Merge pull request #965 from sigstore/readSigningConfig

Consume signing_config v0.2 from TUF repo if availalbe.

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/TrustedRootProvider.java

@@ -22,10 +22,6 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
-import java.security.spec.InvalidKeySpecException;
 
 @FunctionalInterface
 public interface TrustedRootProvider {
@@ -39,11 +35,7 @@ static TrustedRootProvider from(SigstoreTufClient.Builder tufClientBuilder) {
         var tufClient = tufClientBuilder.build();
         tufClient.update();
         return tufClient.getSigstoreTrustedRoot();
-      } catch (IOException
-          | NoSuchAlgorithmException
-          | InvalidKeySpecException
-          | InvalidKeyException
-          | CertificateException ex) {
+      } catch (IOException ex) {
         throw new SigstoreConfigurationException(ex);
       }
     };

sigstore-java/src/main/java/dev/sigstore/tuf/SigstoreTufClient.java

@@ -17,22 +17,20 @@
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
-import com.google.protobuf.util.JsonFormat;
-import dev.sigstore.proto.trustroot.v1.TrustedRoot;
 import dev.sigstore.trustroot.SigstoreConfigurationException;
+import dev.sigstore.trustroot.SigstoreSigningConfig;
 import dev.sigstore.trustroot.SigstoreTrustedRoot;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.CertificateException;
 import java.security.spec.InvalidKeySpecException;
 import java.time.Duration;
 import java.time.Instant;
+import javax.annotation.Nullable;
 
 /**
  * Wrapper around {@link dev.sigstore.tuf.Updater} that provides access to sigstore specific
@@ -41,6 +39,7 @@
 public class SigstoreTufClient {
 
   @VisibleForTesting static final String TRUST_ROOT_FILENAME = "trusted_root.json";
+  @VisibleForTesting static final String SIGNING_CONFIG_FILENAME = "signing_config.v0.2.json";
 
   public static final String PUBLIC_GOOD_ROOT_RESOURCE =
       "dev/sigstore/tuf/sigstore-tuf-root/root.json";
@@ -49,6 +48,10 @@ public class SigstoreTufClient {
   private final Updater updater;
   private Instant lastUpdate;
   private SigstoreTrustedRoot sigstoreTrustedRoot;
+  // TODO: this is nullable because we expect all future sigstore tuf repos to contain a signing
+  // config
+  // but while we transition, we need to handle the null case.
+  @Nullable private SigstoreSigningConfig sigstoreSigningConfig;
   private final Duration cacheValidity;
 
   @VisibleForTesting
@@ -66,8 +69,8 @@ public static class Builder {
     Path tufCacheLocation =
         Path.of(System.getProperty("user.home")).resolve(".sigstore-java").resolve("root");
 
-    URL remoteMirror;
-    RootProvider trustedRoot;
+    private URL remoteMirror;
+    private RootProvider trustedRoot;
 
     public Builder usePublicGoodInstance() {
       if (remoteMirror != null || trustedRoot != null) {
@@ -152,39 +155,53 @@ public SigstoreTufClient build() throws IOException {
    * Update the tuf metadata if the cache has not been updated for at least {@code cacheValidity}
    * defined on the client.
    */
-  public void update()
-      throws SigstoreConfigurationException,
-          CertificateException,
-          IOException,
-          NoSuchAlgorithmException,
-          InvalidKeySpecException,
-          InvalidKeyException {
+  public void update() throws SigstoreConfigurationException {
     if (lastUpdate == null
         || Duration.between(lastUpdate, Instant.now()).compareTo(cacheValidity) > 0) {
       this.forceUpdate();
     }
   }
 
   /** Force an update, ignoring any cache validity. */
-  public void forceUpdate()
-      throws SigstoreConfigurationException,
-          CertificateException,
-          IOException,
-          NoSuchAlgorithmException,
-          InvalidKeySpecException,
-          InvalidKeyException {
-    updater.update();
+  public void forceUpdate() throws SigstoreConfigurationException {
+    try {
+      updater.update();
+    } catch (IOException
+        | NoSuchAlgorithmException
+        | InvalidKeySpecException
+        | InvalidKeyException ex) {
+      throw new SigstoreConfigurationException("TUF repo failed to update", ex);
+    }
     lastUpdate = Instant.now();
-    var trustedRootBuilder = TrustedRoot.newBuilder();
-    JsonFormat.parser()
-        .merge(
-            new String(
-                updater.getTargetStore().readTarget(TRUST_ROOT_FILENAME), StandardCharsets.UTF_8),
-            trustedRootBuilder);
-    sigstoreTrustedRoot = SigstoreTrustedRoot.from(trustedRootBuilder.build());
+    try {
+      sigstoreTrustedRoot =
+          SigstoreTrustedRoot.from(
+              updater.getTargetStore().getTargetInputSteam(TRUST_ROOT_FILENAME));
+    } catch (IOException ex) {
+      throw new SigstoreConfigurationException("Failed to read trusted root from target store", ex);
+    }
+    try {
+      if (updater.getTargetStore().hasTarget(SIGNING_CONFIG_FILENAME)) {
+        sigstoreSigningConfig =
+            SigstoreSigningConfig.from(
+                updater.getTargetStore().getTargetInputSteam(SIGNING_CONFIG_FILENAME));
+      } else {
+        sigstoreSigningConfig = null;
+        // TODO: Remove when prod and staging TUF repos have fully configured signing configs, but
+        // right now sigstore tuf repos not having sigstoreSigningConfig is a valid state.
+      }
+    } catch (IOException ex) {
+      throw new SigstoreConfigurationException(
+          "Failed to read signing config from target store", ex);
+    }
   }
 
   public SigstoreTrustedRoot getSigstoreTrustedRoot() {
     return sigstoreTrustedRoot;
   }
+
+  @Nullable
+  public SigstoreSigningConfig getSigstoreSigningConfig() {
+    return sigstoreSigningConfig;
+  }
 }

sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java

@@ -17,15 +17,20 @@
 
 import com.google.protobuf.util.JsonFormat;
 import dev.sigstore.proto.trustroot.v1.TrustedRoot;
+import dev.sigstore.trustroot.SigstoreSigningConfig;
 import dev.sigstore.trustroot.SigstoreTrustedRoot;
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
 import java.time.Duration;
+import java.util.List;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.io.TempDir;
 import org.mockito.Mockito;
+import org.mockito.stubbing.Answer;
 
 class SigstoreTufClientTest {
 
@@ -43,6 +48,19 @@ public void testUpdate_publicGoodHasTrustedRootJson() throws Exception {
     assertTrustedRootValid(client.getSigstoreTrustedRoot());
   }
 
+  @Test
+  public void testUpdate_publicGoodNoSigningConfigV02() throws Exception {
+    var client =
+        SigstoreTufClient.builder()
+            .usePublicGoodInstance()
+            .tufCacheLocation(localStorePath)
+            .build();
+    client.forceUpdate();
+
+    // TODO: change this when we publish new signing config to public good
+    Assertions.assertNull(client.getSigstoreSigningConfig());
+  }
+
   @Test
   public void testUpdate_stagingHasTrustedRootJson() throws Exception {
     var client =
@@ -52,6 +70,15 @@ public void testUpdate_stagingHasTrustedRootJson() throws Exception {
     assertTrustedRootValid(client.getSigstoreTrustedRoot());
   }
 
+  @Test
+  public void testUpdate_stagingHasSigningConfigV02() throws Exception {
+    var client =
+        SigstoreTufClient.builder().useStagingInstance().tufCacheLocation(localStorePath).build();
+    client.forceUpdate();
+
+    assertSigningConfigValid(client.getSigstoreSigningConfig());
+  }
+
   private void assertTrustedRootValid(SigstoreTrustedRoot trustedRoot) {
     Assertions.assertNotNull(trustedRoot);
 
@@ -64,6 +91,15 @@ private void assertTrustedRootValid(SigstoreTrustedRoot trustedRoot) {
     }
   }
 
+  private void assertSigningConfigValid(SigstoreSigningConfig signingConfig) {
+    Assertions.assertNotNull(signingConfig);
+
+    assertNonEmpty(signingConfig.getCas());
+    assertNonEmpty(signingConfig.getTsas());
+    assertNonEmpty(signingConfig.getTLogs());
+    assertNonEmpty(signingConfig.getOidcProviders());
+  }
+
   @Test
   public void testUpdate_updateWhenCacheInvalid() throws Exception {
     var mockUpdater = mockUpdater();
@@ -90,10 +126,15 @@ private static Updater mockUpdater() throws IOException {
         JsonFormat.printer().print(TrustedRoot.newBuilder()).getBytes(StandardCharsets.UTF_8);
     var mockUpdater = Mockito.mock(Updater.class);
     var mockTargetStore = Mockito.mock(TargetStore.class);
-    Mockito.when(mockTargetStore.readTarget(SigstoreTufClient.TRUST_ROOT_FILENAME))
-        .thenReturn(trustRootBytes);
+    Mockito.when(mockTargetStore.getTargetInputSteam(SigstoreTufClient.TRUST_ROOT_FILENAME))
+        .thenAnswer((Answer<InputStream>) invocation -> new ByteArrayInputStream(trustRootBytes));
     Mockito.when(mockUpdater.getTargetStore()).thenReturn(mockTargetStore);
 
     return mockUpdater;
   }
+
+  private <T> void assertNonEmpty(List<T> list) {
+    Assertions.assertNotNull(list);
+    Assertions.assertFalse(list.isEmpty());
+  }
 }