZnUWJLYjVEMk9TCglVNG5yVm92NkJXci9CbmhRSzhJWG8xdHEzajhGQ1JJb2xlWE5oa3M0Z25rT2FEc1cyS3RWcXd0SzNpTzNCdlBiCglMNXcwZ2RMandNTGtlazcyeTYxWHF6NVd4WndOaGw1WWNtQkt1U3ZtVlNIdkE2OEJWU2JCCgktLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCgk="}],"tLogs":[{"baseURL":"https://rekor.example.com","hashAlgorithm":"sha-256","publicKey":"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KCU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRTdEMld2Z3FTenM5anBkSnNPSjVObDZ4ZzhKWG0KCU5tbzdNM2JONytkUWRkdzlJYmMyUjNTVjh0ekJadzByU1Q4RktjbjRhcEplcGNLTTRxVXBZVWVOZnc9PQoJLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgk=","logID":"0bac0fddd0c15fbc46f8b1bf51c2b57676a9f262294fe13417d85602e73f392a"}],"ctLogs":[{"baseURL":"https://ctfe.example.com","hashAlgorithm":"sha-256","publicKey":"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KCU1Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRUp2Q0ppNzA3ZnY1dE1KMVUyVFZNWit1TzRkS0cKCWFFY3ZqbENrZ0JDS1hicmt1bVpWMG0wZFNsSzFWMWd4RWl5UTh5NmhrMU14Sk5lMkFaclpVdDdhNHc9PQoJLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCgk=","logID":"39d1c085f7d5f3fe7a0de9e52a3ead14186891e52a9269d90de7990a30b55083"}],"timestampAuthorities":[{"subject":{"organization":"tsa-organization","commonName":"tsa-common-name"},"uri":"https://tsa.example.com","cer
tChain":"LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCglNSUlCekRDQ0FYS2dBd0lCQWdJVWZ5R0tEb0ZhN3k2cy9XMXAxQ2lUbUJSczFlQXdDZ1lJS29aSXpqMEVBd0l3CglNREVPTUF3R0ExVUVDaE1GYkc5allXd3hIakFjQmdOVkJBTVRGVlJsYzNRZ1ZGTkJJRWx1ZEdWeWJXVmthV0YwCglaVEFlRncweU1qRXhNRGt5TURNeE16UmFGdzB6TVRFeE1Ea3lNRE0wTXpSYU1EQXhEakFNQmdOVkJBb1RCV3h2CglZMkZzTVI0d0hBWURWUVFERXhWVVpYTjBJRlJUUVNCVWFXMWxjM1JoYlhCcGJtY3dXVEFUQmdjcWhrak9QUUlCCglCZ2dxaGtqT1BRTUJCd05DQUFSM0tjRHk5andBUlgwckR2eXIrTUdHa0czbjFPQTBNVTUrWmlEbWd1c0Z5azZVCgk2Ym92S1dWTWZEOEo4TlRjSlpFMFJhWUpyOC9kRTlrZ2NJSVhsaE13bzJvd2FEQU9CZ05WSFE4QkFmOEVCQU1DCglCNEF3SFFZRFZSME9CQllFRkhObjVSM2IzTXRVZFNOckZPNDlRNlhEVlNua01COEdBMVVkSXdRWU1CYUFGTkxTCgk2Z25vN09tKytRdDV6SWErSDlvMEhpVDJNQllHQTFVZEpRRUIvd1FNTUFvR0NDc0dBUVVGQndNSU1Bb0dDQ3FHCglTTTQ5QkFNQ0EwZ0FNRVVDSVFDRjBvbG9obnZkVXE2VDcvd1BrMTlaNWFRUC95eFJUakNXWXVobi9UQ3lIZ0lnCglhelYzYWlyNEdSWmJOOWJkWXRjUTdKVUFLcTg5R09odEZmbDZrY29WVXZVPQoJLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQoJLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCglNSUlCMGpDQ0FYaWdBd0lCQWdJVVhwQm1ZSkZGYUdXM2NDOHA2Yi9ESHIxaThJb3dDZ1lJS29aSXpqMEVBd0l3CglLREVPTUF3R0ExVUVDaE1GYkc5allXd3hGakFVQmdOVkJBTVREVlJsYzNRZ1ZGTkJJRkp2YjNRd0hoY05Nakl4CglNVEE1TWpBeU9UTTBXaGNOTXpJeE1UQTVNakF6TkRNMFdqQXdNUTR3REFZRFZRUUtFd1ZzYjJOaGJERWVNQndHCglBMVVFQXhNVlZHVnpkQ0JVVTBFZ1NXNTBaWEp0WldScFlYUmxNRmt3RXdZSEtvWkl6ajBDQVFZSUtvWkl6ajBECglBUWNEUWdBRUtEUERSSXdEUzFaQ3ltdWI2eWFuQ0c1bWEwcURqTHBOb25Edm9vU2tSSEVnVTBUTmliZUpuNk0rCgk1VzYwOGhDdzhud3V1Y01iWFE0MWtOZXVCZWV2eXFONE1IWXdEZ1lEVlIwUEFRSC9CQVFEQWdFR01CTUdBMVVkCglKUVFNTUFvR0NDc0dBUVVGQndNSU1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZOTFM2Z25vCgk3T20rK1F0NXpJYStIOW8wSGlUMk1COEdBMVVkSXdRWU1CYUFGQjFudlhwTks3QXVRbGJKK3lhNm5QU3FXaStUCglNQW9HQ0NxR1NNNDlCQU1DQTBnQU1FVUNJR2l3cUNJMjl3N0M0VjhUbHRDc2k3MjhzNUR0a2xDUHlTREFTVVN1CglhNXk1QWlFQTQwSWZkbHdmN1VqOHE4TlNENlo0Zy8wanMwdEdOZExTVUoxZG8vV29OMHM9CgktLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCgktLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0KCU1JSUJsRENDQVRxZ0F3SUJBZ0lVWVp4OXNTMTRFbjdTdUhET0pKUDRJUG9wTWpVd0NnWUlLb1pJemowRUF3SXc
KCUtERU9NQXdHQTFVRUNoTUZiRzlqWVd3eEZqQVVCZ05WQkFNVERWUmxjM1FnVkZOQklGSnZiM1F3SGhjTk1qSXgKCU1UQTVNakF5T1RNMFdoY05Nekl4TVRBNU1qQXpORE0wV2pBb01RNHdEQVlEVlFRS0V3VnNiMk5oYkRFV01CUUcKCUExVUVBeE1OVkdWemRDQlVVMEVnVW05dmREQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJBYkIKCUIwU1U4Rzc1aFZJVXBoQ2hBNG5mT3dOV1AzNDdUalNjSWRzRVByS1ZuKy9ZMUhtbUxISkRqU2ZuK3hoRUZvRWsKCTdqcWdycW9uNDhpNHhibzd4QXVqUWpCQU1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQUQKCUFRSC9NQjBHQTFVZERnUVdCQlFkWjcxNlRTdXdMa0pXeWZzbXVwejBxbG92a3pBS0JnZ3Foa2pPUFFRREFnTkkKCUFEQkZBaUJlNVA1NmZvcW1GY1pBVnBFZUFPRlpyQWxFaXEwNUNDcE1OWWg1RWpMdm1BSWhBS05GNnhJVjV1RmQKCXBTVEpzQXd6alc3OENLUW03cW9sMHVQbVBQdTZtTmF3CgktLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"}]} + {"certificateAuthorities":[{"subject":{"organization":"fulcio-organization","commonName":"fulcio-common-name"},"uri":"https://fulcio.example.com","certChain":{"certificates":[{"rawBytes":"MIIFwzCCA6ugAwIBAgIIK7xb+rqY4gEwDQYJKoZIhvcNAQELBQAwfjEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRYwFAYDVQQJEw01NDggTWFya2V0IFN0MQ4wDAYDVQQREwU1NzI3NDEZMBcGA1UEChMQTGludXggRm91bmRhdGlvbjAeFw0yMjEyMDgwMjE3NTFaFw0yMzEyMDgwMjE3NTFaMH4xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEWMBQGA1UECRMNNTQ4IE1hcmtldCBTdDEOMAwGA1UEERMFNTcyNzQxGTAXBgNVBAoTEExpbnV4IEZvdW5kYXRpb24wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC142Ejlg2QxIwpNjbaeW/ft9sH1TXU6CWgbsvVp77vRgckSnpM3RTC/gwEwJHtX+GOTrP9ro6nFJN3G3hcFnaMHLKdGrof9iHu/w/lZLwQzXzVT+0ZyZxytHAWGFBvmYM4J33jH6Dj9PvqONwtSBSmZBPc/H/8EvYsUzxPWukhOtotSH3VXDqZ4jl96MLe0+5g2Wi7MxRX44X1RiPS14ba1ES538bThhcQ4SMj3uhbdsCIkcm7eF4EY3pEXQpXEEGnZGfwYgQr+6cT07Zd/WDM0NX3KxH6qRk9gDjPnfcMuFbOTbfD/nuvx6FNX6OUrzrZSglkLvcPIBVOW7Ln41LAb7aXmbWLFEJnuLooPpYYr+6NhnFDNGpsBKGKr/kvbQyDKKst3CKj9otPS1363ni41qnoA7YWSqxwz4185dKKc+Y7yvJQsRlr6qG1sNLO+c77fSS5VZImzNozBcRkuLJFlX+WB0uzgQU5s45IZW+fK92nfu8MmKjzHR+idyr4OyjS0YSN3GMgc0UP7K6hVphLedApFpykBSFGUgiPZwrT+mGSVgmOXq5n1dQTCD14lEh2qt3/rff8zNc0CMANWybaMGBGQ4bhVVXeRKYx9u2PZjPv53p7Yb/D
CdqnGEDw/HCBDiCs4oYe4daE36xUojxDSm3DaeNG68z9RL7gfUjAxQIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUf+lbNX0Wh4h+Q0SRthRK+KfLjqEwDQYJKoZIhvcNAQELBQADggIBAEhJja0ZSKwXcaOXCYRXTE06+JbpezI5LevBhmbRQK789Rq10JeAXa7mEToRGlGFLH2uDT11msFKyM3v67KlE1SYVcqKmClYfIVEYH3La0uI+9rHZnWgb4Bly1B8wblKJzhYQD9Z4H/gs+BAsoRX5VoFyIgkNBk1p3ftaVCbkQvS0OYtYs5iw4eKcI71/IsTIT3Zppj9R8IGsqwLKgzfnyNcFJdz+ohc6V22PjZMEBHCsHPO4av2LlWK5Y1flL+2bqTqbmO/bjfX0w4Z1DuojRcOZF7SH4O3Qu2Y7/69gH7Cp0niVCm5z+S5011V6PvMjrmiE+xVkxLHbYEgocbFhd5DciMCXpvsuDZojaI3FREmBqiIhKoki3rbwuElya78bMwkZ1krp76nWso47/0+51io/WriAdr0cjmzonho7RqIE3DC77CEMkagZvKSmL3sff+WNSrnPlznK19NA2z4ImW9MszqPrCTQGP//BBu7SamzofVM9f4PAIrFTpnW6sGdpCzP8E0WUu9B+viKrtfM/9sxnI9WhfJPdrEP0iZW3vhwvgQbKb5D2OSU4nrVov6BWr/BnhQK8IXo1tq3j8FCRIoleXNhks4gnkOaDsW2KtVqwtK3iO3BvPbL5w0gdLjwMLkek72y61Xqz5WxZwNhl5YcmBKuSvmVSHvA68BVSbB"}]},"validFor":{"start":"2024-01-01T00:00:00Z"}}],"tlogs":[{"baseUrl":"https://rekor.example.com","hashAlgorithm":"SHA2_256","publicKey":{"rawBytes":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7D2WvgqSzs9jpdJsOJ5Nl6xg8JXmNmo7M3bN7+dQddw9Ibc2R3SV8tzBZw0rST8FKcn4apJepcKM4qUpYUeNfw==","keyDetails":"PKIX_ECDSA_P256_SHA_256","validFor":{"start":"2024-01-01T00:00:00Z"}},"logId":{"keyId":"0bac0fddd0c15fbc46f8b1bf51c2b57676a9f262294fe13417d85602e73f392a"}}],"ctlogs":[{"baseUrl":"https://ctfe.example.com","hashAlgorithm":"SHA2_256","publicKey":{"rawBytes":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJvCJi707fv5tMJ1U2TVMZ+uO4dKGaEcvjlCkgBCKXbrkumZV0m0dSlK1V1gxEiyQ8y6hk1MxJNe2AZrZUt7a4w==","keyDetails":"PKIX_ECDSA_P256_SHA_256","validFor":{"start":"2024-01-01T00:00:00Z"}},"logId":{"keyId":"39d1c085f7d5f3fe7a0de9e52a3ead14186891e52a9269d90de7990a30b55083"}}],"timestampAuthorities":[{"subject":{"organization":"tsa-organization","commonName":"tsa-common-name"},"uri":"https://tsa.example.com","certChain":{"certificates":[{"rawBytes":"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"},{"rawBytes":"MIIB0jCCAXigAwIBAgIUXpBmYJFFaGW3cC8p6b/DHr1i8I
owCgYIKoZIzj0EAwIwKDEOMAwGA1UEChMFbG9jYWwxFjAUBgNVBAMTDVRlc3QgVFNBIFJvb3QwHhcNMjIxMTA5MjAyOTM0WhcNMzIxMTA5MjAzNDM0WjAwMQ4wDAYDVQQKEwVsb2NhbDEeMBwGA1UEAxMVVGVzdCBUU0EgSW50ZXJtZWRpYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKDPDRIwDS1ZCymub6yanCG5ma0qDjLpNonDvooSkRHEgU0TNibeJn6M+5W608hCw8nwuucMbXQ41kNeuBeevyqN4MHYwDgYDVR0PAQH/BAQDAgEGMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNLS6gno7Om++Qt5zIa+H9o0HiT2MB8GA1UdIwQYMBaAFB1nvXpNK7AuQlbJ+ya6nPSqWi+TMAoGCCqGSM49BAMCA0gAMEUCIGiwqCI29w7C4V8TltCsi728s5DtklCPySDASUSua5y5AiEA40Ifdlwf7Uj8q8NSD6Z4g/0js0tGNdLSUJ1do/WoN0s="},{"rawBytes":"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"}]},"validFor":{"start":"2024-01-01T00:00:00Z"}}]} + diff --git a/pkg/reconciler/trustroot/trustroot.go b/pkg/reconciler/trustroot/trustroot.go index f010b7c6..6fcdcec8 100644 --- a/pkg/reconciler/trustroot/trustroot.go +++ b/pkg/reconciler/trustroot/trustroot.go @@ -66,8 +66,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, trustroot *v1alpha1.Trus case trustroot.Spec.Remote != nil: sigstoreKeys, err = r.getSigstoreKeysFromRemote(ctx, trustroot.Spec.Remote) case trustroot.Spec.SigstoreKeys != nil: - sigstoreKeys = &config.SigstoreKeys{} - sigstoreKeys.ConvertFrom(ctx, trustroot.Spec.SigstoreKeys) + sigstoreKeys = config.ConvertSigstoreKeys(ctx, trustroot.Spec.SigstoreKeys) default: // This should not happen since the CRD has been validated. err = fmt.Errorf("invalid TrustRoot entry: %s missing repository,remote, and sigstoreKeys", trustroot.Name) 
@@ -84,8 +83,8 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, trustroot *v1alpha1.Trus // them before serializing. // Note this is identical to what we do with CTLog PublicKeys, but they // are not restricted to being only ecdsa.PublicKey. - for i, tlog := range sigstoreKeys.TLogs { - pk, logID, err := pemToKeyAndID(tlog.PublicKey) + for i, tlog := range sigstoreKeys.Tlogs { + pk, logID, err := pemToKeyAndID(config.SerializePublicKey(tlog.PublicKey)) if err != nil { return fmt.Errorf("invalid rekor public key %d: %w", i, err) } @@ -95,14 +94,14 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, trustroot *v1alpha1.Trus if !ok { return fmt.Errorf("public key %d is not ecdsa.PublicKey", i) } - sigstoreKeys.TLogs[i].LogID = logID + sigstoreKeys.Tlogs[i].LogId = &config.LogId{KeyId: []byte(logID)} } - for i, ctlog := range sigstoreKeys.CTLogs { - _, logID, err := pemToKeyAndID(ctlog.PublicKey) + for i, ctlog := range sigstoreKeys.Ctlogs { + _, logID, err := pemToKeyAndID(config.SerializePublicKey(ctlog.PublicKey)) if err != nil { return fmt.Errorf("invalid ctlog public key %d: %w", i, err) } - sigstoreKeys.CTLogs[i].LogID = logID + sigstoreKeys.Ctlogs[i].LogId = &config.LogId{KeyId: []byte(logID)} } // See if the CM holding configs exists @@ -203,7 +202,7 @@ func (r *Reconciler) removeTrustRootEntry(ctx context.Context, cm *corev1.Config } // pemToKeyAndID takes a public key in PEM format, and turns it into -// crypto.PublicKey and the CTLog LogID. +// crypto.PublicKey and the CTLog LogId. func pemToKeyAndID(pem []byte) (crypto.PublicKey, string, error) { pk, err := cryptoutils.UnmarshalPEMToPublicKey(pem) if err != nil { 
@@ -236,6 +235,8 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con return nil, fmt.Errorf("error getting targets: %w", err) } ret := &config.SigstoreKeys{} + // TODO: Use `trusted_root.json` to populate `config.SigstoreKeys`, if + // available. Fall back to using target files with custom metadata if not. for name, targetMeta := range targets { // Skip any targets that do not include custom metadata. if targetMeta.Custom == nil { @@ -253,11 +254,11 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con } switch scm.Sigstore.Usage { case sigstoretuf.Fulcio: - ret.CertificateAuthorities = append(ret.CertificateAuthorities, config.CertificateAuthority{CertChain: dl.Bytes()}) + ret.CertificateAuthorities = append(ret.CertificateAuthorities, &config.CertificateAuthority{CertChain: config.DeserializeCertChain(dl.Bytes())}) case sigstoretuf.CTFE: - ret.CTLogs = append(ret.CTLogs, config.TransparencyLogInstance{PublicKey: dl.Bytes()}) + ret.Ctlogs = append(ret.Ctlogs, &config.TransparencyLogInstance{PublicKey: config.DeserializePublicKey(dl.Bytes())}) case sigstoretuf.Rekor: - ret.TLogs = append(ret.TLogs, config.TransparencyLogInstance{PublicKey: dl.Bytes()}) + ret.Tlogs = append(ret.Tlogs, &config.TransparencyLogInstance{PublicKey: config.DeserializePublicKey(dl.Bytes())}) } } // Make sure there's at least a single CertificateAuthority (Fulcio there). diff --git a/pkg/reconciler/trustroot/trustroot_test.go b/pkg/reconciler/trustroot/trustroot_test.go index 88226322..3e2288e5 100644 --- a/pkg/reconciler/trustroot/trustroot_test.go +++ b/pkg/reconciler/trustroot/trustroot_test.go @@ -17,11 +17,19 @@ package trustroot import ( "bytes" "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" _ "embed" "encoding/json" + "encoding/pem" "fmt" + "math/big" "strings" "testing" + "time" "knative.dev/pkg/apis" logtesting "knative.dev/pkg/logging/testing" 
@@ -30,6 +38,7 @@ import ( "github.com/sigstore/policy-controller/pkg/apis/policy/v1alpha1" fakecosignclient "github.com/sigstore/policy-controller/pkg/client/injection/client/fake" "github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/trustroot" + pbcommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" @@ -363,13 +372,13 @@ func makeConfigMapWithSigstoreKeys() *corev1.ConfigMap { Data: make(map[string]string), } source := NewTrustRoot(trName, WithSigstoreKeys(sigstoreKeys)) - c := &config.SigstoreKeys{} - c.ConvertFrom(context.Background(), source.Spec.SigstoreKeys) - for i := range c.TLogs { - c.TLogs[i].LogID = rekorLogID + c := config.ConvertSigstoreKeys(context.Background(), source.Spec.SigstoreKeys) + for i := range c.Tlogs { + c.Tlogs[i].LogId = &config.LogId{KeyId: []byte(rekorLogID)} + } - for i := range c.CTLogs { - c.CTLogs[i].LogID = ctfeLogID + for i := range c.Ctlogs { + c.Ctlogs[i].LogId = &config.LogId{KeyId: []byte(ctfeLogID)} } marshalled, err := resources.Marshal(c) if err != nil { 
@@ -463,67 +472,161 @@ func patchRemoveFinalizers(namespace, name string) clientgotesting.PatchActionIm return action } -// TestConvertFrom tests marshalling / unmarshalling to the configmap and back. +// TestConvertSigstoreKeys tests marshalling / unmarshalling to the configmap and back. // This is here instead of in the pkg/apis/config because of import cycles and // having both types v1alpha1.SigstoreTypes and config.SigstoreTypes being // available makes testing way easier, and due to import cycles we can't put // that in config and yet import v1alpha1. -func TestConvertFrom(t *testing.T) { - source := v1alpha1.SigstoreKeys{} - +func TestConvertSigstoreKeys(t *testing.T) { itemsPerEntry := 2 - // Create TransparencyLogInstances. - // Values are not valid for proper usage, but we want to make sure - // we properly handle the serialize/unserialize so we use fixed values - // for testing that. + type key struct { + pem []byte + der []byte + } + type testTlog struct { + url string + hashAlgorithm string + publicKey key + } + type testCA struct { + url string + org string + commonName string + certChain []key + } + type testData struct { + tlogs []testTlog + ctlogs []testTlog + cas []testCA + tsas []testCA + } + + hashAlgorithms := []string{"sha256", "sha512"} + hashAlgorithmMap := map[string]pbcommon.HashAlgorithm{"sha256": pbcommon.HashAlgorithm_SHA2_256, "sha512": pbcommon.HashAlgorithm_SHA2_512} + + test := testData{} + + // construct test data for i := 0; i < itemsPerEntry; i++ { - for _, prefix := range []string{"tlog", "ctlog"} { - entry := v1alpha1.TransparencyLogInstance{ - BaseURL: *apis.HTTP(fmt.Sprintf("%s-%d.example.com", prefix, i)), - HashAlgorithm: fmt.Sprintf("%s-hash-%d", prefix, i), - PublicKey: []byte(fmt.Sprintf("%s-publickey-%d", prefix, i)), + for _, service := range []string{"tlog", "ctlog"} { + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("failed to generate ecdsa key: %v", err) } - switch prefix 
{ + der, err := x509.MarshalPKIXPublicKey(priv.Public().(*ecdsa.PublicKey)) + if err != nil { + t.Fatalf("failed to marshal ecdsa key: %v", err) + } + pem := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}) + tlog := testTlog{ + url: fmt.Sprintf("https://%s-%d.example.com", service, i), + hashAlgorithm: hashAlgorithms[i%2], + publicKey: key{pem, der}, + } + + switch service { case "tlog": - source.TLogs = append(source.TLogs, entry) + test.tlogs = append(test.tlogs, tlog) case "ctlog": - source.CTLogs = append(source.CTLogs, entry) - default: - panic("invalid type") + test.ctlogs = append(test.ctlogs, tlog) } } - } - // Create CertificateAuthorities. - // Values are not valid for proper usage, but we want to make sure - // we properly handle the serialize/unserialize so we use fixed values - // for testing that. - for i := 0; i < itemsPerEntry; i++ { - for _, prefix := range []string{"fulcio", "tsa"} { - entry := v1alpha1.CertificateAuthority{ - Subject: v1alpha1.DistinguishedName{ - Organization: fmt.Sprintf("%s-organization-%d", prefix, i), - CommonName: fmt.Sprintf("%s-commonname-%d", prefix, i), + for _, service := range []string{"fulcio", "tsa"} { + priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + t.Fatalf("failed to generate ecdsa key: %v", err) + } + template := x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + CommonName: "Test Certificate", }, - URI: *apis.HTTP(fmt.Sprintf("%s-%d.example.com", prefix, i)), - CertChain: []byte(fmt.Sprintf("%s-certchain-%d", prefix, i)), + NotBefore: time.Now(), + NotAfter: time.Now().AddDate(1, 0, 0), + KeyUsage: x509.KeyUsageDigitalSignature, + BasicConstraintsValid: true, } - switch prefix { + der, err := x509.CreateCertificate(rand.Reader, &template, &template, priv.Public(), priv) + if err != nil { + t.Fatalf("failed to create x509 certificate: %v", err) + } + pem := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) + ca := testCA{ + url: 
fmt.Sprintf("https://%s-%d.example.com", service, i), + org: fmt.Sprintf("Test Org %d for %s", i, service), + commonName: fmt.Sprintf("Test CA %d for %s", i, service), + certChain: []key{{pem, der}}, + } + + switch service { case "fulcio": - source.CertificateAuthorities = append(source.CertificateAuthorities, entry) + test.cas = append(test.cas, ca) case "tsa": - source.TimeStampAuthorities = append(source.TimeStampAuthorities, entry) - default: - panic("invalid type") + test.tsas = append(test.tsas, ca) } } } - converted := &config.SigstoreKeys{} + + // create and populate source + source := v1alpha1.SigstoreKeys{} + + for _, tlog := range test.tlogs { + url, err := apis.ParseURL(tlog.url) + if err != nil { + t.Fatalf("failed to parse url: %v", err) + } + source.TLogs = append(source.TLogs, v1alpha1.TransparencyLogInstance{ + BaseURL: *url, + HashAlgorithm: tlog.hashAlgorithm, + PublicKey: tlog.publicKey.pem, + }) + } + for _, ctlog := range test.ctlogs { + url, err := apis.ParseURL(ctlog.url) + if err != nil { + t.Fatalf("failed to parse url: %v", err) + } + source.CTLogs = append(source.CTLogs, v1alpha1.TransparencyLogInstance{ + BaseURL: *url, + HashAlgorithm: ctlog.hashAlgorithm, + PublicKey: ctlog.publicKey.pem, + }) + } + for _, ca := range test.cas { + url, err := apis.ParseURL(ca.url) + if err != nil { + t.Fatalf("failed to parse url: %v", err) + } + source.CertificateAuthorities = append(source.CertificateAuthorities, v1alpha1.CertificateAuthority{ + Subject: v1alpha1.DistinguishedName{ + Organization: ca.org, + CommonName: ca.commonName, + }, + URI: *url, + CertChain: ca.certChain[0].pem, + }) + } + for _, tsa := range test.tsas { + url, err := apis.ParseURL(tsa.url) + if err != nil { + t.Fatalf("failed to parse url: %v", err) + } + source.TimeStampAuthorities = append(source.TimeStampAuthorities, v1alpha1.CertificateAuthority{ + Subject: v1alpha1.DistinguishedName{ + Organization: tsa.org, + CommonName: tsa.commonName, + }, + URI: *url, + CertChain: 
tsa.certChain[0].pem, + }) + } + // convert from v1alpha1 to config and let's marshal to configmap and back // to make sure we exercise the path from: // v1alpha1 => config => configMap => back (this is what reconciler will // use to call cosign verification functions with). - converted.ConvertFrom(context.Background(), &source) + converted := config.ConvertSigstoreKeys(context.Background(), &source) marshalled, err := resources.Marshal(converted) if err != nil { t.Fatalf("Failed to marshal entry: %v", err) 
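Review bot: `pem := pem.EncodeToMemory(&pem.Block{...})` in both generation loops shadows the `encoding/pem` import; it compiles only because the right-hand side is evaluated before the new variable enters scope, but it trips shadow linters and reads as if the package were being reassigned, so `pemBytes := pem.EncodeToMemory(...)` is clearer. Separately, every generated certificate carries `CommonName: "Test Certificate"` and no `IsCA`, while `ca.commonName` differs per entry and the result is stored as a "cert chain"; that is fine for a serialization round-trip, but a comment such as `// NOTE: self-signed, non-CA leaf; only exercises (de)serialization, not chain validation` would stop someone reusing these fixtures for verification tests. TestConvertSigstoreKeys continues into the next hunk.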
@@ -534,72 +637,70 @@ func TestConvertFrom(t *testing.T) { t.Fatalf("Failed to construct from map entry: %v", err) } sk := skMap.SigstoreKeys["test-entry"] - if len(sk.TLogs) != 2 { - t.Errorf("Not enough TLog entries, want 2 got %d", len(sk.TLogs)) + if len(sk.Tlogs) != 2 { + t.Errorf("Not enough TLog entries, want 2 got %d", len(sk.Tlogs)) } - if len(sk.CTLogs) != 2 { - t.Errorf("Not enough CTLog entries, want 2 got %d", len(sk.CTLogs)) + if len(sk.Ctlogs) != 2 { + t.Errorf("Not enough CTLog entries, want 2 got %d", len(sk.Ctlogs)) } if len(sk.CertificateAuthorities) != 2 { t.Errorf("Not enough CertificateAuthority entries, want 2 got %d", len(sk.CertificateAuthorities)) } - if len(sk.TimeStampAuthorities) != 2 { - t.Errorf("Not enough TimestampAuthorities entries, want 2 got %d", len(sk.TimeStampAuthorities)) + if len(sk.TimestampAuthorities) != 2 { + t.Errorf("Not enough TimestampAuthorities entries, want 2 got %d", len(sk.TimestampAuthorities)) } // Verify TLog, CTLog for i := 0; i < itemsPerEntry; i++ { - for _, prefix := range []string{"tlog", "ctlog"} { - var entry config.TransparencyLogInstance - switch prefix { + for _, service := range []string{"tlog", "ctlog"} { + var entry *config.TransparencyLogInstance + var tlog testTlog + switch service { case "tlog": - entry = sk.TLogs[i] + entry = sk.Tlogs[i] + tlog = test.tlogs[i] case "ctlog": - entry = sk.CTLogs[i] + entry = sk.Ctlogs[i] + tlog = test.ctlogs[i] default: panic("invalid type") } - wantURL := fmt.Sprintf("http://%s-%d.example.com", prefix, i) - wantHash := fmt.Sprintf("%s-hash-%d", prefix, i) - wantPublicKey := fmt.Sprintf("%s-publickey-%d", prefix, i) - if entry.BaseURL.String() != wantURL { - t.Errorf("Unexpected BaseURL for %s %d wanted %s got %s", prefix, i, wantURL, entry.BaseURL.String()) + if entry.BaseUrl != tlog.url { + t.Errorf("Unexpected BaseUrl for %s %d wanted %s got %s", service, i, tlog.url, entry.BaseUrl) } - if entry.HashAlgorithm != wantHash { - t.Errorf("Unexpected 
HashAlgorithm for %s %d wanted %s got %s", prefix, i, wantHash, entry.HashAlgorithm) + if entry.HashAlgorithm != hashAlgorithmMap[tlog.hashAlgorithm] { + t.Errorf("Unexpected HashAlgorithm for %s %d wanted %s got %s", service, i, tlog.hashAlgorithm, entry.HashAlgorithm) } - if string(entry.PublicKey) != wantPublicKey { - t.Errorf("Unexpected PublicKey for %s %d wanted %s got %s", prefix, i, wantPublicKey, string(entry.PublicKey)) + if !bytes.Equal(entry.PublicKey.RawBytes, tlog.publicKey.der) { + t.Errorf("Unexpected PublicKey for %s %d wanted %s got %s", service, i, tlog.publicKey.der, entry.PublicKey.RawBytes) } } } - // Verify CertificateAuthority, TimeStampAuthorities + // Verify CertificateAuthority, TimestampAuthorities for i := 0; i < itemsPerEntry; i++ { for _, prefix := range []string{"fulcio", "tsa"} { - var entry config.CertificateAuthority + var entry *config.CertificateAuthority + var ca testCA switch prefix { case "fulcio": entry = sk.CertificateAuthorities[i] + ca = test.cas[i] case "tsa": - entry = sk.TimeStampAuthorities[i] + entry = sk.TimestampAuthorities[i] + ca = test.tsas[i] default: panic("invalid type") } - wantOrganization := fmt.Sprintf("%s-organization-%d", prefix, i) - wantCommonName := fmt.Sprintf("%s-commonname-%d", prefix, i) - wantURI := fmt.Sprintf("http://%s-%d.example.com", prefix, i) - wantCertChain := fmt.Sprintf("%s-certchain-%d", prefix, i) - - if entry.Subject.Organization != wantOrganization { - t.Errorf("Unexpected Organization for %s %d wanted %s got %s", prefix, i, wantOrganization, entry.Subject.Organization) + if entry.Uri != ca.url { + t.Errorf("Unexpected Uri for %s %d wanted %s got %s", prefix, i, ca.url, entry.Uri) } - if entry.Subject.CommonName != wantCommonName { - t.Errorf("Unexpected CommonName for %s %d wanted %s got %s", prefix, i, wantCommonName, entry.Subject.CommonName) + if entry.Subject.Organization != ca.org { + t.Errorf("Unexpected Organization for %s %d wanted %s got %s", prefix, i, ca.org, 
entry.Subject.Organization) } - if string(entry.CertChain) != wantCertChain { - t.Errorf("Unexpected CertChain for %s %d wanted %s got %s", prefix, i, wantCertChain, string(entry.CertChain)) + if entry.Subject.CommonName != ca.commonName { + t.Errorf("Unexpected CommonName for %s %d wanted %s got %s", prefix, i, ca.commonName, entry.Subject.CommonName) } - if entry.URI.String() != wantURI { - t.Errorf("Unexpected URI for %s %d wanted %s got %s", prefix, i, wantURI, entry.URI.String()) + if !bytes.Equal(entry.CertChain.Certificates[0].RawBytes, ca.certChain[0].der) { + t.Errorf("Unexpected CertChain for %s %d wanted %s got %s", prefix, i, ca.certChain[0].der, entry.CertChain.Certificates[0].RawBytes) } } } diff --git a/pkg/webhook/validator.go b/pkg/webhook/validator.go index dfe45942..5a144106 100644 --- a/pkg/webhook/validator.go +++ b/pkg/webhook/validator.go @@ -1394,8 +1394,8 @@ func checkOptsFromAuthority(ctx context.Context, authority webhookcip.Authority, if !ok { return nil, fmt.Errorf("trustRootRef %s not found", authority.RFC3161Timestamp.TrustRootRef) } - for _, timestampAuthority := range sk.TimeStampAuthorities { - leaves, intermediates, roots, err := splitPEMCertificateChain(timestampAuthority.CertChain) + for _, timestampAuthority := range sk.TimestampAuthorities { + leaves, intermediates, roots, err := splitPEMCertificateChain(config.SerializeCertChain(timestampAuthority.CertChain)) // TODO: this is less efficient than it could be if err != nil { return nil, fmt.Errorf("error splitting certificates: %w", err) } 
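Review bot: The new failure messages format DER with `%s` — `t.Errorf("Unexpected PublicKey ... wanted %s got %s", ..., tlog.publicKey.der, entry.PublicKey.RawBytes)` and the CertChain one below it — which dumps raw binary into the test log; `%x` gives a readable, diffable value. `entry.CertChain.Certificates[0]` is also indexed without a length check, so a conversion that drops the chain would panic instead of reporting; guard with `if entry.CertChain == nil || len(entry.CertChain.Certificates) == 0 { t.Fatalf("missing cert chain for %s %d", prefix, i) }` before the comparison. The test function starts above this hunk.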
@@ -1463,7 +1463,7 @@ func fulcioCertsFromAuthority(ctx context.Context, keylessRef *webhookcip.Keyles return nil, nil, nil, fmt.Errorf("trustRootRef %s not found", trustRootRef) } for _, ca := range sk.CertificateAuthorities { - certs, err := cryptoutils.UnmarshalCertificatesFromPEM(ca.CertChain) + certs, err := cryptoutils.UnmarshalCertificatesFromPEM(config.SerializeCertChain(ca.CertChain)) // TODO: this is less efficient than it could be if err != nil { return nil, nil, nil, fmt.Errorf("error unmarshalling certificates: %w", err) } @@ -1478,14 +1478,14 @@ func fulcioCertsFromAuthority(ctx context.Context, keylessRef *webhookcip.Keyles } ctlogKeys := &cosign.TrustedTransparencyLogPubKeys{ - Keys: make(map[string]cosign.TransparencyLogPubKey, len(sk.CTLogs)), + Keys: make(map[string]cosign.TransparencyLogPubKey, len(sk.Ctlogs)), } - for i, ctlog := range sk.CTLogs { - pk, err := cryptoutils.UnmarshalPEMToPublicKey(ctlog.PublicKey) + for i, ctlog := range sk.Ctlogs { + pk, err := cryptoutils.UnmarshalPEMToPublicKey(config.SerializePublicKey(ctlog.PublicKey)) // TODO: this is less efficient than it could be if err != nil { return nil, nil, nil, fmt.Errorf("unmarshaling public key %d failed: %w", i, err) } - ctlogKeys.Keys[ctlog.LogID] = cosign.TransparencyLogPubKey{ + ctlogKeys.Keys[string(ctlog.LogId.KeyId)] = cosign.TransparencyLogPubKey{ PubKey: pk, Status: tuf.Active, } 
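Review bot: `ctlogKeys.Keys[string(ctlog.LogId.KeyId)]` dereferences `LogId` with no nil check, and this runs inside the admission webhook, so a ConfigMap entry without a log ID (hand-edited, or written by a pre-upgrade controller — the removed fixture shows the field shape just changed from `logID` to `logId.keyId`) would panic the request path rather than fail closed with a message. Add `if ctlog.LogId == nil { return nil, nil, nil, fmt.Errorf("ctlog %d has no log ID", i) }` before the map insert. The `string(...)` conversion is also where the assumption lives that `KeyId` holds the hex-encoded ID cosign keys its map by; a comment like `// KeyId is the hex-encoded log ID computed by the reconciler; cosign expects that string as the map key` would make that explicit. fulcioCertsFromAuthority starts outside this hunk.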
@@ -1563,11 +1563,11 @@ func rekorKeysFromTrustRef(ctx context.Context, trustRootRef string) (*cosign.Tr if sk, ok := sigstoreKeys.SigstoreKeys[trustRootRef]; ok { retKeys := &cosign.TrustedTransparencyLogPubKeys{ - Keys: make(map[string]cosign.TransparencyLogPubKey, len(sk.TLogs)), + Keys: make(map[string]cosign.TransparencyLogPubKey, len(sk.Tlogs)), } rekorURL := "" - for i, tlog := range sk.TLogs { - pk, err := cryptoutils.UnmarshalPEMToPublicKey(tlog.PublicKey) + for i, tlog := range sk.Tlogs { + pk, err := cryptoutils.UnmarshalPEMToPublicKey(config.SerializePublicKey(tlog.PublicKey)) if err != nil { return nil, "", fmt.Errorf("unmarshaling public key %d failed: %w", i, err) } @@ -1577,11 +1577,11 @@ func rekorKeysFromTrustRef(ctx context.Context, trustRootRef string) (*cosign.Tr if !ok { return nil, "", fmt.Errorf("public key %d is not ecdsa.PublicKey", i) } - retKeys.Keys[tlog.LogID] = cosign.TransparencyLogPubKey{ + retKeys.Keys[string(tlog.LogId.KeyId)] = cosign.TransparencyLogPubKey{ PubKey: pkecdsa, Status: tuf.Active, } - rekorURL = tlog.BaseURL.String() + rekorURL = tlog.BaseUrl } return retKeys, rekorURL, nil } diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go index 0753903f..3a652cae 100644 --- a/pkg/webhook/validator_test.go +++ b/pkg/webhook/validator_test.go 
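Review bot: The same nil guard is missing before `retKeys.Keys[string(tlog.LogId.KeyId)]`; `if tlog.LogId == nil { return nil, "", fmt.Errorf("tlog %d has no log ID", i) }` keeps a malformed ConfigMap entry from panicking the webhook. `rekorURL = tlog.BaseUrl` now copies an unparsed string where the old `tlog.BaseURL.String()` came from a parsed `apis.URL`, and nothing in this hunk checks that it is an absolute URL — the updated tests feed the bare `"rekor.example.com"`. If the Rekor client built from this value needs a scheme (likely, but not visible here), validate with `if _, err := url.ParseRequestURI(tlog.BaseUrl); err != nil { return nil, "", fmt.Errorf("tlog %d: invalid base URL %q: %w", i, tlog.BaseUrl, err) }`. rekorKeysFromTrustRef starts outside this hunk.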
@@ -2951,19 +2951,22 @@ func TestFulcioCertsFromAuthority(t *testing.T) { t.Fatalf("Failed to get embedded CTLog Public keys for testing") } sk := config.SigstoreKeys{ - CertificateAuthorities: []config.CertificateAuthority{{ - Subject: config.DistinguishedName{ + CertificateAuthorities: []*config.CertificateAuthority{{ + Subject: &config.DistinguishedName{ Organization: "testorg", CommonName: "testcommonname", }, - CertChain: []byte(certChain), + CertChain: config.DeserializeCertChain([]byte(certChain)), + }}, + Ctlogs: []*config.TransparencyLogInstance{{ + LogId: &config.LogId{KeyId: []byte(ctfeLogID)}, + PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)), }}, - CTLogs: []config.TransparencyLogInstance{{LogID: ctfeLogID, PublicKey: []byte(ctfePublicKey)}}, } c := &config.Config{ SigstoreKeysConfig: &config.SigstoreKeysMap{ - SigstoreKeys: map[string]config.SigstoreKeys{ - "test-trust-root": sk, + SigstoreKeys: map[string]*config.SigstoreKeys{ + "test-trust-root": &sk, }, }, } @@ -3066,16 +3069,16 @@ func TestRekorClientAndKeysFromAuthority(t *testing.T) { } sk := config.SigstoreKeys{ - TLogs: []config.TransparencyLogInstance{{ - PublicKey: []byte(rekorPublicKey), - LogID: rekorLogID, - BaseURL: *apis.HTTPS("rekor.example.com"), + Tlogs: []*config.TransparencyLogInstance{{ + PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)), + LogId: &config.LogId{KeyId: []byte(rekorLogID)}, + BaseUrl: "rekor.example.com", }}, } c := &config.Config{ SigstoreKeysConfig: &config.SigstoreKeysMap{ - SigstoreKeys: map[string]config.SigstoreKeys{ - "test-trust-root": sk, + SigstoreKeys: map[string]*config.SigstoreKeys{ + "test-trust-root": &sk, }, }, } 
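Review bot: In the TestRekorClientAndKeysFromAuthority hunk the fixture changes from `*apis.HTTPS("rekor.example.com")`, which rendered as `https://rekor.example.com`, to `BaseUrl: "rekor.example.com"`, silently dropping the scheme; the reconciler's own golden file in this series stores `"baseUrl": "https://rekor.example.com"`, so the webhook test now exercises a URL shape the reconciler never writes. Unless the assertion below this hunk was changed to expect the bare host, restore `BaseUrl: "https://rekor.example.com",` here and in the three TestCheckOptsFromAuthority fixtures. The test body continues past the hunk.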
@@ -3210,43 +3213,49 @@ func TestCheckOptsFromAuthority(t *testing.T) { } skRekor := config.SigstoreKeys{ - TLogs: []config.TransparencyLogInstance{{ - PublicKey: []byte(rekorPublicKey), - LogID: "rekor-logid", - BaseURL: *apis.HTTPS("rekor.example.com"), + Tlogs: []*config.TransparencyLogInstance{{ + PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)), + LogId: &config.LogId{KeyId: []byte("rekor-logid")}, + BaseUrl: "rekor.example.com", }}, } skFulcio := config.SigstoreKeys{ - CertificateAuthorities: []config.CertificateAuthority{{ - Subject: config.DistinguishedName{ + CertificateAuthorities: []*config.CertificateAuthority{{ + Subject: &config.DistinguishedName{ Organization: "testorg", CommonName: "testcommonname", }, - CertChain: []byte(certChain), + CertChain: config.DeserializeCertChain([]byte(certChain)), + }}, + Ctlogs: []*config.TransparencyLogInstance{{ + LogId: &config.LogId{KeyId: []byte(ctfeLogID)}, + PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)), }}, - CTLogs: []config.TransparencyLogInstance{{LogID: ctfeLogID, PublicKey: []byte(ctfePublicKey)}}, } skCombined := config.SigstoreKeys{ - TLogs: []config.TransparencyLogInstance{{ - PublicKey: []byte(rekorPublicKey), - LogID: "rekor-logid", - BaseURL: *apis.HTTPS("rekor.example.com"), + Tlogs: []*config.TransparencyLogInstance{{ + PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)), + LogId: &config.LogId{KeyId: []byte("rekor-logid")}, + BaseUrl: "rekor.example.com", }}, - CertificateAuthorities: []config.CertificateAuthority{{ - Subject: config.DistinguishedName{ + CertificateAuthorities: []*config.CertificateAuthority{{ + Subject: &config.DistinguishedName{ Organization: "testorg", CommonName: "testcommonname", }, - CertChain: []byte(certChain), + CertChain: config.DeserializeCertChain([]byte(certChain)), + }}, + Ctlogs: []*config.TransparencyLogInstance{{ + LogId: &config.LogId{KeyId: []byte(ctfeLogID)}, + PublicKey: 
config.DeserializePublicKey([]byte(ctfePublicKey)), }}, - CTLogs: []config.TransparencyLogInstance{{LogID: ctfeLogID, PublicKey: []byte(ctfePublicKey)}}, } c := &config.Config{ SigstoreKeysConfig: &config.SigstoreKeysMap{ - SigstoreKeys: map[string]config.SigstoreKeys{ - "test-trust-rekor": skRekor, - "test-trust-fulcio": skFulcio, - "test-trust-combined": skCombined, + SigstoreKeys: map[string]*config.SigstoreKeys{ + "test-trust-rekor": &skRekor, + "test-trust-fulcio": &skFulcio, + "test-trust-combined": &skCombined, }, }, } From e479c991b1cec20bac8aa026db045876f0ca5295 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Wed, 13 Mar 2024 15:15:13 -0400 Subject: [PATCH 14/27] Use dash in CR hash algorithm name, as documented Signed-off-by: Cody Soyland --- pkg/apis/config/sigstore_keys.go | 6 +++--- pkg/reconciler/trustroot/trustroot_test.go | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/apis/config/sigstore_keys.go b/pkg/apis/config/sigstore_keys.go index a49d663c..0ed70189 100644 --- a/pkg/apis/config/sigstore_keys.go +++ b/pkg/apis/config/sigstore_keys.go @@ -140,11 +140,11 @@ func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pb var hashAlgorithm pbcommon.HashAlgorithm switch source.HashAlgorithm { - case "sha256": + case "sha-256": hashAlgorithm = pbcommon.HashAlgorithm_SHA2_256 - case "sha384": + case "sha-384": hashAlgorithm = pbcommon.HashAlgorithm_SHA2_384 - case "sha512": + case "sha-512": hashAlgorithm = pbcommon.HashAlgorithm_SHA2_512 default: hashAlgorithm = pbcommon.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED diff --git a/pkg/reconciler/trustroot/trustroot_test.go b/pkg/reconciler/trustroot/trustroot_test.go index 3e2288e5..cd7717a5 100644 --- a/pkg/reconciler/trustroot/trustroot_test.go +++ b/pkg/reconciler/trustroot/trustroot_test.go 
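Review bot: In the sigstore_keys.go hunk, changing the accepted spellings from `"sha256"` to `"sha-256"` (and the 384/512 cases) with no compatibility path means any existing TrustRoot that used the old spelling now falls into `default:` and is silently converted to `HASH_ALGORITHM_UNSPECIFIED`, exactly like a typo would be. Either accept both forms — `case "sha256", "sha-256":` — or reject unknown values at CRD validation time so a misconfigured log is an error rather than a quietly degraded entry. ConvertTransparencyLogInstance's signature is outside the hunk, so I cannot tell whether it can return an error; if it cannot, a logged warning in the `default:` branch is the minimum.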
@@ -502,8 +502,8 @@ func TestConvertSigstoreKeys(t *testing.T) { tsas []testCA } - hashAlgorithms := []string{"sha256", "sha512"} - hashAlgorithmMap := map[string]pbcommon.HashAlgorithm{"sha256": pbcommon.HashAlgorithm_SHA2_256, "sha512": pbcommon.HashAlgorithm_SHA2_512} + hashAlgorithms := []string{"sha-256", "sha-512"} + hashAlgorithmMap := map[string]pbcommon.HashAlgorithm{"sha-256": pbcommon.HashAlgorithm_SHA2_256, "sha-512": pbcommon.HashAlgorithm_SHA2_512} test := testData{} From aec6ca5facd01f49976e7b856c36b72405a48fe9 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Thu, 14 Mar 2024 10:54:24 -0400 Subject: [PATCH 15/27] Fix broken reconciler tests Signed-off-by: Cody Soyland --- pkg/reconciler/trustroot/resources/configmap.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/reconciler/trustroot/resources/configmap.go b/pkg/reconciler/trustroot/resources/configmap.go index 685777f4..051048ed 100644 --- a/pkg/reconciler/trustroot/resources/configmap.go +++ b/pkg/reconciler/trustroot/resources/configmap.go @@ -15,10 +15,10 @@ package resources import ( - "encoding/json" "fmt" "github.com/sigstore/policy-controller/pkg/apis/config" + "google.golang.org/protobuf/encoding/protojson" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/apis/duck" @@ -83,7 +83,7 @@ func CreateRemovePatch(ns, name string, cm *corev1.ConfigMap, tkName string) ([] } func Marshal(spec *config.SigstoreKeys) (string, error) { - bytes, err := json.Marshal(spec) + bytes, err := protojson.Marshal(spec) if err != nil { return "", err } From 052122df3ff94cddcf48aec23d25f19e5d444099 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Fri, 15 Mar 2024 14:14:03 -0400 Subject: [PATCH 16/27] Add func to canonicalize SigstoreKeys 
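Review bot: In the configmap.go hunk, `bytes, err := protojson.Marshal(spec)` produces output that the protobuf runtime documents as unstable — it deliberately injects randomized whitespace, seeded per binary — so the string written into the ConfigMap and compared against golden files such as marshalledEntry.json can differ between builds. Any code that compares the stored entry byte-for-byte (the add/remove patch helpers live above in this file) may then see spurious diffs, and byte-comparing tests become toolchain-dependent. Compare semantically (unmarshal and `proto.Equal`) rather than by string, and document the caveat on the function: `// Marshal renders spec with protojson. The output is not byte-stable across builds; compare with proto.Equal, not string equality.`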
Signed-off-by: Cody Soyland --- hack/gentestdata/gentestdata.go | 32 +++++----- .../trustroot/testdata/ctfeLogID.txt | 2 +- .../trustroot/testdata/ctfePublicKey.pem | 4 +- .../trustroot/testdata/fulcioCertChain.pem | 24 ++++---- .../trustroot/testdata/marshalledEntry.json | 56 +++++++++++++----- .../testdata/marshalledEntryFromMirrorFS.json | 43 ++++++++------ .../trustroot/testdata/rekorLogID.txt | 2 +- .../trustroot/testdata/rekorPublicKey.pem | 4 +- pkg/reconciler/trustroot/testdata/root.json | 30 +++++----- .../trustroot/testdata/tsaCertChain.pem | 28 ++++----- pkg/reconciler/trustroot/testdata/tufRepo.tar | Bin 2840 -> 2836 bytes pkg/reconciler/trustroot/trustroot_test.go | 36 ++++++----- 12 files changed, 149 insertions(+), 112 deletions(-) diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go index 15013867..f2ec6b28 100644 --- a/hack/gentestdata/gentestdata.go +++ b/hack/gentestdata/gentestdata.go @@ -22,7 +22,6 @@ import ( "crypto/rand" "crypto/x509" "crypto/x509/pkix" - "encoding/json" "encoding/pem" "flag" "log" @@ -37,6 +36,7 @@ import ( testing "github.com/sigstore/policy-controller/pkg/reconciler/testing/v1alpha1" "github.com/sigstore/scaffolding/pkg/repo" "github.com/sigstore/sigstore/pkg/cryptoutils" + "google.golang.org/protobuf/encoding/protojson" ) // This program generates test data for the trustroot reconciler. 
@@ -169,35 +169,34 @@ func genCertChain(keyUsage x509.KeyUsage) [][]byte { func genTrustRoot(sigstoreKeysMap map[string]string) (marshalledEntry []byte, err error) { trustRoot := testing.NewTrustRoot("test-trustroot", testing.WithSigstoreKeys(sigstoreKeysMap)) - sigstoreKeys := &config.SigstoreKeys{} - sigstoreKeys.ConvertFrom(context.Background(), trustRoot.Spec.SigstoreKeys) + sigstoreKeys := config.ConvertSigstoreKeys(context.Background(), trustRoot.Spec.SigstoreKeys) err = populateLogIDs(sigstoreKeys) if err != nil { return nil, err } - return json.MarshalIndent(sigstoreKeys, "", " ") + return []byte(protojson.Format(sigstoreKeys)), nil } func populateLogIDs(sigstoreKeys *config.SigstoreKeys) error { - for i := range sigstoreKeys.TLogs { - logID, err := genLogID(sigstoreKeys.TLogs[i].PublicKey) + for i := range sigstoreKeys.Tlogs { + logID, err := genLogID(sigstoreKeys.Tlogs[i].PublicKey.RawBytes) if err != nil { return err } - sigstoreKeys.TLogs[i].LogID = logID + sigstoreKeys.Tlogs[i].LogId = &config.LogId{KeyId: []byte(logID)} } - for i := range sigstoreKeys.CTLogs { - logID, err := genLogID(sigstoreKeys.CTLogs[i].PublicKey) + for i := range sigstoreKeys.Ctlogs { + logID, err := genLogID(sigstoreKeys.Ctlogs[i].PublicKey.RawBytes) if err != nil { return err } - sigstoreKeys.CTLogs[i].LogID = logID + sigstoreKeys.Ctlogs[i].LogId = &config.LogId{KeyId: []byte(logID)} } return nil } func genLogID(pkBytes []byte) (string, error) { - pk, err := cryptoutils.UnmarshalPEMToPublicKey(pkBytes) + pk, err := x509.ParsePKIXPublicKey(pkBytes) if err != nil { return "", err } 
@@ -231,17 +230,14 @@ func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, erro } trustRoot := &config.SigstoreKeys{ - CertificateAuthorities: []config.CertificateAuthority{{CertChain: []byte(sigstoreKeysMap["fulcio"])}}, - TLogs: []config.TransparencyLogInstance{{PublicKey: []byte(sigstoreKeysMap["rekor"])}}, - CTLogs: []config.TransparencyLogInstance{{PublicKey: []byte(sigstoreKeysMap["ctfe"])}}, + CertificateAuthorities: []*config.CertificateAuthority{{CertChain: config.DeserializeCertChain([]byte(sigstoreKeysMap["fulcio"]))}}, + Tlogs: []*config.TransparencyLogInstance{{PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"]))}}, + Ctlogs: []*config.TransparencyLogInstance{{PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"]))}}, } err = populateLogIDs(trustRoot) if err != nil { return nil, nil, nil, err } - trustRootBytes, err := json.MarshalIndent(trustRoot, "", " ") - if err != nil { - return nil, nil, nil, err - } + trustRootBytes := []byte(protojson.Format(trustRoot)) return trustRootBytes, compressed.Bytes(), rootJSON, nil } diff --git a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt index fe4d37d5..ca9fe71b 100644 --- a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt +++ b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt @@ -1 +1 @@ -83e749763552c099b251d441566b9c12f160b24fbff28ab08d2681757d8acbde \ No newline at end of file +8048f6c3f57f286298650755e9859c7a99907b1fcfebdd7478bf3211df6d12cf \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem index fb91a0d3..454b8510 100644 --- a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem 
@@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZ4cgFaCk7JtO/wxDw2E1S3U+97F0 -2dF2fixniThvXgbxAQ+bkQ4dQUNwN46QcCzwYuJc9742Vi6LvNx7X7427A== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGI26nKgEYi+4FdSOPEaABIro8IGH +c63nQtcL8DlG2NIvALG1B3CyS4WCAKOyVNCiqMLMjkh/FcEk41H+P9lyhg== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem index 59e6d653..1ed45e0a 100644 --- a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMTIxMzcwNVoXDTM0MDMyMTIxMzcwNVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABNnZTptnN0TWM6BRIPn/KLgo2u/W5Vt8lmOM -6xYfr1uXobdkmcUI+qMxAmXhOHDhcXgQKlgZuivcd8XwmOlpQ0SjMzAxMA4GA1Ud -DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBRz6KN30XFdWO9mNjwtziSnqItmEjAKBggq -hkjOPQQDAgNJADBGAiEA9dnInoX3QVoKbqGohmvuHjcw3SLi3cYMkMCGyLI3sioC -IQDqFTNB7UGQG2HCCXoGO+hHd1uCDEz2i+56JDXYSiKnOQ== +MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABJlBSj/YAf85O4m5o6tsCvxLHWVlRLomsu7Q +3Xwo0XI/1ZIy92kOxoF+QVQYy95/JopW/O0oc3DTHNiZU2iw9a2jMzAxMA4GA1Ud +DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQl6uIvO3xeqpvfT+VMLbLS76/lWjAKBggq +hkjOPQQDAgNJADBGAiEA3XvRYfeeBB3Ovw6wwi1C7USjeQ25nyGnrs/B/S2J97YC +IQD9pCbm1w0srRMt+wjxQmpksT0oe0ePJkmozCYP4ZjUHg== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMTIxMzcwNVoXDTM0MDMyMTIxMzcwNVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAAREu5I6L0ARFHjrcT+YWXuKOyo57mqOB6mCz74o -4Puipf3w8Ciuh9tnN2I1FlZ+gL3j9RKn613E399EUHkjpOoro0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUc+ijd9FxXVjvZjY8 -Lc4kp6iLZhIwCgYIKoZIzj0EAwIDSAAwRQIgGpcv3B78/j4Ru+AqVA934rCGqM/X -83pUXjS4/PUsP3UCIQDlosQuYkks7zlgY7rCYMF6Nqo/1OvTOwy9V2yY3v0a4A== +MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAATpf/P7CJjOIonxqaNc6Ppx7ItOgxrn41H133o1 +Qf0998QGu92hiazFOrIm+Jh4iGaD9Q4mbCDMWC1p9HtNSdVLo0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJeriLzt8Xqqb30/l +TC2y0u+v5VowCgYIKoZIzj0EAwIDSAAwRQIhAOS1MYUaBMZDV943jHxQoIzJfhNm +pZoZJq8ptZwzbH3FAiAFmSuZUf/FNYdm7xDXmygJpV/PZFWjx0FfoNyKOOFfHQ== -----END CERTIFICATE----- diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntry.json b/pkg/reconciler/trustroot/testdata/marshalledEntry.json index 0945662c..a5f20402 100644 
--- a/pkg/reconciler/trustroot/testdata/marshalledEntry.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntry.json @@ -1,4 +1,16 @@ { + "tlogs": [ + { + "baseUrl": "https://rekor.example.com", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvTLFLnTSWccxxMbHxMdBM0AyPlRi5f7s4VU+7zj17gtQgJlm+/rTjKCeSjNZmcwlFfzd+2MxhQa8n1nMffBBYQ==" + }, + "logId": { + "keyId": "MGNlN2UxNGVmZWYzNTQyNTA0YTc2NDBmNjZhZWNiMDRlN2YyYWEyNWEyYWNhMTU1NWI5NDI4MDAzNTNlZWRjMg==" + } + } + ], "certificateAuthorities": [ { "subject": { 
@@ -6,23 +18,28 @@ "commonName": "fulcio-common-name" }, "uri": "https://fulcio.example.com", - "certChain": "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" + "certChain": { + "certificates": [ + { + "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJlBSj/YAf85O4m5o6tsCvxLHWVlRLomsu7Q3Xwo0XI/1ZIy92kOxoF+QVQYy95/JopW/O0oc3DTHNiZU2iw9a2jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQl6uIvO3xeqpvfT+VMLbLS76/lWjAKBggqhkjOPQQDAgNJADBGAiEA3XvRYfeeBB3Ovw6wwi1C7USjeQ25nyGnrs/B/S2J97YCIQD9pCbm1w0srRMt+wjxQmpksT0oe0ePJkmozCYP4ZjUHg==" + }, + { + "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpf/P7CJjOIonxqaNc6Ppx7ItOgxrn41H133o1Qf0998QGu92hiazFOrIm+Jh4iGaD9Q4mbCDMWC1p9HtNSdVLo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJeriLzt8Xqqb30/lTC2y0u+v5VowCgYIKoZIzj0EAwIDSAAwRQIhAOS1MYUaBMZDV943jHxQoIzJfhNmpZoZJq8ptZwzbH3FAiAFmSuZUf/FNYdm7xDXmygJpV/PZFWjx0FfoNyKOOFfHQ==" + } + ] + } } ], - "tLogs": [ + "ctlogs": [ { - "baseURL": "https://rekor.example.com", - "hashAlgorithm": "sha-256", - "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMHh0SkYxNzZabE1qV0F5dFVTNXJpZXVrcEFWUgo5d1JpN1BDaG1Ed2NFTUZIemFwczN3NnVUcG9aSDQ1TzZkcnJvcGl1azNBZEJtbHc4Rkdpcnd4Z2ZnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==", - "logID": "fe807d6c26f5b8e4f2f11a1e210c42a1dd38499c448d25ba04a5c5997dec4f3a" - } - ], - "ctLogs": [ - { - "baseURL": "https://ctfe.example.com", - "hashAlgorithm": "sha-256", - "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFWjRjZ0ZhQ2s3SnRPL3d4RHcyRTFTM1UrOTdGMAoyZEYyZml4bmlUaHZYZ2J4QVErYmtRNGRRVU53TjQ2UWNDendZdUpjOTc0MlZpNkx2Tng3WDc0MjdBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==", - "logID": 
"83e749763552c099b251d441566b9c12f160b24fbff28ab08d2681757d8acbde" + "baseUrl": "https://ctfe.example.com", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGI26nKgEYi+4FdSOPEaABIro8IGHc63nQtcL8DlG2NIvALG1B3CyS4WCAKOyVNCiqMLMjkh/FcEk41H+P9lyhg==" + }, + "logId": { + "keyId": "ODA0OGY2YzNmNTdmMjg2Mjk4NjUwNzU1ZTk4NTljN2E5OTkwN2IxZmNmZWJkZDc0NzhiZjMyMTFkZjZkMTJjZg==" + } } ], "timestampAuthorities": [ @@ -32,7 +49,16 @@ "commonName": "tsa-common-name" }, "uri": "https://tsa.example.com", - "certChain": "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" + "certChain": { + "certificates": [ + { + "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFj2yotddj/q8pKlSMcdQTNkIllx1vj8AI9Yo4gmip3vdRpuY4tLWnyAM3fgSm8ecmX87P3bzk/vbiJyg8dmTLijMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBTJfhL0wHF0k4dMeAZL+Pn3IwlRsDAKBggqhkjOPQQDAgNIADBFAiEAwTd8P7LXN7x5sQkfylWtB60zwjCGKzr80GU8c9Vf5XwCIDwjs61mcdrcuukmCYacGKE2lo3ZBqF/ewal/neZQui6" + }, + { + "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmQIV8+cpTnw+q7QK4vbep8sqgILosTyCGomDkbXHa6a6l95Orwn+zU9J/gxgCxsGSQunV7hUMCZp8fUglrCwNo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUyX4S9MBxdJOHTHgGS/j59yMJUbAwCgYIKoZIzj0EAwIDSQAwRgIhAJV84sFlLejYvYdwvmVqtxCxjW6F6A6zOZi47myTqu/vAiEA/gbSJUO+vgdiHIENYdOw0Mkfx7WGL2xscx9BJVWOBbU=" + } + ] + } } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json index e93bd564..158ce7c9 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json 
@@ -1,29 +1,36 @@ { - "certificateAuthorities": [ + "tlogs": [ { - "subject": { - "organization": "", - "commonName": "" + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvTLFLnTSWccxxMbHxMdBM0AyPlRi5f7s4VU+7zj17gtQgJlm+/rTjKCeSjNZmcwlFfzd+2MxhQa8n1nMffBBYQ==" }, - "uri": "", - "certChain": "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" + "logId": { + "keyId": "MGNlN2UxNGVmZWYzNTQyNTA0YTc2NDBmNjZhZWNiMDRlN2YyYWEyNWEyYWNhMTU1NWI5NDI4MDAzNTNlZWRjMg==" + } } ], - "tLogs": [ + "certificateAuthorities": [ { - "baseURL": "", - "hashAlgorithm": "", - "publicKey": "LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFMHh0SkYxNzZabE1qV0F5dFVTNXJpZXVrcEFWUgo5d1JpN1BDaG1Ed2NFTUZIemFwczN3NnVUcG9aSDQ1TzZkcnJvcGl1azNBZEJtbHc4Rkdpcnd4Z2ZnPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==", - "logID": "fe807d6c26f5b8e4f2f11a1e210c42a1dd38499c448d25ba04a5c5997dec4f3a" + "certChain": { + "certificates": [ + { + "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJlBSj/YAf85O4m5o6tsCvxLHWVlRLomsu7Q3Xwo0XI/1ZIy92kOxoF+QVQYy95/JopW/O0oc3DTHNiZU2iw9a2jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQl6uIvO3xeqpvfT+VMLbLS76/lWjAKBggqhkjOPQQDAgNJADBGAiEA3XvRYfeeBB3Ovw6wwi1C7USjeQ25nyGnrs/B/S2J97YCIQD9pCbm1w0srRMt+wjxQmpksT0oe0ePJkmozCYP4ZjUHg==" + }, + { + "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpf/P7CJjOIonxqaNc6Ppx7ItOgxrn41H133o1Qf0998QGu92hiazFOrIm+Jh4iGaD9Q4mbCDMWC1p9HtNSdVLo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJeriLzt8Xqqb30/lTC2y0u+v5VowCgYIKoZIzj0EAwIDSAAwRQIhAOS1MYUaBMZDV943jHxQoIzJfhNmpZoZJq8ptZwzbH3FAiAFmSuZUf/FNYdm7xDXmygJpV/PZFWjx0FfoNyKOOFfHQ==" + } + ] + } } ], - "ctLogs": [ + "ctlogs": [ { - "baseURL": "", - "hashAlgorithm": "", - "publicKey": 
"LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFWjRjZ0ZhQ2s3SnRPL3d4RHcyRTFTM1UrOTdGMAoyZEYyZml4bmlUaHZYZ2J4QVErYmtRNGRRVU53TjQ2UWNDendZdUpjOTc0MlZpNkx2Tng3WDc0MjdBPT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==", - "logID": "83e749763552c099b251d441566b9c12f160b24fbff28ab08d2681757d8acbde" + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGI26nKgEYi+4FdSOPEaABIro8IGHc63nQtcL8DlG2NIvALG1B3CyS4WCAKOyVNCiqMLMjkh/FcEk41H+P9lyhg==" + }, + "logId": { + "keyId": "ODA0OGY2YzNmNTdmMjg2Mjk4NjUwNzU1ZTk4NTljN2E5OTkwN2IxZmNmZWJkZDc0NzhiZjMyMTFkZjZkMTJjZg==" + } } - ], - "timestampAuthorities": null + ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rekorLogID.txt b/pkg/reconciler/trustroot/testdata/rekorLogID.txt index b69acbab..8a8bb320 100644 --- a/pkg/reconciler/trustroot/testdata/rekorLogID.txt +++ b/pkg/reconciler/trustroot/testdata/rekorLogID.txt @@ -1 +1 @@ -fe807d6c26f5b8e4f2f11a1e210c42a1dd38499c448d25ba04a5c5997dec4f3a \ No newline at end of file +0ce7e14efef3542504a7640f66aecb04e7f2aa25a2aca1555b942800353eedc2 \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem index 50ac0c58..2a0f1043 100644 --- a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE0xtJF176ZlMjWAytUS5rieukpAVR -9wRi7PChmDwcEMFHzaps3w6uTpoZH45O6drropiuk3AdBmlw8FGirwxgfg== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvTLFLnTSWccxxMbHxMdBM0AyPlRi +5f7s4VU+7zj17gtQgJlm+/rTjKCeSjNZmcwlFfzd+2MxhQa8n1nMffBBYQ== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/root.json b/pkg/reconciler/trustroot/testdata/root.json index c1a671d7..f15630c8 100644 --- a/pkg/reconciler/trustroot/testdata/root.json +++ b/pkg/reconciler/trustroot/testdata/root.json 
@@ -3,9 +3,9 @@ "_type": "root", "spec_version": "1.0", "version": 1, - "expires": "2024-09-21T17:37:05-04:00", + "expires": "2024-09-22T15:00:53-04:00", "keys": { - "0eb0ad52cfe100a2a23a3ccd9d04be89ec8e2dd227b6c07f93c97ba520266e03": { + "459dea25aa10d11f95bc4466bc5f6713cc0b38bc72d76f4969abc02a4d6807fc": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -13,10 +13,10 @@ "sha512" ], "keyval": { - "public": "a206426b3e527818be479e2ed56af0bf40ac94e5b7c1c16fe971e916cbac0131" + "public": "133f123f83b36f4d436f994736652f5cc7be8a8b1dc4405a0ead572a91bbf5ce" } }, - "6518b160ca979f75f590dd0eb2b63e5ade89020de7f249f49f41e7dd70102072": { + "9bd28f95c00e93a5ba1033e3b50e8bc4200d4595065b40dca75486e71a8afa43": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -24,10 +24,10 @@ "sha512" ], "keyval": { - "public": "682a3ffa5b6831005501a880bdcf402cfc5957ed90e7f02603d454f7a6220f5b" + "public": "47eb932ce6c20b683b41ffedb7799a7db8480221de8f92b7207c31c436b91597" } }, - "95e5d5d9bec66701589cf7c6469037ae792ace408b3db1165a7c8cfd388f2c87": { + "d9eb7b1de2c23b40335e84059557131f878e6e51fac90a4d04a9cac380f7efc5": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -35,10 +35,10 @@ "sha512" ], "keyval": { - "public": "5265fdc744fba2b29eac631b065b0f863a4dfbb6b6ee21a7088b0df65bcc6444" + "public": "0388c7fe902582d87790493a48a049b665f41c428b94d04d8fa5c3fe3d4370a0" } }, - "ecff6ba56f1930f6ee81e3b4c7763bf79d3e8344400c3864e22456365c38cbde": { + "fddf1e0b78e5088ea2108184d5446ed997cafb72b7ac6e6dd8fefdccced0c088": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -46,32 +46,32 @@ "sha512" ], "keyval": { - "public": "feb8ba11326535d888cbd97eea3f031014e0fd40549c1eb907afff592be4c249" + "public": "8b96ebea4387f0e7706d9791d025fa21f0d3a6e76c5780b52d3e4cbbb1b74262" } } }, "roles": { "root": { "keyids": [ - "0eb0ad52cfe100a2a23a3ccd9d04be89ec8e2dd227b6c07f93c97ba520266e03" + "9bd28f95c00e93a5ba1033e3b50e8bc4200d4595065b40dca75486e71a8afa43" ], "threshold": 1 }, "snapshot": { "keyids": [ - "6518b160ca979f75f590dd0eb2b63e5ade89020de7f249f49f41e7dd70102072" + "d9eb7b1de2c23b40335e84059557131f878e6e51fac90a4d04a9cac380f7efc5" ], "threshold": 1 }, "targets": { "keyids": [ - "ecff6ba56f1930f6ee81e3b4c7763bf79d3e8344400c3864e22456365c38cbde" + "459dea25aa10d11f95bc4466bc5f6713cc0b38bc72d76f4969abc02a4d6807fc" ], "threshold": 1 }, "timestamp": { "keyids": [ - "95e5d5d9bec66701589cf7c6469037ae792ace408b3db1165a7c8cfd388f2c87" + "fddf1e0b78e5088ea2108184d5446ed997cafb72b7ac6e6dd8fefdccced0c088" ], "threshold": 1 } @@ -80,8 +80,8 @@ }, "signatures": [ { - "keyid": "0eb0ad52cfe100a2a23a3ccd9d04be89ec8e2dd227b6c07f93c97ba520266e03", - "sig": "a7afdd2cbe3518a0fa66a091f1647d7ce7a7e0b14304ce9c86f16f24d6da9aebef07b9ee97295bff1f2af6a5fbfdc35a5be21c6a393ce34fe34d34a2c713aa04" + "keyid": "9bd28f95c00e93a5ba1033e3b50e8bc4200d4595065b40dca75486e71a8afa43", + "sig": "2a3a0ef2efe53ce99338b9652facd3aeee1ef9c8ddc7f7cab9c7f6c06c484fb4f0f8701f441c8aa55682685bdc2cb3e0b43898c3ff56fddf08be71a3c68d2002" } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem index 5b568e52..ab11a8f3 100644 --- a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPDCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMTIxMzcwNVoXDTM0MDMyMTIxMzcwNVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABMQ1pOHriHeuxqCWtk9YUfCCYflgfsuDvIgG -+Kyq155eAWjJ5cW1dmzK8u7f43SAzvefEdnQj48yFePsytr93FCjMzAxMA4GA1Ud -DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBQzGMUSNbS/2+5NcU1h7sZ5tL/uYTAKBggq -hkjOPQQDAgNHADBEAiAUyTHyaX0ukcV0wZksL1H5VE7viJAZxwWMKau2RbYDRwIg -bNEoLt1odgjgPy9OVtSibb+8FwFRpsC1uj7LUW3ZV74= +MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABFj2yotddj/q8pKlSMcdQTNkIllx1vj8AI9Y +o4gmip3vdRpuY4tLWnyAM3fgSm8ecmX87P3bzk/vbiJyg8dmTLijMzAxMA4GA1Ud +DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBTJfhL0wHF0k4dMeAZL+Pn3IwlRsDAKBggq +hkjOPQQDAgNIADBFAiEAwTd8P7LXN7x5sQkfylWtB60zwjCGKzr80GU8c9Vf5XwC +IDwjs61mcdrcuukmCYacGKE2lo3ZBqF/ewal/neZQui6 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMTIxMzcwNVoXDTM0MDMyMTIxMzcwNVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAAQCT5UCTSaKjQfut4T5bWO/+Iit9a3am9HXLegZ -XLAC+5MXwyT3J3XeQrtQfO+2N1oCgyjt1TKDOlDgd9zNJJy4o0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUMxjFEjW0v9vuTXFN -Ye7GebS/7mEwCgYIKoZIzj0EAwIDRwAwRAIgZKD63ETclGWBtzraJmCtLhlgn1lz -kAKXp+B2QJd6tJ8CIAGOdBgdQXzeCtPD99eVzOK5jJnb2mrY+WOABq5sD8im +MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAATmQIV8+cpTnw+q7QK4vbep8sqgILosTyCGomDk +bXHa6a6l95Orwn+zU9J/gxgCxsGSQunV7hUMCZp8fUglrCwNo0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUyX4S9MBxdJOHTHgG +S/j59yMJUbAwCgYIKoZIzj0EAwIDSQAwRgIhAJV84sFlLejYvYdwvmVqtxCxjW6F +6A6zOZi47myTqu/vAiEA/gbSJUO+vgdiHIENYdOw0Mkfx7WGL2xscx9BJVWOBbU= -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/tufRepo.tar b/pkg/reconciler/trustroot/testdata/tufRepo.tar index aeb86988acd2d8dd1cea816e57a2c2ebd6824f79..4808635816f1272384a2699d5d91e5db10055631 100644 GIT binary patch literal 2836 zcmV+v3+wbBiwFP!00000|Lj^>Qya;$_OpHk!7F!$tjeryBF;m%BtV!3WCR#)oN&~t z1&Nj=fdnV!zu%BpyU&y zbySv90^_Bev3H5H}O+fsc+y7scmDO>#eICQ=Z!7<*tgNhl znp_Rz>TfHnb8lGvpZTrvF#1oIaWw9h=kpQvE8Gk`++&OHaW?FZ;&}cH2Ts3$`GxZq z6TbocCh!-a-{AHy&*IhicE*)e5++2;g|!RV7O%SDQ^$@wpKQNfj=Gc1V6NK#E{0cD z#~sUsynTA{RWQD~`1a3-S6tfuy%sC0!wc8%`UO;oiE&IC9m+(3P$pwYp_GCr;k|NE zTkTlzL?A3g8-(K4Fz1r+@n)jm=l}n{m~GX#z;!ah14M&XILiPrq7x9c^TYuH2_rxX zM-aSKg0zf^S#6Ug{E5LL6`euuqx2k{)aZz%6oXUB7^{NQq=9o5qE3c8#X)&wo=`f& zgi+su6-;!>u@JfE=m-!+)C9r^p%}8Hm5wqBmaI2mDF9jHtw#+>#pK0L3>Ki)UZrS& z3(bR8$^aR(q%DwfQi?>(6W7kn*A;ZK!efdU2o+fP7OWIPViBCuQGnLbat4}d3W7++ zV2tuMImMl_UPc*$PB8`VeGK41>z^1b?Tm~rT0*T7M5RCmqYMkcMY5bF2xw(g(hH@* z2_7(#cg``Vh)ez$tjaB5tD~|XAClN2T|P#j8y@Tb;;{Wi5(1|(B#E_|BNR04&%%7ad$k4=aWy5 z43%tu94m`Q7NyuuE^cb*T)!LNTBtnt;}?6;t($b)iyCdwLQFiSD9}e^5a)p+c(OjA zjWM#AjMpJ}m6W&6c$K6F=}A*^lptvZEDCE4airpsIIY)S?yANDoo*tD}5Ef~gxN<<&gV!-x>z(&tFeI%_FbORX zDsm}smtu692^5J(t8E}5MbeU(3BqZQz=&8d%2^R0B~RW3OiDX%rIU^Y79*%=JY%;s z;a1T{$lTX~KbYrVT%^Cq^NurVlrT)O;9^LmNE%0hX--CHqJ${5GBPLuCJAYLO4btj zU}P|Xl48ju!_j-IHH+K`aHvpd0gMM7xprX=53)$ghGY>9kJ@vkHJD|d|7qn>{=bdD z*Pr9x@Ba%xw(S4Eg?wxObw5e**I^vI+8oc+f8dgTUH=8rvi`q?{4$rkzS-Da*+0y8 z8r7Be^^?WTO0jV^txr$3-j}D1>mF3I=1JrBb1iH7TC<(iHyd1@zi-!1x@)u%4)*rz zHp?5MQa3iYDqiAwbK-Y&t-r~48<*M6Cd;vUbwJ0}?ET)=(QdW-x!5UsXPxy8Uq2(Z zwYG2iSDp4h{!v-zP~WY6qt<^KvHvdlPW-2fzVDW=m;s*S|4Muv|B3-y#{XN$qxi4Z zKeQSfjcV4a-zI=YBj4{;bMZc_W$k)({;$Z&&1&`Y=0QOw&x&f1!K`|nZRhRXqdY5G z*y^-n4dI-z~E7X2uTd*{rC$&7;m~FF!5v zVzZK8-OQA=>-V!})B08hjV#~p=Lfy@lPqbmM*~sH$+&ts+u1rk>VMcN2jdIXtl-CK z2_GBl?6h%Z_}Sj9+*oTKHBYXLSl=#($Lo7gdaSj!cDtvCygN0P_loOmR%A5SC{$|G zdcHnw*0X72b6U&Ne4SedMSZiD9k=slUtTmW_iz?J4=+<|?WovsI|oXx_m6wo`@G%$ zT7c+vvCW`2yuV=Y*1cTPxk4wcewRM=KRK>&l&rm 
zSIxD(H+KH|#%|SjitOyp*wqtWpB}feR^Ik^NHy{~Y&V~aJfH4Xv#d2t>-(y@-P>!F z=d;gt*USCkOf@EZ?b+y@*cL-9S*4l47~R~wFuc>X*Bg7I#$au`L)}eVGff(}YOOe~ zvZ2|U>>h-poe~<;W-Z%W*tDthN|tnezRs-OoYtl%wWANv%9>m2d3HF>=8kZkg`0<| zzR_+TZpTq~=X#<)e*Wwb*87!Km0!Wd+NC%ur`7g-xtx1X?I6phADWF$ws*jalS7*q zr?n$P*xQ;l%f|I~>g*0G!_)F~`?DTSPN&yy3pcWEwlO%kI6X}38@nfApk}p?gRA!T z@MwMibmO=;gN;<~UcKMj+ell@CyoF8`2SA+AH}nB^qK_lPw+p5%l)4>kr(p6%ht}u z&Ux$L*!$V6a9gt?&>T`Bpq?G3;%_aYPEBQA5U;hZmGx5&_;@9yHAeZs~7V^aY?_CS;M{WOp z)goNI+jsch?yu6%Z~l7VQczMt2$w>PT$+eV&RveA^kuk1=Rp_EhM3Nvv5~!831X@RBgSUnWry+j1`RgynlXCD_(QbP@ zDM#_)*2?O|*tQo~S6dtPyWaN7>Ud%&7Yhh8Kj~h^hmng>cYgb3s+)fFmo5DJ-)`SS z5r97rqd=De3d^FA$iYP6jIcfmfFvXmbK3DJlJgNHlRnxIWD-oOl&la2l>>y3oMkEj zawE7?6oik`1#cj7D~*gEqSu;87#^%6u6&s5=h#bN+*mCCHGsS)L4Vd8lOd%gDA3*! zi z=d-SgO8A%rCKr;HMq9?MBo8fl%@O)bHyl literal 2840 zcmV+z3+MD7iwFP!00000|Lj^>QzJXF?q~lBf>-W2WNKGO%tLv_4K{5sG;m|0LrO_r zzzbe5Fwy`0Mwzvj3ug{A(`Syq0Lrc^N~tfU%&(N1#PMj_n~f${?|vEp0JM}hM|E=q zCT@;5c!xr2jZ84WcYvG=_HIr7Jd++UpU&Lm9RQ8OlN3y6E~O`~-*x2f_!q&0|2OgX z$!IkDy+0idU$>2%4<*F^=YPRKf8&2C1io8)6B7UC{{L5DZGGD73}aY-zxJ=f+S>Z( z+0{6%zh7I=N5lI6Kbm25!^}^?_n|43Dv(9MJn{@}dY5%*tytY2= zIwsZa-OH~M+4}O^KOY`(;m+=@SX&>@{aKIl#vB7BnDRVIrVSb&g|?B!AeBqtlK@9n zMCmmlp-Rzej20DnM}Qn}8v2s|{jzLrT}d<^6_B&qCM}b+5CTNcyy8*15RC-}A?n10 zP5BQ-9fAe~2AciCWGTZOPsvHI3`YPd0i7}610?~B5=kp{3>KnJz!dNxq)6H+#vn=m zJy}*p8Dy|Nl2RH_8cRu&63PPCE^5mhMFGb1;1QK{nhd4DjY*7*{)NesOvw~T3z58I zp4sR~arB_1hh!9YA|&sXS1~el8jSG}l9HZC2_e2GD^g0zJE;;{4oSsmFmf+QYsG!i zHt=Y;5CVX>Q6e%Xq~b~vH{?V7g~>|M8}AS~QkeQow;%xea9WNejf6R{FAWmm)Fn+?47YB)FEV&;rG#XBO(^(wOK0k6) za%a<6Sl+Ts#cnpg$)UM@H)CsQaz2hC3Mgf zwbKzi3J!vzC8H9m#6(cRSr>gwpuLUJYG$QR2@`WkIhlM4#HEuyG9=}=iD{lC)xzYJL`{lC)xEB(LH z|115!(*G;G2_EVHyCM1N?*Px}e?SlY zeZ4f9t2l2V?<6R!6r^mD zI)6!VJVhr3ir^eL$$=9H?@(AF5u8@qqb92<=_nbXXMstw5&>6n{+Gq0_0)D_i-G&S{u*ge_)DzoBt)MRsMeq{Fb9wsnwfn9}kK<_0rmQ z<#>6r(5Rj+DvRT-?a@j7x(}tSbzHywT+UilZgsNCiJ(r^l}`1C+3x1zvbuR-zE{C^8Pn*XKBUb|kcm$G){ zHUQM?#gF|`QEq4DtWzoFzm05EE0xY``wd}>S)llR 
z^5Jwq2lb8f#$`4*>h5lpyL8lPZJ%{c=DiCF=4dh4JsY=Rzu&mdE*qK1EeeJ5qEg&k zv?|%6UR#v2l=pLMzfq}`vrnDk-nH6payY7nPrG)|>@Q~5z5U^NeKx4{v+ZK1b6)74 z_IE$FTIHFv1S~a#+Djkh#yBpoDfb&wha?N@hQhg{N9q;$Hhr6xEk@Gu;KIiQH zeyM2Oy|at2@9cJEr;(lBIlFYsDvM9;tX=HT9aHsUPTS4rMzOePma=TGGM9C=1KD16 zt3RRk#_^}4`S$MBNb14)Zcze4F!v z+3btG`9^krm{~3+rP_I8^Qd6>_~59&FE&3OOh592QoU6^8%q+Uj zQB}?J(I)O*w09R*_K;m2^9yhyd(!zop8r3H|C4w+n!Kg}{1f_5<7)lqP4Ghf2bZ%C zRn+R_tkM6JUCj>m<)jzqr{nB!uV5E@J^iuN9h4VTX;ina-FV6uYTh1?PPT;HRbet2 zjeGM`o`vGzY+?W)y40>#?rPg>>(iN=&6gBrH0xc&hb!|*FF$?L)J;A5s}lah zyW5Xg1Ypn8XmtV+HKv5YF((!HkVu2&q!|kDtO&{(vP^g*1Vj?jnt&`OW?1r0S|rV) zO-?$lFiD}gb*O2%GH;Yo(IF{9VG&#m+;Ph|CKeExG%umCy6paI5P2_x{_JR^AS|h< zxp#&|=FoB_G~=XQFw7Z1>5^1jtEi(^G8m(@ch)dwR06G|bqp+bmV1We80R)61)OX$ z(W;n&L(4*nmV43|l}p;PV7Mam(!GSny}a`;WAWdpb-Z{Zz*n^nB_qh>I7Pw~gOUop z_EK3ADkefh-aGDdPZ$v~a+aL3+9@SW(86-Y7$PN4T7d9@h$BiTv`QQ>N-j9_PFoZP z1O%-#_`nE*m5NKSf3aG}5B%)zj10|!G)z)yKt&Choj$G)V qAqc@-gkVS}6Kp`{CB(m2P+Vb!6;}8g;Qs;u0RR8nN4~58LI409MxcKH diff --git a/pkg/reconciler/trustroot/trustroot_test.go b/pkg/reconciler/trustroot/trustroot_test.go index cd7717a5..c3e72b17 100644 --- a/pkg/reconciler/trustroot/trustroot_test.go +++ b/pkg/reconciler/trustroot/trustroot_test.go @@ -23,7 +23,6 @@ import ( "crypto/x509" "crypto/x509/pkix" _ "embed" - "encoding/json" "encoding/pem" "fmt" "math/big" @@ -31,6 +30,7 @@ import ( "testing" "time" + "google.golang.org/protobuf/encoding/protojson" "knative.dev/pkg/apis" logtesting "knative.dev/pkg/logging/testing" 
@@ -119,17 +119,6 @@ const ( removePatchFmtString = `[{"op":"remove","path":"/data/%s"}]` ) -// compactJSON compacts the given JSON, as the test data is formatted with -// indentation for readability, but the expected patches are compacted. -func compactJSON(in []byte) []byte { - out := bytes.NewBuffer([]byte{}) - err := json.Compact(out, in) - if err != nil { - panic("error compacting json test data: " + err.Error()) - } - return out.Bytes() -} - // testmap with prepopulated entries for creating TrustRoot resource. // ctfe => CTLog Public Key // fulcio => CertificateAuthority certificate 
@@ -142,12 +131,31 @@ var sigstoreKeys = map[string]string{
 "tsa": string(testdata.Get("tsaCertChain.pem")),
 }
+// canonicalizeSigstoreKeys round-trips the SigstoreKeys through protojson so
+// the output is deterministic for the current test run. This is necessary
+// because protojson has "randomly deterministic" output, meaning it will add
+// whitespace randomly depending on the digest of the executable.
+// See https://go-review.googlesource.com/c/protobuf/+/151340 and
+// https://github.com/golang/protobuf/issues/1121
+func canonicalizeSigstoreKeys(in []byte) []byte {
+ keys := &config.SigstoreKeys{}
+ err := protojson.Unmarshal([]byte(in), keys)
+ if err != nil {
+ panic(err)
+ }
+ out, err := protojson.Marshal(keys)
+ if err != nil {
+ panic(err)
+ }
+ return out
+}
+
 // This is the marshalled entry from above keys/certs with fixed values
 // (for ease of testing) for other parts.
-var marshalledEntry = string(compactJSON(testdata.Get("marshalledEntry.json")))
+var marshalledEntry = string(canonicalizeSigstoreKeys(testdata.Get("marshalledEntry.json")))
 // this is the marshalled entry for when we construct from the repository.
-var marshalledEntryFromMirrorFS = string(compactJSON(testdata.Get("marshalledEntryFromMirrorFS.json")))
+var marshalledEntryFromMirrorFS = string(canonicalizeSigstoreKeys(testdata.Get("marshalledEntryFromMirrorFS.json")))
 var rekorLogID = string(testdata.Get("rekorLogID.txt"))
 var ctfeLogID = string(testdata.Get("ctfeLogID.txt")) From d736dd32ab9393f3a24db40952a1697c38e09684 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Mon, 18 Mar 2024 15:39:23 -0400 Subject: [PATCH 17/27] Add support for trusted_root.json Signed-off-by: Cody Soyland --- pkg/reconciler/trustroot/trustroot.go | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/pkg/reconciler/trustroot/trustroot.go b/pkg/reconciler/trustroot/trustroot.go
index 6fcdcec8..18310922 100644
--- a/pkg/reconciler/trustroot/trustroot.go
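Review bot: `protojson.Unmarshal([]byte(in), keys)` in canonicalizeSigstoreKeys converts a value that is already `[]byte`; the cast is a no-op copy that reads as if `in` were a string, so it should simply be `err := protojson.Unmarshal(in, keys)`. Panicking here is defensible because the helper runs at package-variable initialisation where no `*testing.T` exists, but the bare `panic(err)` gives no hint which fixture is broken; `panic(fmt.Sprintf("canonicalizing sigstore keys testdata: %v", err))` makes a bad testdata file much faster to locate. The doc comment's explanation of why the round-trip is needed is good and worth keeping as is.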
+++ b/pkg/reconciler/trustroot/trustroot.go
@@ -32,6 +32,7 @@ import (
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 sigstoretuf "github.com/sigstore/sigstore/pkg/tuf"
 "github.com/theupdateframework/go-tuf/client"
+ "google.golang.org/protobuf/encoding/protojson"
 corev1 "k8s.io/api/core/v1"
 apierrs "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -235,8 +236,23 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con
 return nil, fmt.Errorf("error getting targets: %w", err)
 }
 ret := &config.SigstoreKeys{}
- // TODO: Use `trusted_root.json` to populate `config.SigstoreKeys`, if
- // available. Fall back to using target files with custom metadata if not.
+
+ // if there is a "trusted_root.json" target, we can use that instead of the custom metadata
+ // TODO: Write tests for this
+ if _, ok := targets["trusted_root.json"]; ok {
+ dl := newDownloader()
+ if err = tufClient.Download("trusted_root.json", &dl); err != nil {
+ return nil, fmt.Errorf("downloading trusted_root.json: %w", err)
+ }
+
+ err := protojson.Unmarshal(dl.Bytes(), ret)
+ if err != nil {
+ return nil, fmt.Errorf("parsing trusted_root.json: %w", err)
+ }
+ return ret, nil
+ }
+
+ // fall back to using custom metadata (e.g. for private TUF repositories)
 for name, targetMeta := range targets {
 // Skip any targets that do not include custom metadata.
 if targetMeta.Custom == nil { From bfdb6c0f5098174e254d2312653f5f88a690c8d1 Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Tue, 19 Mar 2024 17:12:05 -0400 Subject: [PATCH 18/27] Add time ranges, log ids, and urls to converted SigstoreKeys
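Review bot: The trusted_root.json branch returns whatever protojson parsed without checking that the document carries at least one certificate authority or transparency log, so a trusted root that is well-formed JSON but empty would silently replace the custom-metadata keys instead of failing the reconcile; a guard before `return ret, nil` such as `if len(ret.CertificateAuthorities) == 0 && len(ret.Tlogs) == 0 { return nil, fmt.Errorf("trusted_root.json contains no certificate authorities or transparency logs") }` keeps the path fail-closed. `err := protojson.Unmarshal(dl.Bytes(), ret)` also declares a new `err` that shadows the one assigned by the Download call two lines above; `if err := protojson.Unmarshal(dl.Bytes(), ret); err != nil {` keeps it scoped to the check and is what `go vet -vettool=shadow` would expect. The integrity of the file presumably rests on `tufClient.Download` verifying the target's length and hashes against the signed targets metadata; if so, the comment above the branch should say that is the only verification the file gets, since nothing here validates the parsed contents. getSigstoreKeysFromTuf begins before the hunk and its custom-metadata loop continues after it.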
Signed-off-by: Cody Soyland --- hack/gentestdata/gentestdata.go | 18 +++- pkg/apis/config/sigstore_keys.go | 84 +++++++++++++++--- .../trustroot/testdata/ctfeLogID.txt | 2 +- .../trustroot/testdata/ctfePublicKey.pem | 4 +- .../trustroot/testdata/fulcioCertChain.pem | 26 +++--- .../trustroot/testdata/marshalledEntry.json | 31 +++++-- .../testdata/marshalledEntryFromMirrorFS.json | 25 ++++-- .../trustroot/testdata/rekorLogID.txt | 2 +- .../trustroot/testdata/rekorPublicKey.pem | 4 +- pkg/reconciler/trustroot/testdata/root.json | 30 +++---- .../trustroot/testdata/tsaCertChain.pem | 26 +++--- pkg/reconciler/trustroot/testdata/tufRepo.tar | Bin 2836 -> 2837 bytes pkg/reconciler/trustroot/trustroot.go | 44 ++++++++- 13 files changed, 215 insertions(+), 81 deletions(-) diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go index f2ec6b28..26cb9a06 100644 --- a/hack/gentestdata/gentestdata.go +++ b/hack/gentestdata/gentestdata.go @@ -34,6 +34,7 @@ import ( "github.com/sigstore/cosign/v2/pkg/cosign" "github.com/sigstore/policy-controller/pkg/apis/config" testing "github.com/sigstore/policy-controller/pkg/reconciler/testing/v1alpha1" + pbcommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1" "github.com/sigstore/scaffolding/pkg/repo" "github.com/sigstore/sigstore/pkg/cryptoutils" "google.golang.org/protobuf/encoding/protojson" 
@@ -230,9 +231,20 @@ func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, erro } trustRoot := &config.SigstoreKeys{ - CertificateAuthorities: []*config.CertificateAuthority{{CertChain: config.DeserializeCertChain([]byte(sigstoreKeysMap["fulcio"]))}}, - Tlogs: []*config.TransparencyLogInstance{{PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"]))}}, - Ctlogs: []*config.TransparencyLogInstance{{PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"]))}}, + CertificateAuthorities: []*config.CertificateAuthority{{ + CertChain: config.DeserializeCertChain([]byte(sigstoreKeysMap["fulcio"])), + ValidFor: &config.TimeRange{ + Start: &config.Timestamp{}, + }, + }}, + Tlogs: []*config.TransparencyLogInstance{{ + HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256, + PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"])), + }}, + Ctlogs: []*config.TransparencyLogInstance{{ + HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256, + PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"])), + }}, } err = populateLogIDs(trustRoot) if err != nil { diff --git a/pkg/apis/config/sigstore_keys.go b/pkg/apis/config/sigstore_keys.go index 0ed70189..06aa9b7a 100644 --- a/pkg/apis/config/sigstore_keys.go +++ b/pkg/apis/config/sigstore_keys.go @@ -17,6 +17,9 @@ package config import ( "context" + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rsa" "encoding/pem" "fmt" @@ -26,6 +29,7 @@ import ( pbtrustroot "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1" "github.com/sigstore/sigstore/pkg/cryptoutils" "google.golang.org/protobuf/encoding/protojson" + "google.golang.org/protobuf/types/known/timestamppb" corev1 "k8s.io/api/core/v1" "sigs.k8s.io/yaml" ) 
@@ -47,6 +51,8 @@ type CertificateAuthority = pbtrustroot.CertificateAuthority
 type TransparencyLogInstance = pbtrustroot.TransparencyLogInstance
 type DistinguishedName = pbcommon.DistinguishedName
 type LogId = pbcommon.LogId
+type TimeRange = pbcommon.TimeRange
+type Timestamp = timestamppb.Timestamp
 type SigstoreKeysMap struct {
 SigstoreKeys map[string]*SigstoreKeys
@@ -92,6 +98,7 @@ func parseSigstoreKeys(entry string, out *pbtrustroot.TrustedRoot) error {
 // for serialization into a ConfigMap entry.
 func ConvertSigstoreKeys(_ context.Context, source *v1alpha1.SigstoreKeys) *SigstoreKeys {
 sk := &SigstoreKeys{}
+ sk.MediaType = "application/vnd.dev.sigstore.trustedroot+json;version=0.1"
 sk.CertificateAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.CertificateAuthorities))
 for i := range source.CertificateAuthorities {
 sk.CertificateAuthorities[i] = ConvertCertificateAuthority(source.CertificateAuthorities[i])
@@ -123,6 +130,11 @@ func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) *pbtrustr
 },
 Uri: source.URI.String(),
 CertChain: DeserializeCertChain(source.CertChain),
+ ValidFor: &pbcommon.TimeRange{
+ Start: ×tamppb.Timestamp{
+ Seconds: 0, // TODO: Add support for time range to v1alpha1.CertificateAuthority
+ },
+ },
 }
 }
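Review bot: The trusted-root media type is written as a bare string literal inside ConvertSigstoreKeys, and nothing in the hunk compares a parsed trusted root against it; hoisting it to a package constant, `const TrustedRootMediaType = "application/vnd.dev.sigstore.trustedroot+json;version=0.1"`, gives the TUF trusted_root.json path and the tests a single value to check and to bump when the format version changes. In ConvertCertificateAuthority the new `ValidFor` has `Start` at the Unix epoch and no `End`, which consumers will presumably read as "valid at all times"; since the TODO admits the CRD has no time-range field yet, a comment saying the open-ended range is intentional and that certificate validity is still enforced by the chain itself would stop a later reader treating it as a placeholder bug. `×tamppb` on the `Start:` line looks like an extraction artifact of `&timestamppb`, not a typo in the commit. ConvertCertificateAuthority begins before the last hunk.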
@@ -138,21 +150,9 @@ func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pb
 return nil // TODO: log error? Add return error?
 }
- var hashAlgorithm pbcommon.HashAlgorithm
- switch source.HashAlgorithm {
- case "sha-256":
- hashAlgorithm = pbcommon.HashAlgorithm_SHA2_256
- case "sha-384":
- hashAlgorithm = pbcommon.HashAlgorithm_SHA2_384
- case "sha-512":
- hashAlgorithm = pbcommon.HashAlgorithm_SHA2_512
- default:
- hashAlgorithm = pbcommon.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED
- }
-
 return &pbtrustroot.TransparencyLogInstance{
 BaseUrl: source.BaseURL.String(),
- HashAlgorithm: hashAlgorithm,
+ HashAlgorithm: HashStringToHashAlgorithm(source.HashAlgorithm),
 PublicKey: DeserializePublicKey(source.PublicKey),
 LogId: &pbcommon.LogId{
 KeyId: []byte(logID),
@@ -160,6 +160,19 @@ func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pb
 }
 }
+func HashStringToHashAlgorithm(hash string) pbcommon.HashAlgorithm {
+ switch hash {
+ case "sha-256", "sha256":
+ return pbcommon.HashAlgorithm_SHA2_256
+ case "sha-384", "sha384":
+ return pbcommon.HashAlgorithm_SHA2_384
+ case "sha-512", "sha512":
+ return pbcommon.HashAlgorithm_SHA2_512
+ default:
+ return pbcommon.HashAlgorithm_HASH_ALGORITHM_UNSPECIFIED
+ }
+}
+
 func SerializeCertChain(certChain *pbcommon.X509CertificateChain) []byte {
 var chain []byte
 for _, cert := range certChain.Certificates {
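Review bot: HashStringToHashAlgorithm is exported without a doc comment, and its `default` arm silently maps any unrecognised or empty string to HASH_ALGORITHM_UNSPECIFIED, so a typo such as `sha-255` in a TrustRoot spec is accepted and the log instance is emitted with no usable hash algorithm. The comment should make that contract explicit: `// HashStringToHashAlgorithm maps the hash names accepted in a TrustRoot spec ("sha-256"/"sha256", "sha-384"/"sha384", "sha-512"/"sha512") to the protobuf enum; any other value, including "", yields HASH_ALGORITHM_UNSPECIFIED, which callers validating user input must treat as an error.` The values come from `source.HashAlgorithm` on a v1alpha1 type, which suggests they originate in user-supplied YAML, so it is worth confirming that the admission webhook already rejects unknown names — if it does not, the UNSPECIFIED return here is the only signal and ConvertTransparencyLogInstance never surfaces it. ConvertTransparencyLogInstance begins before the first hunk.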
@@ -196,5 +209,48 @@ func DeserializeCertChain(chain []byte) *pbcommon.X509CertificateChain {
 func DeserializePublicKey(publicKey []byte) *pbcommon.PublicKey {
 block, _ := pem.Decode(publicKey)
- return &pbcommon.PublicKey{RawBytes: block.Bytes}
+ if block == nil {
+ return nil // TODO: log error? Add return error?
+ }
+ pk, err := cryptoutils.UnmarshalPEMToPublicKey(publicKey)
+ if err != nil {
+ return nil // TODO: log error? Add return error?
+ }
+ var keyDetails pbcommon.PublicKeyDetails
+ switch k := pk.(type) {
+ case *ecdsa.PublicKey:
+ switch k.Curve {
+ case elliptic.P256():
+ keyDetails = pbcommon.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256
+ case elliptic.P384():
+ keyDetails = pbcommon.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384
+ case elliptic.P521():
+ keyDetails = pbcommon.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512
+ default:
+ keyDetails = pbcommon.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED
+ }
+ case *rsa.PublicKey:
+ switch k.Size() {
+ case 2048:
+ keyDetails = pbcommon.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256
+ case 3072:
+ keyDetails = pbcommon.PublicKeyDetails_PKIX_RSA_PSS_3072_SHA256
+ case 4096:
+ keyDetails = pbcommon.PublicKeyDetails_PKIX_RSA_PSS_4096_SHA256
+ default:
+ keyDetails = pbcommon.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED
+ }
+ default:
+ keyDetails = pbcommon.PublicKeyDetails_PUBLIC_KEY_DETAILS_UNSPECIFIED
+ }
+
+ return &pbcommon.PublicKey{
+ RawBytes: block.Bytes,
+ KeyDetails: keyDetails,
+ ValidFor: &pbcommon.TimeRange{
+ Start: ×tamppb.Timestamp{
+ Seconds: 0, // TODO: Add support for time range to v1alpha.TransparencyLogInstance
+ },
+ },
+ }
 }
diff --git a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
index ca9fe71b..0d7a64f1 100644
--- a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
+++ b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
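Review bot: In the `*rsa.PublicKey` arm, `k.Size()` returns the modulus length in bytes (256 for a 2048-bit key), so none of the `case 2048`, `3072` or `4096` arms can ever match and every RSA key is classified as PUBLIC_KEY_DETAILS_UNSPECIFIED; switch on the bit length instead: `switch k.N.BitLen() {`. The arm also hard-codes the PSS variants (`PKIX_RSA_PSS_*`), a signing-scheme choice the PEM alone cannot tell you — if anything downstream selects a verifier from KeyDetails, that assumption needs a comment, and PKCS#1 v1.5 logs would be mis-described. Ed25519 keys fall through to UNSPECIFIED as well, which matters if any configured log uses one. The two `return nil // TODO` paths still swallow a corrupt or non-PEM key silently, so a bad key in a TrustRoot simply disappears from the marshalled output rather than failing the reconcile; until the TODO is resolved, at minimum the doc comment should say `// Returns nil when the input is not a parseable PEM public key.` `×tamppb` on the `Start:` line looks like an extraction artifact of `&timestamppb`.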
@@ -1 +1 @@ -8048f6c3f57f286298650755e9859c7a99907b1fcfebdd7478bf3211df6d12cf \ No newline at end of file +f233e0255ba7b06f768210de40a72dad6456c364f864fef10654e9d1f3576cdf \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem index 454b8510..1bdc24e9 100644 --- a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGI26nKgEYi+4FdSOPEaABIro8IGH -c63nQtcL8DlG2NIvALG1B3CyS4WCAKOyVNCiqMLMjkh/FcEk41H+P9lyhg== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfz +RJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem index 1ed45e0a..9a5052ae 100644 --- a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABJlBSj/YAf85O4m5o6tsCvxLHWVlRLomsu7Q -3Xwo0XI/1ZIy92kOxoF+QVQYy95/JopW/O0oc3DTHNiZU2iw9a2jMzAxMA4GA1Ud -DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQl6uIvO3xeqpvfT+VMLbLS76/lWjAKBggq -hkjOPQQDAgNJADBGAiEA3XvRYfeeBB3Ovw6wwi1C7USjeQ25nyGnrs/B/S2J97YC -IQD9pCbm1w0srRMt+wjxQmpksT0oe0ePJkmozCYP4ZjUHg== +MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7f +LtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1Ud +DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggq +hkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88C +IQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAATpf/P7CJjOIonxqaNc6Ppx7ItOgxrn41H133o1 -Qf0998QGu92hiazFOrIm+Jh4iGaD9Q4mbCDMWC1p9HtNSdVLo0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJeriLzt8Xqqb30/l -TC2y0u+v5VowCgYIKoZIzj0EAwIDSAAwRQIhAOS1MYUaBMZDV943jHxQoIzJfhNm -pZoZJq8ptZwzbH3FAiAFmSuZUf/FNYdm7xDXmygJpV/PZFWjx0FfoNyKOOFfHQ== +MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8 +LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX +2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICr +DiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk= -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntry.json b/pkg/reconciler/trustroot/testdata/marshalledEntry.json index a5f20402..b0c9f8a5 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntry.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntry.json @@ -1,13 +1,18 @@ { + "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1", "tlogs": [ { "baseUrl": "https://rekor.example.com", "hashAlgorithm": "SHA2_256", "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvTLFLnTSWccxxMbHxMdBM0AyPlRi5f7s4VU+7zj17gtQgJlm+/rTjKCeSjNZmcwlFfzd+2MxhQa8n1nMffBBYQ==" + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" + } }, "logId": { - "keyId": "MGNlN2UxNGVmZWYzNTQyNTA0YTc2NDBmNjZhZWNiMDRlN2YyYWEyNWEyYWNhMTU1NWI5NDI4MDAzNTNlZWRjMg==" + "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg==" } } ], 
@@ -21,12 +26,15 @@ "certChain": { "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJlBSj/YAf85O4m5o6tsCvxLHWVlRLomsu7Q3Xwo0XI/1ZIy92kOxoF+QVQYy95/JopW/O0oc3DTHNiZU2iw9a2jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQl6uIvO3xeqpvfT+VMLbLS76/lWjAKBggqhkjOPQQDAgNJADBGAiEA3XvRYfeeBB3Ovw6wwi1C7USjeQ25nyGnrs/B/S2J97YCIQD9pCbm1w0srRMt+wjxQmpksT0oe0ePJkmozCYP4ZjUHg==" + "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug==" }, { - "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpf/P7CJjOIonxqaNc6Ppx7ItOgxrn41H133o1Qf0998QGu92hiazFOrIm+Jh4iGaD9Q4mbCDMWC1p9HtNSdVLo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJeriLzt8Xqqb30/lTC2y0u+v5VowCgYIKoZIzj0EAwIDSAAwRQIhAOS1MYUaBMZDV943jHxQoIzJfhNmpZoZJq8ptZwzbH3FAiAFmSuZUf/FNYdm7xDXmygJpV/PZFWjx0FfoNyKOOFfHQ==" + "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk=" } ] + }, + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ], 
@@ -35,10 +43,14 @@ "baseUrl": "https://ctfe.example.com", "hashAlgorithm": "SHA2_256", "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGI26nKgEYi+4FdSOPEaABIro8IGHc63nQtcL8DlG2NIvALG1B3CyS4WCAKOyVNCiqMLMjkh/FcEk41H+P9lyhg==" + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" + } }, "logId": { - "keyId": "ODA0OGY2YzNmNTdmMjg2Mjk4NjUwNzU1ZTk4NTljN2E5OTkwN2IxZmNmZWJkZDc0NzhiZjMyMTFkZjZkMTJjZg==" + "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg==" } } ], 
@@ -52,12 +64,15 @@ "certChain": { "certificates": [ { - "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFj2yotddj/q8pKlSMcdQTNkIllx1vj8AI9Yo4gmip3vdRpuY4tLWnyAM3fgSm8ecmX87P3bzk/vbiJyg8dmTLijMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBTJfhL0wHF0k4dMeAZL+Pn3IwlRsDAKBggqhkjOPQQDAgNIADBFAiEAwTd8P7LXN7x5sQkfylWtB60zwjCGKzr80GU8c9Vf5XwCIDwjs61mcdrcuukmCYacGKE2lo3ZBqF/ewal/neZQui6" + "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXCeZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggqhkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcCIQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ==" }, { - "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATmQIV8+cpTnw+q7QK4vbep8sqgILosTyCGomDkbXHa6a6l95Orwn+zU9J/gxgCxsGSQunV7hUMCZp8fUglrCwNo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUyX4S9MBxdJOHTHgGS/j59yMJUbAwCgYIKoZIzj0EAwIDSQAwRgIhAJV84sFlLejYvYdwvmVqtxCxjW6F6A6zOZi47myTqu/vAiEA/gbSJUO+vgdiHIENYdOw0Mkfx7WGL2xscx9BJVWOBbU=" + "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrwpy31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJn7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44=" } ] + }, + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ] 
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json index 158ce7c9..b61c78fd 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json @@ -1,11 +1,16 @@ { "tlogs": [ { + "hashAlgorithm": "SHA2_256", "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvTLFLnTSWccxxMbHxMdBM0AyPlRi5f7s4VU+7zj17gtQgJlm+/rTjKCeSjNZmcwlFfzd+2MxhQa8n1nMffBBYQ==" + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" + } }, "logId": { - "keyId": "MGNlN2UxNGVmZWYzNTQyNTA0YTc2NDBmNjZhZWNiMDRlN2YyYWEyNWEyYWNhMTU1NWI5NDI4MDAzNTNlZWRjMg==" + "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg==" } } ], 
@@ -14,22 +19,30 @@ "certChain": { "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJlBSj/YAf85O4m5o6tsCvxLHWVlRLomsu7Q3Xwo0XI/1ZIy92kOxoF+QVQYy95/JopW/O0oc3DTHNiZU2iw9a2jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQl6uIvO3xeqpvfT+VMLbLS76/lWjAKBggqhkjOPQQDAgNJADBGAiEA3XvRYfeeBB3Ovw6wwi1C7USjeQ25nyGnrs/B/S2J97YCIQD9pCbm1w0srRMt+wjxQmpksT0oe0ePJkmozCYP4ZjUHg==" + "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug==" }, { - "rawBytes": "MIIBSjCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpf/P7CJjOIonxqaNc6Ppx7ItOgxrn41H133o1Qf0998QGu92hiazFOrIm+Jh4iGaD9Q4mbCDMWC1p9HtNSdVLo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJeriLzt8Xqqb30/lTC2y0u+v5VowCgYIKoZIzj0EAwIDSAAwRQIhAOS1MYUaBMZDV943jHxQoIzJfhNmpZoZJq8ptZwzbH3FAiAFmSuZUf/FNYdm7xDXmygJpV/PZFWjx0FfoNyKOOFfHQ==" + "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk=" } ] + }, + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ], "ctlogs": [ { + "hashAlgorithm": "SHA2_256", 
"publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGI26nKgEYi+4FdSOPEaABIro8IGHc63nQtcL8DlG2NIvALG1B3CyS4WCAKOyVNCiqMLMjkh/FcEk41H+P9lyhg==" + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" + } }, "logId": { - "keyId": "ODA0OGY2YzNmNTdmMjg2Mjk4NjUwNzU1ZTk4NTljN2E5OTkwN2IxZmNmZWJkZDc0NzhiZjMyMTFkZjZkMTJjZg==" + "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg==" } } ] diff --git a/pkg/reconciler/trustroot/testdata/rekorLogID.txt b/pkg/reconciler/trustroot/testdata/rekorLogID.txt index 8a8bb320..c8e072f9 100644 --- a/pkg/reconciler/trustroot/testdata/rekorLogID.txt +++ b/pkg/reconciler/trustroot/testdata/rekorLogID.txt @@ -1 +1 @@ -0ce7e14efef3542504a7640f66aecb04e7f2aa25a2aca1555b942800353eedc2 \ No newline at end of file +8631ba240e617c5ef65e6cd1f70b8a955549fcab996f2db60a5e8caa99be1cf2 \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem index 2a0f1043..fa59362e 100644 --- a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvTLFLnTSWccxxMbHxMdBM0AyPlRi -5f7s4VU+7zj17gtQgJlm+/rTjKCeSjNZmcwlFfzd+2MxhQa8n1nMffBBYQ== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3o +WabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/root.json b/pkg/reconciler/trustroot/testdata/root.json index f15630c8..d635f7bd 100644 --- a/pkg/reconciler/trustroot/testdata/root.json +++ b/pkg/reconciler/trustroot/testdata/root.json 
@@ -3,9 +3,9 @@ "_type": "root", "spec_version": "1.0", "version": 1, - "expires": "2024-09-22T15:00:53-04:00", + "expires": "2024-09-22T15:32:01-04:00", "keys": { - "459dea25aa10d11f95bc4466bc5f6713cc0b38bc72d76f4969abc02a4d6807fc": { + "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -13,10 +13,10 @@ "sha512" ], "keyval": { - "public": "133f123f83b36f4d436f994736652f5cc7be8a8b1dc4405a0ead572a91bbf5ce" + "public": "a4d3caa7307b07ae60f8827d6a63a421caa9436818911ec4a5fec159c2e0a6ea" } }, - "9bd28f95c00e93a5ba1033e3b50e8bc4200d4595065b40dca75486e71a8afa43": { + "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -24,10 +24,10 @@ "sha512" ], "keyval": { - "public": "47eb932ce6c20b683b41ffedb7799a7db8480221de8f92b7207c31c436b91597" + "public": "2e9da73f5b4a9abbcaf343214f54f897cd2d66b02199ed039fe1d4d3bd002b8b" } }, - "d9eb7b1de2c23b40335e84059557131f878e6e51fac90a4d04a9cac380f7efc5": { + "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -35,10 +35,10 @@ "sha512" ], "keyval": { - "public": "0388c7fe902582d87790493a48a049b665f41c428b94d04d8fa5c3fe3d4370a0" + "public": "4c20f29a8b91b19ed8c2446354067fc52d234412ffc9432785f966a0cde6af93" } }, - "fddf1e0b78e5088ea2108184d5446ed997cafb72b7ac6e6dd8fefdccced0c088": { + "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -46,32 +46,32 @@ "sha512" ], "keyval": { - "public": "8b96ebea4387f0e7706d9791d025fa21f0d3a6e76c5780b52d3e4cbbb1b74262" + "public": "d5a909f2ecbbe521323e5c84970b2937955e098605d43e6aa9fe14d682eef3b3" } } }, "roles": { "root": { "keyids": [ - "9bd28f95c00e93a5ba1033e3b50e8bc4200d4595065b40dca75486e71a8afa43" + "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59" ], "threshold": 1 }, "snapshot": { "keyids": [ - "d9eb7b1de2c23b40335e84059557131f878e6e51fac90a4d04a9cac380f7efc5" + "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87" ], "threshold": 1 }, "targets": { "keyids": [ - "459dea25aa10d11f95bc4466bc5f6713cc0b38bc72d76f4969abc02a4d6807fc" + "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f" ], "threshold": 1 }, "timestamp": { "keyids": [ - "fddf1e0b78e5088ea2108184d5446ed997cafb72b7ac6e6dd8fefdccced0c088" + "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093" ], "threshold": 1 } @@ -80,8 +80,8 @@ }, "signatures": [ { - "keyid": "9bd28f95c00e93a5ba1033e3b50e8bc4200d4595065b40dca75486e71a8afa43", - "sig": "2a3a0ef2efe53ce99338b9652facd3aeee1ef9c8ddc7f7cab9c7f6c06c484fb4f0f8701f441c8aa55682685bdc2cb3e0b43898c3ff56fddf08be71a3c68d2002" + "keyid": "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59", + "sig": "053c49473376571093b419ce3f4a6fcf350d6b7bead1234fe5eae685ee3914b5c28b9cc1ccfdfa84a276374a54eefe06c0545c1ada32dd42194e5fa86f69510a" } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem index ab11a8f3..e6131a87 100644 --- a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABFj2yotddj/q8pKlSMcdQTNkIllx1vj8AI9Y -o4gmip3vdRpuY4tLWnyAM3fgSm8ecmX87P3bzk/vbiJyg8dmTLijMzAxMA4GA1Ud -DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBTJfhL0wHF0k4dMeAZL+Pn3IwlRsDAKBggq -hkjOPQQDAgNIADBFAiEAwTd8P7LXN7x5sQkfylWtB60zwjCGKzr80GU8c9Vf5XwC -IDwjs61mcdrcuukmCYacGKE2lo3ZBqF/ewal/neZQui6 +MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXC +eZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1Ud +DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggq +hkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcC +IQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MDA1M1oXDTM0MDMyMjE5MDA1M1owDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAATmQIV8+cpTnw+q7QK4vbep8sqgILosTyCGomDk -bXHa6a6l95Orwn+zU9J/gxgCxsGSQunV7hUMCZp8fUglrCwNo0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUyX4S9MBxdJOHTHgG -S/j59yMJUbAwCgYIKoZIzj0EAwIDSQAwRgIhAJV84sFlLejYvYdwvmVqtxCxjW6F -6A6zOZi47myTqu/vAiEA/gbSJUO+vgdiHIENYdOw0Mkfx7WGL2xscx9BJVWOBbU= +MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrw +py31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d +2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJ +n7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44= -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/tufRepo.tar b/pkg/reconciler/trustroot/testdata/tufRepo.tar index 4808635816f1272384a2699d5d91e5db10055631..2fcaab93c79c4c75d3f27033fc53c58b79fc04a9 100644 GIT binary patch literal 2837 zcmV+w3+nVAiwFP!00000|Lj^>QyWXN_OpHk!K?2%&RVh-N6bTOK?p2BLc+j}2}jl@ ziA7sW7BF%C`;8W>u`irCV8%0}jDVJ^T3uORW@Ua|S<^Tk<%8L1din0B2>^gbyuPaI zD{y&zy_R=OqSgWxSL_`yAyB_t!=I|R^X z`@~V*+`asYjIS@h{r&zCU+L^li?#Lf+?@@4F&N1pJdqZl9cYRQk}+HdMM{w5%oABD zlwrm)7QG})(KEE3M<5mHdZ0gw|9>n;TQ}S)GQuS1ypu8rN5Ms{z0f|epbbfh%y@%Z zCKj#nXe|rQ7?miZ{e{8e(FW2Yp_63EIZsJQ!I?}bld;+d9+YyxnYA&1uqm=oAP@k! zGwyq^tRRaVJ%`{aD5JPB(Mmyrm`Bf*V+KQkCUFef6KJnoP-K8CSn&&kB|V44Eg5H- zV>Slkxs*zv1f`Ql9=MQ_@szxkf@_1xDn;N!RFtgv9xP&p8*7qDpox%#R)I7{N{R;; znIJ9_XTcjVCURqia!L~z=VEe3|H5DeEXw(_4+WJc3ooaImG@#3KW=kyqy$9zWT<0mwEagcaMlRJm;qhUVCXK^_D^1x7u z&hl7V-m*-^G@D=N&_cg!-&(3%`0Z)5L%&TV1<*+`Y4hlm3$Hi zK{@Rr1;&L;5hF!qFh*gSbm+Np)_dlC3W+oACgnT>U|M=7RYGkN_#~_`Ttd)6 zF|GuIWI<>qkpW9Ff;Ys243QPthFh*<(A*m7tp<-eap^f{PVg9XA{7GTB(+E!6pJ@B z;YQI1$lT?DKN;s=oTR^r^JKh|ffX+tT4*M~@Z=y#C#)9D$pQ~BRS6jWT_5tW(_o%w@nbj{+yPVG} z$F;+%+c|Bft5SPwGV%dilhaGznM}5&9_YbXV>w=aJ#YERQB7^Po5Rgk$l2`d>NLAJ z7VWdW;YRkizm=9c)OM=hsr9c$>_1C>u>RBh%nwGd7y+K+{~8~!f6V|^>;Em}!TPV% z+MUKmqmp%MHvyp0DDRzA%DA0XvtF%I{57*ty;7Of_nXp|vu354!A0dN+bZ{V4$4`x zlb!GMn`L=e?KGg&tTr#3CpBzdH5Sc-(P6dIghy?Q>Q!y0ndSA2b!*v0v*zjt{o|AJ zakJd4m&%vdBW1nX-Kg23wwXaAD{mqnZ|wS!J38s$fx+F`d8_+=c+v0Ice-?WG}Ec{ zX_gY`TuuxQn?MWeo`W~rFx=6+1+cks#$MmE3204*`St<8jZ_*dr_$jd@DZ`-S+2vZ{O}Hsy9+Ug?-K^$K$W3 zu4hc8)M!=X)#hGj&m4?R+8%C>+T*i|djH;5w9&icd|~o=Wmf}lndCdKR3(e#ZD#5+OurZ-Kv~? 
z`0U!7yNLPM(xmGm#xVN8jDsn+g;kUWy+;2nOZT=tk+sp7f02DHgvMq=7)0DU1WtL zTxH?Kj*t~+^9@T)j?(68!?2`YHjbdsqmJwu-L40MR&s_?cSfyx|gG^ z7Td<*X zzE3;&d1ENEI-NA?Cy~|5hqK+qivPWpe82u*{|Lx4>z@}ddym#X0It^mTgVgpzqcj4 zpSAt_s6@DayYKL$-Cu2<-~9EYAo-+iU|Jckl{eN%E19*Z!8pw#84BJ6Ba=(caNz=i z;^3@B3l_cANoY)9j3P*kISW#Aa3Yc?r7R>Q9+O7NNO+~uI?uJ1iP?zXZvOgtJ{z4s zRCLhGXQOGnZ(3WQ=hRzbUFmGpZfo0X>-mgk^Cg6tpAEjo`=0r9P&8i;bzP7Cri6e0 z?)D=T0r>MUlH;J0CunfV?9?f7KhK5!wMloD55X(9-e zJfKce$dnS}T!EC*qI3#Kc;Zg6m%!LACjT-N|A|`1iw^>PQ|sUW%%vbf3u&!~D4Es9 zaYT-hfQ(HxCNzlBs^CB*2|+r^MB*GnkXBpaVkAyVa07)$Yar$oc+ftkn7EY6FlLS6 zJPH|{R)p4L@&VxAtk&@`|KA>!cx?voZ2ea~-v3uZ@KyeQ3wbL4-yNNKlLGKJ#}9rG zbrl!SM_q^Bc)%FF@kv?3&~PqelnzoS$8{ zN2G%TQdT1TjIs#Ua~++x zz(EID{DL!&C?pCV$wv~}a{)nGu5HpDwI)i=Tar$Dlnz*sQAC+EL}@6IwvK5OLLpZY ni=Zt7Dl1Vk<#nW00eB@VS;Qya;$_OpHk!7F!$tjeryBF;m%BtV!3WCR#)oN&~t z1&Nj=fdnV!zu%BpyU&y zbySv90^_Bev3H5H}O+fsc+y7scmDO>#eICQ=Z!7<*tgNhl znp_Rz>TfHnb8lGvpZTrvF#1oIaWw9h=kpQvE8Gk`++&OHaW?FZ;&}cH2Ts3$`GxZq z6TbocCh!-a-{AHy&*IhicE*)e5++2;g|!RV7O%SDQ^$@wpKQNfj=Gc1V6NK#E{0cD z#~sUsynTA{RWQD~`1a3-S6tfuy%sC0!wc8%`UO;oiE&IC9m+(3P$pwYp_GCr;k|NE zTkTlzL?A3g8-(K4Fz1r+@n)jm=l}n{m~GX#z;!ah14M&XILiPrq7x9c^TYuH2_rxX zM-aSKg0zf^S#6Ug{E5LL6`euuqx2k{)aZz%6oXUB7^{NQq=9o5qE3c8#X)&wo=`f& zgi+su6-;!>u@JfE=m-!+)C9r^p%}8Hm5wqBmaI2mDF9jHtw#+>#pK0L3>Ki)UZrS& z3(bR8$^aR(q%DwfQi?>(6W7kn*A;ZK!efdU2o+fP7OWIPViBCuQGnLbat4}d3W7++ zV2tuMImMl_UPc*$PB8`VeGK41>z^1b?Tm~rT0*T7M5RCmqYMkcMY5bF2xw(g(hH@* z2_7(#cg``Vh)ez$tjaB5tD~|XAClN2T|P#j8y@Tb;;{Wi5(1|(B#E_|BNR04&%%7ad$k4=aWy5 z43%tu94m`Q7NyuuE^cb*T)!LNTBtnt;}?6;t($b)iyCdwLQFiSD9}e^5a)p+c(OjA zjWM#AjMpJ}m6W&6c$K6F=}A*^lptvZEDCE4airpsIIY)S?yANDoo*tD}5Ef~gxN<<&gV!-x>z(&tFeI%_FbORX zDsm}smtu692^5J(t8E}5MbeU(3BqZQz=&8d%2^R0B~RW3OiDX%rIU^Y79*%=JY%;s z;a1T{$lTX~KbYrVT%^Cq^NurVlrT)O;9^LmNE%0hX--CHqJ${5GBPLuCJAYLO4btj zU}P|Xl48ju!_j-IHH+K`aHvpd0gMM7xprX=53)$ghGY>9kJ@vkHJD|d|7qn>{=bdD z*Pr9x@Ba%xw(S4Eg?wxObw5e**I^vI+8oc+f8dgTUH=8rvi`q?{4$rkzS-Da*+0y8 
z8r7Be^^?WTO0jV^txr$3-j}D1>mF3I=1JrBb1iH7TC<(iHyd1@zi-!1x@)u%4)*rz zHp?5MQa3iYDqiAwbK-Y&t-r~48<*M6Cd;vUbwJ0}?ET)=(QdW-x!5UsXPxy8Uq2(Z zwYG2iSDp4h{!v-zP~WY6qt<^KvHvdlPW-2fzVDW=m;s*S|4Muv|B3-y#{XN$qxi4Z zKeQSfjcV4a-zI=YBj4{;bMZc_W$k)({;$Z&&1&`Y=0QOw&x&f1!K`|nZRhRXqdY5G z*y^-n4dI-z~E7X2uTd*{rC$&7;m~FF!5v zVzZK8-OQA=>-V!})B08hjV#~p=Lfy@lPqbmM*~sH$+&ts+u1rk>VMcN2jdIXtl-CK z2_GBl?6h%Z_}Sj9+*oTKHBYXLSl=#($Lo7gdaSj!cDtvCygN0P_loOmR%A5SC{$|G zdcHnw*0X72b6U&Ne4SedMSZiD9k=slUtTmW_iz?J4=+<|?WovsI|oXx_m6wo`@G%$ zT7c+vvCW`2yuV=Y*1cTPxk4wcewRM=KRK>&l&rm zSIxD(H+KH|#%|SjitOyp*wqtWpB}feR^Ik^NHy{~Y&V~aJfH4Xv#d2t>-(y@-P>!F z=d;gt*USCkOf@EZ?b+y@*cL-9S*4l47~R~wFuc>X*Bg7I#$au`L)}eVGff(}YOOe~ zvZ2|U>>h-poe~<;W-Z%W*tDthN|tnezRs-OoYtl%wWANv%9>m2d3HF>=8kZkg`0<| zzR_+TZpTq~=X#<)e*Wwb*87!Km0!Wd+NC%ur`7g-xtx1X?I6phADWF$ws*jalS7*q zr?n$P*xQ;l%f|I~>g*0G!_)F~`?DTSPN&yy3pcWEwlO%kI6X}38@nfApk}p?gRA!T z@MwMibmO=;gN;<~UcKMj+ell@CyoF8`2SA+AH}nB^qK_lPw+p5%l)4>kr(p6%ht}u z&Ux$L*!$V6a9gt?&>T`Bpq?G3;%_aYPEBQA5U;hZmGx5&_;@9yHAeZs~7V^aY?_CS;M{WOp z)goNI+jsch?yu6%Z~l7VQczMt2$w>PT$+eV&RveA^kuk1=Rp_EhM3Nvv5~!831X@RBgSUnWry+j1`RgynlXCD_(QbP@ zDM#_)*2?O|*tQo~S6dtPyWaN7>Ud%&7Yhh8Kj~h^hmng>cYgb3s+)fFmo5DJ-)`SS z5r97rqd=De3d^FA$iYP6jIcfmfFvXmbK3DJlJgNHlRnxIWD-oOl&la2l>>y3oMkEj zawE7?6oik`1#cj7D~*gEqSu;87#^%6u6&s5=h#bN+*mCCHGsS)L4Vd8lOd%gDA3*! zi z=d-SgO8A%rCKr;HMq9?MBo8fl%@O)bHyl diff --git a/pkg/reconciler/trustroot/trustroot.go b/pkg/reconciler/trustroot/trustroot.go index 18310922..eedc1d57 100644 --- a/pkg/reconciler/trustroot/trustroot.go +++ b/pkg/reconciler/trustroot/trustroot.go 
@@ -29,6 +29,7 @@ import (
 trustrootreconciler "github.com/sigstore/policy-controller/pkg/client/injection/reconciler/policy/v1alpha1/trustroot"
 "github.com/sigstore/policy-controller/pkg/reconciler/trustroot/resources"
 "github.com/sigstore/policy-controller/pkg/tuf"
+ pbcommon "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 sigstoretuf "github.com/sigstore/sigstore/pkg/tuf"
 "github.com/theupdateframework/go-tuf/client"
@@ -221,6 +222,7 @@ func pemToKeyAndID(pem []byte) (crypto.PublicKey, string, error) {
 type customMetadata struct {
 Usage sigstoretuf.UsageKind `json:"usage"`
 Status sigstoretuf.StatusKind `json:"status"`
+ URI string `json:"uri"`
 }
 type sigstoreCustomMetadata struct {
@@ -268,13 +270,31 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con
 if err = tufClient.Download(name, &dl); err != nil {
 return nil, fmt.Errorf("downloading target %s: %w", name, err)
 }
+
 switch scm.Sigstore.Usage {
 case sigstoretuf.Fulcio:
- ret.CertificateAuthorities = append(ret.CertificateAuthorities, &config.CertificateAuthority{CertChain: config.DeserializeCertChain(dl.Bytes())})
+ certChain := config.DeserializeCertChain(dl.Bytes())
+ ret.CertificateAuthorities = append(ret.CertificateAuthorities,
+ &config.CertificateAuthority{
+ Uri: scm.Sigstore.URI,
+ CertChain: certChain,
+ ValidFor: &config.TimeRange{
+ Start: &config.Timestamp{},
+ },
+ },
+ )
 case sigstoretuf.CTFE:
- ret.Ctlogs = append(ret.Ctlogs, &config.TransparencyLogInstance{PublicKey: config.DeserializePublicKey(dl.Bytes())})
+ tlog, err := genTransparencyLogInstance(scm.Sigstore.URI, dl.Bytes())
+ if err != nil {
+ return nil, fmt.Errorf("creating transparency log instance: %w", err)
+ }
+ ret.Ctlogs = append(ret.Ctlogs, tlog)
 case sigstoretuf.Rekor:
- ret.Tlogs = append(ret.Tlogs, &config.TransparencyLogInstance{PublicKey: config.DeserializePublicKey(dl.Bytes())})
+ tlog, err := genTransparencyLogInstance(scm.Sigstore.URI, dl.Bytes())
+ if err != nil {
+ return nil, fmt.Errorf("creating transparency log instance: %w", err)
+ }
+ ret.Tlogs = append(ret.Tlogs, tlog)
 }
 }
 // Make sure there's at least a single CertificateAuthority (Fulcio there).
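Review bot: `scm.Sigstore.URI` is copied straight from the TUF target's custom metadata into `Uri` and, through `genTransparencyLogInstance`, into `BaseUrl` without any check, so an empty or malformed value in the targets metadata silently yields an authority or log instance whose URL no consumer can use. A parse check before the switch surfaces that at load time: `if scm.Sigstore.URI != "" { if _, err := url.ParseRequestURI(scm.Sigstore.URI); err != nil { return nil, fmt.Errorf("invalid uri for target %s: %w", name, err) } }` (needs `net/url`); the empty case is left alone in case older repositories omit the field, which the visible code does not settle. The two `tlog, err :=` declarations also shadow the outer `err` that the `Download` call assigns with `=`; each is checked immediately so nothing is lost, but a `vet -shadow` run will flag them. The body of getSigstoreKeysFromTuf starts and ends outside this hunk.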
@@ -285,6 +305,24 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con
 return ret, nil
 }
+func genTransparencyLogInstance(baseURL string, pkBytes []byte) (*config.TransparencyLogInstance, error) {
+ pbpk := config.DeserializePublicKey(pkBytes) // TODO: refactor this func to also return public key and log id
+ pk, err := cryptoutils.UnmarshalPEMToPublicKey(pkBytes)
+ if err != nil {
+ return nil, fmt.Errorf("unmarshaling PEM public key: %w", err)
+ }
+ logID, err := cosign.GetTransparencyLogID(pk)
+ if err != nil {
+ return nil, fmt.Errorf("failed to construct LogID: %w", err)
+ }
+ return &config.TransparencyLogInstance{
+ BaseUrl: baseURL,
+ HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,
+ PublicKey: pbpk,
+ LogId: &pbcommon.LogId{KeyId: []byte(logID)},
+ }, nil
+}
+
 func newDownloader() downloader {
 return downloader{&bytes.Buffer{}}
 }
From 77fe6524d85f799b70ff82bae7c18ba187632ecf Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Wed, 20 Mar 2024 10:26:07 -0400
Subject: [PATCH 19/27] Refactor DeserializePublicKey to also return crypto.PublicKey

Signed-off-by: Cody Soyland
---
 pkg/apis/config/sigstore_keys.go | 13 ++++-----
 pkg/reconciler/trustroot/trustroot.go | 3 +--
 pkg/webhook/validator_test.go | 39 +++++++++++++--------------
 3 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/pkg/apis/config/sigstore_keys.go b/pkg/apis/config/sigstore_keys.go
index 06aa9b7a..839a151c 100644
--- a/pkg/apis/config/sigstore_keys.go
+++ b/pkg/apis/config/sigstore_keys.go
@@ -17,6 +17,7 @@ package config
 import (
 "context"
+ "crypto"
 "crypto/ecdsa"
 "crypto/elliptic"
 "crypto/rsa"
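Review bot: `genTransparencyLogInstance` has no doc comment and pins `HashAlgorithm` to `pbcommon.HashAlgorithm_SHA2_256` with nothing explaining why, while the manually configured path (`ConvertTransparencyLogInstance`, visible in the next patch) derives it from input. Suggest above the func: `// genTransparencyLogInstance builds a TransparencyLogInstance for a TUF-distributed log key. The hash algorithm is fixed to SHA2-256 because the TUF custom metadata carries no algorithm field.`. The message `"failed to construct LogID: %w"` breaks with the layer-describes-its-work style used two lines above (`"unmarshaling PEM public key: %w"`); `"computing log id: %w"` keeps the chain readable. `KeyId: []byte(logID)` stores the hex string returned by `cosign.GetTransparencyLogID` rather than raw digest bytes; that matches the existing `ConvertTransparencyLogInstance`, but it is worth confirming against the protobuf-specs `LogId.key_id` definition that downstream verifiers expect this encoding.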
@@ -141,7 +142,7 @@ func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) *pbtrustr
 // ConvertTransparencyLogInstance converts public into private
 // TransparencyLogInstance.
 func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pbtrustroot.TransparencyLogInstance {
- pk, err := cryptoutils.UnmarshalPEMToPublicKey(source.PublicKey)
+ pbpk, pk, err := DeserializePublicKey(source.PublicKey)
 if err != nil {
 return nil // TODO: log error? Add return error?
 }
@@ -153,7 +154,7 @@ func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pb
 return &pbtrustroot.TransparencyLogInstance{
 BaseUrl: source.BaseURL.String(),
 HashAlgorithm: HashStringToHashAlgorithm(source.HashAlgorithm),
- PublicKey: DeserializePublicKey(source.PublicKey),
+ PublicKey: pbpk,
 LogId: &pbcommon.LogId{
 KeyId: []byte(logID),
 },
@@ -207,14 +208,14 @@ func DeserializeCertChain(chain []byte) *pbcommon.X509CertificateChain {
 return &pbcommon.X509CertificateChain{Certificates: certs}
 }
-func DeserializePublicKey(publicKey []byte) *pbcommon.PublicKey {
+func DeserializePublicKey(publicKey []byte) (*pbcommon.PublicKey, crypto.PublicKey, error) {
 block, _ := pem.Decode(publicKey)
 if block == nil {
- return nil // TODO: log error? Add return error?
+ return nil, nil, fmt.Errorf("failed to decode public key")
 }
 pk, err := cryptoutils.UnmarshalPEMToPublicKey(publicKey)
 if err != nil {
- return nil // TODO: log error? Add return error?
+ return nil, nil, fmt.Errorf("failed to unmarshal public key: %w", err)
 }
 var keyDetails pbcommon.PublicKeyDetails
 switch k := pk.(type) {
@@ -252,5 +253,5 @@ func DeserializePublicKey(publicKey []byte) *pbcommon.PublicKey {
 Seconds: 0, // TODO: Add support for time range to v1alpha.TransparencyLogInstance
 },
 },
- }
+ }, pk, nil
 }
diff --git a/pkg/reconciler/trustroot/trustroot.go b/pkg/reconciler/trustroot/trustroot.go
index eedc1d57..b19991dd 100644
--- a/pkg/reconciler/trustroot/trustroot.go
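Review bot: `ConvertTransparencyLogInstance` still swallows the error that `DeserializePublicKey` now returns — the context line `return nil // TODO: log error? Add return error?` is unchanged — so a malformed key in a TrustRoot still turns into a silently missing log instance instead of a diagnosable failure; the new signature makes the TODO's own proposal (return the error) possible and this is the place to take it. `DeserializePublicKey` is exported and now returns three values but carries no doc comment; suggest `// DeserializePublicKey parses a PEM-encoded public key and returns its protobuf form (KeyDetails derived from key type and size) together with the parsed crypto.PublicKey; both are nil when err is non-nil.`. The new messages use the `failed to` prefix that the neighbouring trustroot.go hunk avoids (`unmarshaling PEM public key: %w`); `decoding PEM public key: no PEM block found` and `parsing public key: %w` chain more readably. The unchanged RSA `switch k.Size()` lines between the last two hunks are outside this view but compare bytes to bits and are raised on the earlier patch.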
+++ b/pkg/reconciler/trustroot/trustroot.go
@@ -306,8 +306,7 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con
 }
 func genTransparencyLogInstance(baseURL string, pkBytes []byte) (*config.TransparencyLogInstance, error) {
- pbpk := config.DeserializePublicKey(pkBytes) // TODO: refactor this func to also return public key and log id
- pk, err := cryptoutils.UnmarshalPEMToPublicKey(pkBytes)
+ pbpk, pk, err := config.DeserializePublicKey(pkBytes)
 if err != nil {
 return nil, fmt.Errorf("unmarshaling PEM public key: %w", err)
 }
diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go
index 3a652cae..4fe08f5c 100644
--- a/pkg/webhook/validator_test.go
+++ b/pkg/webhook/validator_test.go
@@ -2950,6 +2950,10 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to get embedded CTLog Public keys for testing")
 }
+ pbpk, marshalledPK, err := config.DeserializePublicKey([]byte(ctfePublicKey))
+ if err != nil {
+ t.Fatalf("Failed to deserialize CTLog public key: %v", err)
+ }
 sk := config.SigstoreKeys{
 CertificateAuthorities: []*config.CertificateAuthority{{
 Subject: &config.DistinguishedName{
@@ -2960,7 +2964,7 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
 LogId: &config.LogId{KeyId: []byte(ctfeLogID)},
- PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)),
+ PublicKey: pbpk,
 }},
 }
 c := &config.Config{
@@ -2970,10 +2974,6 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 },
 },
 }
- marshalledPK, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(ctfePublicKey))
- if err != nil {
- t.Fatalf("Failed to unmarshal CTLog public key: %v", err)
- }
 testCtx := config.ToContext(context.Background(), c)
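Review bot: In the `@@ -2950` hunk, `pbpk, marshalledPK, err := config.DeserializePublicKey(...)` binds the parsed `crypto.PublicKey` to a name that says the opposite of what it holds; the name survives from the removed `UnmarshalPEMToPublicKey` call, but this hunk is where it is re-declared and is the natural point to fix it. `pbpk, ctfePK, err := config.DeserializePublicKey([]byte(ctfePublicKey))` reads correctly, with the later uses of `marshalledPK` in this test (outside the hunk) renamed to match. The rest of TestFulcioCertsFromAuthority lies outside these hunks.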
@@ -3045,7 +3045,7 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 }
 func TestRekorClientAndKeysFromAuthority(t *testing.T) {
- pk, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(rekorPublicKey))
+ pbpk, pk, err := config.DeserializePublicKey([]byte(rekorPublicKey))
 if err != nil {
 t.Fatalf("Failed to unmarshal public key for testing: %v", err)
 }
@@ -3070,7 +3070,7 @@ func TestRekorClientAndKeysFromAuthority(t *testing.T) {
 sk := config.SigstoreKeys{
 Tlogs: []*config.TransparencyLogInstance{{
- PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)),
+ PublicKey: pbpk,
 LogId: &config.LogId{KeyId: []byte(rekorLogID)},
 BaseUrl: "rekor.example.com",
 }},
@@ -3158,11 +3158,15 @@ func TestRekorClientAndKeysFromAuthority(t *testing.T) {
 }
 func TestCheckOptsFromAuthority(t *testing.T) {
- pk, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(rekorPublicKey))
+ pbpkRekor, pkRekor, err := config.DeserializePublicKey([]byte(rekorPublicKey))
 if err != nil {
 t.Fatalf("Failed to unmarshal public key for testing: %v", err)
 }
- ecpk, ok := pk.(*ecdsa.PublicKey)
+ pbpkCTFE, pkCTFE, err := config.DeserializePublicKey([]byte(ctfePublicKey))
+ if err != nil {
+ t.Fatalf("Failed to unmarshal public key for testing: %v", err)
+ }
+ ecpk, ok := pkRekor.(*ecdsa.PublicKey)
 if !ok {
 t.Fatalf("pk is not a ecsda public key")
 }
@@ -3207,14 +3211,9 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 t.Fatalf("Failed to get embedded CTLog Public keys for testing")
 }
- marshalledPK, err := cryptoutils.UnmarshalPEMToPublicKey([]byte(ctfePublicKey))
- if err != nil {
- t.Fatalf("Failed to unmarshal CTLog public key: %v", err)
- }
 skRekor := config.SigstoreKeys{
 Tlogs: []*config.TransparencyLogInstance{{
- PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)),
+ PublicKey: pbpkRekor,
 LogId: &config.LogId{KeyId: []byte("rekor-logid")},
 BaseUrl: "rekor.example.com",
 }},
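Review bot: In the `@@ -3158` hunk the new CTFE key setup reuses the Rekor branch's failure text verbatim, `t.Fatalf("Failed to unmarshal public key for testing: %v", err)`, so a fixture regression in either key produces an indistinguishable message. Name the key in each: `t.Fatalf("Failed to unmarshal Rekor public key for testing: %v", err)` and `t.Fatalf("Failed to unmarshal CTFE public key for testing: %v", err)`. The `ecsda` typo in the unchanged `t.Fatalf("pk is not a ecsda public key")` context line is pre-existing but sits next to the edited line if a follow-up touches it.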
@@ -3229,12 +3228,12 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
 LogId: &config.LogId{KeyId: []byte(ctfeLogID)},
- PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)),
+ PublicKey: pbpkCTFE,
 }},
 }
 skCombined := config.SigstoreKeys{
 Tlogs: []*config.TransparencyLogInstance{{
- PublicKey: config.DeserializePublicKey([]byte(rekorPublicKey)),
+ PublicKey: pbpkRekor,
 LogId: &config.LogId{KeyId: []byte("rekor-logid")},
 BaseUrl: "rekor.example.com",
 }},
@@ -3247,7 +3246,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
 LogId: &config.LogId{KeyId: []byte(ctfeLogID)},
- PublicKey: config.DeserializePublicKey([]byte(ctfePublicKey)),
+ PublicKey: pbpkCTFE,
 }},
 }
 c := &config.Config{
@@ -3321,7 +3320,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 RootCerts: roots,
 IntermediateCerts: intermediates,
 IgnoreTlog: true,
- CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: marshalledPK, Status: tuf.Active}}},
+ CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}},
 },
 }, {
 name: "trustroot found, combined, with Identities",
@@ -3346,7 +3345,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 Issuer: "issuer",
 Subject: "subject",
 }},
- CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: marshalledPK, Status: tuf.Active}}},
+ CTLogPubKeys: &cosign.TrustedTransparencyLogPubKeys{Keys: map[string]cosign.TransparencyLogPubKey{ctfeLogID: {PubKey: pkCTFE, Status: tuf.Active}}},
 },
 }}
From 2fe1a9001f0159849cd367e916cd0b6b9cb8d8a5 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Wed, 20 Mar 2024 11:55:05 -0700
Subject: [PATCH 20/27] add missing license headers
Signed-off-by: Brian DeHamer
---
 hack/gentestdata/gentestdata.go | 4 ++--
 pkg/reconciler/trustroot/testdata/testdata.go | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go
index 26cb9a06..5001908c 100644
--- a/hack/gentestdata/gentestdata.go
+++ b/hack/gentestdata/gentestdata.go
@@ -1,10 +1,10 @@
-// Copyright 2024 The Sigstore Authors
+// Copyright 2022 The Sigstore Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-// http://www.apache.org/licenses/LICENSE-2.0
+// http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
diff --git a/pkg/reconciler/trustroot/testdata/testdata.go b/pkg/reconciler/trustroot/testdata/testdata.go
index 49c4e703..ef49b81f 100644
--- a/pkg/reconciler/trustroot/testdata/testdata.go
+++ b/pkg/reconciler/trustroot/testdata/testdata.go
@@ -1,10 +1,10 @@
-// Copyright 2024 The Sigstore Authors
+// Copyright 2022 The Sigstore Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-// http://www.apache.org/licenses/LICENSE-2.0
+// http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
From 5da24e9f66e3ca88c2bbbbdea313ad47155e08a9 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Wed, 20 Mar 2024 12:51:39 -0700
Subject: [PATCH 21/27] lintfix
Signed-off-by: Brian DeHamer
---
 pkg/apis/config/sigstore_keys.go | 2 +-
 pkg/reconciler/trustroot/trustroot.go | 4 ++--
 pkg/reconciler/trustroot/trustroot_test.go | 5 ++---
 pkg/webhook/validator_test.go | 12 ++++++------
 4 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/pkg/apis/config/sigstore_keys.go b/pkg/apis/config/sigstore_keys.go
index 839a151c..dbb068f3 100644
--- a/pkg/apis/config/sigstore_keys.go
+++ b/pkg/apis/config/sigstore_keys.go
@@ -51,7 +51,7 @@ type SigstoreKeys = pbtrustroot.TrustedRoot
 type CertificateAuthority = pbtrustroot.CertificateAuthority
 type TransparencyLogInstance = pbtrustroot.TransparencyLogInstance
 type DistinguishedName = pbcommon.DistinguishedName
-type LogId = pbcommon.LogId
+type LogID = pbcommon.LogId
 type TimeRange = pbcommon.TimeRange
 type Timestamp = timestamppb.Timestamp
diff --git a/pkg/reconciler/trustroot/trustroot.go b/pkg/reconciler/trustroot/trustroot.go
index b19991dd..e9c80e92 100644
--- a/pkg/reconciler/trustroot/trustroot.go
+++ b/pkg/reconciler/trustroot/trustroot.go
@@ -96,14 +96,14 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, trustroot *v1alpha1.Trus
 if !ok {
 return fmt.Errorf("public key %d is not ecdsa.PublicKey", i)
 }
- sigstoreKeys.Tlogs[i].LogId = &config.LogId{KeyId: []byte(logID)}
+ sigstoreKeys.Tlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}
 }
 for i, ctlog := range sigstoreKeys.Ctlogs {
 _, logID, err := pemToKeyAndID(config.SerializePublicKey(ctlog.PublicKey))
 if err != nil {
 return fmt.Errorf("invalid ctlog public key %d: %w", i, err)
 }
- sigstoreKeys.Ctlogs[i].LogId = &config.LogId{KeyId: []byte(logID)}
+ sigstoreKeys.Ctlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}
 }
 // See if the CM holding configs exists
diff --git a/pkg/reconciler/trustroot/trustroot_test.go b/pkg/reconciler/trustroot/trustroot_test.go
index c3e72b17..97c0f842 100644
--- a/pkg/reconciler/trustroot/trustroot_test.go
+++ b/pkg/reconciler/trustroot/trustroot_test.go
@@ -382,11 +382,10 @@ func makeConfigMapWithSigstoreKeys() *corev1.ConfigMap {
 source := NewTrustRoot(trName, WithSigstoreKeys(sigstoreKeys))
 c := config.ConvertSigstoreKeys(context.Background(), source.Spec.SigstoreKeys)
 for i := range c.Tlogs {
- c.Tlogs[i].LogId = &config.LogId{KeyId: []byte(rekorLogID)}
-
+ c.Tlogs[i].LogId = &config.LogID{KeyId: []byte(rekorLogID)}
 }
 for i := range c.Ctlogs {
- c.Ctlogs[i].LogId = &config.LogId{KeyId: []byte(ctfeLogID)}
+ c.Ctlogs[i].LogId = &config.LogID{KeyId: []byte(ctfeLogID)}
 }
 marshalled, err := resources.Marshal(c)
 if err != nil {
diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go
index 4fe08f5c..3855d8a1 100644
--- a/pkg/webhook/validator_test.go
+++ b/pkg/webhook/validator_test.go
@@ -2963,7 +2963,7 @@ func TestFulcioCertsFromAuthority(t *testing.T) {
 CertChain: config.DeserializeCertChain([]byte(certChain)),
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
- LogId: &config.LogId{KeyId: []byte(ctfeLogID)},
+ LogId: &config.LogID{KeyId: []byte(ctfeLogID)},
 PublicKey: pbpk,
 }},
 }
@@ -3071,7 +3071,7 @@ func TestRekorClientAndKeysFromAuthority(t *testing.T) {
 sk := config.SigstoreKeys{
 Tlogs: []*config.TransparencyLogInstance{{
 PublicKey: pbpk,
- LogId: &config.LogId{KeyId: []byte(rekorLogID)},
+ LogId: &config.LogID{KeyId: []byte(rekorLogID)},
 BaseUrl: "rekor.example.com",
 }},
 }
@@ -3214,7 +3214,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 skRekor := config.SigstoreKeys{
 Tlogs: []*config.TransparencyLogInstance{{
 PublicKey: pbpkRekor,
- LogId: &config.LogId{KeyId: []byte("rekor-logid")},
+ LogId: &config.LogID{KeyId: []byte("rekor-logid")},
 BaseUrl: "rekor.example.com",
 }},
 }
@@ -3227,14 +3227,14 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 CertChain: config.DeserializeCertChain([]byte(certChain)),
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
- LogId: &config.LogId{KeyId: []byte(ctfeLogID)},
+ LogId: &config.LogID{KeyId: []byte(ctfeLogID)},
 PublicKey: pbpkCTFE,
 }},
 }
 skCombined := config.SigstoreKeys{
 Tlogs: []*config.TransparencyLogInstance{{
 PublicKey: pbpkRekor,
- LogId: &config.LogId{KeyId: []byte("rekor-logid")},
+ LogId: &config.LogID{KeyId: []byte("rekor-logid")},
 BaseUrl: "rekor.example.com",
 }},
 CertificateAuthorities: []*config.CertificateAuthority{{
@@ -3245,7 +3245,7 @@ func TestCheckOptsFromAuthority(t *testing.T) {
 CertChain: config.DeserializeCertChain([]byte(certChain)),
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
- LogId: &config.LogId{KeyId: []byte(ctfeLogID)},
+ LogId: &config.LogID{KeyId: []byte(ctfeLogID)},
 PublicKey: pbpkCTFE,
 }},
 }
From b9257973ec29e73b4802bd04249ed583778ba22b Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Wed, 20 Mar 2024 15:09:05 -0700
Subject: [PATCH 22/27] fix e2e_test_trustroot_crd.sh
Signed-off-by: Brian DeHamer
---
 test/e2e_test_trustroot_crd.sh | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/test/e2e_test_trustroot_crd.sh b/test/e2e_test_trustroot_crd.sh
index 88757b71..fbfc9e5f 100755
--- a/test/e2e_test_trustroot_crd.sh
+++ b/test/e2e_test_trustroot_crd.sh
@@ -36,19 +36,25 @@ echo '::endgroup::'
 echo '::group:: Validating the configmap entries'
 echo "Validating Fulcio entry"
-kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.certificateAuthorities[0].certChain' | base64 -d > ./got.fulcio.pem
+echo -n > ./got.fulcio.pem
+for cert in $(kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.certificateAuthorities[0].certChain.certificates[] | .rawBytes' ); do
+ echo $cert | base64 -d | openssl x509 -inform der >> ./got.fulcio.pem
+done
 diff ./got.fulcio.pem ./test/testdata/trustroot/golden/fulcio.crt.pem
 echo "Validating TSA entry"
-kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.timestampAuthorities[0].certChain' | base64 -d > ./got.tsa.pem
+echo -n > ./got.tsa.pem
+for cert in $(kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.timestampAuthorities[0].certChain.certificates[] | .rawBytes' ); do
+ echo $cert | base64 -d | openssl x509 -inform der >> ./got.tsa.pem
+done
 diff ./got.tsa.pem ./test/testdata/trustroot/golden/tsa.crt.pem
 echo "Validating Rekor entry"
-kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.tLogs[0].publicKey' | base64 -d > ./got.rekor.pem
+kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.tlogs[0].publicKey.rawBytes' | base64 -d | openssl pkey -pubin -inform der > ./got.rekor.pem
 diff ./got.rekor.pem ./test/testdata/trustroot/golden/rekor.pem
 echo "Validating CTLog entry"
-kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq '.ctLogs[0].publicKey' | base64 -d > ./got.ctfe.pem
+kubectl -n cosign-system get cm config-sigstore-keys -ojsonpath='{.data.bring-your-own-sigstore-keys}' | yq
'.ctlogs[0].publicKey.rawBytes' | base64 -d | openssl pkey -pubin -inform der > ./got.ctfe.pem
 diff ./got.ctfe.pem ./test/testdata/trustroot/golden/ctfe.pem
 kubectl delete -f ./test/testdata/trustroot/valid/valid-sigstore-keys.yaml
From 705ddaed7e53723491b6e7765ae43c457b017b81 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 22 Mar 2024 15:55:27 -0400
Subject: [PATCH 23/27] Couple of fixes
Signed-off-by: Cody Soyland
---
 hack/gentestdata/gentestdata.go | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go
index 5001908c..29c54646 100644
--- a/hack/gentestdata/gentestdata.go
+++ b/hack/gentestdata/gentestdata.go
@@ -184,14 +184,14 @@ func populateLogIDs(sigstoreKeys *config.SigstoreKeys) error {
 if err != nil {
 return err
 }
- sigstoreKeys.Tlogs[i].LogId = &config.LogId{KeyId: []byte(logID)}
+ sigstoreKeys.Tlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}
 }
 for i := range sigstoreKeys.Ctlogs {
 logID, err := genLogID(sigstoreKeys.Ctlogs[i].PublicKey.RawBytes)
 if err != nil {
 return err
 }
- sigstoreKeys.Ctlogs[i].LogId = &config.LogId{KeyId: []byte(logID)}
+ sigstoreKeys.Ctlogs[i].LogId = &config.LogID{KeyId: []byte(logID)}
 }
 return nil
 }
@@ -230,6 +230,15 @@ func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, erro
 return nil, nil, nil, err
 }
+ tlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"]))
+ if err != nil {
+ return nil, nil, nil, err
+ }
+ ctlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"]))
+ if err != nil {
+ return nil, nil, nil, err
+ }
+
 trustRoot := &config.SigstoreKeys{
 CertificateAuthorities: []*config.CertificateAuthority{{
 CertChain: config.DeserializeCertChain([]byte(sigstoreKeysMap["fulcio"])),
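Review bot: `echo $cert` is unquoted in the new loop bodies of both the Fulcio and the TSA blocks; base64 text carries no whitespace, so it works today, but the unquoted expansion is still subject to globbing and is the kind of line shellcheck flags. Quote it: `echo "$cert" | base64 -d | openssl x509 -inform der >> ./got.fulcio.pem` (and the `./got.tsa.pem` counterpart). Separately, a failure of `base64 -d` or `openssl` inside these pipelines only aborts the script if it runs under `set -o pipefail`, which is not visible in this hunk; without it a decode error leaves a truncated file and surfaces only as an unexplained `diff` mismatch against the golden file. The script's option settings are outside the hunk.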
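Review bot: The two new `return nil, nil, nil, err` branches after `config.DeserializePublicKey` in genTUFRepo hand back the raw parse error, so when main's `log.Fatal(err)` fires there is no way to tell whether the rekor or the ctfe PEM was the bad one. Wrap each with the key name, e.g. `return nil, nil, nil, fmt.Errorf("deserializing rekor public key: %w", err)` and the ctfe counterpart; whether `fmt` is already imported in this file is not visible here. The same two branches are moved unchanged into genTrustedRoot by the later "Add test for fetching trusted_root.json from TUF repo" commit on this page and would want the same wrapping there. genTUFRepo's body begins and ends outside this hunk.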
@@ -239,11 +248,11 @@ func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, erro
 }},
 Tlogs: []*config.TransparencyLogInstance{{
 HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,
- PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"])),
+ PublicKey: tlogKey,
 }},
 Ctlogs: []*config.TransparencyLogInstance{{
 HashAlgorithm: pbcommon.HashAlgorithm_SHA2_256,
- PublicKey: config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"])),
+ PublicKey: ctlogKey,
 }},
 }
 err = populateLogIDs(trustRoot)
From ff865ed963953dd78f66fe84253492fe8524eeda Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 22 Mar 2024 16:16:19 -0400
Subject: [PATCH 24/27] Remove unneccesary conversion
Signed-off-by: Cody Soyland
---
 pkg/reconciler/trustroot/trustroot_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/reconciler/trustroot/trustroot_test.go b/pkg/reconciler/trustroot/trustroot_test.go
index 97c0f842..c08da71d 100644
--- a/pkg/reconciler/trustroot/trustroot_test.go
+++ b/pkg/reconciler/trustroot/trustroot_test.go
@@ -139,7 +139,7 @@ var sigstoreKeys = map[string]string{
 // https://github.com/golang/protobuf/issues/1121
 func canonicalizeSigstoreKeys(in []byte) []byte {
 keys := &config.SigstoreKeys{}
- err := protojson.Unmarshal([]byte(in), keys)
+ err := protojson.Unmarshal(in, keys)
 if err != nil {
 panic(err)
 }
From 18eea2b7fe83c5c22e0337ab6e728a30a6ca47d2 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 22 Mar 2024 16:58:55 -0400
Subject: [PATCH 25/27] Add test for fetching trusted_root.json from TUF repo
Signed-off-by: Cody Soyland
---
 hack/gentestdata/gentestdata.go | 46 ++++++---
 .../trustroot/testdata/ctfeLogID.txt | 2 +-
 .../trustroot/testdata/ctfePublicKey.pem | 4 +-
 .../trustroot/testdata/fulcioCertChain.pem | 28 +++---
 .../trustroot/testdata/marshalledEntry.json | 86 ++++++++---------
 .../testdata/marshalledEntryFromMirrorFS.json | 50 +++++-----
 .../trustroot/testdata/rekorLogID.txt | 2 +-
 .../trustroot/testdata/rekorPublicKey.pem | 4 +-
 pkg/reconciler/trustroot/testdata/root.json | 30 +++---
 .../testdata/rootWithTrustedRootJSON.json | 87 ++++++++++++++++++
 .../trustroot/testdata/tsaCertChain.pem | 26 +++---
 pkg/reconciler/trustroot/testdata/tufRepo.tar | Bin 2837 -> 2835 bytes
 .../testdata/tufRepoWithTrustedRootJSON.tar | Bin 0 -> 3425 bytes
 pkg/reconciler/trustroot/trustroot.go | 1 -
 pkg/reconciler/trustroot/trustroot_test.go | 38 +++++++-
 15 files changed, 269 insertions(+), 135 deletions(-)
 create mode 100644 pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json
 create mode 100644 pkg/reconciler/trustroot/testdata/tufRepoWithTrustedRootJSON.tar
diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go
index 29c54646..2600749a 100644
--- a/hack/gentestdata/gentestdata.go
+++ b/hack/gentestdata/gentestdata.go
@@ -77,7 +77,23 @@ func main() {
 log.Fatal(err)
 }
- marshalledEntryFromMirrorFS, tufRepo, rootJSON, err := genTUFRepo(sigstoreKeysMap)
+ tufRepo, rootJSON, err := genTUFRepo(map[string][]byte{
+ "rekor.pem": []byte(sigstoreKeysMap["rekor"]),
+ "ctfe.pem": []byte(sigstoreKeysMap["ctfe"]),
+ "fulcio.pem": []byte(sigstoreKeysMap["fulcio"]),
+ })
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ tufRepoWithTrustedRootJSON, rootJSONWithTrustedRootJSON, err := genTUFRepo(map[string][]byte{
+ "trusted_root.json": marshalledEntry,
+ })
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ marshalledEntryFromMirrorFS, err := genTrustedRoot(sigstoreKeysMap)
 if err != nil {
 log.Fatal(err)
 }
@@ -92,6 +108,8 @@ func main() {
 mustWriteFile("marshalledEntryFromMirrorFS.json", marshalledEntryFromMirrorFS)
 mustWriteFile("tufRepo.tar", tufRepo)
 mustWriteFile("root.json", rootJSON)
+ mustWriteFile("tufRepoWithTrustedRootJSON.tar", tufRepoWithTrustedRootJSON)
+ mustWriteFile("rootWithTrustedRootJSON.json", rootJSONWithTrustedRootJSON)
 }
 func mustWriteFile(path string, data []byte) {
@@ -204,39 +222,37 @@ func genLogID(pkBytes []byte) (string, error) {
 return cosign.GetTransparencyLogID(pk)
 }
-func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, error) {
- files := map[string][]byte{}
- files["rekor.pem"] = []byte(sigstoreKeysMap["rekor"])
- files["ctfe.pem"] = []byte(sigstoreKeysMap["ctfe"])
- files["fulcio.pem"] = []byte(sigstoreKeysMap["fulcio"])
-
+func genTUFRepo(files map[string][]byte) ([]byte, []byte, error) {
 defer os.RemoveAll(path.Join(os.TempDir(), "tuf")) // TODO: Update scaffolding to use os.MkdirTemp and remove this
 ctx := context.Background()
 local, dir, err := repo.CreateRepo(ctx, files)
 if err != nil {
- return nil, nil, nil, err
+ return nil, nil, err
 }
 meta, err := local.GetMeta()
 if err != nil {
- return nil, nil, nil, err
+ return nil, nil, err
 }
 rootJSON, ok := meta["root.json"]
 if !ok {
- return nil, nil, nil, err
+ return nil, nil, err
 }
 var compressed bytes.Buffer
 if err := repo.CompressFS(os.DirFS(dir), &compressed, map[string]bool{"keys": true, "staged": true}); err != nil {
- return nil, nil, nil, err
+ return nil, nil, err
 }
+ return compressed.Bytes(), rootJSON, nil
+}
+func genTrustedRoot(sigstoreKeysMap map[string]string) ([]byte, error) {
 tlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["rekor"]))
 if err != nil {
- return nil, nil, nil, err
+ return nil, err
 }
 ctlogKey, _, err := config.DeserializePublicKey([]byte(sigstoreKeysMap["ctfe"]))
 if err != nil {
- return nil, nil, nil, err
+ return nil, err
 }
 trustRoot := &config.SigstoreKeys{
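Review bot: In the rewritten genTUFRepo the `if !ok { return nil, nil, err }` branch after `rootJSON, ok := meta["root.json"]` returns a nil error, because `err` was checked and found nil two lines earlier at `meta, err := local.GetMeta()`; the commit changed the arity of that line but kept the pre-existing shape. A TUF repo whose metadata lacks root.json would therefore reach main as a success with an empty rootJSON, and the `mustWriteFile("root.json", rootJSON)` call in the hunk above would write an empty file rather than failing. Return a real error there, e.g. `return nil, nil, errors.New("root.json missing from TUF repo metadata")`; whether `errors` or `fmt` is imported in this file is not visible in the hunk.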
@@ -257,8 +273,8 @@ func genTUFRepo(sigstoreKeysMap map[string]string) ([]byte, []byte, []byte, erro
 }
 err = populateLogIDs(trustRoot)
 if err != nil {
- return nil, nil, nil, err
+ return nil, err
 }
 trustRootBytes := []byte(protojson.Format(trustRoot))
- return trustRootBytes, compressed.Bytes(), rootJSON, nil
+ return trustRootBytes, nil
 }
diff --git a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
index 0d7a64f1..6e92256b 100644
--- a/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
+++ b/pkg/reconciler/trustroot/testdata/ctfeLogID.txt
@@ -1 +1 @@
-f233e0255ba7b06f768210de40a72dad6456c364f864fef10654e9d1f3576cdf
\ No newline at end of file
+1710e23da0651aaa8194bc9652cd00a97c1fda9c76fce12f14eb635e42036954
\ No newline at end of file
diff --git a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem
index 1bdc24e9..ea57536c 100644
--- a/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem
+++ b/pkg/reconciler/trustroot/testdata/ctfePublicKey.pem
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfz
-RJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMj
+ld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==
 -----END PUBLIC KEY-----
diff --git a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem
index 9a5052ae..4b10e30d 100644
--- a/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem
+++ b/pkg/reconciler/trustroot/testdata/fulcioCertChain.pem
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7f -LtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1Ud -DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggq -hkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88C -IQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug== +MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/5 +5rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1Ud +DwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggq +hkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64C +IHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8 -LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX -2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICr -DiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk= +MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz +9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3 +eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55 +FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntry.json b/pkg/reconciler/trustroot/testdata/marshalledEntry.json index b0c9f8a5..e9fc1f2e 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntry.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntry.json 
@@ -1,78 +1,78 @@ { - "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1", - "tlogs": [ + "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1", + "tlogs": [ { - "baseUrl": "https://rekor.example.com", - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "baseUrl": "https://rekor.example.com", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg==" + "logId": { + "keyId": "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ==" } } ], - "certificateAuthorities": [ + "certificateAuthorities": [ { - "subject": { - "organization": "fulcio-organization", - "commonName": "fulcio-common-name" + "subject": { + "organization": "fulcio-organization", + "commonName": "fulcio-common-name" }, - "uri": "https://fulcio.example.com", - "certChain": { - "certificates": [ + "uri": "https://fulcio.example.com", + "certChain": { + "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug==" + "rawBytes": 
"MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT" }, { - "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk=" + "rawBytes": "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW" } ] }, - "validFor": { - "start": "1970-01-01T00:00:00Z" + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ], - "ctlogs": [ + "ctlogs": [ { - "baseUrl": "https://ctfe.example.com", - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "baseUrl": "https://ctfe.example.com", + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": 
"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg==" + "logId": { + "keyId": "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA==" } } ], - "timestampAuthorities": [ + "timestampAuthorities": [ { - "subject": { - "organization": "tsa-organization", - "commonName": "tsa-common-name" + "subject": { + "organization": "tsa-organization", + "commonName": "tsa-common-name" }, - "uri": "https://tsa.example.com", - "certChain": { - "certificates": [ + "uri": "https://tsa.example.com", + "certChain": { + "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXCeZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggqhkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcCIQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ==" + "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1UdDwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggqhkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIhAO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU" }, { - "rawBytes": 
"MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrwpy31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJn7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44=" + "rawBytes": "MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/hTGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftBkxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsfSKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ=" } ] }, - "validFor": { - "start": "1970-01-01T00:00:00Z" + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ] diff --git a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json index b61c78fd..a3774db9 100644 --- a/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json +++ b/pkg/reconciler/trustroot/testdata/marshalledEntryFromMirrorFS.json 
@@ -1,48 +1,48 @@ { - "tlogs": [ + "tlogs": [ { - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3oWabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro89r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ODYzMWJhMjQwZTYxN2M1ZWY2NWU2Y2QxZjcwYjhhOTU1NTQ5ZmNhYjk5NmYyZGI2MGE1ZThjYWE5OWJlMWNmMg==" + "logId": { + "keyId": "YWRjNTE1MWY5OTExZWUxZjAwMWVkYzc0Y2Q3MWNkNThmOGExMWE0ODRhOGM5NzA5NDkwYjRkOTY2NDcxZjQxMQ==" } } ], - "certificateAuthorities": [ + "certificateAuthorities": [ { - "certChain": { - "certificates": [ + "certChain": { + "certificates": [ { - "rawBytes": "MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH52pFOcobYjT5V85OtmQU+nxhhGNUayYt7fLtsY8qDtQOCFW7P8Ya1B14IowM7fFbI0c5jeEczhTLqnGU4yrBqjMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBQsTJia5d928QAnmtfYJffrTRnsFzAKBggqhkjOPQQDAgNJADBGAiEAoIIysKwCCicQsX3URWsPS9N6aGIfhfdS22qZpvkbg88CIQDezHPTP8Vp8fKnHoRplC6++c1N8yds5GlK9QNDSoTwug==" + "rawBytes": "MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNr99Dzn4PLhw3a9dP8YLwZaPnm3hpF3vt/55rMc7N194IPRB+qCDQIKIsyFMQ937IA+ylxdYvwYPB30kw/nie+jMzAxMA4GA1UdDwEB/wQEAwIGwDAfBgNVHSMEGDAWgBSgpcC8Rht4JttKz/d6pqb87A+f+zAKBggqhkjOPQQDAgNIADBFAiEAtuSOJ8LaCp6OrUIo8eKz7iYFEeOMI5d3aBEUSUp8y64CIHnTyu87fhXigrwrrhx0mEluHBfqeBpJilenwWjcUzYT" }, { - "rawBytes": 
"MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARtAqUJCj/Wb+rFJJn76UdcAcUA5H1w3PjIZRR8LBkBAkP/AmDDs0uKxl32jGaOISUtCVQUhnEx2XofoRdI1yQqo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULEyYmuXfdvEAJ5rX2CX3600Z7BcwCgYIKoZIzj0EAwIDSQAwRgIhAMCf8nrN60qqT6MEL4nhu2OepICrDiCugo150fQQKNRaAiEAldwHCU3UF8f7b+mtUyoJQ1K5nksElcvODJRutb/GvCk=" + "rawBytes": "MIIBSTCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATpp0ZNVPLAIzjTPkYzluuwuJxo4kmCLQRmznmz9GE89huCeLhyLbgj6xLgLrlZPwEnlGRKdiba+pLxUzKVKTPAo0IwQDAOBgNVHQ8BAf8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUoKXAvEYbeCbbSs/3eqam/OwPn/swCgYIKoZIzj0EAwIDRwAwRAIgPpFwR+kjxrG75XPEQCiKPwF1Zg55FZVT7PlNJKyIPYACIFMMqZ4//ncJoBxMtvTsr3++2d91SPpyis2cLiDcr3kW" } ] }, - "validFor": { - "start": "1970-01-01T00:00:00Z" + "validFor": { + "start": "1970-01-01T00:00:00Z" } } ], - "ctlogs": [ + "ctlogs": [ { - "hashAlgorithm": "SHA2_256", - "publicKey": { - "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/0axOYDFW1GxfRBsuCZEXDbNkMfzRJqocd5QqkycTqqK47i7ip75BeyvmQcqYE6KRMnHQds1tlzkAxZ3RlPnFA==", - "keyDetails": "PKIX_ECDSA_P256_SHA_256", - "validFor": { - "start": "1970-01-01T00:00:00Z" + "hashAlgorithm": "SHA2_256", + "publicKey": { + "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBQY7A479x/VleGrvxp1gQAykOZMjld4J6VWVLnN0WLiqOesr9QkSBVnBkYKw0pr6Bgr8Qjg6NA3x470DLPxrDQ==", + "keyDetails": "PKIX_ECDSA_P256_SHA_256", + "validFor": { + "start": "1970-01-01T00:00:00Z" } }, - "logId": { - "keyId": "ZjIzM2UwMjU1YmE3YjA2Zjc2ODIxMGRlNDBhNzJkYWQ2NDU2YzM2NGY4NjRmZWYxMDY1NGU5ZDFmMzU3NmNkZg==" + "logId": { + "keyId": "MTcxMGUyM2RhMDY1MWFhYTgxOTRiYzk2NTJjZDAwYTk3YzFmZGE5Yzc2ZmNlMTJmMTRlYjYzNWU0MjAzNjk1NA==" } } ] 
diff --git a/pkg/reconciler/trustroot/testdata/rekorLogID.txt b/pkg/reconciler/trustroot/testdata/rekorLogID.txt index c8e072f9..e96bd223 100644 --- a/pkg/reconciler/trustroot/testdata/rekorLogID.txt +++ b/pkg/reconciler/trustroot/testdata/rekorLogID.txt @@ -1 +1 @@ -8631ba240e617c5ef65e6cd1f70b8a955549fcab996f2db60a5e8caa99be1cf2 \ No newline at end of file +adc5151f9911ee1f001edc74cd71cd58f8a11a484a8c9709490b4d966471f411 \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem index fa59362e..58573372 100644 --- a/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem +++ b/pkg/reconciler/trustroot/testdata/rekorPublicKey.pem @@ -1,4 +1,4 @@ -----BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEI4VIUxpIQaYEpS5Vlp7PHTB7ho3o -WabbChqboVxueHh+wqimmPJXuXLe+Zu32VH+fN5WFn4AGajIGje1GBXtOw== +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Vobk4rjNzYrf/uqDwEd/HDfCro8 +9r63DaHCTRYQJaf/JHdJj/nxBl1e3ZCo0B7kB/uU+e7d56A9gPdelFc51g== -----END PUBLIC KEY----- diff --git a/pkg/reconciler/trustroot/testdata/root.json b/pkg/reconciler/trustroot/testdata/root.json index d635f7bd..f7bae914 100644 --- a/pkg/reconciler/trustroot/testdata/root.json +++ b/pkg/reconciler/trustroot/testdata/root.json @@ -3,9 +3,9 @@ "_type": "root", "spec_version": "1.0", "version": 1, - "expires": "2024-09-22T15:32:01-04:00", + "expires": "2024-09-22T16:47:39-04:00", "keys": { - "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f": { + "0c5ee15a0b35012b32989697c15e22f199d8534863a80197bea385adb908d0c9": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -13,10 +13,10 @@ "sha512" ], "keyval": { - "public": "a4d3caa7307b07ae60f8827d6a63a421caa9436818911ec4a5fec159c2e0a6ea" + "public": "06ba72d6fe28cc6d1d85ca8f933f7e855875af2cabb97dd075074f5d1c188249" } }, - "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59": { + "b2cf295def74b86b6a50211bfcf3ab3839a2bdbed936d95cfacce1f4c31deedd": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -24,10 +24,10 @@ "sha512" ], "keyval": { - "public": "2e9da73f5b4a9abbcaf343214f54f897cd2d66b02199ed039fe1d4d3bd002b8b" + "public": "97c5f9488951eb67f16ea9328c9537c2ade4485a0b924ec0486a236f50e80f96" } }, - "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093": { + "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ @@ -35,10 +35,10 @@ "sha512" ], "keyval": { - "public": "4c20f29a8b91b19ed8c2446354067fc52d234412ffc9432785f966a0cde6af93" + "public": "4b92888524b5cd2de6cad461f83fb86b3f5590792c037b416132811ba71e1e8b" } }, - "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87": { + "fcf4d6c6bfa6fccb41df570cc60e6ef63cfe45baed10c0ead716de97f4a25264": { "keytype": "ed25519", "scheme": "ed25519", "keyid_hash_algorithms": [ 
@@ -46,32 +46,32 @@ "sha512" ], "keyval": { - "public": "d5a909f2ecbbe521323e5c84970b2937955e098605d43e6aa9fe14d682eef3b3" + "public": "6f98dc24fc1df15ed2888658f711dbe59433aa7b0a62334080100fa52a483716" } } }, "roles": { "root": { "keyids": [ - "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59" + "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d" ], "threshold": 1 }, "snapshot": { "keyids": [ - "a182898f8f07aa5a376da7aeaf62dbe13a23f21dc8088e28936b67a08bbefb87" + "b2cf295def74b86b6a50211bfcf3ab3839a2bdbed936d95cfacce1f4c31deedd" ], "threshold": 1 }, "targets": { "keyids": [ - "4b22a801cd5addfbcf9646b3a2dd299d076be90a506d7173742df76a916b511f" + "fcf4d6c6bfa6fccb41df570cc60e6ef63cfe45baed10c0ead716de97f4a25264" ], "threshold": 1 }, "timestamp": { "keyids": [ - "93a9525c20dcad686288e943a3a1c5c26b185d838fa25d7ca07c6bd6a80a9093" + "0c5ee15a0b35012b32989697c15e22f199d8534863a80197bea385adb908d0c9" ], "threshold": 1 } @@ -80,8 +80,8 @@ }, "signatures": [ { - "keyid": "8296a838fbbcb44d3badbe77c37cd1d78a44518c8574f1e98c5991db886fae59", - "sig": "053c49473376571093b419ce3f4a6fcf350d6b7bead1234fe5eae685ee3914b5c28b9cc1ccfdfa84a276374a54eefe06c0545c1ada32dd42194e5fa86f69510a" + "keyid": "d4177b1e89bf7eb02c44285e9f7907eb089ff7951199179d6fd68280dbb4d69d", + "sig": "0eca8e52cd9d8e18dc02593925bde4c44f2eac3e173199ff30a8a875391636f419914563fafe171d5b4b22917b8a6604ad77af5ea9f88166b3f8ca6c15332201" } ] } \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json b/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json new file mode 100644 index 00000000..cc9bb5cf --- /dev/null +++ b/pkg/reconciler/trustroot/testdata/rootWithTrustedRootJSON.json 
@@ -0,0 +1,87 @@ +{ + "signed": { + "_type": "root", + "spec_version": "1.0", + "version": 1, + "expires": "2024-09-22T16:47:40-04:00", + "keys": { + "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "3bfd19c0931a80cd3279322fc22b04b90831b1804f5dbc72c31676ca2ac82f97" + } + }, + "5dd6940e523073d10a6252f38a4dc2ebf33e23641c103682e43cb351a5672f43": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "d64a13987f3b0ccfcbfab8c5631acff1b69dda70e40c1aae0cb1f0f9575716cb" + } + }, + "8b635809713e0b6ae3370afeb6fa83d7aae2039b355e56d1211049246c3d1a4d": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "ecf8b527a4a4ce34718286dc9a67a5969060053bf1750e2dc74e065c9ab30ec1" + } + }, + "d263be84f7043dd0b4636fb797cfd1c9b455b9168f282cad8f48ff0ca47465fc": { + "keytype": "ed25519", + "scheme": "ed25519", + "keyid_hash_algorithms": [ + "sha256", + "sha512" + ], + "keyval": { + "public": "e7f35e9f47b6e2f38e62b184d9f9a54f085843c57bb102cab0fe684dabe1e0bd" + } + } + }, + "roles": { + "root": { + "keyids": [ + "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505" + ], + "threshold": 1 + }, + "snapshot": { + "keyids": [ + "8b635809713e0b6ae3370afeb6fa83d7aae2039b355e56d1211049246c3d1a4d" + ], + "threshold": 1 + }, + "targets": { + "keyids": [ + "5dd6940e523073d10a6252f38a4dc2ebf33e23641c103682e43cb351a5672f43" + ], + "threshold": 1 + }, + "timestamp": { + "keyids": [ + "d263be84f7043dd0b4636fb797cfd1c9b455b9168f282cad8f48ff0ca47465fc" + ], + "threshold": 1 + } + }, + "consistent_snapshot": false + }, + "signatures": [ + { + "keyid": "1742f6a1f846f4042382403b907864f125c2fca7bd70d6c157a40ac8e6f7d505", + "sig": 
"1050176114e44eec30b0661a9016b0a1ce607b4168d8e84ab1d4c15d73c3bdb051f0c0b21b67f03c77d4a98ea7dabc5fd1404bbef2eaac605ddfa2a6145d0709" + } + ] +} \ No newline at end of file diff --git a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem index e6131a87..0c657654 100644 --- a/pkg/reconciler/trustroot/testdata/tsaCertChain.pem +++ b/pkg/reconciler/trustroot/testdata/tsaCertChain.pem 
@@ -1,18 +1,18 @@ -----BEGIN CERTIFICATE----- -MIIBPjCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDzENMAsGA1UEAxMEbGVhZjBZMBMG -ByqGSM49AgEGCCqGSM49AwEHA0IABCOUCx97+DsDdyvKgf/FhyiMIzd40bAquTXC -eZlDeKsHUhsLHrLCa8fOV8njfl8dE2ABX/lwPA+czYfDW1myooGjMzAxMA4GA1Ud -DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRNdydaOxYhTIQG3d3Zp22F1Rj+XDAKBggq -hkjOPQQDAgNJADBGAiEA7BJb9k0usb77EKqvbCfOF1fGeBFiU3i32+4HnUXC9GcC -IQCZ+/gZ+G47t2OlCVNnE+9YasE9100MR/Sm9SBCzn6UTQ== +MIIBPTCB5KADAgECAgECMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDzENMAsGA1UEAxMEbGVhZjBZMBMG +ByqGSM49AgEGCCqGSM49AwEHA0IABDgjsTzgbEsFFuBFCp1LIRv4SwYLCLL1fxtq +95tbtGj/wHQUmrKLxMLMxaxIzdJs54lIDP+LoKeK25+HBPftwtCjMzAxMA4GA1Ud +DwEB/wQEAwIEEDAfBgNVHSMEGDAWgBRRiPL3dEhG22Qh+0GTFJ/G1SW1yDAKBggq +hkjOPQQDAgNIADBFAiABNvVUla7gqF/135UkA55FQ57M6r84IArwk43Zy2aPPgIh +AO8/F8k9VB5+I1FSiQL1qsM8yO6SUpVF9E+hNJ9n/6zU -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBSzCB8aADAgECAgEBMAoGCCqGSM49BAMCMA0xCzAJBgNVBAMTAmNhMB4XDTI0 -MDMyMjE5MzIwMVoXDTM0MDMyMjE5MzIwMVowDTELMAkGA1UEAxMCY2EwWTATBgcq -hkjOPQIBBggqhkjOPQMBBwNCAAQjjBapPc46v5hDtKeyNshq4Xdb+t+WX6R4Jgrw -py31o+0exhZhzlMYl1aelkZi/7u9fnNsuUVfgRjSZIC1aF+7o0IwQDAOBgNVHQ8B -Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUTXcnWjsWIUyEBt3d -2adthdUY/lwwCgYIKoZIzj0EAwIDSQAwRgIhAOYOmibcfPIN/8DYOdEsd6JVa1RJ -n7dwJJueg4rNwpBzAiEAiFSpjPSVbNRUJDUOYJGPpkmj+TLh5GCoz2Bw2/oed44= +MDMyMjIwNDczOVoXDTM0MDMyMjIwNDczOVowDTELMAkGA1UEAxMCY2EwWTATBgcq +hkjOPQIBBggqhkjOPQMBBwNCAARjUhxtm6QXaB2bkGKHenCToVRPhVf0PTkuS7/h +TGjHhELoMrD8r3nbqyceFEl4FUTzEMDfrj/YhefX7ZbeesSho0IwQDAOBgNVHQ8B +Af8EBAMCAgQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUUYjy93RIRttkIftB +kxSfxtUltcgwCgYIKoZIzj0EAwIDSQAwRgIhAJgRO/ig4ZBrlYjuNYpC/kqUIVsf +SKLpS9c4/lkcTGBPAiEAq+euZ8zkevab16uWx7ZaEcElKYY3xzhTr5yQYeJPOcQ= -----END CERTIFICATE----- 
diff --git a/pkg/reconciler/trustroot/testdata/tufRepo.tar b/pkg/reconciler/trustroot/testdata/tufRepo.tar index 2fcaab93c79c4c75d3f27033fc53c58b79fc04a9..53f2a8d18d2f854686dd869a530e06b820fda527 100644 GIT binary patch literal 2835 zcmV+u3+(hCiwFP!00000|Lj^@QzFZ!`>c;N?!Z1Dw!DQ-EdgA)sMDC7%5qa=` z8Gj!ShtuCrC&R((>L~C~Li~UJ7Yy__{+B}GyOlQq@o(<`f0b5NC%w*q;_CaAf0b5N zRzFRzN3{BWWwnTg)&D7mCL;=;KGS&88xD#q_&eNOco@UQIbDr(viLr#%MkBc}iaP^nwI|1o zbkSQd5rVyY(BiRo=2K)+qFtyf<`BAc{-X7U**_m1@!9q7tyozdUHX166v{w(r&&~qm0pR0fbSGag`*H zfn?S9U`2sidn99h(&T{!A()Y5leSO{7@Lx|646@JHmVerVFsf2A}aeUgC)FW#u&+j zmm#u9D!3>VCc{$^7d%O6L0cApYcEhCX9m$bjf72tffU zN{WX>LV8CLApp6kQAM&k3CAQ;;ui)>C2L|}A_a^ICB*_dB~8+Z(UY`-bLX@Nrx@n~ z3?M*qk~v|x#;+o)bPL$(c-W_hB(_MGj}hp_$M(NC62F@2v^%Crci1li6d$>8GH|0w z_en!uoIn1MAyYT*&~);I9WRcyKW0booF-FuK6=8E7nh%BEV&PuFdR&JlPL|RpB_0X zx&DMoi(3|@*iA2QYG`5KO>8YpF5>vbQFI$7z0RUIQE-MN3(-bHXkq{+Ew@biNFoT4 z7`ea+HAibx;^2%kT5^kut0W2~LMonIBGeeA7oIVT+8d`72p6?>Ns_b47*s`0GQp{U zl5@rY3*f$#R{mM~@}H(be_MIP|9=wu|5N;*Gq&XaZy`(mzvTbF3|LG4zvTZ*{=ek^ zOa8y)|4VrjdBp$kLh{w$0iNOii1J(huTbkH|9=a4g8$#AsGs!?a86TqUp{XO#v=G0 za&?~uooTmtHrH^QU<;1$P-3X`#bBwiem1MkjyJc5C-wO$RI=7_{q}b?YlUj7lhyLpvCf3HSLLHVZHzx(jj+?o zuFv*P8mFax6kF=(!_m%Q7e4ItF7{|Lwym>+{AiG$9dFNIG*)?MY+9!swVUxPp`p6d zyc${gGN^QSg zU$0lPcI`F+)a!Y(UCHHkR?RxKO7X9e4L2&4i;aVZuzA*~G%~oV%(Jb$vwM_hjdpgv z+im3HW3^p}Qlr|qZk*OMuvyA?5a`o8%N!f)BL27 zH#SQ7^^K;iQ@hui&1#z&)U$kdY;AQu5Y3(Lj5`~f=6Gjz;+lhV-W{#;&(pFj$#Em- zU9_U!+|So8D%DnfyFR&IZ?r7e^=$3Be-)2E&yJfphqGCE(4)1}#yq=fWTLPrma4N_ zUY@mT*{r@Xt7fT~=jK79wo%PKbn=7FC{)aTcPh4~)9raVs?mivI$KL?^K3isbS_HW zv(vq1t5wZ9yY;M^uV=klHoZL9+cG<@GE#fv!}`$B_FVUl*K4%bsLRM*UOPNE9GPn+ zDy917pnZL5bn1TWb;h&txO)ZXwf^O1o-QaKZT0#zn0+`6hx6n1L)QGxna?@;pk2w0 zyLWW{`i^ebb{g5)ouezqtTy}5&f0k=+@Vy@3&?JMH}ZV8TgkHaXapy_N6nqAK0j?Y z&yMH)%gfp2*40p)omX~R`{(n)`MhK|YQ}aiE40(S-tnDNb+yyk8TU_`v)Z7)vA-RA z-mQ&xt`6thN89aYHiY`DRn7Jm{%o1NlqFLu=9zU`v+C@)dbAJithHIrv%^_d1i?Iu 
zH#dvgdZ%?b-2Rw-t{r=-cz-Y{^AcUS^YY%TIVewNmCk*sEF!16Kg(wOS-sO7t@U`c5}9lCmktE>nBHT-R$pfZC}@$$62Mm-e_E$h;n%lwubptWBR#0 z8S}L@7A+n$N7uax3p>4P81u6aPdNVR_5XwXKc=(c_%#XOpWuI*FZX}mL|(}M@M!4I z#Q1b~emqX)%Zuu)7R#H}R2dIV$&MATy3I;^|G2f~Qh94LZk?6~S9u?apHzmB>$ALk zdALS8N|o78Gg5y&NbD^6-&@J|>;LsX0eNQqGs(YO{{YMN|0eRp{_kB2?`LiQe$ygc zz1w&A(eAG{&u{)ZABabeR-&*{Kw>tdVXUS~2L zj_F}&W%Y96It#2T?e*GSZ+m5RGIi6-1%z3c_CC|YmCJFj7`{<;(~thTg@6C<_5&2H z70;t+QV{5@=Sc&XOa&GgNS2~SCs~qUnUO{s=0ZTNB5H`9ORbzEhe*jdOd%vk44sMS zI2Vdh2#zCZ9|=|Bks=9`B*laj90iiWNr}?fm!P=5nEh+uc+Y|UY%mJ&=mkpUB;yja z(#dJBP+D!ABAL)4D8*!Af})Xuu|U>FZ2)}a5xi!>S{pD1h?blb3KTP(a}N--(<}xu zA{vx{NqYqp3?p!e2JDN1ale@S%TW9`S{*O`4&bX+2Xl#gP*IWz(nOVlg&@&;4H{8G zRF+hbkpXEbBrzA65{V3ubH&297CdrfT%$6IbI&-5WEJDwDkGy!(d*y?Xk@^HVU98q@0hzSlMSZ0m$go?D+!CDE@ zfi*TbVXYHV6C*8nB5RYgN=6ervrZNz$qGgklMgAR2q=*yfm~o9P*Hn^N;?UX8RfNO lh9DUO)@fxR{nfJKQkJrmrTq8H{{;X5|NkC#1WN!y006(PmJt8| literal 2837 zcmV+w3+nVAiwFP!00000|Lj^>QyWXN_OpHk!K?2%&RVh-N6bTOK?p2BLc+j}2}jl@ ziA7sW7BF%C`;8W>u`irCV8%0}jDVJ^T3uORW@Ua|S<^Tk<%8L1din0B2>^gbyuPaI zD{y&zy_R=OqSgWxSL_`yAyB_t!=I|R^X z`@~V*+`asYjIS@h{r&zCU+L^li?#Lf+?@@4F&N1pJdqZl9cYRQk}+HdMM{w5%oABD zlwrm)7QG})(KEE3M<5mHdZ0gw|9>n;TQ}S)GQuS1ypu8rN5Ms{z0f|epbbfh%y@%Z zCKj#nXe|rQ7?miZ{e{8e(FW2Yp_63EIZsJQ!I?}bld;+d9+YyxnYA&1uqm=oAP@k! 
zGwyq^tRRaVJ%`{aD5JPB(Mmyrm`Bf*V+KQkCUFef6KJnoP-K8CSn&&kB|V44Eg5H- zV>Slkxs*zv1f`Ql9=MQ_@szxkf@_1xDn;N!RFtgv9xP&p8*7qDpox%#R)I7{N{R;; znIJ9_XTcjVCURqia!L~z=VEe3|H5DeEXw(_4+WJc3ooaImG@#3KW=kyqy$9zWT<0mwEagcaMlRJm;qhUVCXK^_D^1x7u z&hl7V-m*-^G@D=N&_cg!-&(3%`0Z)5L%&TV1<*+`Y4hlm3$Hi zK{@Rr1;&L;5hF!qFh*gSbm+Np)_dlC3W+oACgnT>U|M=7RYGkN_#~_`Ttd)6 zF|GuIWI<>qkpW9Ff;Ys243QPthFh*<(A*m7tp<-eap^f{PVg9XA{7GTB(+E!6pJ@B z;YQI1$lT?DKN;s=oTR^r^JKh|ffX+tT4*M~@Z=y#C#)9D$pQ~BRS6jWT_5tW(_o%w@nbj{+yPVG} z$F;+%+c|Bft5SPwGV%dilhaGznM}5&9_YbXV>w=aJ#YERQB7^Po5Rgk$l2`d>NLAJ z7VWdW;YRkizm=9c)OM=hsr9c$>_1C>u>RBh%nwGd7y+K+{~8~!f6V|^>;Em}!TPV% z+MUKmqmp%MHvyp0DDRzA%DA0XvtF%I{57*ty;7Of_nXp|vu354!A0dN+bZ{V4$4`x zlb!GMn`L=e?KGg&tTr#3CpBzdH5Sc-(P6dIghy?Q>Q!y0ndSA2b!*v0v*zjt{o|AJ zakJd4m&%vdBW1nX-Kg23wwXaAD{mqnZ|wS!J38s$fx+F`d8_+=c+v0Ice-?WG}Ec{ zX_gY`TuuxQn?MWeo`W~rFx=6+1+cks#$MmE3204*`St<8jZ_*dr_$jd@DZ`-S+2vZ{O}Hsy9+Ug?-K^$K$W3 zu4hc8)M!=X)#hGj&m4?R+8%C>+T*i|djH;5w9&icd|~o=Wmf}lndCdKR3(e#ZD#5+OurZ-Kv~? z`0U!7yNLPM(xmGm#xVN8jDsn+g;kUWy+;2nOZT=tk+sp7f02DHgvMq=7)0DU1WtL zTxH?Kj*t~+^9@T)j?(68!?2`YHjbdsqmJwu-L40MR&s_?cSfyx|gG^ z7Td<*X zzE3;&d1ENEI-NA?Cy~|5hqK+qivPWpe82u*{|Lx4>z@}ddym#X0It^mTgVgpzqcj4 zpSAt_s6@DayYKL$-Cu2<-~9EYAo-+iU|Jckl{eN%E19*Z!8pw#84BJ6Ba=(caNz=i z;^3@B3l_cANoY)9j3P*kISW#Aa3Yc?r7R>Q9+O7NNO+~uI?uJ1iP?zXZvOgtJ{z4s zRCLhGXQOGnZ(3WQ=hRzbUFmGpZfo0X>-mgk^Cg6tpAEjo`=0r9P&8i;bzP7Cri6e0 z?)D=T0r>MUlH;J0CunfV?9?f7KhK5!wMloD55X(9-e zJfKce$dnS}T!EC*qI3#Kc;Zg6m%!LACjT-N|A|`1iw^>PQ|sUW%%vbf3u&!~D4Es9 zaYT-hfQ(HxCNzlBs^CB*2|+r^MB*GnkXBpaVkAyVa07)$Yar$oc+ftkn7EY6FlLS6 zJPH|{R)p4L@&VxAtk&@`|KA>!cx?voZ2ea~-v3uZ@KyeQ3wbL4-yNNKlLGKJ#}9rG zbrl!SM_q^Bc)%FF@kv?3&~PqelnzoS$8{ zN2G%TQdT1TjIs#Ua~++x zz(EID{DL!&C?pCV$wv~}a{)nGu5HpDwI)i=Tar$Dlnz*sQAC+EL}@6IwvK5OLLpZY ni=Zt7Dl1Vk<#nW00eB@VS;a~jFA_OpM5f>#}z+85vOLpPg{Xv8WRZcI38Wna|Y zsDTOp_ZxtAdu-3K$JZwg8MYd#i>|E9?C;B}tk^9V$tYdKn^*ss0001|^l)W|D?sFM zJ;*CaDCd}QNXaVzF=pu13H|3(dX!a?s`wQEW?{c-f+SVmf93xDMDDNuA@b<|JbW83 
z7U|n@vY7weF?RM~g#4BN2?G3u|0!Yc)yXe0;(xjS|9pLtOGbmav$=OCf4)9B$$d;W zOP70hlG{Z??q9p6Wa-SuTNfvz#e8=Mz6FOHk8N=O-L03S*d@C@2q5wX$TtXeAbUsn zI|AMS@($ena^g10-H0bS$O-aHK`#jN1Q3J;A^>X%xM0LXL=Eyracw!U%s|Q&0m=x+ zJhv3k`v>hGd#}E;h*Bu`!|mo^hHmzy8xyw~*^fh&3_q&rU=fef;cTbc|L$*}2-f29!R_TT<^e8jDqK4@{0TdwqUWOjpL?JblBNDP$##$v=JM#vk4G$2|6fuV*1 z5KpZ(92pE5XGS4q1oDy}2Ku!7`)NN~j#|qk0gfUJIJOWdhA8q_C}ItA+GFexW&|1t zFcZiTY&51&QO1!c_%}9|Wkf+N1@~A3W4zH`X<;bCP#N!`X3|>4fg`{`r5rFCdf+AH zltX6p=f)D6VJd*+5Idlmau{=fsEGZIjpd9N znj)@Z;(<$(ujui^IQD&djAkxL)ol3{O@27;zoE%Pz?j86 z86~Nkryrj<%ByMOUhli?saU0}1BdSPJH*yr zfH9~ffJ_4gjbngo0-3PF38FN##6W5}HdtE?DD=Ppji6@S18g|AL`mTkw@Mr8EhKqop#NHVlK=lh+5f+l|6_!X`TwtwWBz~4 z|9=}}9rOQV{(sE>kNN*G|3BvcNBJf4B>%q;$)COk_(uK@A!RS}e+D@_=KsG!zLNhx zK-53A2AH{2J<#VJVeEtN5v!+eK1heTcPAXlJAB=x2#>V;m~mL5Qy(WPB2LoQP@kyBo~ScWUK)YNz9BgQej}AMTj$K8P|$fhK(hh zP>PV&-Xo8&;{ZddFv1!LDDJX^J4K%u=79#j6Xt)Iqo2V%W0U{|ov?VPJKh04B1SvI zi3Ju|$DIaJO3VZi5*h2DVN_Y8xMNsp$p8|LB7}{@5DQHq&{9f>0CtpU0=zaBQectO zia|sv5mY(~DAK?mVgC1(C-{H&2LAjp{(k+R0*sIK|6d`W`#+z?t0Z;y<4@ZU{09GX z%wO<70+jM2|Njd4^FYLQq&f%MKgp@(ayl|99WCbh+qr#f-R;|CG)U4#?B3o5$1XNb zcd_w5cP#fFyoCo=Pp6B)j@Is$S9dIZlG7@2-FUhmVwk4O(*+voVvGW zF}q*iA80IS5MdYN0129@n?M*ymR_#jIrWXGLF#7edAi7u8vz)9N+PmCv7_ z+4FIJz7D6*;eKHOLOu!etL~}ema;$&8rDtAhQh)7_YbNb$i3)NHJTpOYFt!5d@L1; z?cierQTDNY7Cf8WE`do2T<^Lyu6If>y6(}-PHEl0?ymdeAd9ZACcUizJ=Da}b$wFr3}=^> z(mJ{>fy-iRcv*>PeH+kvagz1Mt;uDlhw4SM?vI=6sQLc=y+)rNc2WK~tcP8kj{Gjx zT(C-qJ7167mtrSb>9I5E3&j`lK+Q+neWdR7_p7NHE#5q9e_~Iwn9UaRx|+GCy$`K# z=DX(4?6rzV&jR-Fn=eP~ZZ?IX8qHs*`DB()=5~;$Zv8B9tJSd4DTMSQC-BqfIofX7!@kUS2Ie6g$z& zwyd}<)uSM(1h88Q)=^1Uu7>?_*pI@f5^fIT1cTDUm_b%L3qUmp>#>x@?VL1f!wf5F z8=_as`l>OX;o-83Z__-bab$QMN>XjK!qb~Vv01&SCYy59l$ck8)6H~kd$(Dy5n?dO z^7D~99Y@<>9R*~kk1b}UFrPI`K~}9~#lY|8c-D?em11x`2-}0DDTvlECFf~+vCUhy zywQROr~Y&sT!e$c&2TclY&4t2U{J3H#jqTVN0U5X7Oh3eV7vsnr5haX0RIE&-q8q7-5)mi9oT(~?RP2D`Z9-HpA*U3Hc zLiYR+>*M ztqVKS>U3FKcefW;7oA410M)En3@-PMY>F`OqO_Z1Flc7QtXI5hflkmo%ZEWX3wF-m 
z2KLaGl*)r%=1ZB7(Af*E?|nSEXZ0xb_-AWn)={OqiBM}86?-tcE)RR1!TPe(8uhjlRPUUR`^6yZbtbsCEzkOu z676jb>d)%asB=DxI<0AM+}qZ#yC50|+xmC{>%m`B>%+eHPa)PcQQym|yRLtWQqx2o z`7|sJ#z|*8(50kYUWMht64t7%Thh*YwL+~1{W`soG}UQkoX^gh-C2B5TSv8Mt=848 zJx?f^R*Q|(+Ty}pAbNThHhh|;g}>s{Qt2~3ZM8;?8n&fj1)=8f6jVCp^Lz!iui>Wn zS9}_T_1mlNRPn)0IS(=IP6A5HP0Aw{3sMc@Y(j8g`@@Z?_9j?p>+ zc;!K(Gg-BHe%Psu&xWPiB8rP5#&dnMF|J&il5)4REk#8ikMq5u^B;I$JD0SFKgy@w z-gqN%tJ+G_N!6#}WZm}bv^!1B;4?mLH-oITbK?1+b(tRxNI#6Hz45BvTNd(@n{M?g z@$HM+vMmkCPba2R2^+hF>*mz0`eHkAw@O2{x?c0XDw)#sqSwRg?XVNmO|$3D8<(c} z{#SGAaX<1)`#(Sb2-vskKN!Q8^&bH6asTI6$XDt=_a*#)s{Hffh(PYMeaA19fv~{h z+jSt$A(xyuEIqaeNQ1cslzAwy6I^@bwV@m-D-gEIa3qc6Q~|9RHcSgZnbOc(Cbf{t z35~R(R7=H_;#^@syaPr8M5I>KL4YOHPGPAr6I#;ebs)1!(#7nlqIa8Vk4-1JRiXxa zt9R#<`67GFuy(MPuJ-l}Ogg%CxfhvK?he^Ly*Q%sou#H9K8EqE)Z~o zUSp#;K#p1ov_@6~rvhbkgwtY!_lc< zasc4j@slq=KSSu-$j=NE1S7>cvw}#Zu^|u(386)fN=&W9P8Y*Y4rI2Hy0P&C*A_;VuaQf3u0Q~TowC4xC z5J7?|kNgg0rI*S>B?+M3S!bEY&NAk)A>27Yq1KpCYmvoNYrz Date: Wed, 3 Apr 2024 09:17:39 -0400 Subject: [PATCH 26/27] Fix erroneous date Signed-off-by: Cody Soyland --- hack/gentestdata/gentestdata.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go index 2600749a..cf14c55a 100644 --- a/hack/gentestdata/gentestdata.go +++ b/hack/gentestdata/gentestdata.go @@ -1,4 +1,4 @@ -// Copyright 2022 The Sigstore Authors. +// Copyright 2024 The Sigstore Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. From ee576e2d83be126ccd172f27495bea1f84a8a2ae Mon Sep 17 00:00:00 2001 From: Cody Soyland Date: Wed, 3 Apr 2024 16:11:36 -0400 Subject: [PATCH 27/27] Improve error handling 
Signed-off-by: Cody Soyland --- cmd/tester/main.go | 5 +- hack/gentestdata/gentestdata.go | 11 ++++- pkg/apis/config/sigstore_keys.go | 54 ++++++++++++++-------- pkg/reconciler/trustroot/trustroot.go | 7 ++- pkg/reconciler/trustroot/trustroot_test.go | 10 +++- pkg/webhook/validator_test.go | 14 ++++-- 6 files changed, 72 insertions(+), 29 deletions(-) diff --git a/cmd/tester/main.go b/cmd/tester/main.go index c92be42a..583198e3 100644 --- a/cmd/tester/main.go +++ b/cmd/tester/main.go @@ -154,7 +154,10 @@ func main() { log.Fatal(err) } - c := config.ConvertSigstoreKeys(context.Background(), tr.Spec.SigstoreKeys) + c, err := config.ConvertSigstoreKeys(context.Background(), tr.Spec.SigstoreKeys) + if err != nil { + log.Fatal(err) + } maps := make(map[string]*config.SigstoreKeys, 0) maps[tr.Name] = c diff --git a/hack/gentestdata/gentestdata.go b/hack/gentestdata/gentestdata.go index cf14c55a..4390023d 100644 --- a/hack/gentestdata/gentestdata.go +++ b/hack/gentestdata/gentestdata.go @@ -188,7 +188,10 @@ func genCertChain(keyUsage x509.KeyUsage) [][]byte { func genTrustRoot(sigstoreKeysMap map[string]string) (marshalledEntry []byte, err error) { trustRoot := testing.NewTrustRoot("test-trustroot", testing.WithSigstoreKeys(sigstoreKeysMap)) - sigstoreKeys := config.ConvertSigstoreKeys(context.Background(), trustRoot.Spec.SigstoreKeys) + sigstoreKeys, err := config.ConvertSigstoreKeys(context.Background(), trustRoot.Spec.SigstoreKeys) + if err != nil { + return nil, err + } err = populateLogIDs(sigstoreKeys) if err != nil { return nil, err 
@@ -254,10 +257,14 @@ func genTrustedRoot(sigstoreKeysMap map[string]string) ([]byte, error) { if err != nil { return nil, err } + certChain, err := config.DeserializeCertChain([]byte(sigstoreKeysMap["fulcio"])) + if err != nil { + return nil, err + } trustRoot := &config.SigstoreKeys{ CertificateAuthorities: []*config.CertificateAuthority{{ - CertChain: config.DeserializeCertChain([]byte(sigstoreKeysMap["fulcio"])), + CertChain: certChain, ValidFor: &config.TimeRange{ Start: &config.Timestamp{}, }, diff --git a/pkg/apis/config/sigstore_keys.go b/pkg/apis/config/sigstore_keys.go index dbb068f3..b391bd69 100644 --- a/pkg/apis/config/sigstore_keys.go +++ b/pkg/apis/config/sigstore_keys.go 
@@ -97,58 +97,74 @@ func parseSigstoreKeys(entry string, out *pbtrustroot.TrustedRoot) error { // ConvertSigstoreKeys takes a source and converts into a SigstoreKeys suitable // for serialization into a ConfigMap entry. -func ConvertSigstoreKeys(_ context.Context, source *v1alpha1.SigstoreKeys) *SigstoreKeys { - sk := &SigstoreKeys{} +func ConvertSigstoreKeys(_ context.Context, source *v1alpha1.SigstoreKeys) (sk *SigstoreKeys, err error) { + sk = &SigstoreKeys{} sk.MediaType = "application/vnd.dev.sigstore.trustedroot+json;version=0.1" sk.CertificateAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.CertificateAuthorities)) for i := range source.CertificateAuthorities { - sk.CertificateAuthorities[i] = ConvertCertificateAuthority(source.CertificateAuthorities[i]) + sk.CertificateAuthorities[i], err = ConvertCertificateAuthority(source.CertificateAuthorities[i]) + if err != nil { + return nil, fmt.Errorf("failed to convert certificate authority: %w", err) + } } sk.Tlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.TLogs)) for i := range source.TLogs { - sk.Tlogs[i] = ConvertTransparencyLogInstance(source.TLogs[i]) + sk.Tlogs[i], err = ConvertTransparencyLogInstance(source.TLogs[i]) + if err != nil { + return nil, fmt.Errorf("failed to convert transparency log instance: %w", err) + } } sk.Ctlogs = make([]*pbtrustroot.TransparencyLogInstance, len(source.CTLogs)) for i := range source.CTLogs { - sk.Ctlogs[i] = ConvertTransparencyLogInstance(source.CTLogs[i]) + sk.Ctlogs[i], err = ConvertTransparencyLogInstance(source.CTLogs[i]) + if err != nil { + return nil, fmt.Errorf("failed to convert ct log instance: %w", err) + } } sk.TimestampAuthorities = make([]*pbtrustroot.CertificateAuthority, len(source.TimeStampAuthorities)) for i := range source.TimeStampAuthorities { - sk.TimestampAuthorities[i] = ConvertCertificateAuthority(source.TimeStampAuthorities[i]) + sk.TimestampAuthorities[i], err = 
ConvertCertificateAuthority(source.TimeStampAuthorities[i]) + if err != nil { + return nil, fmt.Errorf("failed to convert timestamp authority: %w", err) + } } - return sk + return sk, nil } // ConvertCertificateAuthority converts public into private CertificateAuthority -func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) *pbtrustroot.CertificateAuthority { +func ConvertCertificateAuthority(source v1alpha1.CertificateAuthority) (*pbtrustroot.CertificateAuthority, error) { + certChain, err := DeserializeCertChain(source.CertChain) + if err != nil { + return nil, err + } return &pbtrustroot.CertificateAuthority{ Subject: &pbcommon.DistinguishedName{ Organization: source.Subject.Organization, CommonName: source.Subject.CommonName, }, Uri: source.URI.String(), - CertChain: DeserializeCertChain(source.CertChain), + CertChain: certChain, ValidFor: &pbcommon.TimeRange{ Start: ×tamppb.Timestamp{ Seconds: 0, // TODO: Add support for time range to v1alpha1.CertificateAuthority }, }, - } + }, nil } // ConvertTransparencyLogInstance converts public into private // TransparencyLogInstance. -func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pbtrustroot.TransparencyLogInstance { +func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) (*pbtrustroot.TransparencyLogInstance, error) { pbpk, pk, err := DeserializePublicKey(source.PublicKey) if err != nil { - return nil // TODO: log error? Add return error? + return nil, err } logID, err := cosign.GetTransparencyLogID(pk) if err != nil { - return nil // TODO: log error? Add return error? + return nil, err } return &pbtrustroot.TransparencyLogInstance{ @@ -158,7 +174,7 @@ func ConvertTransparencyLogInstance(source v1alpha1.TransparencyLogInstance) *pb LogId: &pbcommon.LogId{ KeyId: []byte(logID), }, - } + }, nil } func HashStringToHashAlgorithm(hash string) pbcommon.HashAlgorithm { 
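Review bot: The four errors wrapped in ConvertSigstoreKeys say which kind of entry failed but not which one, so a TrustRoot with several certificate authorities or logs leaves the operator with nothing to locate the bad entry; the loop index is already in scope, e.g. `return nil, fmt.Errorf("converting certificate authority %d: %w", i, err)`, and the same for the tlog, ctlog and timestamp-authority loops. The "failed to" prefix is redundant once the error is chained with %w, and the callers in trustroot.go and cmd/tester already add their own context. The named results `(sk *SigstoreKeys, err error)` are only there to allow the indexed tuple assignment; a short comment saying so would stop a reader from looking for a deferred use of them.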
@@ -195,17 +211,17 @@ func SerializePublicKey(publicKey *pbcommon.PublicKey) []byte { return pem.EncodeToMemory(block) } -func DeserializeCertChain(chain []byte) *pbcommon.X509CertificateChain { +func DeserializeCertChain(chain []byte) (*pbcommon.X509CertificateChain, error) { var certs []*pbcommon.X509Certificate - for { - var block *pem.Block + var block *pem.Block + for len(chain) > 0 { block, chain = pem.Decode(chain) if block == nil { - break + return nil, fmt.Errorf("failed to decode certificate chain PEM") } certs = append(certs, &pbcommon.X509Certificate{RawBytes: block.Bytes}) } - return &pbcommon.X509CertificateChain{Certificates: certs} + return &pbcommon.X509CertificateChain{Certificates: certs}, nil } func DeserializePublicKey(publicKey []byte) (*pbcommon.PublicKey, crypto.PublicKey, error) { diff --git a/pkg/reconciler/trustroot/trustroot.go b/pkg/reconciler/trustroot/trustroot.go index fdd763f8..ded2c861 100644 --- a/pkg/reconciler/trustroot/trustroot.go +++ b/pkg/reconciler/trustroot/trustroot.go @@ -68,7 +68,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, trustroot *v1alpha1.Trus case trustroot.Spec.Remote != nil: sigstoreKeys, err = r.getSigstoreKeysFromRemote(ctx, trustroot.Spec.Remote) case trustroot.Spec.SigstoreKeys != nil: - sigstoreKeys = config.ConvertSigstoreKeys(ctx, trustroot.Spec.SigstoreKeys) + sigstoreKeys, err = config.ConvertSigstoreKeys(ctx, trustroot.Spec.SigstoreKeys) default: // This should not happen since the CRD has been validated. err = fmt.Errorf("invalid TrustRoot entry: %s missing repository,remote, and sigstoreKeys", trustroot.Name) 
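Review bot: The new `for len(chain) > 0` condition in DeserializeCertChain turns any bytes left after the last PEM block into an error: pem.Decode consumes only through the END line's newline, so a chain with a trailing blank line, trailing whitespace or a text comment after the last certificate now fails with "failed to decode certificate chain PEM" where the old loop stopped cleanly, and this function is on both the TrustRoot CR path (ConvertCertificateAuthority) and the TUF target path (getSigstoreKeysFromTuf), so such input would now block reconciliation. The loop also never looks at block.Type, so a PRIVATE KEY or PUBLIC KEY block in the input is appended as a certificate; the type check is cheap and no x509 parse is visible here to catch it later. Keeping the `block == nil` break and then rejecting a non-whitespace remainder keeps the error for genuinely malformed input while tolerating whitespace (this needs the `bytes` import if the file does not already have it). A chain with zero certificates still returns success, as before; whether callers should reject an empty CertChain is worth confirming separately.
```go
func DeserializeCertChain(chain []byte) (*pbcommon.X509CertificateChain, error) {
	var certs []*pbcommon.X509Certificate
	var block *pem.Block
	for {
		block, chain = pem.Decode(chain)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q in certificate chain", block.Type)
		}
		certs = append(certs, &pbcommon.X509Certificate{RawBytes: block.Bytes})
	}
	// pem.Decode stops at the first undecodable byte; anything but whitespace
	// left over means the input was not a clean PEM chain.
	if len(bytes.TrimSpace(chain)) > 0 {
		return nil, fmt.Errorf("failed to decode certificate chain PEM")
	}
	return &pbcommon.X509CertificateChain{Certificates: certs}, nil
}
```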
@@ -272,7 +272,10 @@ func getSigstoreKeysFromTuf(ctx context.Context, tufClient *client.Client) (*con switch scm.Sigstore.Usage { case sigstoretuf.Fulcio: - certChain := config.DeserializeCertChain(dl.Bytes()) + certChain, err := config.DeserializeCertChain(dl.Bytes()) + if err != nil { + return nil, fmt.Errorf("deserializing certificate chain: %w", err) + } ret.CertificateAuthorities = append(ret.CertificateAuthorities, &config.CertificateAuthority{ Uri: scm.Sigstore.URI, diff --git a/pkg/reconciler/trustroot/trustroot_test.go b/pkg/reconciler/trustroot/trustroot_test.go index 6aee1084..af26e08d 100644 --- a/pkg/reconciler/trustroot/trustroot_test.go +++ b/pkg/reconciler/trustroot/trustroot_test.go @@ -412,7 +412,10 @@ func makeConfigMapWithSigstoreKeys() *corev1.ConfigMap { Data: make(map[string]string), } source := NewTrustRoot(trName, WithSigstoreKeys(sigstoreKeys)) - c := config.ConvertSigstoreKeys(context.Background(), source.Spec.SigstoreKeys) + c, err := config.ConvertSigstoreKeys(context.Background(), source.Spec.SigstoreKeys) + if err != nil { + panic("failed to convert test SigstoreKeys") + } for i := range c.Tlogs { c.Tlogs[i].LogId = &config.LogID{KeyId: []byte(rekorLogID)} } @@ -665,7 +668,10 @@ func TestConvertSigstoreKeys(t *testing.T) { // to make sure we exercise the path from: // v1alpha1 => config => configMap => back (this is what reconciler will // use to call cosign verification functions with). - converted := config.ConvertSigstoreKeys(context.Background(), &source) + converted, err := config.ConvertSigstoreKeys(context.Background(), &source) + if err != nil { + t.Fatalf("Failed to convert entry: %v", err) + } marshalled, err := resources.Marshal(converted) if err != nil { t.Fatalf("Failed to marshal entry: %v", err) diff --git a/pkg/webhook/validator_test.go b/pkg/webhook/validator_test.go index 3855d8a1..dcd80b09 100644 --- a/pkg/webhook/validator_test.go +++ b/pkg/webhook/validator_test.go 
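Review bot: In makeConfigMapWithSigstoreKeys the new `panic("failed to convert test SigstoreKeys")` discards err, so a broken fixture surfaces with no cause; `panic(fmt.Sprintf("failed to convert test SigstoreKeys: %v", err))` keeps it (assuming the test file already imports fmt, otherwise `panic(err)` works without one). The TestConvertSigstoreKeys hunk further down in the same file handles the same call correctly with t.Fatalf. makeConfigMapWithSigstoreKeys's body starts and ends outside this hunk.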
@@ -2954,13 +2954,17 @@ func TestFulcioCertsFromAuthority(t *testing.T) { if err != nil { t.Fatalf("Failed to deserialize CTLog public key: %v", err) } + certChain, err := config.DeserializeCertChain([]byte(certChain)) + if err != nil { + t.Fatalf("Failed to deserialize cert chain: %v", err) + } sk := config.SigstoreKeys{ CertificateAuthorities: []*config.CertificateAuthority{{ Subject: &config.DistinguishedName{ Organization: "testorg", CommonName: "testcommonname", }, - CertChain: config.DeserializeCertChain([]byte(certChain)), + CertChain: certChain, }}, Ctlogs: []*config.TransparencyLogInstance{{ LogId: &config.LogID{KeyId: []byte(ctfeLogID)}, @@ -3218,13 +3222,17 @@ func TestCheckOptsFromAuthority(t *testing.T) { BaseUrl: "rekor.example.com", }}, } + certChainPB, err := config.DeserializeCertChain([]byte(certChain)) + if err != nil { + t.Fatalf("Failed to unmarshal cert chain for testing: %v", err) + } skFulcio := config.SigstoreKeys{ CertificateAuthorities: []*config.CertificateAuthority{{ Subject: &config.DistinguishedName{ Organization: "testorg", CommonName: "testcommonname", }, - CertChain: config.DeserializeCertChain([]byte(certChain)), + CertChain: certChainPB, }}, Ctlogs: []*config.TransparencyLogInstance{{ LogId: &config.LogID{KeyId: []byte(ctfeLogID)}, @@ -3242,7 +3250,7 @@ func TestCheckOptsFromAuthority(t *testing.T) { Organization: "testorg", CommonName: "testcommonname", }, - CertChain: config.DeserializeCertChain([]byte(certChain)), + CertChain: certChainPB, }}, Ctlogs: []*config.TransparencyLogInstance{{ LogId: &config.LogID{KeyId: []byte(ctfeLogID)},
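Review bot: In TestFulcioCertsFromAuthority the new `certChain, err := config.DeserializeCertChain([]byte(certChain))` reuses the PEM string's name for the decoded protobuf, so from this line on `certChain` means something different from what it meant one line earlier, while TestCheckOptsFromAuthority in the same file names the decoded value `certChainPB`; using `certChainPB` in the first test as well would keep the two consistent and avoid the shadowing. This only compiles if the string `certChain` is declared in an enclosing scope, which the hunk does not show. The test function's body starts and ends outside the hunk.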