cosign -> sigstore diff for https://github.com/sigstore/sigstore/pull/435
diff ../cosign/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go pkg/fulcioroots/fulcioroots.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
24d23
< "os"
27d25
< "github.com/sigstore/cosign/pkg/cosign/tuf"
28a27
> "github.com/sigstore/sigstore/pkg/tuf"
61,64c60
< const (
< altRoot = "SIGSTORE_ROOT_FILE"
< )
<
---
> // Get returns the Fulcio root certificates.
74a71
> // GetIntermediates returns the Fulcio intermediate certificates.
86,95c83,99
< var rootPool *x509.CertPool
< var intermediatePool *x509.CertPool
<
< rootEnv := os.Getenv(altRoot)
< if rootEnv != "" {
< raw, err := os.ReadFile(rootEnv)
< if err != nil {
< return nil, nil, fmt.Errorf("error reading root PEM file: %w", err)
< }
< certs, err := cryptoutils.UnmarshalCertificatesFromPEM(raw)
---
> tufClient, err := tuf.NewFromEnv(context.Background())
> if err != nil {
> return nil, nil, fmt.Errorf("initializing tuf: %w", err)
> }
> // Retrieve from the embedded or cached TUF root. If expired, a network
> // call is made to update the root.
> targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
> if err != nil {
> return nil, nil, fmt.Errorf("error getting targets: %w", err)
> }
> if len(targets) == 0 {
> return nil, nil, errors.New("none of the Fulcio roots have been found")
> }
> rootPool := x509.NewCertPool()
> intermediatePool := x509.NewCertPool()
> for _, t := range targets {
> certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
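Review bot: Nothing after the `len(targets) == 0` guard verifies that at least one self-signed certificate actually lands in `rootPool`; a target set that parses to only intermediates (or to zero certificates) now yields an empty, non-nil root pool that fails later at chain verification with a less specific error than the old nil-pool path produced. Consider counting roots inside the loop and returning `errors.New("no self-signed Fulcio root found in TUF targets")` when the count is zero after it. Separately, `tuf.NewFromEnv(context.Background())` means the network refresh the comment on L49–L50 describes cannot be cancelled or bounded by the caller; if the enclosing function (which starts and, with the target loop, ends outside this hunk) can take a `ctx`, prefer threading it through.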
102,104d105
< if rootPool == nil {
< rootPool = x509.NewCertPool()
< }
107,109d107
< if intermediatePool == nil {
< intermediatePool = x509.NewCertPool()
< }
113,150d110
< } else {
< tufClient, err := tuf.NewFromEnv(context.Background())
< if err != nil {
< return nil, nil, fmt.Errorf("initializing tuf: %w", err)
< }
< // Retrieve from the embedded or cached TUF root. If expired, a network
< // call is made to update the root.
< targets, err := tufClient.GetTargetsByMeta(tuf.Fulcio, []string{fulcioTargetStr, fulcioV1TargetStr})
< if err != nil {
< return nil, nil, fmt.Errorf("error getting targets: %w", err)
< }
< if len(targets) == 0 {
< return nil, nil, errors.New("none of the Fulcio roots have been found")
< }
< for _, t := range targets {
< certs, err := cryptoutils.UnmarshalCertificatesFromPEM(t.Target)
< if err != nil {
< return nil, nil, fmt.Errorf("error unmarshalling certificates: %w", err)
< }
< for _, cert := range certs {
< // root certificates are self-signed
< if bytes.Equal(cert.RawSubject, cert.RawIssuer) {
< if rootPool == nil {
< rootPool = x509.NewCertPool()
< }
< rootPool.AddCert(cert)
< } else {
< if intermediatePool == nil {
< intermediatePool = x509.NewCertPool()
< }
< intermediatePool.AddCert(cert)
< }
< }
< }
< if intermediatePool == nil {
< intermediatePool = x509.NewCertPool()
< }
< intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
151a112
> intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
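Review bot: The boolean returned by `intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))` is discarded; it reports whether any certificate was parsed, so a corrupted or mis-embedded intermediate would be silently dropped from the pool instead of surfaced as an error. Suggest `if !intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1)) { return nil, nil, errors.New("embedded Fulcio intermediate did not parse") }`. The enclosing function ends outside this hunk.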
Only in ../cosign/cmd/cosign/cli/fulcio/fulcioroots/: fulcioroots_test.go
diff ../cosign/pkg/cosign/tuf/client.go pkg/tuf/client.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
44a45
> // DefaultRemoteRoot is the default remote TUF root location.
46,47c47,52
< TufRootEnv = "TUF_ROOT"
< SigstoreNoCache = "SIGSTORE_NO_CACHE"
---
>
> // TufRootEnv is the name of the environment variable that locates an alternate local TUF root location.
> TufRootEnv = "TUF_ROOT"
>
> // SigstoreNoCache is the name of the environment variable that, if set, configures this code to only store root data in memory.
> SigstoreNoCache = "SIGSTORE_NO_CACHE"
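Review bot: The new doc comment on `TufRootEnv` says the variable relocates the local TUF root but not what that implies for trust; since the local root presumably seeds the trusted metadata chain, whoever controls that environment variable or directory can influence which Fulcio/Rekor keys are trusted. Suggest extending the comment with `// Pointing this at an attacker-controlled directory changes the trust anchors; treat it as security-sensitive.` The same caveat applies, more mildly, to `SigstoreNoCache`, which only affects where data is stored.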
58,60c63,64
< var GetRemoteRoot = func() string {
< return DefaultRemoteRoot
< }
---
> // getRemoteRoot is a var for testing.
> var getRemoteRoot = func() string { return DefaultRemoteRoot }
301c305
< mirror := GetRemoteRoot()
---
> mirror := getRemoteRoot()
diff ../cosign/pkg/cosign/tuf/client_test.go pkg/tuf/client_test.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
368c368
< origDefaultRemote := GetRemoteRoot
---
> origDefaultRemote := getRemoteRoot
386c386
< GetRemoteRoot = origDefaultRemote
---
> getRemoteRoot = origDefaultRemote
404c404
< GetRemoteRoot = func() string { return s.URL }
---
> getRemoteRoot = func() string { return s.URL }
diff ../cosign/pkg/cosign/tuf/policy.go pkg/tuf/policy.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
80,84d79
< func DefaultExpires(role string) time.Time {
< // Default expires in 3 months
< return time.Now().AddDate(0, 3, 0).UTC().Round(time.Second)
< }
<
90c85
< Expires: DefaultExpires("root"),
---
> Expires: time.Now().AddDate(0, 3, 0).UTC().Round(time.Second), // Default expires in 3 months
140c135
< fulcioKeyVal, err := GetFulcioKeyVal(key)
---
> fulcioKeyVal, err := getFulcioKeyVal(key)
147c142
< fulcioRootKeyVal, err := GetFulcioKeyVal(rootKey)
---
> fulcioRootKeyVal, err := getFulcioKeyVal(rootKey)
diff ../cosign/pkg/cosign/tuf/policy_test.go pkg/tuf/policy_test.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
Common subdirectories: ../cosign/pkg/cosign/tuf/repository and pkg/tuf/repository
diff ../cosign/pkg/cosign/tuf/signer.go pkg/tuf/signer.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.
23,24c23,24
< KeyTypeFulcio = "sigstore-oidc"
< KeySchemeFulcio = "https://fulcio.sigstore.dev"
---
> keyTypeFulcio = "sigstore-oidc"
> keySchemeFulcio = "https://fulcio.sigstore.dev"
28c28
< KeyAlgorithms = []string{"sha256", "sha512"}
---
> keyAlgorithms = []string{"sha256", "sha512"}
31c31
< type FulcioKeyVal struct {
---
> type fulcioKeyVal struct {
37c37
< keyValBytes, _ := json.Marshal(FulcioKeyVal{Identity: email, Issuer: issuer})
---
> keyValBytes, _ := json.Marshal(fulcioKeyVal{Identity: email, Issuer: issuer})
39,41c39,41
< Type: KeyTypeFulcio,
< Scheme: KeySchemeFulcio,
< Algorithms: KeyAlgorithms,
---
> Type: keyTypeFulcio,
> Scheme: keySchemeFulcio,
> Algorithms: keyAlgorithms,
46,47c46,47
< func GetFulcioKeyVal(key *Key) (*FulcioKeyVal, error) {
< fulcioKeyVal := &FulcioKeyVal{}
---
> func getFulcioKeyVal(key *Key) (*fulcioKeyVal, error) {
> fulcioKeyVal := &fulcioKeyVal{}
diff ../cosign/pkg/cosign/tuf/testutils.go pkg/tuf/testutils.go
2c2
< // Copyright 2021 The Sigstore Authors.
---
> // Copyright 2022 The Sigstore Authors.