imjasonh · June 8, 2022 15:49
diff --git a/fulcioroots.diff b/fulcioroots.diff
 diff ../cosign/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go pkg/fulcioroots/fulcioroots.go
 2c2
 < // Copyright 2021 The Sigstore Authors.
 ---
 > // Copyright 2022 The Sigstore Authors.
 24d23
 < 	"os"
 27d25
 < 	"github.com/sigstore/cosign/pkg/cosign/tuf"
 28a27
 > 	"github.com/sigstore/sigstore/pkg/tuf"
 61,64c60
 < const (
 < 	altRoot = "SIGSTORE_ROOT_FILE"
 < )
 < 
 ---
 > // Get returns the Fulcio root certificates.
 74a71
 > // GetIntermediates returns the Fulcio intermediate certificates.
 86,95c83,99
 < 	var rootPool *x509.CertPool
 < 	var intermediatePool *x509.CertPool
 < 
 < 	rootEnv := os.Getenv(altRoot)
 < 	if rootEnv != "" {
 < 		raw, err := os.ReadFile(rootEnv)
 < 		if err != nil {
 < 			return nil, nil, fmt.Errorf("error reading root PEM file: %w", err)
 < 		}
 < 		certs, err := cryptoutils.UnmarshalCertificatesFromPEM(raw)
 ---
 > 	tufClient, err := tuf.NewFromEnv(context.Background())
 > 	if err != nil {
 > 		return nil, nil, fmt.Errorf("initializing tuf: %w", err)
 > 	}
 > 	// Retrieve from the embedded or cached TUF root. If expired, a network
 > 	// call is made to update the root.
 > 	targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
 > 	if err != nil {
 > 		return nil, nil, fmt.Errorf("error getting targets: %w", err)
 > 	}
 > 	if len(targets) == 0 {
 > 		return nil, nil, errors.New("none of the Fulcio roots have been found")
 > 	}
 > 	rootPool := x509.NewCertPool()
 > 	intermediatePool := x509.NewCertPool()
 > 	for _, t := range targets {
 > 		certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
 102,104d105
 < 				if rootPool == nil {
 < 					rootPool = x509.NewCertPool()
 < 				}
 107,109d107
 < 				if intermediatePool == nil {
 < 					intermediatePool = x509.NewCertPool()
 < 				}
 113,150d110
 < 	} else {
 < 		tufClient, err := tuf.NewFromEnv(context.Background())
 < 		if err != nil {
 < 			return nil, nil, fmt.Errorf("initializing tuf: %w", err)
 < 		}
 < 		// Retrieve from the embedded or cached TUF root. If expired, a network
 < 		// call is made to update the root.
 < 		targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
 < 		if err != nil {
 < 			return nil, nil, fmt.Errorf("error getting targets: %w", err)
 < 		}
 < 		if len(targets) == 0 {
 < 			return nil, nil, errors.New("none of the Fulcio roots have been found")
 < 		}
 < 		for _, t := range targets {
 < 			certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
 < 			if err != nil {
 < 				return nil, nil, fmt.Errorf("error unmarshalling certificates: %w", err)
 < 			}
 < 			for _, cert := range certs {
 < 				// root certificates are self-signed
 < 				if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
 < 					if rootPool == nil {
 < 						rootPool = x509.NewCertPool()
 < 					}
 < 					rootPool.AddCert(cert)
 < 				} else {
 < 					if intermediatePool == nil {
 < 						intermediatePool = x509.NewCertPool()
 < 					}
 < 					intermediatePool.AddCert(cert)
 < 				}
 < 			}
 < 		}
 < 		if intermediatePool == nil {
 < 			intermediatePool = x509.NewCertPool()
 < 		}
 < 		intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
 151a112
 > 	intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
 Only in ../cosign/cmd/cosign/cli/fulcio/fulcioroots/: fulcioroots_test.go
diff --git a/tuf.diff b/tuf.diff
 diff ../cosign/pkg/cosign/tuf/client.go pkg/tuf/client.go
 2c2
 < // Copyright 2021 The Sigstore Authors.
 ---
 > // Copyright 2022 The Sigstore Authors.
 44a45
 > 	// DefaultRemoteRoot is the default remote TUF root location.
 46,47c47,52
 < 	TufRootEnv        = "TUF_ROOT"
 < 	SigstoreNoCache   = "SIGSTORE_NO_CACHE"
 ---
 > 
 > 	// TufRootEnv is the name of the environment variable that locates an alternate local TUF root location.
 > 	TufRootEnv = "TUF_ROOT"
 > 
 > 	// SigstoreNoCache is the name of the environment variable that, if set, configures this code to only store root data in memory.
 > 	SigstoreNoCache = "SIGSTORE_NO_CACHE"
 58,60c63,64
 < var GetRemoteRoot = func() string {
 < 	return DefaultRemoteRoot
 < }
 ---
 > // getRemoteRoot is a var for testing.
 > var getRemoteRoot = func() string { return DefaultRemoteRoot }
 301c305
 < 	mirror := GetRemoteRoot()
 ---
 > 	mirror := getRemoteRoot()
 diff ../cosign/pkg/cosign/tuf/client_test.go pkg/tuf/client_test.go
 2c2
 < // Copyright 2021 The Sigstore Authors.
 ---
 > // Copyright 2022 The Sigstore Authors.
 368c368
 < 	origDefaultRemote := GetRemoteRoot
 ---
 > 	origDefaultRemote := getRemoteRoot
 386c386
 < 		GetRemoteRoot = origDefaultRemote
 ---
 > 		getRemoteRoot = origDefaultRemote
 404c404
 < 	GetRemoteRoot = func() string { return s.URL }
 ---
 > 	getRemoteRoot = func() string { return s.URL }
 diff ../cosign/pkg/cosign/tuf/policy.go pkg/tuf/policy.go
 2c2
 < // Copyright 2021 The Sigstore Authors.
 ---
 > // Copyright 2022 The Sigstore Authors.
 80,84d79
 < func DefaultExpires(role string) time.Time {
 < 	// Default expires in 3 months
 < 	return time.Now().AddDate(0, 3, 0).UTC().Round(time.Second)
 < }
 < 
 90c85
 < 		Expires:            DefaultExpires("root"),
 ---
 > 		Expires:            time.Now().AddDate(0, 3, 0).UTC().Round(time.Second), // Default expires in 3 months
 140c135
 < 	fulcioKeyVal, err := GetFulcioKeyVal(key)
 ---
 > 	fulcioKeyVal, err := getFulcioKeyVal(key)
 147c142
 < 		fulcioRootKeyVal, err := GetFulcioKeyVal(rootKey)
 ---
 > 		fulcioRootKeyVal, err := getFulcioKeyVal(rootKey)
 diff ../cosign/pkg/cosign/tuf/policy_test.go pkg/tuf/policy_test.go
 2c2
 < // Copyright 2021 The Sigstore Authors.
 ---
 > // Copyright 2022 The Sigstore Authors.
 Common subdirectories: ../cosign/pkg/cosign/tuf/repository and pkg/tuf/repository
 diff ../cosign/pkg/cosign/tuf/signer.go pkg/tuf/signer.go
 2c2
 < // Copyright 2021 The Sigstore Authors.
 ---
 > // Copyright 2022 The Sigstore Authors.
 23,24c23,24
 < 	KeyTypeFulcio   = "sigstore-oidc"
 < 	KeySchemeFulcio = "https://fulcio.sigstore.dev"
 ---
 > 	keyTypeFulcio   = "sigstore-oidc"
 > 	keySchemeFulcio = "https://fulcio.sigstore.dev"
 28c28
 < 	KeyAlgorithms = []string{"sha256", "sha512"}
 ---
 > 	keyAlgorithms = []string{"sha256", "sha512"}
 31c31
 < type FulcioKeyVal struct {
 ---
 > type fulcioKeyVal struct {
 37c37
 < 	keyValBytes, _ := json.Marshal(FulcioKeyVal{Identity: email, Issuer: issuer})
 ---
 > 	keyValBytes, _ := json.Marshal(fulcioKeyVal{Identity: email, Issuer: issuer})
 39,41c39,41
 < 		Type:       KeyTypeFulcio,
 < 		Scheme:     KeySchemeFulcio,
 < 		Algorithms: KeyAlgorithms,
 ---
 > 		Type:       keyTypeFulcio,
 > 		Scheme:     keySchemeFulcio,
 > 		Algorithms: keyAlgorithms,
 46,47c46,47
 < func GetFulcioKeyVal(key *Key) (*FulcioKeyVal, error) {
 < 	fulcioKeyVal := &FulcioKeyVal{}
 ---
 > func getFulcioKeyVal(key *Key) (*fulcioKeyVal, error) {
 > 	fulcioKeyVal := &fulcioKeyVal{}
 diff ../cosign/pkg/cosign/tuf/testutils.go pkg/tuf/testutils.go
 2c2
 < // Copyright 2021 The Sigstore Authors.
 ---
 > // Copyright 2022 The Sigstore Authors.
	diff ../cosign/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go pkg/fulcioroots/fulcioroots.go
	2c2
	< // Copyright 2021 The Sigstore Authors.
	---
	> // Copyright 2022 The Sigstore Authors.
	24d23
	< "os"
	27d25
	< "github.com/sigstore/cosign/pkg/cosign/tuf"
	28a27
	> "github.com/sigstore/sigstore/pkg/tuf"
	61,64c60
	< const (
	< altRoot = "SIGSTORE_ROOT_FILE"
	< )
	<
	---
	> // Get returns the Fulcio root certificates.
	74a71
	> // GetIntermediates returns the Fulcio intermediate certificates.
	86,95c83,99
	< var rootPool *x509.CertPool
	< var intermediatePool *x509.CertPool
	<
	< rootEnv := os.Getenv(altRoot)
	< if rootEnv != "" {
	< raw, err := os.ReadFile(rootEnv)
	< if err != nil {
	< return nil, nil, fmt.Errorf("error reading root PEM file: %w", err)
	< }
	< certs, err := cryptoutils.UnmarshalCertificatesFromPEM(raw)
	---
	> tufClient, err := tuf.NewFromEnv(context.Background())
	> if err != nil {
	> return nil, nil, fmt.Errorf("initializing tuf: %w", err)
	> }
	> // Retrieve from the embedded or cached TUF root. If expired, a network
	> // call is made to update the root.
	> targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
	> if err != nil {
	> return nil, nil, fmt.Errorf("error getting targets: %w", err)
	> }
	> if len(targets) == 0 {
	> return nil, nil, errors.New("none of the Fulcio roots have been found")
	> }
	> rootPool := x509.NewCertPool()
	> intermediatePool := x509.NewCertPool()
	> for _, t := range targets {
	> certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
	102,104d105
	< if rootPool == nil {
	< rootPool = x509.NewCertPool()
	< }
	107,109d107
	< if intermediatePool == nil {
	< intermediatePool = x509.NewCertPool()
	< }
	113,150d110
	< } else {
	< tufClient, err := tuf.NewFromEnv(context.Background())
	< if err != nil {
	< return nil, nil, fmt.Errorf("initializing tuf: %w", err)
	< }
	< // Retrieve from the embedded or cached TUF root. If expired, a network
	< // call is made to update the root.
	< targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
	< if err != nil {
	< return nil, nil, fmt.Errorf("error getting targets: %w", err)
	< }
	< if len(targets) == 0 {
	< return nil, nil, errors.New("none of the Fulcio roots have been found")
	< }
	< for _, t := range targets {
	< certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
	< if err != nil {
	< return nil, nil, fmt.Errorf("error unmarshalling certificates: %w", err)
	< }
	< for _, cert := range certs {
	< // root certificates are self-signed
	< if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
	< if rootPool == nil {
	< rootPool = x509.NewCertPool()
	< }
	< rootPool.AddCert(cert)
	< } else {
	< if intermediatePool == nil {
	< intermediatePool = x509.NewCertPool()
	< }
	< intermediatePool.AddCert(cert)
	< }
	< }
	< }
	< if intermediatePool == nil {
	< intermediatePool = x509.NewCertPool()
	< }
	< intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
	151a112
	> intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
	Only in ../cosign/cmd/cosign/cli/fulcio/fulcioroots/: fulcioroots_test.go
	diff ../cosign/pkg/cosign/tuf/client.go pkg/tuf/client.go
	2c2
	< // Copyright 2021 The Sigstore Authors.
	---
	> // Copyright 2022 The Sigstore Authors.
	44a45
	> // DefaultRemoteRoot is the default remote TUF root location.
	46,47c47,52
	< TufRootEnv = "TUF_ROOT"
	< SigstoreNoCache = "SIGSTORE_NO_CACHE"
	---
	>
	> // TufRootEnv is the name of the environment variable that locates an alternate local TUF root location.
	> TufRootEnv = "TUF_ROOT"
	>
	> // SigstoreNoCache is the name of the environment variable that, if set, configures this code to only store root data in memory.
	> SigstoreNoCache = "SIGSTORE_NO_CACHE"
	58,60c63,64
	< var GetRemoteRoot = func() string {
	< return DefaultRemoteRoot
	< }
	---
	> // getRemoteRoot is a var for testing.
	> var getRemoteRoot = func() string { return DefaultRemoteRoot }
	301c305
	< mirror := GetRemoteRoot()
	---
	> mirror := getRemoteRoot()
	diff ../cosign/pkg/cosign/tuf/client_test.go pkg/tuf/client_test.go
	2c2
	< // Copyright 2021 The Sigstore Authors.
	---
	> // Copyright 2022 The Sigstore Authors.
	368c368
	< origDefaultRemote := GetRemoteRoot
	---
	> origDefaultRemote := getRemoteRoot
	386c386
	< GetRemoteRoot = origDefaultRemote
	---
	> getRemoteRoot = origDefaultRemote
	404c404
	< GetRemoteRoot = func() string { return s.URL }
	---
	> getRemoteRoot = func() string { return s.URL }
	diff ../cosign/pkg/cosign/tuf/policy.go pkg/tuf/policy.go
	2c2
	< // Copyright 2021 The Sigstore Authors.
	---
	> // Copyright 2022 The Sigstore Authors.
	80,84d79
	< func DefaultExpires(role string) time.Time {
	< // Default expires in 3 months
	< return time.Now().AddDate(0, 3, 0).UTC().Round(time.Second)
	< }
	<
	90c85
	< Expires: DefaultExpires("root"),
	---
	> Expires: time.Now().AddDate(0, 3, 0).UTC().Round(time.Second), // Default expires in 3 months
	140c135
	< fulcioKeyVal, err := GetFulcioKeyVal(key)
	---
	> fulcioKeyVal, err := getFulcioKeyVal(key)
	147c142
	< fulcioRootKeyVal, err := GetFulcioKeyVal(rootKey)
	---
	> fulcioRootKeyVal, err := getFulcioKeyVal(rootKey)
	diff ../cosign/pkg/cosign/tuf/policy_test.go pkg/tuf/policy_test.go
	2c2
	< // Copyright 2021 The Sigstore Authors.
	---
	> // Copyright 2022 The Sigstore Authors.
	Common subdirectories: ../cosign/pkg/cosign/tuf/repository and pkg/tuf/repository
	diff ../cosign/pkg/cosign/tuf/signer.go pkg/tuf/signer.go
	2c2
	< // Copyright 2021 The Sigstore Authors.
	---
	> // Copyright 2022 The Sigstore Authors.
	23,24c23,24
	< KeyTypeFulcio = "sigstore-oidc"
	< KeySchemeFulcio = "https://fulcio.sigstore.dev"
	---
	> keyTypeFulcio = "sigstore-oidc"
	> keySchemeFulcio = "https://fulcio.sigstore.dev"
	28c28
	< KeyAlgorithms = []string{"sha256", "sha512"}
	---
	> keyAlgorithms = []string{"sha256", "sha512"}
	31c31
	< type FulcioKeyVal struct {
	---
	> type fulcioKeyVal struct {
	37c37
	< keyValBytes, _ := json.Marshal(FulcioKeyVal{Identity: email, Issuer: issuer})
	---
	> keyValBytes, _ := json.Marshal(fulcioKeyVal{Identity: email, Issuer: issuer})
	39,41c39,41
	< Type: KeyTypeFulcio,
	< Scheme: KeySchemeFulcio,
	< Algorithms: KeyAlgorithms,
	---
	> Type: keyTypeFulcio,
	> Scheme: keySchemeFulcio,
	> Algorithms: keyAlgorithms,
	46,47c46,47
	< func GetFulcioKeyVal(key Key) (FulcioKeyVal, error) {
	< fulcioKeyVal := &FulcioKeyVal{}
	---
	> func getFulcioKeyVal(key Key) (fulcioKeyVal, error) {
	> fulcioKeyVal := &fulcioKeyVal{}
	diff ../cosign/pkg/cosign/tuf/testutils.go pkg/tuf/testutils.go
	2c2
	< // Copyright 2021 The Sigstore Authors.
	---
	> // Copyright 2022 The Sigstore Authors.