-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add accessors to trustroot #432
Conversation
assertIsPresent( | ||
trustRoot.getTlog(key, ZonedDateTime.parse("2021-01-12T11:53:27.000Z").toInstant())); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you considered factoring out assertGetTLogExists
/ assertGetTLogMissing
so the assertion failures could include input data rather than "expected true got false"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the failure is pretty obvious from the data/test-line-number? In particular, someone would need to inspect the full trust root json and then decide why the test is failing.
It seems to me that changes would make the tests a bit more complicated that it needs to be? But maybe I'm not seeing this the same way you are?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
okay, I think coming back to this, I see what you're saying, lemme try it out
sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreTrustedRoot.java
Outdated
Show resolved
Hide resolved
List<CertificateAuthority> certificateAuthorities) { | ||
var current = | ||
certificateAuthorities.stream() | ||
.filter(ca -> ca.getValidFor().getEnd().isEmpty()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could a currentCA not have a getEnd value that's in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@znewman01 @kommendorkapten could it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically they could, but the intention is to have the current with an unspecified end. I think this is a good callout, I'll create a PR to clarify this: sigstore/protobuf-specs#80.
If the current has a known end, and due to operational constraints there may be an overlap of the validity time for a CA, so if we need to understand what CA is the current we would need to guess based on the time range which can be error-prone.
6bb9a4d
to
4f55b3f
Compare
Specificially for CertificateAuthorities and TransparencyLogs We need to be able to query the trustroot for CAs and logs to initialize our signers and based on the material we are signing. This will eventually allow us to init a client directly from a trustroot Signed-off-by: Appu Goundan <appu@google.com>
4f55b3f
to
9b9fb4c
Compare
reworked this a bit to put the logic in |
We need to be able to query the trustroot for CAs and logs to initialize our signers and based on the material we are signing.
This will eventually allow us to init a client directly from a trustroot