Address review feedback, rename X509Chain to Umbilical

Author: lukevalenta

ca/ca.go

@@ -34,12 +34,12 @@ type NewOpts struct {
 
 	// Fields below are optional.
 
-	SignatureScheme mtc.SignatureScheme
-	BatchDuration   time.Duration
-	Lifetime        time.Duration
-	StorageDuration time.Duration
-	EvidencePolicy  mtc.EvidencePolicyType
-	AcceptedRoots   []byte
+	SignatureScheme   mtc.SignatureScheme
+	BatchDuration     time.Duration
+	Lifetime          time.Duration
+	StorageDuration   time.Duration
+	EvidencePolicy    mtc.EvidencePolicyType
+	UmbilicalRootsPEM []byte
 }
 
 // Handle for exclusive access to a Merkle Tree CA state.
@@ -49,7 +49,7 @@ type Handle struct {
 	flock             lockfile.Lockfile
 	path              string
 	closed            bool
-	acceptedRoots     *x509.CertPool
+	umbilicalRoots    *x509.CertPool
 	revocationChecker *revocation.Checker
 
 	indices map[uint32]*Index
@@ -126,16 +126,18 @@ func (h *Handle) QueueMultiple(it func(yield func(ar mtc.AssertionRequest) error
 	bw := bufio.NewWriter(w)
 
 	if err := it(func(ar mtc.AssertionRequest) error {
-		if h.params.EvidencePolicy == mtc.RequireX509ChainEvidencePolicyType {
+		switch h.params.EvidencePolicy {
+		case mtc.EmptyEvidencePolicyType:
+		case mtc.UmbilicalEvidencePolicyType:
 			var (
 				err   error
 				chain []*x509.Certificate
 			)
 			// TODO this checks only the first matching evidence. Do we want to allow multiple
 			// of the same evidence type to be submitted, and should we check them all?
 			for _, ev := range ar.Evidence {
-				if ev.Type() == mtc.X509ChainEvidenceType {
-					chain, err = ev.(mtc.X509ChainEvidence).Chain()
+				if ev.Type() == mtc.UmbilicalEvidenceType {
+					chain, err = ev.(mtc.UmbilicalEvidence).Chain()
 					if err != nil {
 						return err
 					}
@@ -152,10 +154,12 @@ func (h *Handle) QueueMultiple(it func(yield func(ar mtc.AssertionRequest) error
 				CA:     &h.params,
 				Number: h.params.ActiveBatches(time.Now()).End + 1,
 			}
-			_, err = umbilical.CheckAssertionValidForX509(ar.Assertion, batch, chain, h.acceptedRoots, h.revocationChecker)
+			_, err = umbilical.CheckAssertionValidForX509(ar.Assertion, batch, chain, h.umbilicalRoots, h.revocationChecker)
 			if err != nil {
 				return err
 			}
+		default:
+			return fmt.Errorf("unknown evidence policy: %d", h.params.EvidencePolicy)
 		}
 
 		buf, err := ar.MarshalBinary()
@@ -231,21 +235,25 @@ func Open(path string) (*Handle, error) {
 	if err != nil {
 		return nil, fmt.Errorf("parsing %s: %w", h.skPath(), err)
 	}
-	if h.params.EvidencePolicy == mtc.RequireX509ChainEvidencePolicyType {
+	switch h.params.EvidencePolicy {
+	case mtc.EmptyEvidencePolicyType:
+	case mtc.UmbilicalEvidencePolicyType:
 		h.revocationChecker, err = revocation.NewChecker(revocation.Config{Cache: h.revocationCachePath()})
 		if err != nil {
 			return nil, fmt.Errorf("creating revocation checker from %s: %w", h.revocationCachePath(), err)
 		}
-		h.acceptedRoots = x509.NewCertPool()
-		pemCerts, err := os.ReadFile(h.rootsPath())
+		h.umbilicalRoots = x509.NewCertPool()
+		pemCerts, err := os.ReadFile(h.umbilicalRootsPath())
 		if err != nil {
-			return nil, fmt.Errorf("reading %s: %w", h.rootsPath(), err)
+			return nil, fmt.Errorf("reading %s: %w", h.umbilicalRootsPath(), err)
 		}
 		// TODO use AddCertWithConstraint to deal with constrained roots:
 		// https://chromium.googlesource.com/chromium/src/+/main/net/data/ssl/chrome_root_store/root_store.md#constrained-roots
-		if !h.acceptedRoots.AppendCertsFromPEM(pemCerts) {
+		if !h.umbilicalRoots.AppendCertsFromPEM(pemCerts) {
 			return nil, fmt.Errorf("failed to append root certs")
 		}
+	default:
+		return nil, fmt.Errorf("unknown evidence policy: %d", h.params.EvidencePolicy)
 	}
 	return &h, nil
 }
@@ -266,8 +274,8 @@ func (h Handle) revocationCachePath() string {
 	return gopath.Join(h.path, "revocation-cache")
 }
 
-func (h Handle) rootsPath() string {
-	return gopath.Join(h.path, "www", "mtc", "v1", "roots")
+func (h Handle) umbilicalRootsPath() string {
+	return gopath.Join(h.path, "www", "mtc", "v1", "umbilical-roots.pem")
 }
 
 func (h Handle) treePath(number uint32) string {
@@ -1167,12 +1175,12 @@ func New(path string, opts NewOpts) (*Handle, error) {
 	if opts.StorageDuration.Nanoseconds()%opts.BatchDuration.Nanoseconds() != 0 {
 		return nil, errors.New("StorageDuration has to be a multiple of BatchDuration")
 	}
-	if opts.EvidencePolicy == mtc.RequireX509ChainEvidencePolicyType {
-		if opts.AcceptedRoots == nil {
-			return nil, errors.New("AcceptedRoots must be set when x509 chain evidence is required")
+	if opts.EvidencePolicy == mtc.UmbilicalEvidencePolicyType {
+		if opts.UmbilicalRootsPEM == nil {
+			return nil, errors.New("UmbilicalRoots is required with the 'umbilical' evidence policy")
 		}
-		if !x509.NewCertPool().AppendCertsFromPEM(opts.AcceptedRoots) {
-			return nil, errors.New("Failed to parse any PEM-encoded roots from AcceptedRoots")
+		if !x509.NewCertPool().AppendCertsFromPEM(opts.UmbilicalRootsPEM) {
+			return nil, errors.New("Failed to parse any PEM-encoded roots from UmbilicalRootsPEM")
 		}
 	}
 	h.params.ValidityWindowSize = uint64(opts.Lifetime.Nanoseconds() / opts.BatchDuration.Nanoseconds())
@@ -1251,9 +1259,9 @@ func New(path string, opts NewOpts) (*Handle, error) {
 	}
 
 	// Accepted roots
-	if h.params.EvidencePolicy == mtc.RequireX509ChainEvidencePolicyType {
-		if err := os.WriteFile(h.rootsPath(), opts.AcceptedRoots, 0o644); err != nil {
-			return nil, fmt.Errorf("Writing %s: %w", h.rootsPath(), err)
+	if h.params.EvidencePolicy == mtc.UmbilicalEvidencePolicyType {
+		if err := os.WriteFile(h.umbilicalRootsPath(), opts.UmbilicalRootsPEM, 0o644); err != nil {
+			return nil, fmt.Errorf("Writing %s: %w", h.umbilicalRootsPath(), err)
 		}
 	}
 

cmd/mtc/main.go

@@ -29,8 +29,8 @@ var (
 	errArgs       = errors.New("Wrong number of arguments")
 	fCpuProfile   *os.File
 	evPolicyMap   = map[string]mtc.EvidencePolicyType{
-		"empty":              mtc.EmptyEvidencePolicyType,
-		"require-x509-chain": mtc.RequireX509ChainEvidencePolicyType,
+		"empty":     mtc.EmptyEvidencePolicyType,
+		"umbilical": mtc.UmbilicalEvidencePolicyType,
 	}
 )
 
@@ -256,7 +256,7 @@ func assertionRequestFromFlagsUnchecked(cc *cli.Context) (*mtc.AssertionRequest,
 			return nil, fmt.Errorf("from-x509: %s", err)
 		}
 
-		ev, err := mtc.NewX509ChainEvidence(certs)
+		ev, err := mtc.NewUmbilicalEvidence(certs)
 		if err != nil {
 			return nil, err
 		}
@@ -558,11 +558,11 @@ func handleCaNew(cc *cli.Context) error {
 		return fmt.Errorf("unknown evidence policy: %s", cc.String("evidence-policy"))
 	}
 
-	var acceptedRoots []byte
-	if evPolicy == mtc.RequireX509ChainEvidencePolicyType {
-		acceptedRoots, err = os.ReadFile(cc.String("roots"))
+	var umbilicalRoots []byte
+	if evPolicy == mtc.UmbilicalEvidencePolicyType {
+		umbilicalRoots, err = os.ReadFile(cc.String("umbilical-roots"))
 		if err != nil {
-			return fmt.Errorf("reading %s: %w", cc.String("roots"), err)
+			return fmt.Errorf("reading %s: %w", cc.String("umbilical-roots"), err)
 		}
 	}
 
@@ -572,11 +572,11 @@ func handleCaNew(cc *cli.Context) error {
 			Issuer:     oid,
 			HttpServer: cc.Args().Get(1),
 
-			BatchDuration:   cc.Duration("batch-duration"),
-			StorageDuration: cc.Duration("storage-duration"),
-			Lifetime:        cc.Duration("lifetime"),
-			EvidencePolicy:  evPolicy,
-			AcceptedRoots:   acceptedRoots,
+			BatchDuration:     cc.Duration("batch-duration"),
+			StorageDuration:   cc.Duration("storage-duration"),
+			Lifetime:          cc.Duration("lifetime"),
+			EvidencePolicy:    evPolicy,
+			UmbilicalRootsPEM: umbilicalRoots,
 		},
 	)
 	if err != nil {
@@ -744,9 +744,9 @@ func writeEvidenceList(w *tabwriter.Writer, el mtc.EvidenceList) error {
 	fmt.Fprintf(w, "evidence-list (%d entries)\n", len(el))
 	for _, ev := range el {
 		switch ev.Type() {
-		case mtc.X509ChainEvidenceType:
-			fmt.Fprintf(w, "x509_chain\n")
-			chain, err := ev.(mtc.X509ChainEvidence).Chain()
+		case mtc.UmbilicalEvidenceType:
+			fmt.Fprintf(w, "umbilical\n")
+			chain, err := ev.(mtc.UmbilicalEvidence).Chain()
 			if err != nil {
 				return err
 			}
@@ -1015,8 +1015,8 @@ func main() {
 								Value: "empty",
 							},
 							&cli.StringFlag{
-								Name:  "roots",
-								Usage: "path to PEM-encode root store when X.509 chain evidence is required",
+								Name:  "umbilical-roots",
+								Usage: "path to PEM-encoded accepted roots for umbilical (X.509 chain) evidence",
 							},
 						},
 					},

mtc.go

@@ -58,7 +58,7 @@ type Claims struct {
 type EvidenceType uint16
 
 const (
-	X509ChainEvidenceType EvidenceType = iota
+	UmbilicalEvidenceType EvidenceType = iota
 )
 
 type EvidenceList []Evidence
@@ -68,7 +68,7 @@ type Evidence interface {
 	Info() []byte
 }
 
-type X509ChainEvidence []byte
+type UmbilicalEvidence []byte
 
 type UnknownEvidence struct {
 	typ  EvidenceType
@@ -78,8 +78,11 @@ type UnknownEvidence struct {
 type EvidencePolicyType uint16
 
 const (
+	// Policy requiring no evidence to queue an assertion request.
 	EmptyEvidencePolicyType EvidencePolicyType = iota
-	RequireX509ChainEvidencePolicyType
+
+	// Policy requiring an X509 chain to an accepted root to queue an assertion request.
+	UmbilicalEvidencePolicyType
 )
 
 // Represents a claim we do not how to interpret.
@@ -936,12 +939,12 @@ func (a *AbridgedAssertion) unmarshal(s *cryptobyte.String) error {
 	return nil
 }
 
-func (e X509ChainEvidence) Type() EvidenceType { return X509ChainEvidenceType }
-func (e X509ChainEvidence) Info() []byte       { return e }
-func (e X509ChainEvidence) Chain() ([]*x509.Certificate, error) {
+func (e UmbilicalEvidence) Type() EvidenceType { return UmbilicalEvidenceType }
+func (e UmbilicalEvidence) Info() []byte       { return e }
+func (e UmbilicalEvidence) Chain() ([]*x509.Certificate, error) {
 	return x509.ParseCertificates(e)
 }
-func NewX509ChainEvidence(certs []*x509.Certificate) (X509ChainEvidence, error) {
+func NewUmbilicalEvidence(certs []*x509.Certificate) (UmbilicalEvidence, error) {
 	var b cryptobyte.Builder
 	for _, cert := range certs {
 		b.AddBytes(cert.Raw)
@@ -1656,8 +1659,8 @@ func (el *EvidenceList) unmarshal(s *cryptobyte.String) error {
 		}
 
 		switch evidenceType {
-		case X509ChainEvidenceType:
-			*el = append(*el, X509ChainEvidence(evidenceInfo))
+		case UmbilicalEvidenceType:
+			*el = append(*el, UmbilicalEvidence(evidenceInfo))
 		default:
 			*el = append(*el, UnknownEvidence{
 				typ:  evidenceType,