Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fulcio API v2. #209

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fulcio API v2. #209

wants to merge 1 commit into from

Conversation

jvanz
Copy link
Contributor

@jvanz jvanz commented Feb 3, 2023

Summary

Updates sigstore.rs to use the latest Fulcio API v2 to request certs. This required a change in the structures used to send the request because the payload changed in the new API version.

Fix #139

Release Note

Switch to the latest Fulcio API v2.

@jvanz
Copy link
Contributor Author

jvanz commented Feb 3, 2023

I still wanna test and improve the code. But, as my second contribution in the Sigstore ecosystem, I think is worth to open a draft PR to get some initial feedback from all of you. Thanks!

@jvanz
Copy link
Contributor Author

jvanz commented Feb 3, 2023

FYI: @flavio

Updates sigstore.rs to use the latest Fulcio API v2 to request certs.
This required a change in the structures used to send the request
because the payload changed in the new API version.

Signed-off-by: José Guilherme Vanz <[email protected]>
@jvanz jvanz marked this pull request as ready for review May 31, 2023 20:07
Copy link
Member

@flavio flavio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Warning: this is not related with this specific PR.

I have doubts about the Fulcio types. As I pointed out inside of the comments some of them are not mapping the protobuf specification. I think it would be nice to revisit how these types are generated and try to automate that via some dedicated crate and the usage of of a build.rs.

Right now I fear that keeping things in sync is just a manual process that requires quite some scrutiny to avoid this kind of mistakes

algorithm: Option<SigningScheme>,
content: String,
}
impl Serialize for PublicKey {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, empty line missing

struct PublicKeyRequest {
public_key: PublicKey,
proof_of_possession: String,
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, no empty line after the }

#[derive(Serialize, Debug)]
#[serde(rename_all = "camelCase")]
struct Credentials {
oidc_identity_token: String,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would add the following comment:

/// The OIDC token that identifies the caller

This is taken from here

Comment on lines +64 to +65
public_key: PublicKey,
proof_of_possession: String,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please, copy the inline docs from here

Comment on lines +75 to +76
public_key_request: PublicKeyRequest,
certificate_signing_request: Option<String>,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not correct, according to the protobuf spec public_key_request and certificate_signing_request are declared as oneof.

I'm not the author of this Rust implementation, but I think this code would be generated in another way using something like protobuf-codegen. I guess the final code would put these fields under something like an enum?

#[derive(Deserialize)]
#[serde(rename_all = "camelCase")]
struct Chain {
certificates: Vec<FulcioCert>,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add the inline comment from here

Comment on lines +95 to +97
struct SignedCertificateDetachedSct {
chain: Chain,
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing inline comments and signed_certificate_timestamp, according to the definition

Comment on lines +101 to +103
struct SignedCertificateEmbeddedSct {
chain: Chain,
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing inline comment, please copy from here

Comment on lines +107 to +109
struct CsrResponse {
signed_certificate_detached_sct: Option<SignedCertificateDetachedSct>,
signed_certificate_embedded_sct: Option<SignedCertificateEmbeddedSct>,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also in this case, these attributes are mutually exclusive because protobuf defines them as oneof as seen here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Switch to Fulcio V2 API
2 participants