8000 trustroot: initial client config messages (#277) · sigstore/protobuf-specs@58ba3ec · GitHub 8000
[go: up one dir, main page]
Skip to content

Commit 58ba3ec

Browse files
woodruffwkommendorkapten
woodruffw
and
kommendorkapten
authored
trustroot: initial client config messages (#277)
* trustroot: initial client config messages Signed-off-by: William Woodruff <william@trailofbits.com> * trustroot: docs Signed-off-by: William Woodruff <william@trailofbits.com> * codegen Signed-off-by: William Woodruff <william@trailofbits.com> * add TSA url, rename Signed-off-by: William Woodruff <william@trailofbits.com> * tweak tsa_url Signed-off-by: William Woodruff <william@trailofbits.com> * gen, protos: multiple tlogs and tsas Signed-off-by: William Woodruff <william@trailofbits.com> * Apply suggestions from code review Co-authored-by: Fredrik Skogman <kommendorkapten@github.com> Signed-off-by: William Woodruff <william@yossarian.net> * gen: regenerate Signed-off-by: William Woodruff <william@trailofbits.com> --------- Signed-off-by: William Woodruff <william@trailofbits.com> Signed-off-by: William Woodruff <william@yossarian.net> Co-authored-by: Fredrik Skogman <kommendorkapten@github.com>
1 parent 0d09353 commit 58ba3ec

File tree

9 files changed

+943
-85
lines changed

9 files changed

+943
-85
lines changed

gen/jsonschema/schemas/ClientTrustConfig.schema.json

Copy file name to clipboard
Lines changed: 299 additions & 0 deletions
Large diffs are not rendered by default.

gen/jsonschema/schemas/SigningConfig.schema.json

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
{
2+
"$schema": "http://json-schema.org/draft-04/schema#",
3+
"$ref": "#/definitions/SigningConfig",
4+
"definitions": {
5+
"SigningConfig": {
6+
"properties": {
7+
"caUrl": {
8+
"type": "string",
9+
"description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
10+
},
11+
"oidcUrl": {
12+
"type": "string",
13+
"description": "A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
14+
},
15+
"tlogUrls": {
16+
"items": {
17+
"type": "string"
18+
},
19+
"type": "array",
20+
"description": "One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
21+
},
22+
"tsaUrls": {
23+
"items": {
24+
"type": "string"
25+
},
26+
"type": "array",
27+
"description": "One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
28+
}
29+
},
30+
"additionalProperties": false,
31+
"type": "object",
32+
"title": "Signing Config",
33+
"description": "SigningConfig represents the trusted entities/state needed by Sigstore signing. In particular, it primarily contains service URLs that a Sigstore signer may need to connect to for the online aspects of signing."
34+
}
35+
}
36+
}

gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go

Lines changed: 303 additions & 85 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py

Lines changed: 59 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

gen/pb-ruby/lib/sigstore_trustroot_pb.rb

Lines changed: 14 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -136,3 +136,70 @@ pub struct TrustedRoot {
136136
#[prost(message, repeated, tag = "5")]
137137
pub timestamp_authorities: ::prost::alloc::vec::Vec<CertificateAuthority>,
138138
}
139+
/// SigningConfig represents the trusted entities/state needed by Sigstore
140+
/// signing. In particular, it primarily contains service URLs that a Sigstore
141+
/// signer may need to connect to for the online aspects of signing.
142+
#[derive(
143+
sigstore_protobuf_specs_derive::Deserialize_proto,
144+
sigstore_protobuf_specs_derive::Serialize_proto
145+
)]
146+
#[derive(::prost_reflect::ReflectMessage)]
147+
#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.SigningConfig")]
148+
#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
149+
#[allow(clippy::derive_partial_eq_without_eq)]
150+
#[derive(Clone, PartialEq, ::prost::Message)]
151+
pub struct SigningConfig {
152+
/// A URL to a Fulcio-compatible CA, capable of receiving
153+
/// Certificate Signing Requests (CSRs) and responding with
154+
/// issued certificates.
155+
///
156+
/// This URL **MUST** be the "base" URL for the CA, which clients
157+
/// should construct an appropriate CSR endpoint on top of.
158+
/// For example, if `ca_url` is `<https://example.com/ca`,> then
159+
/// the client **MAY** construct the CSR endpoint as
160+
/// `<https://example.com/ca/api/v2/signingCert`.>
161+
#[prost(string, tag = "1")]
162+
pub ca_url: ::prost::alloc::string::String,
163+
/// A URL to an OpenID Connect identity provider.
164+
///
165+
/// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
166+
/// should perform well-known OpenID Connect discovery against.
167+
#[prost(string, tag = "2")]
168+
pub oidc_url: ::prost::alloc::string::String,
169+
/// One or more URLs to Rekor-compatible transparency log.
170+
///
171+
/// Each URL **MUST** be the "base" URL for the transparency log,
172+
/// which clients should construct appropriate API endpoints on top of.
173+
#[prost(string, repeated, tag = "3")]
174+
pub tlog_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
175+
/// One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
176+
///
177+
/// Each URL **MUST** be the **full** URL for the TSA, meaning that it
178+
/// should be suitable for submitting Time Stamp Requests (TSRs) to
179+
/// via HTTP, per RFC 3161.
180+
#[prost(string, repeated, tag = "4")]
181+
pub tsa_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
182+
}
183+
/// ClientTrustConfig describes the complete state needed by a client
184+
/// to perform both signing and verification operations against a particular
185+
/// instance of Sigstore.
186+
#[derive(
187+
sigstore_protobuf_specs_derive::Deserialize_proto,
188+
sigstore_protobuf_specs_derive::Serialize_proto
189+
)]
190+
#[derive(::prost_reflect::ReflectMessage)]
191+
#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.ClientTrustConfig")]
192+
#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
193+
#[allow(clippy::derive_partial_eq_without_eq)]
194+
#[derive(Clone, PartialEq, ::prost::Message)]
195+
pub struct ClientTrustConfig {
196+
/// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
197+
#[prost(string, tag = "1")]
198+
pub media_type: ::prost::alloc::string::String,
199+
/// The root of trust, which MUST be present.
200+
#[prost(message, optional, tag = "2")]
201+
pub trusted_root: ::core::option::Option<TrustedRoot>,
202+
/// Configuration for signing clients, which MUST be present.
203+
#[prost(message, optional, tag = "3")]
204+
pub signing_config: ::core::option::Option<SigningConfig>,
205+
}

gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin

2.47 KB
Binary file not shown.

gen/pb-typescript/src/__generated__/sigstore_trustroot.ts

Lines changed: 114 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

protos/sigstore_trustroot.proto

Lines changed: 51 additions & 0 deletions
+
//
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@
1515
syntax = "proto3";
1616
package dev.sigstore.trustroot.v1;
1717

18+
import "google/api/field_behavior.proto";
1819
import "sigstore_common.proto";
1920

2021
option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1";
@@ -121,3 +122,53 @@ message TrustedRoot {
121122
// A set of trusted timestamping authorities.
122123
repeated CertificateAuthority timestamp_authorities = 5;
123124
}
125+
126+
127+
// SigningConfig represents the trusted entities/state needed by Sigstore
128+
// signing. In particular, it primarily contains service URLs that a Sigstore
129+
// signer may need to connect to for the online aspects of signing.
130+
message SigningConfig {
131+
// A URL to a Fulcio-compatible CA, capable of receiving
132+
// Certificate Signing Requests (CSRs) and responding with
133+
// issued certificates.
134+
//
135+
// This URL **MUST** be the "base" URL for the CA, which clients
136+
// should construct an appropriate CSR endpoint on top of.
137+
// For example, if `ca_url` is `https://example.com/ca`, then
138+
// the client **MAY** construct the CSR endpoint as
139+
// `https://example.com/ca/api/v2/signingCert`.
140+
string ca_url = 1;
141+
142+
// A URL to an OpenID Connect identity provider.
143
144+
// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
145+
// should perform well-known OpenID Connect discovery against.
146+
string oidc_url = 2;
147+
148+
// One or more URLs to Rekor-compatible transparency log.
149+
//
150+
// Each URL **MUST** be the "base" URL for the transparency log,
151+
// which clients should construct appropriate API endpoints on top of.
152+
repeated string tlog_urls = 3;
153+
154+
// One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
155+
//
156+
// Each URL **MUST** be the **full** URL for the TSA, meaning that it
157+
// should be suitable for submitting Time Stamp Requests (TSRs) to
158+
// via HTTP, per RFC 3161.
159+
repeated string tsa_urls = 4;
160+
}
161+
162+
// ClientTrustConfig describes the complete state needed by a client
163+
// to perform both signing and verification operations against a particular
164+
// instance of Sigstore.
165+
message ClientTrustConfig {
166+
// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
167+
string media_type = 1;
168+
169+
// The root of trust, which MUST be present.
170+
TrustedRoot trusted_root = 2 [(google.api.field_behavior) = REQUIRED];
171+
172+
// Configuration for signing clients, which MUST be present.
173+
SigningConfig signing_config = 3 [(google.api.field_behavior) = REQUIRED];
174+
}

0 commit comments

Comments
 (0)
0