-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fulcio API v2. #209
base: main
Are you sure you want to change the base?
Fulcio API v2. #209
Conversation
I still wanna test and improve the code. But, as my second contribution in the Sigstore ecosystem, I think is worth to open a draft PR to get some initial feedback from all of you. Thanks! |
FYI: @flavio |
Updates sigstore.rs to use the latest Fulcio API v2 to request certs. This required a change in the structures used to send the request because the payload changed in the new API version. Signed-off-by: José Guilherme Vanz <jguilhermevanz@suse.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Warning: this is not related with this specific PR.
I have doubts about the Fulcio types. As I pointed out inside of the comments some of them are not mapping the protobuf specification. I think it would be nice to revisit how these types are generated and try to automate that via some dedicated crate and the usage of of a build.rs
.
Right now I fear that keeping things in sync is just a manual process that requires quite some scrutiny to avoid this kind of mistakes
algorithm: Option<SigningScheme>, | ||
content: String, | ||
} | ||
impl Serialize for PublicKey { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit, empty line missing
struct PublicKeyRequest { | ||
public_key: PublicKey, | ||
proof_of_possession: String, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit, no empty line after the }
#[derive(Serialize, Debug)] | ||
#[serde(rename_all = "camelCase")] | ||
struct Credentials { | ||
oidc_identity_token: String, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would add the following comment:
/// The OIDC token that identifies the caller
This is taken from here
public_key: PublicKey, | ||
proof_of_possession: String, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, copy the inline docs from here
public_key_request: PublicKeyRequest, | ||
certificate_signing_request: Option<String>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not correct, according to the protobuf spec public_key_request
and certificate_signing_request
are declared as oneof
.
I'm not the author of this Rust implementation, but I think this code would be generated in another way using something like protobuf-codegen. I guess the final code would put these fields under something like an enum?
#[derive(Deserialize)] | ||
#[serde(rename_all = "camelCase")] | ||
struct Chain { | ||
certificates: Vec<FulcioCert>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please add the inline comment from here
struct SignedCertificateDetachedSct { | ||
chain: Chain, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing inline comments and signed_certificate_timestamp
, according to the definition
struct SignedCertificateEmbeddedSct { | ||
chain: Chain, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing inline comment, please copy from here
struct CsrResponse { | ||
signed_certificate_detached_sct: Option<SignedCertificateDetachedSct>, | ||
signed_certificate_embedded_sct: Option<SignedCertificateEmbeddedSct>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also in this case, these attributes are mutually exclusive because protobuf defines them as oneof
as seen here
Summary
Updates sigstore.rs to use the latest Fulcio API v2 to request certs. This required a change in the structures used to send the request because the payload changed in the new API version.
Fix #139
Release Note
Switch to the latest Fulcio API v2.