Use pkg/fulcioroots and pkg/tuf and test/ from sigstore/sigstore

Signed-off-by: Jason Hall <jason@chainguard.dev>
sigstore · May 11, 2022 · 0bf8151 · 0bf8151
1 parent 89b9e88
commit 0bf8151
Show file tree

Hide file tree

Showing 31 changed files with 117 additions and 2,865 deletions.
diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
@@ -16,139 +16,11 @@
 package fulcioroots
 
 import (
-	"bytes"
-	"context"
-	"crypto/x509"
-	"os"
-	"sync"
-
-	"github.com/pkg/errors"
-	"github.com/sigstore/cosign/pkg/cosign/tuf"
-	"github.com/sigstore/sigstore/pkg/cryptoutils"
-)
-
-var (
-	rootsOnce     sync.Once
-	roots         *x509.CertPool
-	intermediates *x509.CertPool
-)
-
-// This is the root in the fulcio project.
-var fulcioTargetStr = `fulcio.crt.pem`
-
-// This is the v1 migrated root.
-var fulcioV1TargetStr = `fulcio_v1.crt.pem`
-
-// The untrusted intermediate CA certificate, used for chain building
-// TODO: Remove once this is bundled in TUF metadata.
-var fulcioIntermediateV1 = `-----BEGIN CERTIFICATE-----
-MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
-KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
-MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
-LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
-AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
-7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
-0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
-BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
-KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
-zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
-nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
-mygUY7Ii2zbdCdliiow=
------END CERTIFICATE-----`
-
-const (
-	altRoot = "SIGSTORE_ROOT_FILE"
+	"github.com/sigstore/sigstore/pkg/fulcioroots"
 )
 
-func Get() *x509.CertPool {
-	rootsOnce.Do(func() {
-		var err error
-		roots, intermediates, err = initRoots()
-		if err != nil {
-			panic(err)
-		}
-	})
-	return roots
-}
-
-func GetIntermediates() *x509.CertPool {
-	rootsOnce.Do(func() {
-		var err error
-		roots, intermediates, err = initRoots()
-		if err != nil {
-			panic(err)
-		}
-	})
-	return intermediates
-}
-
-func initRoots() (*x509.CertPool, *x509.CertPool, error) {
-	var rootPool *x509.CertPool
-	var intermediatePool *x509.CertPool
+// Deprecated: use github.com/sigstore/sigstore/pkg/fulcioroots.Get
+var Get = fulcioroots.Get
 
-	rootEnv := os.Getenv(altRoot)
-	if rootEnv != "" {
-		raw, err := os.ReadFile(rootEnv)
-		if err != nil {
-			return nil, nil, errors.Wrap(err, "error reading root PEM file")
-		}
-		certs, err := cryptoutils.UnmarshalCertificatesFromPEM(raw)
-		if err != nil {
-			return nil, nil, errors.Wrap(err, "error unmarshalling certificates")
-		}
-		for _, cert := range certs {
-			// root certificates are self-signed
-			if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
-				if rootPool == nil {
-					rootPool = x509.NewCertPool()
-				}
-				rootPool.AddCert(cert)
-			} else {
-				if intermediatePool == nil {
-					intermediatePool = x509.NewCertPool()
-				}
-				intermediatePool.AddCert(cert)
-			}
-		}
-	} else {
-		tufClient, err := tuf.NewFromEnv(context.Background())
-		if err != nil {
-			return nil, nil, errors.Wrap(err, "initializing tuf")
-		}
-		defer tufClient.Close()
-		// Retrieve from the embedded or cached TUF root. If expired, a network
-		// call is made to update the root.
-		targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
-		if err != nil {
-			return nil, nil, errors.New("error getting targets")
-		}
-		if len(targets) == 0 {
-			return nil, nil, errors.New("none of the Fulcio roots have been found")
-		}
-		for _, t := range targets {
-			certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
-			if err != nil {
-				return nil, nil, errors.Wrap(err, "error unmarshalling certificates")
-			}
-			for _, cert := range certs {
-				// root certificates are self-signed
-				if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
-					if rootPool == nil {
-						rootPool = x509.NewCertPool()
-					}
-					rootPool.AddCert(cert)
-				} else {
-					if intermediatePool == nil {
-						intermediatePool = x509.NewCertPool()
-					}
-					intermediatePool.AddCert(cert)
-				}
-			}
-		}
-		if intermediatePool == nil {
-			intermediatePool = x509.NewCertPool()
-		}
-		intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
-	}
-	return rootPool, intermediatePool, nil
-}
+// Deprecated: use github.com/sigstore/sigstore/pkg/fulcioroots.GetIntermediates
+var GetIntermediates = fulcioroots.GetIntermediates
diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go
diff --git a/go.mod b/go.mod
@@ -2,8 +2,10 @@ module github.com/sigstore/cosign
 
 go 1.17
 
+// TODO(jason): Remove this.
+replace github.com/sigstore/sigstore => github.com/imjasonh/sigstore v1.1.1-0.20220511191944-e015617260f1
+
 require (
-	cloud.google.com/go/storage v1.22.0
 	cuelang.org/go v0.4.3
 	github.com/ThalesIgnite/crypto11 v1.2.5
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20220228164355-396b2034c795
@@ -111,9 +113,10 @@ require (
 	cloud.google.com/go/compute v1.6.1 // indirect
 	cloud.google.com/go/iam v0.3.0 // indirect
 	cloud.google.com/go/kms v1.4.0 // indirect
+	cloud.google.com/go/storage v1.22.0 // indirect
 	contrib.go.opencensus.io/exporter/ocagent v0.7.1-0.20200907061046-05415f1de66d // indirect
 	contrib.go.opencensus.io/exporter/prometheus v0.4.0 // indirect
-	github.com/Azure/azure-sdk-for-go v63.3.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v64.0.0+incompatible // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.18 // indirect
@@ -132,7 +135,7 @@ require (
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go v1.43.45 // indirect
+	github.com/aws/aws-sdk-go v1.44.11 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.14.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.9.0 // indirect