trustroot: initial client config messages (#277)

* trustroot: initial client config messages

Signed-off-by: William Woodruff <[email protected]>

* trustroot: docs

Signed-off-by: William Woodruff <[email protected]>

* codegen

Signed-off-by: William Woodruff <[email protected]>

* add TSA url, rename

Signed-off-by: William Woodruff <[email protected]>

* tweak tsa_url

Signed-off-by: William Woodruff <[email protected]>

* gen, protos: multiple tlogs and tsas

Signed-off-by: William Woodruff <[email protected]>

* Apply suggestions from code review

Co-authored-by: Fredrik Skogman <[email protected]>
Signed-off-by: William Woodruff <[email protected]>

* gen: regenerate

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: William Woodruff <[email protected]>
Co-authored-by: Fredrik Skogman <[email protected]>

gen/jsonschema/schemas/SigningConfig.schema.json

@@ -0,0 +1,36 @@
+{
+    "$schema": "http://json-schema.org/draft-04/schema#",
+    "$ref": "#/definitions/SigningConfig",
+    "definitions": {
+        "SigningConfig": {
+            "properties": {
+                "caUrl": {
+                    "type": "string",
+                    "description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
+                },
+                "oidcUrl": {
+                    "type": "string",
+                    "description": "A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
+                },
+                "tlogUrls": {
+                    "items": {
+                        "type": "string"
+                    },
+                    "type": "array",
+                    "description": "One or more URLs to Rekor-compatible transparency log. Each URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
+                },
+                "tsaUrls": {
+                    "items": {
+                        "type": "string"
+                    },
+                    "type": "array",
+                    "description": "One ore more URLs to RFC 3161 Time Stamping Authority (TSA). Each URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
+                }
+            },
+            "additionalProperties": false,
+            "type": "object",
+            "title": "Signing Config",
+            "description": "SigningConfig represents the trusted entities/state needed by Sigstore signing. In particular, it primarily contains service URLs that a Sigstore signer may need to connect to for the online aspects of signing."
+        }
+    }
+}

gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs

@@ -136,3 +136,70 @@ pub struct TrustedRoot {
     #[prost(message, repeated, tag = "5")]
     pub timestamp_authorities: ::prost::alloc::vec::Vec<CertificateAuthority>,
 }
+/// SigningConfig represents the trusted entities/state needed by Sigstore
+/// signing. In particular, it primarily contains service URLs that a Sigstore
+/// signer may need to connect to for the online aspects of signing.
+#[derive(
+    sigstore_protobuf_specs_derive::Deserialize_proto,
+    sigstore_protobuf_specs_derive::Serialize_proto
+)]
+#[derive(::prost_reflect::ReflectMessage)]
+#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.SigningConfig")]
+#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
+#[allow(clippy::derive_partial_eq_without_eq)]
+#[derive(Clone, PartialEq, ::prost::Message)]
+pub struct SigningConfig {
+    /// A URL to a Fulcio-compatible CA, capable of receiving
+    /// Certificate Signing Requests (CSRs) and responding with
+    /// issued certificates.
+    ///
+    /// This URL **MUST** be the "base" URL for the CA, which clients
+    /// should construct an appropriate CSR endpoint on top of.
+    /// For example, if `ca_url` is `<https://example.com/ca`,> then
+    /// the client **MAY** construct the CSR endpoint as
+    /// `<https://example.com/ca/api/v2/signingCert`.>
+    #[prost(string, tag = "1")]
+    pub ca_url: ::prost::alloc::string::String,
+    /// A URL to an OpenID Connect identity provider.
+    ///
+    /// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
+    /// should perform well-known OpenID Connect discovery against.
+    #[prost(string, tag = "2")]
+    pub oidc_url: ::prost::alloc::string::String,
+    /// One or more URLs to Rekor-compatible transparency log.
+    ///
+    /// Each URL **MUST** be the "base" URL for the transparency log,
+    /// which clients should construct appropriate API endpoints on top of.
+    #[prost(string, repeated, tag = "3")]
+    pub tlog_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
+    /// One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
+    ///
+    /// Each URL **MUST** be the **full** URL for the TSA, meaning that it
+    /// should be suitable for submitting Time Stamp Requests (TSRs) to
+    /// via HTTP, per RFC 3161.
+    #[prost(string, repeated, tag = "4")]
+    pub tsa_urls: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
+}
+/// ClientTrustConfig describes the complete state needed by a client
+/// to perform both signing and verification operations against a particular
+/// instance of Sigstore.
+#[derive(
+    sigstore_protobuf_specs_derive::Deserialize_proto,
+    sigstore_protobuf_specs_derive::Serialize_proto
+)]
+#[derive(::prost_reflect::ReflectMessage)]
+#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.ClientTrustConfig")]
+#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
+#[allow(clippy::derive_partial_eq_without_eq)]
+#[derive(Clone, PartialEq, ::prost::Message)]
+pub struct ClientTrustConfig {
+    /// MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
+    #[prost(string, tag = "1")]
+    pub media_type: ::prost::alloc::string::String,
+    /// The root of trust, which MUST be present.
+    #[prost(message, optional, tag = "2")]
+    pub trusted_root: ::core::option::Option<TrustedRoot>,
+    /// Configuration for signing clients, which MUST be present.
+    #[prost(message, optional, tag = "3")]
+    pub signing_config: ::core::option::Option<SigningConfig>,
+}

protos/sigstore_trustroot.proto

@@ -15,6 +15,7 @@
 syntax = "proto3";
 package dev.sigstore.trustroot.v1;
 
+import "google/api/field_behavior.proto";
 import "sigstore_common.proto";
 
 option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1";
@@ -121,3 +122,53 @@ message TrustedRoot {
         // A set of trusted timestamping authorities.
         repeated CertificateAuthority timestamp_authorities = 5;
 }
+
+
+// SigningConfig represents the trusted entities/state needed by Sigstore
+// signing. In particular, it primarily contains service URLs that a Sigstore
+// signer may need to connect to for the online aspects of signing.
+message SigningConfig {
+        // A URL to a Fulcio-compatible CA, capable of receiving
+        // Certificate Signing Requests (CSRs) and responding with
+        // issued certificates.
+        //
+        // This URL **MUST** be the "base" URL for the CA, which clients
+        // should construct an appropriate CSR endpoint on top of.
+        // For example, if `ca_url` is `https://example.com/ca`, then
+        // the client **MAY** construct the CSR endpoint as
+        // `https://example.com/ca/api/v2/signingCert`.
+        string ca_url = 1;
+
+        // A URL to an OpenID Connect identity provider.
+        //
+        // This URL **MUST** be the "base" URL for the OIDC IdP, which clients
+        // should perform well-known OpenID Connect discovery against.
+        string oidc_url = 2;
+
+        // One or more URLs to Rekor-compatible transparency log.
+        //
+        // Each URL **MUST** be the "base" URL for the transparency log,
+        // which clients should construct appropriate API endpoints on top of.
+        repeated string tlog_urls = 3;
+
+        // One ore more URLs to RFC 3161 Time Stamping Authority (TSA).
+        //
+        // Each URL **MUST** be the **full** URL for the TSA, meaning that it
+        // should be suitable for submitting Time Stamp Requests (TSRs) to
+        // via HTTP, per RFC 3161.
+        repeated string tsa_urls = 4;
+}
+
+// ClientTrustConfig describes the complete state needed by a client
+// to perform both signing and verification operations against a particular
+// instance of Sigstore.
+message ClientTrustConfig {
+        // MUST be application/vnd.dev.sigstore.clienttrustconfig.v0.1+json
+        string media_type = 1;
+
+        // The root of trust, which MUST be present.
+        TrustedRoot trusted_root = 2 [(google.api.field_behavior) = REQUIRED];
+
+        // Configuration for signing clients, which MUST be present.
+        SigningConfig signing_config = 3 [(google.api.field_behavior) = REQUIRED];
+}