From 5ef54068bb534152474c5685f5cd248f38549fbd Mon Sep 17 00:00:00 2001
From: Fredrik Skogman
Date: Thu, 18 May 2023 19:34:29 +0200
Subject: [PATCH] Clarified the intent of the listed instances in the trusted_root (#80)
* Clarified the intent of the listed instances in the trusted_root message. The semantics around valid_for was not properly explained and could lead to confusion.
Signed-off-by: Fredrik Skogman
* Update protos/sigstore_trustroot.proto
Co-authored-by: Hayden B
Signed-off-by: Fredrik Skogman
* Updated generated files
Signed-off-by: Fredrik Skogman
---------
Signed-off-by: Fredrik Skogman
Co-authored-by: Hayden B
---
gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go | 17 +++++++++++++----
.../dev/sigstore/trustroot/v1/__init__.py | 14 ++++++++++----
.../src/__generated__/sigstore_trustroot.ts | 17 +++++++++++++----
protos/sigstore_trustroot.proto | 17 +++++++++++++----
4 files changed, 49 insertions(+), 16 deletions(-)
diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
index d959eeb9..c28615f9 100644
--- a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
+++ b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
@@ -39,7 +39,7 @@ const (
 // transparency log.
 // See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters
 // for more details.
-// The incluced parameters are the minimal set required to identify a log,
+// The included parameters are the minimal set required to identify a log,
 // and verify an inclusion promise.
 type TransparencyLogInstance struct {
 state protoimpl.MessageState
@@ -136,7 +136,8 @@ type CertificateAuthority struct {
 // but it MAY be shorter. Clients MUST check timestamps against *both*
 // the `valid_for` time range *and* the entire certificate chain.
 //
-// The TimeRange should be considered valid *inclusive* of the endpoints.
+// The TimeRange should be considered valid *inclusive* of the
+// endpoints.
 ValidFor *v1.TimeRange `protobuf:"bytes,4,opt,name=valid_for,json=validFor,proto3" json:"valid_for,omitempty"`
 }
@@ -208,9 +209,17 @@ func (x *CertificateAuthority) GetValidFor() *v1.TimeRange {
 // to capture the complete/global set of trusted verification materials.
 // When verifying an artifact, based on the artifact and policies, a selection
 // of keys/authorities are expected to be extracted and provided to the
-// verification function. This way the set of keys/authorities kan be kept to
+// verification function. This way the set of keys/authorities can be kept to
 // a minimal set by the policy to gain better control over what signatures
 // that are allowed.
+//
+// The embedded transparency logs, CT logs, CAs and TSAs MUST include any
+// previously used instance -- otherwise signatures made in the past cannot
+// be verified.
+// The currently used instances MUST NOT have their 'end' timestamp set in
+// their 'valid_for' attribute for easy identification.
+// All the listed instances SHOULD be sorted by the 'valid_for' in ascending
+// order, that is, the oldest instance first and the current instance last.
 type TrustedRoot struct {
 state protoimpl.MessageState
 sizeCache protoimpl.SizeCache
@@ -220,7 +229,7 @@ type TrustedRoot struct {
 MediaType string `protobuf:"bytes,1,opt,name=media_type,json=mediaType,proto3" json:"media_type,omitempty"`
 // A set of trusted Rekor servers.
 Tlogs []*TransparencyLogInstance `protobuf:"bytes,2,rep,name=tlogs,proto3" json:"tlogs,omitempty"`
-// A set of trusted certificate authorites (e.g Fulcio), and any
+// A set of trusted certificate authorities (e.g Fulcio), and any
 // intermediate certificates they provide.
 // If a CA is issuing multiple intermediate certificate, each
 // combination shall be represented as separate chain. I.e, a single
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
index facb523a..a3625149 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
@@ -14,7 +14,7 @@ class TransparencyLogInstance(betterproto.Message):
 """
 TransparencyLogInstance describes the immutable parameters from a
 transparency log. See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-
- parameters for more details. The incluced parameters are the minimal set
+ parameters for more details. The included parameters are the minimal set
 required to identify a log, and verify an inclusion promise.
 """
@@ -73,9 +73,15 @@ class TrustedRoot(betterproto.Message): complete/global set of trusted verification materials. When verifying an artifact, based on the artifact and policies, a selection of keys/authorities are expected to be extracted and provided to the - verification function. This way the set of keys/authorities kan be kept to + verification function. This way the set of keys/authorities can be kept to a minimal set by the policy to gain better control over what signatures - that are allowed. + that are allowed. The embedded transparency logs, CT logs, CAs and TSAs + MUST include any previously used instance -- otherwise signatures made in + the past cannot be verified. The currently used instances MUST NOT have + their 'end' timestamp set in their 'valid_for' attribute for easy + identification. All the listed instances SHOULD be sorted by the + 'valid_for' in ascending order, that is, the oldest instance first and the + current instance last. """ media_type: str = betterproto.string_field(1) @@ -86,7 +92,7 @@ class TrustedRoot(betterproto.Message): certificate_authorities: List["CertificateAuthority"] = betterproto.message_field(3) """ - A set of trusted certificate authorites (e.g Fulcio), and any intermediate + A set of trusted certificate authorities (e.g Fulcio), and any intermediate certificates they provide. If a CA is issuing multiple intermediate certificate, each combination shall be represented as separate chain. I.e, a single root cert may appear in multiple chains but with different diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts index 281fe929..d373e177 100644 --- a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts +++ b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts 
@@ -15,7 +15,7 @@ import {
 * transparency log.
 * See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters
 * for more details.
- * The incluced parameters are the minimal set required to identify a log,
+ * The included parameters are the minimal set required to identify a log,
 * and verify an inclusion promise.
 */
 export interface TransparencyLogInstance {
@@ -58,7 +58,8 @@ export interface CertificateAuthority {
 * but it MAY be shorter. Clients MUST check timestamps against *both*
 * the `valid_for` time range *and* the entire certificate chain.
 *
- * The TimeRange should be considered valid *inclusive* of the endpoints.
+ * The TimeRange should be considered valid *inclusive* of the
+ * endpoints.
 */
 validFor: TimeRange | undefined;
 }
@@ -72,9 +73,17 @@ export interface CertificateAuthority {
 * to capture the complete/global set of trusted verification materials.
 * When verifying an artifact, based on the artifact and policies, a selection
 * of keys/authorities are expected to be extracted and provided to the
- * verification function. This way the set of keys/authorities kan be kept to
+ * verification function. This way the set of keys/authorities can be kept to
 * a minimal set by the policy to gain better control over what signatures
 * that are allowed.
+ *
+ * The embedded transparency logs, CT logs, CAs and TSAs MUST include any
+ * previously used instance -- otherwise signatures made in the past cannot
+ * be verified.
+ * The currently used instances MUST NOT have their 'end' timestamp set in
+ * their 'valid_for' attribute for easy identification.
+ * All the listed instances SHOULD be sorted by the 'valid_for' in ascending
+ * order, that is, the oldest instance first and the current instance last.
 */
 export interface TrustedRoot {
 /** MUST be application/vnd.dev.sigstore.trustedroot+json;version=0.1 */
@@ -82,7 +91,7 @@ export interface TrustedRoot {
 /** A set of trusted Rekor servers. */
 tlogs: TransparencyLogInstance[];
 /**
- * A set of trusted certificate authorites (e.g Fulcio), and any
+ * A set of trusted certificate authorities (e.g Fulcio), and any
 * intermediate certificates they provide.
 * If a CA is issuing multiple intermediate certificate, each
 * combination shall be represented as separate chain. I.e, a single
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
index 7330ce40..f289e4ee 100644
--- a/protos/sigstore_trustroot.proto
+++ b/protos/sigstore_trustroot.proto
@@ -26,7 +26,7 @@ option java_outer_classname = "TrustRootProto";
 // transparency log.
 // See https://www.rfc-editor.org/rfc/rfc9162.html#name-log-parameters
 // for more details.
-// The incluced parameters are the minimal set required to identify a log,
+// The included parameters are the minimal set required to identify a log,
 // and verify an inclusion promise.
 message TransparencyLogInstance {
 // The base URL at which can be used to URLs for the client.
@@ -55,7 +55,8 @@ message CertificateAuthority {
 // but it MAY be shorter. Clients MUST check timestamps against *both*
 // the `valid_for` time range *and* the entire certificate chain.
 //
-// The TimeRange should be considered valid *inclusive* of the endpoints.
+// The TimeRange should be considered valid *inclusive* of the
+// endpoints.
 dev.sigstore.common.v1.TimeRange valid_for = 4;
 }
@@ -67,15 +68,23 @@ message CertificateAuthority {
 // to capture the complete/global set of trusted verification materials.
 // When verifying an artifact, based on the artifact and policies, a selection
 // of keys/authorities are expected to be extracted and provided to the
-// verification function. This way the set of keys/authorities kan be kept to
+// verification function. This way the set of keys/authorities can be kept to
 // a minimal set by the policy to gain better control over what signatures
 // that are allowed.
+//
+// The embedded transparency logs, CT logs, CAs and TSAs MUST include any
+// previously used instance -- otherwise signatures made in the past cannot
+// be verified.
+// The currently used instances MUST NOT have their 'end' timestamp set in
+// their 'valid_for' attribute for easy identification.
+// All the listed instances SHOULD be sorted by the 'valid_for' in ascending
+// order, that is, the oldest instance first and the current instance last.
 message TrustedRoot {
 // MUST be application/vnd.dev.sigstore.trustedroot+json;version=0.1
 string media_type = 1;
 // A set of trusted Rekor servers.
 repeated TransparencyLogInstance tlogs = 2;
-// A set of trusted certificate authorites (e.g Fulcio), and any
+// A set of trusted certificate authorities (e.g Fulcio), and any
 // intermediate certificates they provide.
 // If a CA is issuing multiple intermediate certificate, each
 // combination shall be represented as separate chain. I.e, a single
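Review bot: The new TrustedRoot paragraph says current instances MUST NOT have `end` set in `valid_for`, but it leaves two things a verifier needs unstated: the converse, that an instance no longer in use MUST have `end` set, and how an unset `end` is to be interpreted given that the CertificateAuthority comment earlier in this file requires clients to check timestamps against the `valid_for` range. Without the former, a retired key that was never given an `end` remains acceptable for newly produced signatures indefinitely; without the latter, a strict client might read a missing `end` as an empty range and reject the current instance. I would extend the comment after the MUST NOT sentence with `// An instance that is no longer in use MUST have its 'end' timestamp set;` / `// clients MUST treat an unset 'end' as "no upper bound" on validity.` Since the ordering is only a SHOULD, it is also worth stating that clients MUST NOT rely on list position to identify the current instance. The same text is regenerated into the Go, Python and TypeScript hunks above, so the wording belongs here followed by a regeneration.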