diff --git a/cmd/conformance/main.go b/cmd/conformance/main.go index d6c40263..ad8e337c 100644 --- a/cmd/conformance/main.go +++ b/cmd/conformance/main.go @@ -237,12 +237,12 @@ func main() { os.Exit(1) } - if len(tr.TSACertificateAuthorities()) > 0 && len(bundleTimestamps) > 0 { + if len(tr.TimestampingAuthorities()) > 0 && len(bundleTimestamps) > 0 { verifierConfig = append(verifierConfig, verify.WithSignedTimestamps(1)) } // Check bundle and trusted root for Tlog information - if len(tr.TlogAuthorities()) > 0 && b.HasInclusionPromise() { + if len(tr.RekorLogs()) > 0 && b.HasInclusionPromise() { verifierConfig = append(verifierConfig, verify.WithTransparencyLog(1), verify.WithIntegratedTimestamps(1)) } diff --git a/go.mod b/go.mod index 2110a214..ddaa9757 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/sigstore/sigstore v1.8.2 github.com/sigstore/timestamp-authority v1.2.2 github.com/stretchr/testify v1.9.0 - github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917 + github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 golang.org/x/crypto v0.20.0 golang.org/x/mod v0.15.0 google.golang.org/protobuf v1.32.0 diff --git a/go.sum b/go.sum index f0108304..fa635898 100644 --- a/go.sum +++ b/go.sum @@ -298,6 +298,8 @@ github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qv github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug= github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917 h1:Ov8+IAeR7pivNDC0Cd25MyyaCR3WPlGBED4wNxIFQ8s= github.com/theupdateframework/go-tuf/v2 v2.0.0-20240222081530-454b12158917/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63 h1:27XWhDZHPD+cufF6qSdYx6PgGQvD2jJ6pq9sDvR6VBk= +github.com/theupdateframework/go-tuf/v2 v2.0.0-20240223092044-1e7978e83f63/go.mod h1:+gWwqe1pk4nvGeOKosGJqPgD+N/kbD9M0QVLL9TGIYU= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0= github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399/go.mod h1:LdwHTNJT99C5fTAzDz0ud328OgXz+gierycbcIx2fRs= github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG81+twTK4= diff --git a/pkg/root/trusted_material.go b/pkg/root/trusted_material.go index 5b90da14..4e47f0ab 100644 --- a/pkg/root/trusted_material.go +++ b/pkg/root/trusted_material.go @@ -22,16 +22,16 @@ import ( ) type TrustedMaterial interface { - TSACertificateAuthorities() []CertificateAuthority + TimestampingAuthorities() []CertificateAuthority FulcioCertificateAuthorities() []CertificateAuthority - TlogAuthorities() map[string]*TlogAuthority - CTlogAuthorities() map[string]*TlogAuthority + RekorLogs() map[string]*TransparencyLog + CTLogs() map[string]*TransparencyLog PublicKeyVerifier(string) (TimeConstrainedVerifier, error) } type BaseTrustedMaterial struct{} -func (b *BaseTrustedMaterial) TSACertificateAuthorities() []CertificateAuthority { +func (b *BaseTrustedMaterial) TimestampingAuthorities() []CertificateAuthority { return []CertificateAuthority{} } @@ -39,12 +39,12 @@ func (b *BaseTrustedMaterial) FulcioCertificateAuthorities() []CertificateAuthor return []CertificateAuthority{} } -func (b *BaseTrustedMaterial) TlogAuthorities() map[string]*TlogAuthority { - return map[string]*TlogAuthority{} +func (b *BaseTrustedMaterial) RekorLogs() map[string]*TransparencyLog { + return map[string]*TransparencyLog{} } -func (b *BaseTrustedMaterial) CTlogAuthorities() map[string]*TlogAuthority { - return map[string]*TlogAuthority{} +func (b *BaseTrustedMaterial) CTLogs() map[string]*TransparencyLog { + return map[string]*TransparencyLog{} } func (b *BaseTrustedMaterial) PublicKeyVerifier(_ string) (TimeConstrainedVerifier, error) { @@ -67,10 +67,10 @@ func (tmc TrustedMaterialCollection) PublicKeyVerifier(keyID string) (TimeConstr return nil, fmt.Errorf("public key verifier not found for keyID: %s", keyID) } -func (tmc TrustedMaterialCollection) TSACertificateAuthorities() []CertificateAuthority { +func (tmc TrustedMaterialCollection) TimestampingAuthorities() []CertificateAuthority { var certAuthorities []CertificateAuthority for _, tm := range tmc { - certAuthorities = append(certAuthorities, tm.TSACertificateAuthorities()...) + certAuthorities = append(certAuthorities, tm.TimestampingAuthorities()...) } return certAuthorities } @@ -83,24 +83,24 @@ func (tmc TrustedMaterialCollection) FulcioCertificateAuthorities() []Certificat return certAuthorities } -func (tmc TrustedMaterialCollection) TlogAuthorities() map[string]*TlogAuthority { - tlogAuthorities := make(map[string]*TlogAuthority) +func (tmc TrustedMaterialCollection) RekorLogs() map[string]*TransparencyLog { + rekorLogs := make(map[string]*TransparencyLog) for _, tm := range tmc { - for keyID, tlogVerifier := range tm.TlogAuthorities() { - tlogAuthorities[keyID] = tlogVerifier + for keyID, tlogVerifier := range tm.RekorLogs() { + rekorLogs[keyID] = tlogVerifier } } - return tlogAuthorities + return rekorLogs } -func (tmc TrustedMaterialCollection) CTlogAuthorities() map[string]*TlogAuthority { - tlogAuthorities := make(map[string]*TlogAuthority) +func (tmc TrustedMaterialCollection) CTLogs() map[string]*TransparencyLog { + rekorLogs := make(map[string]*TransparencyLog) for _, tm := range tmc { - for keyID, tlogVerifier := range tm.CTlogAuthorities() { - tlogAuthorities[keyID] = tlogVerifier + for keyID, tlogVerifier := range tm.CTLogs() { + rekorLogs[keyID] = tlogVerifier } } - return tlogAuthorities + return rekorLogs } type ValidityPeriodChecker interface { diff --git a/pkg/root/trusted_root.go b/pkg/root/trusted_root.go index 16288a00..e6b2cba4 100644 --- a/pkg/root/trusted_root.go +++ b/pkg/root/trusted_root.go @@ -35,11 +35,11 @@ const TrustedRootMediaType01 = "application/vnd.dev.sigstore.trustedroot+json;ve type TrustedRoot struct { BaseTrustedMaterial - trustedRoot *prototrustroot.TrustedRoot - tlogAuthorities map[string]*TlogAuthority - fulcioCertAuthorities []CertificateAuthority - ctLogAuthorities map[string]*TlogAuthority - tsaCertAuthorities []CertificateAuthority + trustedRoot *prototrustroot.TrustedRoot + rekorLogs map[string]*TransparencyLog + fulcioCertAuthorities []CertificateAuthority + ctLogs map[string]*TransparencyLog + timestampingAuthorities []CertificateAuthority } type CertificateAuthority struct { @@ -50,7 +50,7 @@ type CertificateAuthority struct { ValidityPeriodEnd time.Time } -type TlogAuthority struct { +type TransparencyLog struct { BaseURL string ID []byte ValidityPeriodStart time.Time @@ -62,20 +62,20 @@ type TlogAuthority struct { SignatureHashFunc crypto.Hash } -func (tr *TrustedRoot) TSACertificateAuthorities() []CertificateAuthority { - return tr.tsaCertAuthorities +func (tr *TrustedRoot) TimestampingAuthorities() []CertificateAuthority { + return tr.timestampingAuthorities } func (tr *TrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority { return tr.fulcioCertAuthorities } -func (tr *TrustedRoot) TlogAuthorities() map[string]*TlogAuthority { - return tr.tlogAuthorities +func (tr *TrustedRoot) RekorLogs() map[string]*TransparencyLog { + return tr.rekorLogs } -func (tr *TrustedRoot) CTlogAuthorities() map[string]*TlogAuthority { - return tr.ctLogAuthorities +func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog { + return tr.ctLogs } func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error) { @@ -84,7 +84,7 @@ func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) } trustedRoot = &TrustedRoot{trustedRoot: protobufTrustedRoot} - trustedRoot.tlogAuthorities, err = ParseTlogAuthorities(protobufTrustedRoot.GetTlogs()) + trustedRoot.rekorLogs, err = ParseTransparencyLogs(protobufTrustedRoot.GetTlogs()) if err != nil { return nil, err } @@ -94,12 +94,12 @@ func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) return nil, err } - trustedRoot.tsaCertAuthorities, err = ParseCertificateAuthorities(protobufTrustedRoot.GetTimestampAuthorities()) + trustedRoot.timestampingAuthorities, err = ParseCertificateAuthorities(protobufTrustedRoot.GetTimestampAuthorities()) if err != nil { return nil, err } - trustedRoot.ctLogAuthorities, err = ParseTlogAuthorities(protobufTrustedRoot.GetCtlogs()) + trustedRoot.ctLogs, err = ParseTransparencyLogs(protobufTrustedRoot.GetCtlogs()) if err != nil { return nil, err } @@ -107,8 +107,8 @@ func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) return trustedRoot, nil } -func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlogAuthorities map[string]*TlogAuthority, err error) { - tlogAuthorities = make(map[string]*TlogAuthority) +func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (transparencyLogs map[string]*TransparencyLog, err error) { + transparencyLogs = make(map[string]*TransparencyLog) for _, tlog := range tlogs { if tlog.GetHashAlgorithm() != protocommon.HashAlgorithm_SHA2_256 { return nil, fmt.Errorf("unsupported tlog hash algorithm: %s", tlog.GetHashAlgorithm()) @@ -147,7 +147,7 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog if ecKey, ok = key.(*ecdsa.PublicKey); !ok { return nil, fmt.Errorf("tlog public key is not ECDSA P256") } - tlogAuthorities[encodedKeyID] = &TlogAuthority{ + transparencyLogs[encodedKeyID] = &TransparencyLog{ BaseURL: tlog.GetBaseUrl(), ID: tlog.GetLogId().GetKeyId(), HashFunc: hashFunc, @@ -156,12 +156,12 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog } if validFor := tlog.GetPublicKey().GetValidFor(); validFor != nil { if validFor.GetStart() != nil { - tlogAuthorities[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime() + transparencyLogs[encodedKeyID].ValidityPeriodStart = validFor.GetStart().AsTime() } else { return nil, fmt.Errorf("tlog missing public key validity period start time") } if validFor.GetEnd() != nil { - tlogAuthorities[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime() + transparencyLogs[encodedKeyID].ValidityPeriodEnd = validFor.GetEnd().AsTime() } } else { return nil, fmt.Errorf("tlog missing public key validity period") @@ -170,7 +170,7 @@ func ParseTlogAuthorities(tlogs []*prototrustroot.TransparencyLogInstance) (tlog return nil, fmt.Errorf("unsupported tlog public key type: %s", tlog.GetPublicKey().GetKeyDetails()) } } - return tlogAuthorities, nil + return transparencyLogs, nil } func ParseCertificateAuthorities(certAuthorities []*prototrustroot.CertificateAuthority) (certificateAuthorities []CertificateAuthority, err error) { @@ -329,10 +329,10 @@ func NewLiveTrustedRoot(opts *tuf.Options) (*LiveTrustedRoot, error) { return ltr, nil } -func (l *LiveTrustedRoot) TSACertificateAuthorities() []CertificateAuthority { +func (l *LiveTrustedRoot) TimestampingAuthorities() []CertificateAuthority { l.mu.RLock() defer l.mu.RUnlock() - return l.TrustedRoot.TSACertificateAuthorities() + return l.TrustedRoot.TimestampingAuthorities() } func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority { @@ -341,16 +341,16 @@ func (l *LiveTrustedRoot) FulcioCertificateAuthorities() []CertificateAuthority return l.TrustedRoot.FulcioCertificateAuthorities() } -func (l *LiveTrustedRoot) TlogAuthorities() map[string]*TlogAuthority { +func (l *LiveTrustedRoot) RekorLogs() map[string]*TransparencyLog { l.mu.RLock() defer l.mu.RUnlock() - return l.TrustedRoot.TlogAuthorities() + return l.TrustedRoot.RekorLogs() } -func (l *LiveTrustedRoot) CTlogAuthorities() map[string]*TlogAuthority { +func (l *LiveTrustedRoot) CTLogs() map[string]*TransparencyLog { l.mu.RLock() defer l.mu.RUnlock() - return l.TrustedRoot.CTlogAuthorities() + return l.TrustedRoot.CTLogs() } func (l *LiveTrustedRoot) PublicKeyVerifier(keyID string) (TimeConstrainedVerifier, error) { diff --git a/pkg/testing/ca/ca.go b/pkg/testing/ca/ca.go index 553e6df3..e592f1a1 100644 --- a/pkg/testing/ca/ca.go +++ b/pkg/testing/ca/ca.go @@ -426,7 +426,7 @@ func generateTimestampingResponse(sig []byte, tsaCert *x509.Certificate, tsaKey return tsTemplate.CreateResponseWithOpts(tsaCert, tsaKey, hash) } -func (ca *VirtualSigstore) TSACertificateAuthorities() []root.CertificateAuthority { +func (ca *VirtualSigstore) TimestampingAuthorities() []root.CertificateAuthority { return []root.CertificateAuthority{ca.tsaCA} } @@ -434,13 +434,13 @@ func (ca *VirtualSigstore) FulcioCertificateAuthorities() []root.CertificateAuth return []root.CertificateAuthority{ca.fulcioCA} } -func (ca *VirtualSigstore) TlogAuthorities() map[string]*root.TlogAuthority { - verifiers := make(map[string]*root.TlogAuthority) +func (ca *VirtualSigstore) RekorLogs() map[string]*root.TransparencyLog { + verifiers := make(map[string]*root.TransparencyLog) logID, err := getLogID(ca.rekorKey.Public()) if err != nil { panic(err) } - verifiers[logID] = &root.TlogAuthority{ + verifiers[logID] = &root.TransparencyLog{ BaseURL: "test", ID: []byte(logID), ValidityPeriodStart: time.Now().Add(-time.Hour), @@ -451,13 +451,13 @@ func (ca *VirtualSigstore) TlogAuthorities() map[string]*root.TlogAuthority { return verifiers } -func (ca *VirtualSigstore) CTlogAuthorities() map[string]*root.TlogAuthority { - verifiers := make(map[string]*root.TlogAuthority) +func (ca *VirtualSigstore) CTLogs() map[string]*root.TransparencyLog { + verifiers := make(map[string]*root.TransparencyLog) logID, err := getLogID(ca.ctlogKey.Public()) if err != nil { panic(err) } - verifiers[logID] = &root.TlogAuthority{ + verifiers[logID] = &root.TransparencyLog{ BaseURL: "test", ID: []byte(logID), ValidityPeriodStart: time.Now().Add(-time.Hour), diff --git a/pkg/tlog/entry.go b/pkg/tlog/entry.go index 6fa01fea..b1ba68a4 100644 --- a/pkg/tlog/entry.go +++ b/pkg/tlog/entry.go @@ -256,7 +256,7 @@ func VerifyInclusion(entry *Entry, verifier signature.Verifier) error { return nil } -func VerifySET(entry *Entry, verifiers map[string]*root.TlogAuthority) error { +func VerifySET(entry *Entry, verifiers map[string]*root.TransparencyLog) error { rekorPayload := RekorPayload{ Body: entry.logEntryAnon.Body, IntegratedTime: *entry.logEntryAnon.IntegratedTime, diff --git a/pkg/verify/sct.go b/pkg/verify/sct.go index 3fff2f31..61a0e10c 100644 --- a/pkg/verify/sct.go +++ b/pkg/verify/sct.go @@ -28,10 +28,10 @@ import ( // VerifySignedCertificateTimestamp, given a threshold, TrustedMaterial, and a // leaf certificate, will extract SCTs from the leaf certificate and verify the // timestamps using the TrustedMaterial's FulcioCertificateAuthorities() and -// CTlogAuthorities() +// CTLogs() // TODO(issue#46): Add unit tests func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int, trustedMaterial root.TrustedMaterial) error { // nolint: revive - ctlogs := trustedMaterial.CTlogAuthorities() + ctlogs := trustedMaterial.CTLogs() fulcioCerts := trustedMaterial.FulcioCertificateAuthorities() scts, err := x509util.ParseSCTsFromCertificate(leafCert.Raw) diff --git a/pkg/verify/signed_entity.go b/pkg/verify/signed_entity.go index b865d01e..08be6594 100644 --- a/pkg/verify/signed_entity.go +++ b/pkg/verify/signed_entity.go @@ -118,7 +118,7 @@ func WithOnlineVerification() VerifierOption { // WithSignedTimestamps configures the SignedEntityVerifier to expect RFC 3161 // timestamps from a Timestamp Authority, verify them using the TrustedMaterial's -// TSACertificateAuthorities(), and, if it exists, use the resulting timestamp(s) +// TimestampingAuthorities(), and, if it exists, use the resulting timestamp(s) // to verify the Fulcio certificate. func WithSignedTimestamps(threshold int) VerifierOption { return func(c *VerifierConfig) error { @@ -134,7 +134,7 @@ func WithSignedTimestamps(threshold int) VerifierOption { // WithObserverTimestamps configures the SignedEntityVerifier to expect // timestamps from either an RFC3161 timestamp authority or a log's // SignedEntryTimestamp. These are verified using the TrustedMaterial's -// TSACertificateAuthorities() or TlogAuthorities(), and used to verify +// TimestampingAuthorities() or RekorLogs(), and used to verify // the Fulcio certificate. func WithObserverTimestamps(threshold int) VerifierOption { return func(c *VerifierConfig) error { @@ -149,7 +149,7 @@ func WithObserverTimestamps(threshold int) VerifierOption { // WithTransparencyLog configures the SignedEntityVerifier to expect // Transparency Log inclusion proofs or SignedEntryTimestamps, verifying them -// using the TrustedMaterial's TlogAuthorities(). +// using the TrustedMaterial's RekorLogs(). func WithTransparencyLog(threshold int) VerifierOption { return func(c *VerifierConfig) error { if threshold < 1 { diff --git a/pkg/verify/tlog.go b/pkg/verify/tlog.go index 1414cc54..6769b3bc 100644 --- a/pkg/verify/tlog.go +++ b/pkg/verify/tlog.go @@ -82,7 +82,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru return nil, fmt.Errorf("entry must contain an inclusion proof and/or promise") } if entry.HasInclusionPromise() { - err = tlog.VerifySET(entry, trustedMaterial.TlogAuthorities()) + err = tlog.VerifySET(entry, trustedMaterial.RekorLogs()) if err != nil { // skip entries the trust root cannot verify continue @@ -94,7 +94,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru if entity.HasInclusionProof() { keyID := entry.LogKeyID() hex64Key := hex.EncodeToString([]byte(keyID)) - tlogVerifier, ok := trustedMaterial.TlogAuthorities()[hex64Key] + tlogVerifier, ok := trustedMaterial.RekorLogs()[hex64Key] if !ok { // skip entries the trust root cannot verify continue @@ -114,7 +114,7 @@ func VerifyArtifactTransparencyLog(entity SignedEntity, trustedMaterial root.Tru } else { keyID := entry.LogKeyID() hex64Key := hex.EncodeToString([]byte(keyID)) - tlogVerifier, ok := trustedMaterial.TlogAuthorities()[hex64Key] + tlogVerifier, ok := trustedMaterial.RekorLogs()[hex64Key] if !ok { // skip entries the trust root cannot verify continue diff --git a/pkg/verify/tsa.go b/pkg/verify/tsa.go index e6ed48fa..39ffb5d4 100644 --- a/pkg/verify/tsa.go +++ b/pkg/verify/tsa.go @@ -87,7 +87,7 @@ func VerifyTimestampAuthorityWithThreshold(entity SignedEntity, trustedMaterial } func verifySignedTimestamp(signedTimestamp []byte, dsseSignatureBytes []byte, trustedMaterial root.TrustedMaterial, verificationContent VerificationContent) (time.Time, error) { - certAuthorities := trustedMaterial.TSACertificateAuthorities() + certAuthorities := trustedMaterial.TimestampingAuthorities() // Iterate through TSA certificate authorities to find one that verifies for _, ca := range certAuthorities { diff --git a/pkg/verify/tsa_test.go b/pkg/verify/tsa_test.go index 6d37b1e3..b7fab242 100644 --- a/pkg/verify/tsa_test.go +++ b/pkg/verify/tsa_test.go @@ -140,7 +140,7 @@ type customTSAChainTrustedMaterial struct { tsaChain []root.CertificateAuthority } -func (i *customTSAChainTrustedMaterial) TSACertificateAuthorities() []root.CertificateAuthority { +func (i *customTSAChainTrustedMaterial) TimestampingAuthorities() []root.CertificateAuthority { return i.tsaChain } @@ -151,8 +151,8 @@ func TestBadTSACertificateChain(t *testing.T) { virtualSigstore2, err := ca.NewVirtualSigstore() assert.NoError(t, err) - ca1 := virtualSigstore.TSACertificateAuthorities()[0] - ca2 := virtualSigstore2.TSACertificateAuthorities()[0] + ca1 := virtualSigstore.TimestampingAuthorities()[0] + ca2 := virtualSigstore2.TimestampingAuthorities()[0] badChain := root.CertificateAuthority{ Root: ca2.Root, Intermediates: ca2.Intermediates, @@ -172,7 +172,7 @@ func TestBadTSACertificateChainOutsideValidityPeriod(t *testing.T) { virtualSigstore, err := ca.NewVirtualSigstore() assert.NoError(t, err) - ca := virtualSigstore.TSACertificateAuthorities()[0] + ca := virtualSigstore.TimestampingAuthorities()[0] for _, test := range []struct { name string