Fulcio API v2. #209
Fulcio API v2. #209
Conversation
|
I still wanna test and improve the code. But, as my second contribution in the Sigstore ecosystem, I think is worth to open a draft PR to get some initial feedback from all of you. Thanks! |
|
FYI: @flavio |
Updates sigstore.rs to use the latest Fulcio API v2 to request certs. This required a change in the structures used to send the request because the payload changed in the new API version. Signed-off-by: José Guilherme Vanz <[email protected]>
There was a problem hiding this comment.
Warning: this is not related with this specific PR.
I have doubts about the Fulcio types. As I pointed out inside of the comments some of them are not mapping the protobuf specification. I think it would be nice to revisit how these types are generated and try to automate that via some dedicated crate and the usage of of a build.rs.
Right now I fear that keeping things in sync is just a manual process that requires quite some scrutiny to avoid this kind of mistakes
| algorithm: Option<SigningScheme>, | ||
| content: String, | ||
| } | ||
| impl Serialize for PublicKey { |
| struct PublicKeyRequest { | ||
| public_key: PublicKey, | ||
| proof_of_possession: String, | ||
| } |
| #[derive(Serialize, Debug)] | ||
| #[serde(rename_all = "camelCase")] | ||
| struct Credentials { | ||
| oidc_identity_token: String, |
There was a problem hiding this comment.
I would add the following comment:
/// The OIDC token that identifies the caller
This is taken from here
| public_key: PublicKey, | ||
| proof_of_possession: String, |
There was a problem hiding this comment.
Please, copy the inline docs from here
| public_key_request: PublicKeyRequest, | ||
| certificate_signing_request: Option<String>, |
There was a problem hiding this comment.
This is not correct, according to the protobuf spec public_key_request and certificate_signing_request are declared as oneof.
I'm not the author of this Rust implementation, but I think this code would be generated in another way using something like protobuf-codegen. I guess the final code would put these fields under something like an enum?
| #[derive(Deserialize)] | ||
| #[serde(rename_all = "camelCase")] | ||
| struct Chain { | ||
| certificates: Vec<FulcioCert>, |
There was a problem hiding this comment.
please add the inline comment from here
| struct SignedCertificateDetachedSct { | ||
| chain: Chain, | ||
| } |
There was a problem hiding this comment.
Missing inline comments and signed_certificate_timestamp, according to the definition
| struct SignedCertificateEmbeddedSct { | ||
| chain: Chain, | ||
| } |
There was a problem hiding this comment.
Missing inline comment, please copy from here
| struct CsrResponse { | ||
| signed_certificate_detached_sct: Option<SignedCertificateDetachedSct>, | ||
| signed_certificate_embedded_sct: Option<SignedCertificateEmbeddedSct>, |
There was a problem hiding this comment.
Also in this case, these attributes are mutually exclusive because protobuf defines them as oneof as seen here
Summary
Updates sigstore.rs to use the latest Fulcio API v2 to request certs. This required a change in the structures used to send the request because the payload changed in the new API version.
Fix #139
Release Note
Switch to the latest Fulcio API v2.