Add the ability to contruct TrustRoot from targets
Signed-off-by: Slavek Kabrda <bkabrda@redhat.com>
bkabrda committed Jul 30, 2024
1 parent 2b6fc6d commit 368c2a9
Showing 3 changed files with 624 additions and 0 deletions.
29 changes: 29 additions & 0 deletions pkg/root/trusted_root.go
@@ -17,6 +17,7 @@ package root
import (
"crypto"
"crypto/ecdsa"
"crypto/rsa"
"crypto/x509"
"encoding/hex"
"fmt"
@@ -78,6 +79,15 @@ func (tr *TrustedRoot) CTLogs() map[string]*TransparencyLog {
return tr.ctLogs
}

func (tr *TrustedRoot) MarshalJSON() ([]byte, error) {
err := tr.constructProtoTrustRoot()
if err != nil {
return nil, fmt.Errorf("failed constructing protobuf TrustRoot representation: %w", err)
}

return protojson.Marshal(tr.trustedRoot)
}

func NewTrustedRootFromProtobuf(protobufTrustedRoot *prototrustroot.TrustedRoot) (trustedRoot *TrustedRoot, err error) {
if protobufTrustedRoot.GetMediaType() != TrustedRootMediaType01 {
return nil, fmt.Errorf("unsupported TrustedRoot media type: %s", protobufTrustedRoot.GetMediaType())
@@ -154,6 +164,25 @@ func ParseTransparencyLogs(tlogs []*prototrustroot.TransparencyLogInstance) (tra
PublicKey: ecKey,
SignatureHashFunc: crypto.SHA256,
}
case protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256,
protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256,
protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256:
key, err := x509.ParsePKIXPublicKey(tlog.GetPublicKey().GetRawBytes())
if err != nil {
return nil, err
}
var rsaKey *rsa.PublicKey
var ok bool
if rsaKey, ok = key.(*rsa.PublicKey); !ok {
return nil, fmt.Errorf("tlog public key is not RSA")
}
transparencyLogs[encodedKeyID] = &TransparencyLog{
BaseURL: tlog.GetBaseUrl(),
ID: tlog.GetLogId().GetKeyId(),
HashFunc: hashFunc,
PublicKey: rsaKey,
SignatureHashFunc: crypto.SHA256,
}
// This key format is deprecated, but currently in use for Sigstore staging instance
case protocommon.PublicKeyDetails_PKCS1_RSA_PKCS1V5: //nolint:staticcheck
key, err := x509.ParsePKCS1PublicKey(tlog.GetPublicKey().GetRawBytes())
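Review bot: The new RSA case in ParseTransparencyLogs accepts any key that parses as `*rsa.PublicKey`, so an entry declared as `PKIX_RSA_PKCS1V15_4096_SHA256` (or the 2048/3072 variants) is never checked against the actual modulus size, and an undersized key would be stored as a log verifier. After the type assertion I would add a guard such as `if rsaKey.N.BitLen() < 2048 { return nil, fmt.Errorf("tlog RSA public key is %d bits, want at least 2048", rsaKey.N.BitLen()) }`, or a stricter comparison against the size implied by the declared key details. The parse failure is also returned bare; `return nil, fmt.Errorf("parsing tlog RSA public key: %w", err)` would tell the caller which key in the trusted root was rejected. The enclosing function starts and ends outside this hunk, so an equivalent check further down is not visible from here.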