Skip to content

Commit

Permalink
trustroot: initial client config messages (#277)
Browse files Browse the repository at this point in the history
* trustroot: initial client config messages

Signed-off-by: William Woodruff <[email protected]>

* trustroot: docs

Signed-off-by: William Woodruff <[email protected]>

* codegen

Signed-off-by: William Woodruff <[email protected]>

* add TSA url, rename

Signed-off-by: William Woodruff <[email protected]>

* tweak tsa_url

Signed-off-by: William Woodruff <[email protected]>

* gen, protos: multiple tlogs and tsas

Signed-off-by: William Woodruff <[email protected]>

* Apply suggestions from code review

Co-authored-by: Fredrik Skogman <[email protected]>
Signed-off-by: William Woodruff <[email protected]>

* gen: regenerate

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Fredrik Skogman <[email protected]>
  • Loading branch information
woodruffw and kommendorkapten authored Apr 2, 2024
1 parent 0d09353 commit 58ba3ec
Show file tree
Hide file tree
Showing 9 changed files with 943 additions and 85 deletions.
299 changes: 299 additions & 0 deletions gen/jsonschema/schemas/ClientTrustConfig.schema.json

Large diffs are not rendered by default.

36 changes: 36 additions & 0 deletions gen/jsonschema/schemas/SigningConfig.schema.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/SigningConfig",
"definitions": {
"SigningConfig": {
"properties": {
"caUrl": {
"type": "string",
"description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
},
"oidcUrl": {
"type": "string",
"description": "A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
},
"tlogUrls": {
"items": {
"type": "string"
},
"type": "array",
"description": "One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
},
"tsaUrls": {
"items": {
"type": "string"
},
"type": "array",
"description": "One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
}
},
"additionalProperties": false,
"type": "object",
"title": "Signing Config",
"description": "SigningConfig represents the trusted entities/state needed by Sigstore signing. In particular, it primarily contains service URLs that a Sigstore signer may need to connect to for the online aspects of signing."
}
}
}
388 changes: 303 additions & 85 deletions gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go

Large diffs are not rendered by default.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

14 changes: 14 additions & 0 deletions gen/pb-ruby/lib/sigstore_trustroot_pb.rb

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Original file line number Diff line number Diff line change
Expand Up @@ -136,3 +136,70 @@ pub struct TrustedRoot {
#[prost(message, repeated, tag = "5")]
pub timestamp_authorities: ::prost::alloc::vec::Vec<CertificateAuthority>,
}
/// SigningConfig represents the trusted entities/state needed by Sigstore
/// signing. In particular, it primarily contains service URLs that a Sigstore
/// signer may need to connect to for the online aspects of signing.
#[derive(
sigstore_protobuf_specs_derive::Deserialize_proto,
sigstore_protobuf_specs_derive::Serialize_proto
)]
#[derive(::prost_reflect::ReflectMessage)]
#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.SigningConfig")]
#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct SigningConfig {
/// A URL to a Fulcio-compatible CA, capable of receiving
/// Certificate Signing Requests (CSRs) and responding with
/// issued certificates.
///
/// This URL **MUST** be the "base" URL for the CA, which clients
/// should construct an appropriate CSR endpoint on top of.
/// For example, if `ca_url` is `<https://example.com/ca`,> then
/// the client **MAY** construct the CSR endpoint as
/// `<https://example.com/ca/api/v2/signingCert`.>
#[prost(string, tag = "1")]
pub ca_url: ::prost::alloc::string::String,
/// A URL to an OpenID Connect identity provider.
///
/// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
/// should perform well-known OpenID Connect discovery against.
#[prost(string, tag = "2")]
pub oidc_url: ::prost::alloc::string::String,
/// One or more URLs to Rekor-compatible transparency log.
///
/// Each URL **MUST** be the "base" URL for the transparency log,
/// which clients should construct appropriate API endpoints on top of.
#[prost(string, repeated, tag = "3")]
pub tlog_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
/// One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
///
/// Each URL **MUST** be the **full** URL for the TSA, meaning that it
/// should be suitable for submitting Time Stamp Requests (TSRs) to
/// via HTTP, per RFC 3161.
#[prost(string, repeated, tag = "4")]
pub tsa_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
}
/// ClientTrustConfig describes the complete state needed by a client
/// to perform both signing and verification operations against a particular
/// instance of Sigstore.
#[derive(
sigstore_protobuf_specs_derive::Deserialize_proto,
sigstore_protobuf_specs_derive::Serialize_proto
)]
#[derive(::prost_reflect::ReflectMessage)]
#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.ClientTrustConfig")]
#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
#[allow(clippy::derive_partial_eq_without_eq)]
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ClientTrustConfig {
/// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
#[prost(string, tag = "1")]
pub media_type: ::prost::alloc::string::String,
/// The root of trust, which MUST be present.
#[prost(message, optional, tag = "2")]
pub trusted_root: ::core::option::Option<TrustedRoot>,
/// Configuration for signing clients, which MUST be present.
#[prost(message, optional, tag = "3")]
pub signing_config: ::core::option::Option<SigningConfig>,
}
Binary file not shown.
114 changes: 114 additions & 0 deletions gen/pb-typescript/src/__generated__/sigstore_trustroot.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

51 changes: 51 additions & 0 deletions protos/sigstore_trustroot.proto
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@
syntax = "proto3";
package dev.sigstore.trustroot.v1;

import "google/api/field_behavior.proto";
import "sigstore_common.proto";

option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1";
Expand Down Expand Up @@ -121,3 +122,53 @@ message TrustedRoot {
// A set of trusted timestamping authorities.
repeated CertificateAuthority timestamp_authorities = 5;
}


// SigningConfig represents the trusted entities/state needed by Sigstore
// signing. In particular, it primarily contains service URLs that a Sigstore
// signer may need to connect to for the online aspects of signing.
message SigningConfig {
// A URL to a Fulcio-compatible CA, capable of receiving
// Certificate Signing Requests (CSRs) and responding with
// issued certificates.
//
// This URL **MUST** be the "base" URL for the CA, which clients
// should construct an appropriate CSR endpoint on top of.
// For example, if `ca_url` is `https://example.com/ca`, then
// the client **MAY** construct the CSR endpoint as
// `https://example.com/ca/api/v2/signingCert`.
string ca_url = 1;

// A URL to an OpenID Connect identity provider.
//
// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
// should perform well-known OpenID Connect discovery against.
string oidc_url = 2;

// One or more URLs to Rekor-compatible transparency log.
//
// Each URL **MUST** be the "base" URL for the transparency log,
// which clients should construct appropriate API endpoints on top of.
repeated string tlog_urls = 3;

// One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
//
// Each URL **MUST** be the **full** URL for the TSA, meaning that it
// should be suitable for submitting Time Stamp Requests (TSRs) to
// via HTTP, per RFC 3161.
repeated string tsa_urls = 4;
}

// ClientTrustConfig describes the complete state needed by a client
// to perform both signing and verification operations against a particular
// instance of Sigstore.
message ClientTrustConfig {
// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
string media_type = 1;

// The root of trust, which MUST be present.
TrustedRoot trusted_root = 2 [(google.api.field_behavior) = REQUIRED];

// Configuration for signing clients, which MUST be present.
SigningConfig signing_config = 3 [(google.api.field_behavior) = REQUIRED];
}

0 comments on commit 58ba3ec

Please sign in to comment.