Merge pull request #1032 from sigstore/remove-legacy-sc

Replace LegacySigningConfig with TUF signing config

Author: aaronlew02

sigstore-java/src/main/java/dev/sigstore/trustroot/LegacySigningConfig.java

@@ -24,9 +24,11 @@
 import dev.sigstore.testing.FulcioWrapper;
 import dev.sigstore.testing.MockOAuth2ServerExtension;
 import dev.sigstore.testing.grpc.GrpcTypes;
-import dev.sigstore.trustroot.LegacySigningConfig;
+import dev.sigstore.trustroot.Service;
+import dev.sigstore.tuf.SigstoreTufClient;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateException;
+import java.util.List;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -96,11 +98,14 @@ public void testDecode_embeddedGrpc() throws Exception {
             Resources.toString(
                 Resources.getResource("dev/sigstore/samples/fulcio-response/valid/certWithSct.pem"),
                 StandardCharsets.UTF_8));
+
+    var tufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
+    tufClient.update();
+    var signingConfig = tufClient.getSigstoreSigningConfig();
+    var fulcioService = Service.select(signingConfig.getCas(), List.of(1)).get();
+
     var signingCert =
-        FulcioClientGrpc.builder()
-            .setService(LegacySigningConfig.PUBLIC_GOOD.getCas().get(0))
-            .build()
-            .decodeCerts(certs);
+        FulcioClientGrpc.builder().setService(fulcioService).build().decodeCerts(certs);
     Assertions.assertTrue(
         Certificates.getEmbeddedSCTs(Certificates.getLeaf(signingCert)).isPresent());
     Assertions.assertEquals(3, signingCert.getCertificates().size());

sigstore-java/src/test/java/dev/sigstore/fulcio/client/FulcioClientGrpcTest.java

@@ -17,7 +17,6 @@
 
 import com.gargoylesoftware.htmlunit.WebClient;
 import dev.sigstore.testing.MockOAuth2ServerExtension;
-import dev.sigstore.trustroot.LegacySigningConfig;
 import dev.sigstore.trustroot.Service;
 import io.github.netmikey.logunit.api.LogCapturer;
 import java.net.URI;
@@ -54,7 +53,7 @@ public void testAuthFlow() throws OidcException {
   public void isEnabled_CI() {
     var client =
         WebOidcClient.builder()
-            .setIssuer(LegacySigningConfig.PUBLIC_GOOD.getOidcProviders().get(0))
+            .setIssuer(Service.of(URI.create("https://nonsense.com"), 1))
             .build();
     Assertions.assertFalse(client.isEnabled(Map.of("CI", "true")));
     logs.assertContains("Skipping browser based oidc provider because CI detected");
@@ -64,7 +63,7 @@ public void isEnabled_CI() {
   public void isEnabled_notCI() {
     var client =
         WebOidcClient.builder()
-            .setIssuer(LegacySigningConfig.PUBLIC_GOOD.getOidcProviders().get(0))
+            .setIssuer(Service.of(URI.create("https://nonsense.com"), 1))
             .build();
     Assertions.assertTrue(client.isEnabled(Map.of("CI", "false")));
   }

sigstore-java/src/test/java/dev/sigstore/oidc/client/WebOidcClientTest.java

@@ -24,14 +24,16 @@
 import dev.sigstore.encryption.certificates.Certificates;
 import dev.sigstore.encryption.signers.Signers;
 import dev.sigstore.testing.CertGenerator;
-import dev.sigstore.trustroot.LegacySigningConfig;
+import dev.sigstore.trustroot.Service;
+import dev.sigstore.tuf.SigstoreTufClient;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
 import java.security.cert.CertificateException;
+import java.util.List;
 import java.util.Optional;
 import java.util.UUID;
 import org.bouncycastle.operator.OperatorCreationException;
@@ -51,10 +53,12 @@ public class RekorClientHttpTest {
   @BeforeAll
   public static void setupClient() throws Exception {
     // this tests directly against rekor in prod, it's a bit hard to bring up a rekor instance
-    client =
-        RekorClientHttp.builder()
-            .setService(LegacySigningConfig.PUBLIC_GOOD.getTLogs().get(0))
-            .build();
+    var tufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
+    tufClient.update();
+    var signingConfig = tufClient.getSigstoreSigningConfig();
+    var rekorService = Service.select(signingConfig.getTLogs(), List.of(1)).get();
+
+    client = RekorClientHttp.builder().setService(rekorService).build();
     req = createdRekorRequest();
     resp = client.putEntry(req);
   }
@@ -64,11 +68,13 @@ public void putEntry() throws Exception {
     HashedRekordRequest req = createdRekorRequest();
     var resp = client.putEntry(req);
     // pretty basic testing
+    var tufClient = SigstoreTufClient.builder().usePublicGoodInstance().build();
+    tufClient.update();
+    var signingConfig = tufClient.getSigstoreSigningConfig();
     MatcherAssert.assertThat(
         resp.getEntryLocation().toString(),
         CoreMatchers.startsWith(
-            LegacySigningConfig.PUBLIC_GOOD.getTLogs().get(0).getUrl().toString()
-                + "/api/v1/log/entries/"));
+            signingConfig.getTLogs().get(0).getUrl().toString() + "/api/v1/log/entries/"));
 
     assertNotNull(resp.getUuid());
     assertNotNull(resp.getRaw());

sigstore-java/src/test/java/dev/sigstore/rekor/client/RekorClientHttpTest.java

@@ -28,8 +28,9 @@
 import dev.sigstore.proto.rekor.v2.Verifier;
 import dev.sigstore.rekor.client.RekorEntry;
 import dev.sigstore.testing.CertGenerator;
-import dev.sigstore.trustroot.LegacySigningConfig;
+import dev.sigstore.trustroot.Service;
 import java.io.IOException;
+import java.net.URI;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.MessageDigest;
@@ -49,10 +50,9 @@ public class RekorV2ClientHttpTest {
 
   @BeforeAll
   public static void setupClient() throws Exception {
-    client =
-        RekorV2ClientHttp.builder()
-            .setService(LegacySigningConfig.STAGING_REKOR_V2.getTLogs().get(0))
-            .build();
+    // TODO(#1033): Get Rekor v2 service from TUF signing config when in prod
+    var rekorService = Service.of(URI.create("https://log2025-alpha1.rekor.sigstage.dev"), 2);
+    client = RekorV2ClientHttp.builder().setService(rekorService).build();
     req = createdRekorRequest();
     entry = client.putEntry(req);
   }

sigstore-java/src/test/java/dev/sigstore/rekor/v2/client/RekorV2ClientHttpTest.java

@@ -21,10 +21,11 @@
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-import dev.sigstore.trustroot.LegacySigningConfig;
 import dev.sigstore.trustroot.Service;
+import dev.sigstore.tuf.SigstoreTufClient;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
+import java.util.List;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
 import okhttp3.mockwebserver.SocketPolicy;
@@ -50,10 +51,11 @@ public static void setup() throws Exception {
 
   @Test
   public void timestamp_success() throws Exception {
-    var client =
-        TimestampClientHttp.builder()
-            .setService(LegacySigningConfig.STAGING.getTsas().get(0))
-            .build();
+    var tufClient = SigstoreTufClient.builder().useStagingInstance().build();
+    tufClient.update();
+    var signingConfig = tufClient.getSigstoreSigningConfig();
+    var tsService = Service.select(signingConfig.getTsas(), List.of(1)).get();
+    var client = TimestampClientHttp.builder().setService(tsService).build();
 
     var tsResp = client.timestamp(tsReq);
 
@@ -85,10 +87,11 @@ public void timestamp_failure_badResponse_incorrectDigestLength() throws Excepti
             .nonce(tsReq.getNonce())
             .build();
 
-    var client =
-        TimestampClientHttp.builder()
-            .setService(LegacySigningConfig.STAGING.getTsas().get(0))
-            .build();
+    var tufClient = SigstoreTufClient.builder().useStagingInstance().build();
+    tufClient.update();
+    var signingConfig = tufClient.getSigstoreSigningConfig();
+    var tsService = Service.select(signingConfig.getTsas(), List.of(1)).get();
+    var client = TimestampClientHttp.builder().setService(tsService).build();
 
     var tse =
         assertThrows(