Just use paths to files on disk

Instead of clients querying remote servers Signed-off-by: Zach Steindler <[email protected]>
sigstore · Sep 26, 2024 · cab9148 · cab9148
1 parent b3262d7
commit cab9148
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 42 deletions.
diff --git a/cmd/cosign/cli/options/trustedroot.go b/cmd/cosign/cli/options/trustedroot.go
@@ -23,8 +23,8 @@ type TrustedRootCreateOptions struct {
 	CAIntermediates  string
 	CARoots          string
 	CertChain        string
-	IgnoreSCT        bool
-	IgnoreTlog       bool
+	CtfeKeyPath      string
+	RekorKeyPath     string
 	Out              string
 	TSACertChainPath string
 }
@@ -54,13 +54,12 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 	cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")
 	cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain")
 
-	cmd.Flags().BoolVar(&o.IgnoreSCT, "ignore-sct", false,
-		"when set, do not include key for verifying certificate transparency "+
-			"log. Set this if you signed with a key instead of using Fulcio.")
+	cmd.Flags().StringVar(&o.CtfeKeyPath, "ctfe-key", "",
+		"path to a PEM-encoded public key used by certificate authority for "+
+			"certificate transparency log.")
 
-	cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false,
-		"when set, do not include key for verifying transparency. Set this if "+
-			"you did not sign with Rekor.")
+	cmd.Flags().StringVar(&o.RekorKeyPath, "rekor-key", "",
+		"path to a PEM-encoded public key used by transparency log like Rekor.")
 
 	cmd.Flags().StringVar(&o.Out, "out", "",
 		"path to output trusted root")

diff --git a/cmd/cosign/cli/trustedroot.go b/cmd/cosign/cli/trustedroot.go
@@ -48,9 +48,9 @@ func trustedRootCreate() *cobra.Command {
 				CAIntermediates:  o.CAIntermediates,
 				CARoots:          o.CARoots,
 				CertChain:        o.CertChain,
-				IgnoreSCT:        o.IgnoreSCT,
-				IgnoreTlog:       o.IgnoreTlog,
+				CtfeKeyPath:      o.CtfeKeyPath,
 				Out:              o.Out,
+				RekorKeyPath:     o.RekorKeyPath,
 				TSACertChainPath: o.TSACertChainPath,
 			}
 

diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go
@@ -25,6 +25,7 @@ import (
 	"os"
 
 	"github.com/sigstore/sigstore-go/pkg/root"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 )
@@ -33,13 +34,13 @@ type CreateCmd struct {
 	CAIntermediates  string
 	CARoots          string
 	CertChain        string
-	IgnoreSCT        bool
-	IgnoreTlog       bool
+	CtfeKeyPath      string
 	Out              string
+	RekorKeyPath     string
 	TSACertChainPath string
 }
 
-func (c *CreateCmd) Exec(ctx context.Context) error {
+func (c *CreateCmd) Exec(_ context.Context) error {
 	var fulcioCertAuthorities []root.CertificateAuthority
 	ctLogs := make(map[string]*root.TransparencyLog)
 	var timestampAuthorities []root.CertificateAuthority
@@ -80,43 +81,31 @@ func (c *CreateCmd) Exec(ctx context.Context) error {
 		}
 	}
 
-	if !c.IgnoreSCT {
-		ctLogPubKeys, err := cosign.GetCTLogPubs(ctx)
+	if c.CtfeKeyPath != "" {
+		ctLogPubKey, id, idBytes, err := getPubKey(c.CtfeKeyPath)
 		if err != nil {
 			return err
 		}
 
-		for id, key := range ctLogPubKeys.Keys {
-			idBytes, err := hex.DecodeString(id)
-			if err != nil {
-				return err
-			}
-			ctLogs[id] = &root.TransparencyLog{
-				HashFunc:          crypto.SHA256,
-				ID:                idBytes,
-				PublicKey:         key.PubKey,
-				SignatureHashFunc: crypto.SHA256,
-			}
+		ctLogs[id] = &root.TransparencyLog{
+			HashFunc:          crypto.SHA256,
+			ID:                idBytes,
+			PublicKey:         *ctLogPubKey,
+			SignatureHashFunc: crypto.SHA256,
 		}
 	}
 
-	if !c.IgnoreTlog {
-		tlogPubKeys, err := cosign.GetRekorPubs(ctx)
+	if c.RekorKeyPath != "" {
+		tlogPubKey, id, idBytes, err := getPubKey(c.RekorKeyPath)
 		if err != nil {
 			return err
 		}
 
-		for id, key := range tlogPubKeys.Keys {
-			idBytes, err := hex.DecodeString(id)
-			if err != nil {
-				return err
-			}
-			rekorTransparencyLogs[id] = &root.TransparencyLog{
-				HashFunc:          crypto.SHA256,
-				ID:                idBytes,
-				PublicKey:         key.PubKey,
-				SignatureHashFunc: crypto.SHA256,
-			}
+		rekorTransparencyLogs[id] = &root.TransparencyLog{
+			HashFunc:          crypto.SHA256,
+			ID:                idBytes,
+			PublicKey:         *tlogPubKey,
+			SignatureHashFunc: crypto.SHA256,
 		}
 	}
 
@@ -196,3 +185,27 @@ func parseCerts(path string) ([]*x509.Certificate, error) {
 
 	return certs, nil
 }
+
+func getPubKey(path string) (*crypto.PublicKey, string, []byte, error) {
+	pemBytes, err := os.ReadFile(path)
+	if err != nil {
+		return nil, "", []byte{}, err
+	}
+
+	pubKey, err := cryptoutils.UnmarshalPEMToPublicKey(pemBytes)
+	if err != nil {
+		return nil, "", []byte{}, err
+	}
+
+	keyID, err := cosign.GetTransparencyLogID(pubKey)
+	if err != nil {
+		return nil, "", []byte{}, err
+	}
+
+	idBytes, err := hex.DecodeString(keyID)
+	if err != nil {
+		return nil, "", []byte{}, err
+	}
+
+	return &pubKey, keyID, idBytes, nil
+}
diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go
@@ -45,7 +45,6 @@ func TestCreateCmd(t *testing.T) {
 
 	trustedrootCreate := CreateCmd{
 		CertChain:        fulcioChainPath,
-		IgnoreSCT:        true,
 		Out:              outPath,
 		TSACertChainPath: tsaChainPath,
 	}

diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md