Skip to content

Commit d99d67b

Browse files
committed
Add providers for signing config and legacy helper
And some other minor associated changes Signed-off-by: Appu Goundan <appu@google.com>
1 parent 67b9be2 commit d99d67b

File tree

5 files changed

+146
-7
lines changed

5 files changed

+146
-7
lines changed
Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
/*
2+
* Copyright 2025 The Sigstore Authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* http://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
package dev.sigstore;
17+
18+
import com.google.common.base.Preconditions;
19+
import dev.sigstore.trustroot.SigstoreConfigurationException;
20+
import dev.sigstore.trustroot.SigstoreSigningConfig;
21+
import dev.sigstore.tuf.SigstoreTufClient;
22+
import java.io.IOException;
23+
import java.nio.file.Files;
24+
import java.nio.file.Path;
25+
26+
@FunctionalInterface
27+
public interface SigningConfigProvider {
28+
29+
SigstoreSigningConfig get() throws SigstoreConfigurationException;
30+
31+
static SigningConfigProvider from(SigstoreTufClient.Builder tufClientBuilder) {
32+
Preconditions.checkNotNull(tufClientBuilder);
33+
return () -> {
34+
try {
35+
SigstoreTufClient tufClient = tufClientBuilder.build();
36+
tufClient.update();
37+
return tufClient.getSigstoreSigningConfig();
38+
} catch (IOException ex) {
39+
throw new SigstoreConfigurationException(
40+
"Could not initialize signing config from provided tuf client", ex);
41+
}
42+
};
43+
}
44+
45+
// Temporary while the tuf repos catches up, this will still fail if the remove TUF isn't
46+
// available to check for signing config
47+
static SigningConfigProvider fromOrDefault(
48+
SigstoreTufClient.Builder tufClientBuilder, SigstoreSigningConfig defaultConfig) {
49+
Preconditions.checkNotNull(tufClientBuilder);
50+
return () -> {
51+
try {
52+
var tufClient = tufClientBuilder.build();
53+
tufClient.update();
54+
var fromTuf = tufClient.getSigstoreSigningConfig();
55+
return fromTuf == null ? defaultConfig : fromTuf;
56+
} catch (IOException ex) {
57+
throw new SigstoreConfigurationException(
58+
"Could not initialize signing config from provided tuf client", ex);
59+
}
60+
};
61+
}
62+
63+
static SigningConfigProvider from(Path signingConfig) {
64+
Preconditions.checkNotNull(signingConfig);
65+
return () -> {
66+
try {
67+
return SigstoreSigningConfig.from(Files.newInputStream(signingConfig));
68+
} catch (IOException ex) {
69+
throw new SigstoreConfigurationException(
70+
"Could not initialize signing config from " + signingConfig, ex);
71+
}
72+
};
73+
}
74+
}

sigstore-java/src/main/java/dev/sigstore/TrustedRootProvider.java

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,8 @@ static TrustedRootProvider from(SigstoreTufClient.Builder tufClientBuilder) {
3636
tufClient.update();
3737
return tufClient.getSigstoreTrustedRoot();
3838
} catch (IOException ex) {
39-
throw new SigstoreConfigurationException(ex);
39+
throw new SigstoreConfigurationException(
40+
"Could not initialize trusted root from provided tuf client", ex);
4041
}
4142
};
4243
}
@@ -47,7 +48,8 @@ static TrustedRootProvider from(Path trustedRoot) {
4748
try (var is = Files.newInputStream(trustedRoot)) {
4849
return SigstoreTrustedRoot.from(is);
4950
} catch (IOException ex) {
50-
throw new SigstoreConfigurationException(ex);
51+
throw new SigstoreConfigurationException(
52+
"Could not initialize trusted root from " + trustedRoot, ex);
5153
}
5254
};
5355
}
Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,58 @@
1+
/*
2+
* Copyright 2025 The Sigstore Authors.
3+
*
4+
* Licensed under the Apache License, Version 2.0 (the "License");
5+
* you may not use this file except in compliance with the License.
6+
* You may obtain a copy of the License at
7+
*
8+
* http://www.apache.org/licenses/LICENSE-2.0
9+
*
10+
* Unless required by applicable law or agreed to in writing, software
11+
* distributed under the License is distributed on an "AS IS" BASIS,
12+
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13+
* See the License for the specific language governing permissions and
14+
* limitations under the License.
15+
*/
16+
package dev.sigstore.trustroot;
17+
18+
import dev.sigstore.trustroot.Service.Config.Selector;
19+
import java.net.URI;
20+
import java.time.Instant;
21+
22+
/**
23+
* Internal use only: legacy signing config that contains all the necessary information to keep
24+
* signers working without signing config being available on a TUF repo
25+
*/
26+
public class LegacySigningConfig {
27+
28+
static final URI REKOR_PUBLIC_GOOD_URI = URI.create("https://rekor.sigstore.dev");
29+
static final URI REKOR_STAGING_URI = URI.create("https://rekor.sigstage.dev");
30+
31+
static final URI FULCIO_PUBLIC_GOOD_URI = URI.create("https://fulcio.sigstore.dev");
32+
static final URI FULCIO_STAGING_URI = URI.create("https://fulcio.sigstage.dev");
33+
34+
static final URI DEX_PUBLIC_GOOD_URI = URI.create("https://oauth2.sigstore.dev/auth");
35+
static final URI DEX_STAGING_GOOD_URI = URI.create("https://oauth2.sigstage.dev/auth");
36+
37+
static final URI TSA_PUBLIC_GOOD_URI = URI.create("https://tsa.sigstore.dev/api/v1/timestamp");
38+
static final URI TSA_STAGING_URI = URI.create("https://tsa.sigstage.dev/api/v1/timestamp");
39+
40+
static SigstoreSigningConfig from(URI fulcioUrl, URI rekorUrl, URI dexUrl, URI tsaUrl) {
41+
var anySelector = ImmutableConfig.builder().selector(Selector.ANY).build();
42+
var now = ImmutableValidFor.builder().start(Instant.now()).build();
43+
return ImmutableSigstoreSigningConfig.builder()
44+
.tLogConfig(anySelector)
45+
.tsaConfig(anySelector)
46+
.addCas(ImmutableService.builder().apiVersion(1).url(fulcioUrl).validFor(now).build())
47+
.addTLogs(ImmutableService.builder().apiVersion(1).url(rekorUrl).validFor(now).build())
48+
.addOidcProviders(
49+
ImmutableService.builder().apiVersion(1).url(dexUrl).validFor(now).build())
50+
.addTsas(ImmutableService.builder().apiVersion(1).url(tsaUrl).validFor(now).build())
51+
.build();
52+
}
53+
54+
public static final SigstoreSigningConfig PUBLIC_GOOD =
55+
from(FULCIO_PUBLIC_GOOD_URI, REKOR_PUBLIC_GOOD_URI, DEX_PUBLIC_GOOD_URI, TSA_PUBLIC_GOOD_URI);
56+
public static SigstoreSigningConfig STAGING =
57+
from(FULCIO_STAGING_URI, REKOR_STAGING_URI, DEX_STAGING_GOOD_URI, TSA_STAGING_URI);
58+
}

sigstore-java/src/main/java/dev/sigstore/trustroot/SigstoreTrustedRoot.java

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@
1616
package dev.sigstore.trustroot;
1717

1818
import com.google.api.client.util.Lists;
19+
import com.google.common.base.Strings;
1920
import dev.sigstore.json.ProtoJson;
2021
import dev.sigstore.proto.trustroot.v1.TrustedRoot;
2122
import dev.sigstore.proto.trustroot.v1.TrustedRootOrBuilder;
@@ -43,7 +44,7 @@ public interface SigstoreTrustedRoot {
4344
/** A list of timestamping authorities associated with this trustroot. */
4445
List<CertificateAuthority> getTSAs();
4546

46-
/** Create an instance from an input stream of a json representation of a trustedroot. */
47+
/** Parse the trusted root from an input stream and close the stream */
4748
static SigstoreTrustedRoot from(InputStream json) throws SigstoreConfigurationException {
4849
var trustedRootBuilder = TrustedRoot.newBuilder();
4950
try (var reader = new InputStreamReader(json, StandardCharsets.UTF_8)) {
@@ -57,13 +58,19 @@ static SigstoreTrustedRoot from(InputStream json) throws SigstoreConfigurationEx
5758
/** Create an instance from a parsed proto definition of a trustedroot. */
5859
static SigstoreTrustedRoot from(TrustedRootOrBuilder proto)
5960
throws SigstoreConfigurationException {
61+
if (!Strings.isNullOrEmpty(proto.getMediaType())
62+
&& !proto
63+
.getMediaType()
64+
.equals("application/vnd.dev.sigstore.trustedroot+json;version=0.1")) {
65+
throw new SigstoreConfigurationException(
66+
"Unsupported trusted root mediaType: " + proto.getMediaType());
67+
}
6068
List<CertificateAuthority> cas = Lists.newArrayList();
6169
for (var certAuthority : proto.getCertificateAuthoritiesList()) {
6270
try {
6371
cas.add(CertificateAuthority.from(certAuthority));
6472
} catch (CertificateException ce) {
65-
throw new SigstoreConfigurationException(
66-
"Could not parse certificates in trusted root", ce);
73+
throw new SigstoreConfigurationException("Could not parse certificate in trusted root", ce);
6774
}
6875
}
6976

sigstore-java/src/main/java/dev/sigstore/tuf/Updater.java

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -144,8 +144,6 @@ public void downloadTarget(String targetName) throws IOException {
144144
void updateRoot()
145145
throws IOException,
146146
RoleExpiredException,
147-
NoSuchAlgorithmException,
148-
InvalidKeySpecException,
149147
FileExceedsMaxLengthException,
150148
RollbackVersionException,
151149
SignatureVerificationException {

0 commit comments

Comments
 (0)