Adopt TrustAnchorIdentifiers from v03 of MTC draft

.github/workflows/go.yml

@@ -17,7 +17,7 @@ jobs:
     - uses: actions/checkout@v4
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@v5
       with:
         go-version: '1.23'
 

README.md

@@ -107,7 +107,7 @@ For every batch, the CA signs that root together with all the roots
 Let's create an MTC CA.
 
 ```
-$ mtc ca new --batch-duration 5m --lifetime 1h my-mtc-ca ca.example.com/path
+$ mtc ca new --batch-duration 5m --lifetime 1h my-mtc-ca 123.12.15 ca.example.com/path
 ```
 
 This creates a new MTC CA called `my-mtc-ca`, and puts the data in the

ca/ca.go

@@ -30,6 +30,7 @@ var (
 
 type NewOpts struct {
 	IssuerId   string
+	IssuerOID  mtc.TrustAnchorIdentifier
 	HttpServer string
 
 	// Fields below are optional.
@@ -991,7 +992,7 @@ func (h *Handle) issueBatchTo(dir string, batch mtc.Batch, empty bool) error {
 	return nil
 }
 
-// Creates a new Merkle Tree CA, and opens it.
+// New creates a new Merkle Tree CA, and opens it.
 //
 // Call Handle.Close() when done.
 func New(path string, opts NewOpts) (*Handle, error) {
@@ -1035,6 +1036,7 @@ func New(path string, opts NewOpts) (*Handle, error) {
 
 	h.params.HttpServer = opts.HttpServer
 	h.params.IssuerId = opts.IssuerId
+	h.params.IssuerOID = opts.IssuerOID
 
 	if opts.SignatureScheme == 0 {
 		opts.SignatureScheme = mtc.TLSDilitihium5r3

cmd/mtc/main.go

@@ -1,8 +1,10 @@
 package main
 
 import (
+	"errors"
 	"github.com/bwesterb/mtc"
 	"github.com/bwesterb/mtc/ca"
+	"reflect"
 
 	"github.com/urfave/cli/v2"
 	"golang.org/x/crypto/cryptobyte"
@@ -11,7 +13,6 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/pem"
-	"errors"
 	"fmt"
 	"io"
 	"net"
@@ -396,15 +397,24 @@ func handleCaShowQueue(cc *cli.Context) error {
 }
 
 func handleCaNew(cc *cli.Context) error {
-	if cc.Args().Len() != 2 {
+	if cc.Args().Len() != 3 {
 		cli.ShowSubcommandHelp(cc)
 		return errArgs
 	}
+
+	taiString := cc.Args().Get(1)
+	tai := mtc.TrustAnchorIdentifier{}
+	err := tai.UnmarshalText([]byte(taiString))
+	if err != nil {
+		return err
+	}
+
 	h, err := ca.New(
 		cc.String("ca-path"),
 		ca.NewOpts{
 			IssuerId:   cc.Args().Get(0),
-			HttpServer: cc.Args().Get(1),
+			IssuerOID:  tai,
+			HttpServer: cc.Args().Get(2),
 
 			BatchDuration:   cc.Duration("batch-duration"),
 			StorageDuration: cc.Duration("storage-duration"),
@@ -585,13 +595,10 @@ func handleInspectCert(cc *cli.Context) error {
 	w := tabwriter.NewWriter(os.Stdout, 1, 1, 1, ' ', 0)
 	writeAssertion(w, c.Assertion)
 	fmt.Fprintf(w, "\n")
-	fmt.Fprintf(w, "proof_type\t%v\n", c.Proof.TrustAnchor().ProofType())
+	fmt.Fprintf(w, "proof_type\t%v\n", c.Proof.TrustAnchorIdentifier().ProofType())
 
-	switch anch := c.Proof.TrustAnchor().(type) {
-	case *mtc.MerkleTreeTrustAnchor:
-		fmt.Fprintf(w, "issuer_id\t%s\n", anch.IssuerId())
-		fmt.Fprintf(w, "batch\t%d\n", anch.BatchNumber())
-	}
+	fmt.Fprintf(w, "CA OID\t%s\n", c.Proof.TrustAnchorIdentifier().CAIdentifier())
+	fmt.Fprintf(w, "Batch number\t%d\n", c.Proof.TrustAnchorIdentifier().BatchNumber())
 
 	switch proof := c.Proof.(type) {
 	case *mtc.MerkleTreeProof:
@@ -604,18 +611,16 @@ func handleInspectCert(cc *cli.Context) error {
 
 		params, err := inspectGetCAParams(cc)
 		if err == nil {
-			anch := proof.TrustAnchor().(*mtc.MerkleTreeTrustAnchor)
-
 			batch := &mtc.Batch{
 				CA:     params,
-				Number: anch.BatchNumber(),
+				Number: proof.TrustAnchorIdentifier().BatchNumber(),
 			}
 
-			if anch.IssuerId() != params.IssuerId {
+			if !reflect.DeepEqual(proof.TrustAnchorIdentifier().CAIdentifier(), params.IssuerOID) {
 				return fmt.Errorf(
 					"IssuerId doesn't match: %s ≠ %s",
-					params.IssuerId,
-					anch.IssuerId(),
+					params.IssuerOID,
+					proof.TrustAnchorIdentifier().CAIdentifier(),
 				)
 			}
 			aa := c.Assertion.Abridge()
@@ -629,7 +634,7 @@ func handleInspectCert(cc *cli.Context) error {
 			}
 
 			fmt.Fprintf(w, "recomputed root\t%x\n", root)
-		} else if err != errNoCaParams {
+		} else if !errors.Is(err, errNoCaParams) {
 			return err
 		}
 
@@ -722,6 +727,7 @@ func handleInspectCaParams(cc *cli.Context) error {
 	}
 	w := tabwriter.NewWriter(os.Stdout, 1, 1, 1, ' ', 0)
 	fmt.Fprintf(w, "issuer_id\t%s\n", p.IssuerId)
+	fmt.Fprintf(w, "issuer_oid\t%s\n", p.IssuerOID)
 	fmt.Fprintf(w, "start_time\t%d\t%s\n", p.StartTime,
 		time.Unix(int64(p.StartTime), 0))
 	fmt.Fprintf(w, "batch_duration\t%d\t%s\n", p.BatchDuration,
@@ -764,7 +770,7 @@ func main() {
 						Name:      "new",
 						Usage:     "creates a new CA",
 						Action:    handleCaNew,
-						ArgsUsage: "<issuer-id> <http-server>",
+						ArgsUsage: "<issuer-id> <issuer-oid> <http-server>",
 						Flags: []cli.Flag{
 							&cli.DurationFlag{
 								Name:    "batch-duration",
@@ -781,6 +787,12 @@ func main() {
 								Aliases: []string{"s"},
 								Usage:   "time to serve assertions",
 							},
+							&cli.StringFlag{
+								Name:    "ca-path",
+								Aliases: []string{"p"},
+								Usage:   "root directory to store CA files",
+								Value:   ".",
+							},
 						},
 					},
 					{