Merge pull request #673 from sigstore/no-more-current

Remove current tlog/ca refs from trusted_root
sigstore · Apr 3, 2024 · 1a175b4 · 1a175b4
2 parents 1ba6f8b + cf700f3
commit 1a175b4
Show file tree

Hide file tree

Showing 22 changed files with 189 additions and 442 deletions.
diff --git a/fuzzing/src/main/java/util/Tuf.java b/fuzzing/src/main/java/util/Tuf.java
@@ -17,18 +17,14 @@
 
 import com.code_intelligence.jazzer.api.FuzzedDataProvider;
 import com.google.common.hash.Hashing;
-import dev.sigstore.trustroot.CertificateAuthorities;
 import dev.sigstore.trustroot.CertificateAuthority;
-import dev.sigstore.trustroot.ImmutableCertificateAuthorities;
 import dev.sigstore.trustroot.ImmutableCertificateAuthority;
 import dev.sigstore.trustroot.ImmutableLogId;
 import dev.sigstore.trustroot.ImmutablePublicKey;
 import dev.sigstore.trustroot.ImmutableSubject;
 import dev.sigstore.trustroot.ImmutableTransparencyLog;
-import dev.sigstore.trustroot.ImmutableTransparencyLogs;
 import dev.sigstore.trustroot.ImmutableValidFor;
 import dev.sigstore.trustroot.TransparencyLog;
-import dev.sigstore.trustroot.TransparencyLogs;
 import java.io.ByteArrayInputStream;
 import java.net.URI;
 import java.security.cert.CertPath;
@@ -47,17 +43,17 @@ public final class Tuf {
   // ecdsa key size in bytes
   private static final int ECDSA_KEY_BYTES = 91;
 
-  public static TransparencyLogs transparencyLogsFrom(FuzzedDataProvider data) {
-    return ImmutableTransparencyLogs.builder().addTransparencyLog(genTlog(data)).build();
+  public static List<TransparencyLog> transparencyLogsFrom(FuzzedDataProvider data) {
+    return List.of(genTlog(data));
   }
 
-  public static CertificateAuthorities certificateAuthoritiesFrom(FuzzedDataProvider data)
+  public static List<CertificateAuthority> certificateAuthoritiesFrom(FuzzedDataProvider data)
       throws CertificateException {
-    return ImmutableCertificateAuthorities.builder().addCertificateAuthority(genCA(data)).build();
+    return List.of(genCA(data));
   }
 
   private static CertPath genCertPath(FuzzedDataProvider data) throws CertificateException {
-    List<Certificate> certList = new ArrayList<Certificate>();
+    List<Certificate> certList = new ArrayList<>();
     CertificateFactory cf = CertificateFactory.getInstance("X.509");
     certList.add(
         cf.generateCertificate(new ByteArrayInputStream(data.consumeBytes(MAX_CERT_SIZE))));

diff --git a/sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java b/sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java
@@ -22,6 +22,7 @@
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import com.google.errorprone.annotations.CheckReturnValue;
 import com.google.errorprone.annotations.concurrent.GuardedBy;
+import dev.sigstore.KeylessVerifier.Builder;
 import dev.sigstore.encryption.certificates.Certificates;
 import dev.sigstore.encryption.signers.Signer;
 import dev.sigstore.encryption.signers.Signers;
@@ -41,6 +42,7 @@
 import dev.sigstore.rekor.client.RekorVerifier;
 import dev.sigstore.tuf.SigstoreTufClient;
 import java.io.IOException;
+import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.security.InvalidAlgorithmParameterException;
@@ -132,15 +134,29 @@ public static Builder builder() {
   }
 
   public static class Builder {
-    private SigstoreTufClient sigstoreTufClient;
+    private TrustedRootProvider trustedRootProvider;
     private OidcClients oidcClients;
     private List<OidcIdentity> oidcIdentities = Collections.emptyList();
     private Signer signer;
     private Duration minSigningCertificateLifetime = DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME;
+    private URI fulcioUri;
+    private URI rekorUri;
 
     @CanIgnoreReturnValue
-    public Builder sigstoreTufClient(SigstoreTufClient sigstoreTufClient) {
-      this.sigstoreTufClient = sigstoreTufClient;
+    public Builder fulcioUrl(URI uri) {
+      this.fulcioUri = uri;
+      return this;
+    }
+
+    @CanIgnoreReturnValue
+    public Builder rekorUrl(URI uri) {
+      this.rekorUri = uri;
+      return this;
+    }
+
+    @CanIgnoreReturnValue
+    public Builder trustedRoot(Path trustedRoot) {
+      trustedRootProvider = TrustedRootProvider.from(trustedRoot);
       return this;
     }
 
@@ -152,7 +168,8 @@ public Builder oidcClients(OidcClients oidcClients) {
 
     /**
      * An allow list OIDC identities to be used during signing. If the OidcClients are misconfigured
-     * or pick up unexpected credentials, this should prevent signing from proceeding
+     * or pick up unexpected credentials, this should prevent signing from proceeding. Cannot be
+     * null but can be an empty list and will allow all identities.
      */
     @CanIgnoreReturnValue
     public Builder allowedOidcIdentities(List<OidcIdentity> oidcIdentities) {
@@ -188,14 +205,17 @@ public Builder minSigningCertificateLifetime(Duration minSigningCertificateLifet
     public KeylessSigner build()
         throws CertificateException, IOException, NoSuchAlgorithmException, InvalidKeySpecException,
             InvalidKeyException, InvalidAlgorithmParameterException {
-      Preconditions.checkNotNull(sigstoreTufClient, "sigstoreTufClient");
-      sigstoreTufClient.update();
-      var trustedRoot = sigstoreTufClient.getSigstoreTrustedRoot();
-      var fulcioClient =
-          FulcioClient.builder().setUri(trustedRoot.getCAs().current().getUri()).build();
+      Preconditions.checkNotNull(trustedRootProvider);
+      var trustedRoot = trustedRootProvider.get();
+      Preconditions.checkNotNull(fulcioUri);
+      Preconditions.checkNotNull(rekorUri);
+      Preconditions.checkNotNull(oidcClients);
+      Preconditions.checkNotNull(oidcIdentities);
+      Preconditions.checkNotNull(signer);
+      Preconditions.checkNotNull(minSigningCertificateLifetime);
+      var fulcioClient = FulcioClient.builder().setUri(fulcioUri).build();
       var fulcioVerifier = FulcioVerifier.newFulcioVerifier(trustedRoot);
-      var rekorClient =
-          RekorClient.builder().setUri(trustedRoot.getTLogs().current().getBaseUrl()).build();
+      var rekorClient = RekorClient.builder().setUri(rekorUri).build();
       var rekorVerifier = RekorVerifier.newRekorVerifier(trustedRoot);
       return new KeylessSigner(
           fulcioClient,
@@ -213,9 +233,12 @@ public KeylessSigner build()
      * ecdsa signing.
      */
     @CanIgnoreReturnValue
-    public Builder sigstorePublicDefaults() throws IOException, NoSuchAlgorithmException {
-      sigstoreTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
-      oidcClients(OidcClients.DEFAULTS);
+    public Builder sigstorePublicDefaults() {
+      var sigstoreTufClientBuilder = SigstoreTufClient.builder().usePublicGoodInstance();
+      trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
+      fulcioUri = FulcioClient.PUBLIC_GOOD_URI;
+      rekorUri = RekorClient.PUBLIC_GOOD_URI;
+      oidcClients(OidcClients.PUBLIC_GOOD);
       signer(Signers.newEcdsaSigner());
       minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
       return this;
@@ -226,9 +249,12 @@ public Builder sigstorePublicDefaults() throws IOException, NoSuchAlgorithmExcep
      * signing.
      */
     @CanIgnoreReturnValue
-    public Builder sigstoreStagingDefaults() throws IOException, NoSuchAlgorithmException {
-      sigstoreTufClient = SigstoreTufClient.builder().useStagingInstance().build();
-      oidcClients(OidcClients.STAGING_DEFAULTS);
+    public Builder sigstoreStagingDefaults() {
+      var sigstoreTufClientBuilder = SigstoreTufClient.builder().useStagingInstance();
+      trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
+      fulcioUri = FulcioClient.STAGING_URI;
+      rekorUri = RekorClient.STAGING_URI;
+      oidcClients(OidcClients.STAGING);
       signer(Signers.newEcdsaSigner());
       minSigningCertificateLifetime(DEFAULT_MIN_SIGNING_CERTIFICATE_LIFETIME);
       return this;

diff --git a/sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java b/sigstore-java/src/main/java/dev/sigstore/KeylessVerifier.java
@@ -79,23 +79,23 @@ public KeylessVerifier build()
       var fulcioVerifier = FulcioVerifier.newFulcioVerifier(trustedRoot);
       var rekorVerifier = RekorVerifier.newRekorVerifier(trustedRoot);
       var rekorClients =
-          trustedRoot.getTLogs().getTransparencyLogs().stream()
+          trustedRoot.getTLogs().stream()
               .map(TransparencyLog::getBaseUrl)
               .distinct()
               .map(uri -> RekorClient.builder().setUri(uri).build())
               .collect(Collectors.toList());
       return new KeylessVerifier(fulcioVerifier, rekorClients, rekorVerifier);
     }
 
-    public Builder sigstorePublicDefaults() throws IOException {
-      var sigstoreTufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
-      trustedRootProvider = TrustedRootProvider.from(sigstoreTufClient);
+    public Builder sigstorePublicDefaults() {
+      var sigstoreTufClientBuilder = SigstoreTufClient.builder().usePublicGoodInstance();
+      trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
       return this;
     }
 
-    public Builder sigstoreStagingDefaults() throws IOException {
-      var sigstoreTufClient = SigstoreTufClient.builder().useStagingInstance().build();
-      trustedRootProvider = TrustedRootProvider.from(sigstoreTufClient);
+    public Builder sigstoreStagingDefaults() {
+      var sigstoreTufClientBuilder = SigstoreTufClient.builder().useStagingInstance();
+      trustedRootProvider = TrustedRootProvider.from(sigstoreTufClientBuilder);
       return this;
     }
 
@@ -220,7 +220,7 @@ private RekorEntry getEntryFromRekor(
       byte[] artifactDigest, X509Certificate leafCert, byte[] signature)
       throws KeylessVerificationException {
     // rebuild the hashedRekord so we can query the log for it
-    HashedRekordRequest hashedRekordRequest = null;
+    HashedRekordRequest hashedRekordRequest;
     try {
       hashedRekordRequest =
           HashedRekordRequest.newHashedRekordRequest(

diff --git a/sigstore-java/src/main/java/dev/sigstore/TrustedRootProvider.java b/sigstore-java/src/main/java/dev/sigstore/TrustedRootProvider.java
@@ -37,9 +37,10 @@ SigstoreTrustedRoot get()
       throws InvalidAlgorithmParameterException, CertificateException, InvalidKeySpecException,
           NoSuchAlgorithmException, IOException, InvalidKeyException;
 
-  static TrustedRootProvider from(SigstoreTufClient tufClient) {
-    Preconditions.checkNotNull(tufClient);
+  static TrustedRootProvider from(SigstoreTufClient.Builder tufClientBuilder) {
+    Preconditions.checkNotNull(tufClientBuilder);
     return () -> {
+      var tufClient = tufClientBuilder.build();
       tufClient.update();
       return tufClient.getSigstoreTrustedRoot();
     };

diff --git a/sigstore-java/src/main/java/dev/sigstore/encryption/signers/Signers.java b/sigstore-java/src/main/java/dev/sigstore/encryption/signers/Signers.java
@@ -22,16 +22,24 @@
 public class Signers {
 
   /** Create a new ECDSA signer with 256 bit keysize. */
-  public static EcdsaSigner newEcdsaSigner() throws NoSuchAlgorithmException {
-    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
-    keyGen.initialize(256);
-    return new EcdsaSigner(keyGen.generateKeyPair());
+  public static EcdsaSigner newEcdsaSigner() {
+    try {
+      KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+      keyGen.initialize(256);
+      return new EcdsaSigner(keyGen.generateKeyPair());
+    } catch (NoSuchAlgorithmException nse) {
+      throw new RuntimeException("No EC algorithm found in Runtime", nse);
+    }
   }
 
   /** Create a new RSA signer with 2048 bit keysize. */
-  public static RsaSigner newRsaSigner() throws NoSuchAlgorithmException {
-    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-    keyGen.initialize(2048);
-    return new RsaSigner(keyGen.generateKeyPair());
+  public static RsaSigner newRsaSigner() {
+    try {
+      KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+      keyGen.initialize(2048);
+      return new RsaSigner(keyGen.generateKeyPair());
+    } catch (NoSuchAlgorithmException nse) {
+      throw new RuntimeException("No RSA algorithm found in Runtime", nse);
+    }
   }
 }
diff --git a/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioClient.java b/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioClient.java
@@ -42,6 +42,9 @@
 /** A client to communicate with a fulcio service instance over gRPC. */
 public class FulcioClient {
 
+  public static final URI PUBLIC_GOOD_URI = URI.create("https://fulcio.sigstore.dev");
+  public static final URI STAGING_URI = URI.create("https://fulcio.sigstage.dev");
+
   private final HttpParams httpParams;
   private final URI uri;
 
@@ -55,7 +58,7 @@ private FulcioClient(HttpParams httpParams, URI uri) {
   }
 
   public static class Builder {
-    private URI uri = URI.create("https://fulcio.sigstore.dev");
+    private URI uri = PUBLIC_GOOD_URI;
     private HttpParams httpParams = ImmutableHttpParams.builder().build();
 
     private Builder() {}

diff --git a/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioVerifier.java b/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioVerifier.java
@@ -20,9 +20,9 @@
 import dev.sigstore.encryption.certificates.transparency.CTLogInfo;
 import dev.sigstore.encryption.certificates.transparency.CTVerificationResult;
 import dev.sigstore.encryption.certificates.transparency.CTVerifier;
-import dev.sigstore.trustroot.CertificateAuthorities;
+import dev.sigstore.trustroot.CertificateAuthority;
 import dev.sigstore.trustroot.SigstoreTrustedRoot;
-import dev.sigstore.trustroot.TransparencyLogs;
+import dev.sigstore.trustroot.TransparencyLog;
 import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.NoSuchAlgorithmException;
@@ -46,8 +46,8 @@
 
 /** Verifier for fulcio generated signing cerificates */
 public class FulcioVerifier {
-  private final CertificateAuthorities cas;
-  private final TransparencyLogs ctLogs;
+  private final List<CertificateAuthority> cas;
+  private final List<TransparencyLog> ctLogs;
   private final CTVerifier ctVerifier;
 
   public static FulcioVerifier newFulcioVerifier(SigstoreTrustedRoot trustRoot)
@@ -57,11 +57,11 @@ public static FulcioVerifier newFulcioVerifier(SigstoreTrustedRoot trustRoot)
   }
 
   public static FulcioVerifier newFulcioVerifier(
-      CertificateAuthorities cas, TransparencyLogs ctLogs)
+      List<CertificateAuthority> cas, List<TransparencyLog> ctLogs)
       throws InvalidKeySpecException, NoSuchAlgorithmException, InvalidAlgorithmParameterException,
           CertificateException {
     List<CTLogInfo> logs = new ArrayList<>();
-    for (var ctLog : ctLogs.all()) {
+    for (var ctLog : ctLogs) {
       logs.add(
           new CTLogInfo(
               ctLog.getPublicKey().toJavaPublicKey(), "CT Log", ctLog.getBaseUrl().toString()));
@@ -75,15 +75,15 @@ public static FulcioVerifier newFulcioVerifier(
                     .orElse(null));
 
     // check to see if we can use all fulcio roots (this is a bit eager)
-    for (var ca : cas.all()) {
+    for (var ca : cas) {
       ca.asTrustAnchor();
     }
 
     return new FulcioVerifier(cas, ctLogs, verifier);
   }
 
   private FulcioVerifier(
-      CertificateAuthorities cas, TransparencyLogs ctLogs, CTVerifier ctVerifier) {
+      List<CertificateAuthority> cas, List<TransparencyLog> ctLogs, CTVerifier ctVerifier) {
     this.cas = cas;
     this.ctLogs = ctLogs;
     this.ctVerifier = ctVerifier;
@@ -122,7 +122,7 @@ private void verifyEmbeddedScts(CertPath certPath) throws FulcioVerificationExce
       var logId = sct.getLogID();
       var entryTime = Instant.ofEpochMilli(sct.getTimestamp());
 
-      var ctLog = ctLogs.find(logId, entryTime);
+      var ctLog = TransparencyLog.find(ctLogs, logId, entryTime);
       if (ctLog.isPresent()) {
         // TODO: currently we only require one valid SCT, but maybe this should be configurable?
         // found at least one valid sct with a matching valid log
@@ -178,7 +178,7 @@ CertPath validateCertPath(CertPath signingCertificate) throws FulcioVerification
     }
 
     var leaf = Certificates.getLeaf(signingCertificate);
-    var validCAs = cas.find(leaf.getNotBefore().toInstant());
+    var validCAs = CertificateAuthority.find(cas, leaf.getNotBefore().toInstant());
 
     if (validCAs.size() == 0) {
       throw new FulcioVerificationException(

diff --git a/sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcClients.java b/sigstore-java/src/main/java/dev/sigstore/oidc/client/OidcClients.java
@@ -20,10 +20,10 @@
 /** An ordered list of oidc clients to use when looking for credentials. */
 public class OidcClients {
 
-  public static final OidcClients DEFAULTS =
+  public static final OidcClients PUBLIC_GOOD =
       of(GithubActionsOidcClient.builder().build(), WebOidcClient.builder().build());
 
-  public static final OidcClients STAGING_DEFAULTS =
+  public static final OidcClients STAGING =
       of(
           GithubActionsOidcClient.builder().build(),
           WebOidcClient.builder().setIssuer(WebOidcClient.STAGING_DEX_ISSUER).build());

diff --git a/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorClient.java b/sigstore-java/src/main/java/dev/sigstore/rekor/client/RekorClient.java
@@ -35,6 +35,9 @@
 
 /** A client to communicate with a rekor service instance. */
 public class RekorClient {
+  public static final URI PUBLIC_GOOD_URI = URI.create("https://rekor.sigstore.dev");
+  public static final URI STAGING_URI = URI.create("https://rekor.sigstage.dev");
+
   public static final String REKOR_ENTRIES_PATH = "/api/v1/log/entries";
   public static final String REKOR_INDEX_SEARCH_PATH = "/api/v1/index/retrieve";
 
@@ -52,7 +55,7 @@ private RekorClient(HttpParams httpParams, URI uri) {
 
   public static class Builder {
     private HttpParams httpParams = ImmutableHttpParams.builder().build();
-    private URI uri = URI.create("https://rekor.sigstore.dev");
+    private URI uri = PUBLIC_GOOD_URI;
 
     private Builder() {}