Merge pull request #477 from sigstore/updates-to-trustroot

Updates before applying tuf to fulcio client

Author: loosebazooka

sigstore-java/src/main/java/dev/sigstore/encryption/certificates/Certificates.java

@@ -16,6 +16,7 @@
 package dev.sigstore.encryption.certificates;
 
 import com.google.api.client.util.PemReader;
+import com.google.common.collect.ImmutableList;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.StringReader;
@@ -135,4 +136,16 @@ public static CertPath toCertPath(Certificate certificate) throws CertificateExc
     CertificateFactory cf = CertificateFactory.getInstance("X.509");
     return cf.generateCertPath(Collections.singletonList(certificate));
   }
+
+  /** Appends an X509Certificate to a {@link CertPath} as a leaf. */
+  public static CertPath appendCertPath(CertPath root, Certificate certificate)
+      throws CertificateException {
+    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+    List<Certificate> certs =
+        ImmutableList.<Certificate>builder()
+            .add(certificate)
+            .addAll(root.getCertificates())
+            .build();
+    return cf.generateCertPath(certs);
+  }
 }

sigstore-java/src/main/java/dev/sigstore/http/GrpcChannels.java

@@ -39,4 +39,23 @@ public static ManagedChannel newManagedChannel(URI serverUrl, HttpParams httpPar
     }
     return channelBuilder.build();
   }
+
+  /**
+   * Create a new managed channel, this may be reused across multiple requests to a host, and must
+   * be closed when finished.
+   *
+   * @param serverUrl the host to connect to
+   * @param httpParams the http configuration
+   * @return a reusable grpc channel
+   */
+  public static ManagedChannel newManagedChannel(String serverUrl, HttpParams httpParams) {
+    var channelBuilder =
+        ManagedChannelBuilder.forTarget(serverUrl)
+            .userAgent(httpParams.getUserAgent())
+            .keepAliveTimeout(httpParams.getTimeout(), TimeUnit.SECONDS);
+    if (httpParams.getAllowInsecureConnections()) {
+      channelBuilder.usePlaintext();
+    }
+    return channelBuilder.build();
+  }
 }

sigstore-java/src/main/java/dev/sigstore/trustroot/CertificateAuthorities.java

@@ -16,6 +16,7 @@
 package dev.sigstore.trustroot;
 
 import java.time.Instant;
+import java.util.Iterator;
 import java.util.List;
 import java.util.stream.Collectors;
 import org.immutables.value.Value;
@@ -26,7 +27,7 @@
 @Value.Style(
     depluralize = true,
     depluralizeDictionary = {"certificateAuthority:certificateAuthorities"})
-public abstract class CertificateAuthorities {
+public abstract class CertificateAuthorities implements Iterable<CertificateAuthority> {
 
   public abstract List<CertificateAuthority> getCertificateAuthorities();
 
@@ -74,4 +75,9 @@ public CertificateAuthority current() {
     }
     return current.get(0);
   }
+
+  @Override
+  public Iterator<CertificateAuthority> iterator() {
+    return getCertificateAuthorities().iterator();
+  }
 }

sigstore-java/src/main/java/dev/sigstore/trustroot/CertificateAuthority.java

@@ -17,10 +17,16 @@
 
 import dev.sigstore.proto.ProtoMutators;
 import java.net.URI;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.cert.CertPath;
 import java.security.cert.CertificateException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.security.cert.X509Certificate;
 import java.time.Instant;
+import java.util.Collections;
 import org.immutables.value.Value.Immutable;
+import org.immutables.value.Value.Lazy;
 
 @Immutable
 public abstract class CertificateAuthority {
@@ -36,6 +42,19 @@ public boolean isCurrent() {
     return getValidFor().contains(Instant.now());
   }
 
+  @Lazy
+  public TrustAnchor asTrustAnchor()
+      throws CertificateException, InvalidAlgorithmParameterException {
+    var certs = getCertPath().getCertificates();
+    X509Certificate fulcioRootObj = (X509Certificate) certs.get(certs.size() - 1);
+    TrustAnchor fulcioRootTrustAnchor = new TrustAnchor(fulcioRootObj, null);
+
+    // validate the certificate can be a trust anchor
+    new PKIXParameters(Collections.singleton(fulcioRootTrustAnchor));
+
+    return fulcioRootTrustAnchor;
+  }
+
   public static CertificateAuthority from(
       dev.sigstore.proto.trustroot.v1.CertificateAuthority proto) throws CertificateException {
     return ImmutableCertificateAuthority.builder()

sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java

@@ -19,28 +19,30 @@
 import java.security.NoSuchAlgorithmException;
 import java.security.spec.InvalidKeySpecException;
 import org.immutables.value.Value.Immutable;
+import org.immutables.value.Value.Lazy;
 
 @Immutable
-public interface PublicKey {
-  byte[] getRawBytes();
+public abstract class PublicKey {
+  public abstract byte[] getRawBytes();
 
-  String getKeyDetails();
+  public abstract String getKeyDetails();
 
-  ValidFor getValidFor();
+  public abstract ValidFor getValidFor();
 
-  static PublicKey from(dev.sigstore.proto.common.v1.PublicKey proto) {
+  @Lazy
+  public java.security.PublicKey toJavaPublicKey()
+      throws InvalidKeySpecException, NoSuchAlgorithmException {
+    if (!getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) {
+      throw new InvalidKeySpecException("Unsupported key algorithm: " + getKeyDetails());
+    }
+    return Keys.parsePkixPublicKey(getRawBytes(), "EC");
+  }
+
+  public static PublicKey from(dev.sigstore.proto.common.v1.PublicKey proto) {
     return ImmutablePublicKey.builder()
         .rawBytes(proto.getRawBytes().toByteArray())
         .keyDetails(proto.getKeyDetails().name())
         .validFor(ValidFor.from(proto.getValidFor()))
         .build();
   }
-
-  static java.security.PublicKey toJavaPublicKey(PublicKey publicKey)
-      throws InvalidKeySpecException, NoSuchAlgorithmException {
-    if (!publicKey.getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) {
-      throw new InvalidKeySpecException("Unsupported key algorithm: " + publicKey.getKeyDetails());
-    }
-    return Keys.parsePkixPublicKey(publicKey.getRawBytes(), "EC");
-  }
 }

sigstore-java/src/main/java/dev/sigstore/trustroot/Subject.java

@@ -19,7 +19,7 @@
 import org.immutables.value.Value.Immutable;
 
 @Immutable
-interface Subject {
+public interface Subject {
   String getOrganization();
 
   String getCommonName();

sigstore-java/src/main/java/dev/sigstore/trustroot/TransparencyLogs.java

@@ -17,6 +17,7 @@
 
 import java.time.Instant;
 import java.util.Arrays;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -26,7 +27,7 @@
 
 @Immutable
 @Value.Style(depluralize = true)
-public abstract class TransparencyLogs {
+public abstract class TransparencyLogs implements Iterable<TransparencyLog> {
 
   public abstract List<TransparencyLog> getTransparencyLogs();
 
@@ -64,4 +65,9 @@ public Optional<TransparencyLog> find(byte[] logId, Instant time) {
                 tl.getPublicKey().getValidFor().getEnd().orElse(Instant.now()).compareTo(time) >= 0)
         .findAny();
   }
+
+  @Override
+  public Iterator<TransparencyLog> iterator() {
+    return getTransparencyLogs().iterator();
+  }
 }

sigstore-java/src/test/java/dev/sigstore/encryption/certificates/CertificatesTest.java

@@ -28,6 +28,7 @@
 public class CertificatesTest {
   static final String CERT_CHAIN = "dev/sigstore/samples/certs/cert.pem";
   static final String CERT = "dev/sigstore/samples/certs/cert-single.pem";
+  static final String CERT_GH = "dev/sigstore/samples/certs/cert-githuboidc.pem";
 
   @Test
   public void testCertificateTranslation() throws IOException, CertificateException {
@@ -130,4 +131,19 @@ public void toCertPath() throws Exception {
     Assertions.assertEquals(1, certPath.getCertificates().size());
     Assertions.assertEquals(cert, certPath.getCertificates().get(0));
   }
+
+  @Test
+  public void appendCertPath() throws Exception {
+    var certPath =
+        Certificates.fromPemChain(Resources.toByteArray(Resources.getResource(CERT_CHAIN)));
+    var cert = Certificates.fromPem(Resources.toByteArray(Resources.getResource(CERT_GH)));
+
+    Assertions.assertEquals(2, certPath.getCertificates().size());
+    var appended = Certificates.appendCertPath(certPath, cert);
+
+    Assertions.assertEquals(3, appended.getCertificates().size());
+    Assertions.assertEquals(cert, appended.getCertificates().get(0));
+    Assertions.assertEquals(certPath.getCertificates().get(0), appended.getCertificates().get(1));
+    Assertions.assertEquals(certPath.getCertificates().get(1), appended.getCertificates().get(2));
+  }
 }

sigstore-java/src/test/java/dev/sigstore/trustroot/SigstoreTrustedRootTest.java

@@ -100,7 +100,7 @@ void from_checkFields() throws Exception {
         Base64.toBase64String(tlog.getLogId().getKeyId()));
     assertEquals(
         "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwrkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==",
-        Base64.toBase64String(PublicKey.toJavaPublicKey(tlog.getPublicKey()).getEncoded()));
+        Base64.toBase64String(tlog.getPublicKey().toJavaPublicKey().getEncoded()));
 
     var oldCTLog = trustRoot.getCTLogs().all().get(0);
     assertEquals("https://ctfe.sigstore.dev/test", oldCTLog.getBaseUrl().toString());
@@ -116,7 +116,7 @@ void from_checkFields() throws Exception {
         Base64.toBase64String(oldCTLog.getLogId().getKeyId()));
     assertEquals(
         "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==",
-        Base64.toBase64String(PublicKey.toJavaPublicKey(oldCTLog.getPublicKey()).getEncoded()));
+        Base64.toBase64String(oldCTLog.getPublicKey().toJavaPublicKey().getEncoded()));
 
     var currCTLog = trustRoot.getCTLogs().all().get(1);
     assertEquals("https://ctfe.sigstore.dev/2022", currCTLog.getBaseUrl().toString());
@@ -130,7 +130,7 @@ void from_checkFields() throws Exception {
         Base64.toBase64String(currCTLog.getLogId().getKeyId()));
     assertEquals(
         "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==",
-        Base64.toBase64String(PublicKey.toJavaPublicKey(currCTLog.getPublicKey()).getEncoded()));
+        Base64.toBase64String(currCTLog.getPublicKey().toJavaPublicKey().getEncoded()));
   }
 
   @Test