Add the ability to contruct TrustRoot from targets

pkg/root/trusted_root.go

@@ -17,6 +17,7 @@ package root
 import (
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/rsa"
 	"crypto/x509"
 	"encoding/hex"
 	"fmt"
@@ -78,6 +79,15 @@ func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog {
 	return tr.ctLogs
 }
 
+func (tr *TrustedRoot) MarshalJSON() ([]byte, error) {
+	err := tr.constructProtoTrustRoot()
+	if err != nil {
+		return nil, fmt.Errorf("failed constructing protobuf TrustRoot representation: %w", err)
+	}
+
+	return protojson.Marshal(tr.trustedRoot)
+}
+
 func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error) {
 	if protobufTrustedRoot.GetMediaType() != TrustedRootMediaType01 {
 		return nil, fmt.Errorf("unsupported TrustedRoot media type: %s", protobufTrustedRoot.GetMediaType())
@@ -154,6 +164,25 @@ func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (tra
 				PublicKey:         ecKey,
 				SignatureHashFunc: crypto.SHA256,
 			}
+		case protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256,
+			protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256,
+			protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256:
+			key, err := x509.ParsePKIXPublicKey(tlog.GetPublicKey().GetRawBytes())
+			if err != nil {
+				return nil, err
+			}
+			var rsaKey *rsa.PublicKey
+			var ok bool
+			if rsaKey, ok = key.(*rsa.PublicKey); !ok {
+				return nil, fmt.Errorf("tlog public key is not RSA")
+			}
+			transparencyLogs[encodedKeyID] = &TransparencyLog{
+				BaseURL:           tlog.GetBaseUrl(),
+				ID:                tlog.GetLogId().GetKeyId(),
+				HashFunc:          hashFunc,
+				PublicKey:         rsaKey,
+				SignatureHashFunc: crypto.SHA256,
+			}
 		// This key format is deprecated, but currently in use for Sigstore staging instance
 		case protocommon.PublicKeyDetails_PKCS1_RSA_PKCS1V5: //nolint:staticcheck
 			key, err := x509.ParsePKCS1PublicKey(tlog.GetPublicKey().GetRawBytes())