Skip to content

Commit

Permalink
remove root_pem_file from cfg, and only allow a single file (#225)
Browse files Browse the repository at this point in the history
* remove root_pem_file from cfg, and only allow a single file

* s/paths/path
  • Loading branch information
phbnf authored Sep 6, 2024
1 parent c369471 commit 0d8f472
Show file tree
Hide file tree
Showing 7 changed files with 164 additions and 179 deletions.
8 changes: 4 additions & 4 deletions personalities/sctfe/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,9 +48,9 @@ type LogConfig struct {
// origin identifies the log. It will be used in its checkpoint, and
// is also its submission prefix, as per https://c2sp.org/static-ct-api
Origin string
// Paths to the files containing root certificates that are acceptable to the
// Path to the file containing root certificates that are acceptable to the
// log. The certs are served through get-roots endpoint.
RootsPemFile []string
RootsPemFile string
// The private key used for signing Checkpoints or SCTs.
PrivateKey *anypb.Any
// The public key matching the above private key (if both are present).
Expand Down Expand Up @@ -122,7 +122,7 @@ func LogConfigFromFile(filename string) (*configpb.LogConfig, error) {
// - Merge delays (if present) are correct.
//
// Returns the validated structures (useful to avoid double validation).
func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string) (*ValidatedLogConfig, error) {
func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string, rootsPemFile string) (*ValidatedLogConfig, error) {
if origin == "" {
return nil, errors.New("empty origin")
}
Expand All @@ -142,7 +142,7 @@ func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string,

vCfg := ValidatedLogConfig{Config: &LogConfig{
Origin: origin,
RootsPemFile: cfg.RootsPemFile,
RootsPemFile: rootsPemFile,
PrivateKey: cfg.PrivateKey,
PublicKey: cfg.PublicKey,
RejectExpired: cfg.RejectExpired,
Expand Down
2 changes: 1 addition & 1 deletion personalities/sctfe/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -317,7 +317,7 @@ func TestValidateLogConfig(t *testing.T) {
},
} {
t.Run(tc.desc, func(t *testing.T) {
vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB)
vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB, "")
if len(tc.wantErr) == 0 && err != nil {
t.Errorf("ValidateLogConfig()=%v, want nil", err)
}
Expand Down
95 changes: 41 additions & 54 deletions personalities/sctfe/configpb/config.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 0 additions & 3 deletions personalities/sctfe/configpb/config.proto
Original file line number Diff line number Diff line change
Expand Up @@ -26,9 +26,6 @@ import "google/protobuf/timestamp.proto";
//
// NEXT_ID: 15
message LogConfig {
// Paths to the files containing root certificates that are acceptable to the
// log. The certs are served through get-roots endpoint.
repeated string roots_pem_file = 2;
// The private key used for signing Checkpoints or SCTs.
google.protobuf.Any private_key = 3;
// The public key matching the above private key (if both are present).
Expand Down
14 changes: 7 additions & 7 deletions personalities/sctfe/ct_server_gcp/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -61,12 +61,12 @@ var (
tracingProjectID = flag.String("tracing_project_id", "", "project ID to pass to stackdriver. Can be empty for GCP, consult docs for other platforms.")
tracingPercent = flag.Int("tracing_percent", 0, "Percent of requests to be traced. Zero is a special case to use the DefaultSampler")
pkcs11ModulePath = flag.String("pkcs11_module_path", "", "Path to the PKCS#11 module to use for keys that use the PKCS#11 interface")
// TODO: remove comment above when the config proto has been deleted.
dedupPath = flag.String("dedup_path", "", "Path to the deduplication database")
origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
bucket = flag.String("bucket", "", "name of the bucket to store the log in")
spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
dedupPath = flag.String("dedup_path", "", "Path to the deduplication database")
origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
bucket = flag.String("bucket", "", "name of the bucket to store the log in")
spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
rootsPemFile = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
)

// nolint:staticcheck
Expand All @@ -89,7 +89,7 @@ func main() {
klog.Exitf("Failed to read config: %v", err)
}

vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB)
vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB, *rootsPemFile)
if err != nil {
klog.Exitf("Invalid config: %v", err)
}
Expand Down
7 changes: 3 additions & 4 deletions personalities/sctfe/instance.go
Original file line number Diff line number Diff line change
Expand Up @@ -81,17 +81,16 @@ func setUpLogInfo(ctx context.Context, opts InstanceOptions) (*logInfo, error) {
vCfg := opts.Validated
cfg := vCfg.Config

// TODO(phboneff): move to ValidateLogConfig
// Check config validity.
if len(cfg.RootsPemFile) == 0 {
return nil, errors.New("need to specify RootsPemFile")
}

// Load the trusted roots.
roots := x509util.NewPEMCertPool()
for _, pemFile := range cfg.RootsPemFile {
if err := roots.AppendCertsFromPEMFile(pemFile); err != nil {
return nil, fmt.Errorf("failed to read trusted roots: %v", err)
}
if err := roots.AppendCertsFromPEMFile(cfg.RootsPemFile); err != nil {
return nil, fmt.Errorf("failed to read trusted roots: %v", err)
}

var signer crypto.Signer
Expand Down
Loading

0 comments on commit 0d8f472

Please sign in to comment.