remove root_pem_file from cfg, and only allow a single file #225

Merged
merged 2 commits into from
Sep 6, 2024
Merged
8 changes: 4 additions & 4 deletions personalities/sctfe/config.go
Expand Up @@ -48,9 +48,9 @@ type LogConfig struct {
// origin identifies the log. It will be used in its checkpoint, and
// is also its submission prefix, as per https://c2sp.org/static-ct-api
Origin string
// Paths to the files containing root certificates that are acceptable to the
// Path to the file containing root certificates that are acceptable to the
// log. The certs are served through get-roots endpoint.
RootsPemFile []string
RootsPemFile string
// The private key used for signing Checkpoints or SCTs.
PrivateKey *anypb.Any
// The public key matching the above private key (if both are present).
Expand Down Expand Up @@ -122,7 +122,7 @@ func LogConfigFromFile(filename string) (*configpb.LogConfig, error) {
// - Merge delays (if present) are correct.
//
// Returns the validated structures (useful to avoid double validation).
func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string) (*ValidatedLogConfig, error) {
func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string, rootsPemFile string) (*ValidatedLogConfig, error) {
if origin == "" {
return nil, errors.New("empty origin")
}
Expand All @@ -142,7 +142,7 @@ func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string,

vCfg := ValidatedLogConfig{Config: &LogConfig{
Origin: origin,
RootsPemFile: cfg.RootsPemFile,
RootsPemFile: rootsPemFile,
PrivateKey: cfg.PrivateKey,
PublicKey: cfg.PublicKey,
RejectExpired: cfg.RejectExpired,
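Review bot: The new `rootsPemFile` parameter of `ValidateLogConfig` is copied straight into `RootsPemFile` in the second hunk, and no emptiness check is visible next to the existing `origin == ""` guard. The updated call in config_test.go passes `""` and still expects success for the valid cases, so an unset roots path appears to pass validation and is only rejected later in `setUpLogInfo`. Because this file defines which roots the log accepts, I would reject it at validation time with `if rootsPemFile == "" { return nil, errors.New("empty rootsPemFile") }`, give the valid test cases a non-empty path, and add the roots path to the checklist in the doc comment above the function. The body of `ValidateLogConfig` between the two hunks is not shown, so this rests on the visible lines only.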
2 changes: 1 addition & 1 deletion personalities/sctfe/config_test.go
Expand Up @@ -317,7 +317,7 @@ func TestValidateLogConfig(t *testing.T) {
},
} {
t.Run(tc.desc, func(t *testing.T) {
vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB)
vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB, "")
if len(tc.wantErr) == 0 && err != nil {
t.Errorf("ValidateLogConfig()=%v, want nil", err)
}
95 changes: 41 additions & 54 deletions personalities/sctfe/configpb/config.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

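--- a/personalities/sctfe/configpb/config.proto
+++ b/personalities/sctfe/configpb/config.proto
@@ -26,9 +26,6 @@ import "google/protobuf/timestamp.proto";
 //
 // NEXT_ID: 15
 message LogConfig {
-// Paths to the files containing root certificates that are acceptable to the
-// log. The certs are served through get-roots endpoint.
-repeated string roots_pem_file = 2;
 // The private key used for signing Checkpoints or SCTs.
 google.protobuf.Any private_key = 3;
 // The public key matching the above private key (if both are present).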
14 changes: 7 additions & 7 deletions personalities/sctfe/ct_server_gcp/main.go
Expand Up @@ -61,12 +61,12 @@ var (
tracingProjectID = flag.String("tracing_project_id", "", "project ID to pass to stackdriver. Can be empty for GCP, consult docs for other platforms.")
tracingPercent = flag.Int("tracing_percent", 0, "Percent of requests to be traced. Zero is a special case to use the DefaultSampler")
pkcs11ModulePath = flag.String("pkcs11_module_path", "", "Path to the PKCS#11 module to use for keys that use the PKCS#11 interface")
// TODO: remove comment above when the config proto has been deleted.
dedupPath = flag.String("dedup_path", "", "Path to the deduplication database")
origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
bucket = flag.String("bucket", "", "name of the bucket to store the log in")
spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
dedupPath = flag.String("dedup_path", "", "Path to the deduplication database")
origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
bucket = flag.String("bucket", "", "name of the bucket to store the log in")
spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
rootsPemFile = flag.String("roots_pem_file", "", "Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
)

// nolint:staticcheck
Expand All @@ -89,7 +89,7 @@ func main() {
klog.Exitf("Failed to read config: %v", err)
}

vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB)
vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB, *rootsPemFile)
if err != nil {
klog.Exitf("Invalid config: %v", err)
}
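Review bot: The help text for `project_id` in the realigned flag block is a copy of the `origin` description (`"origin of the log, for checkpoints and the monitoring prefix"`), so `-help` gives operators the wrong meaning for that flag. It should describe the project instead, for example `"ID of the GCP project hosting the log"` (presumably a GCP project, given the Spanner path format on the next flag; confirm). The new `roots_pem_file` flag defaults to `""` and is passed to `ValidateLogConfig` as is, so its help text should say the flag is required.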
7 changes: 3 additions & 4 deletions personalities/sctfe/instance.go
Expand Up @@ -81,17 +81,16 @@ func setUpLogInfo(ctx context.Context, opts InstanceOptions) (*logInfo, error) {
vCfg := opts.Validated
cfg := vCfg.Config

// TODO(phboneff): move to ValidateLogConfig
// Check config validity.
if len(cfg.RootsPemFile) == 0 {
return nil, errors.New("need to specify RootsPemFile")
}

// Load the trusted roots.
roots := x509util.NewPEMCertPool()
for _, pemFile := range cfg.RootsPemFile {
if err := roots.AppendCertsFromPEMFile(pemFile); err != nil {
return nil, fmt.Errorf("failed to read trusted roots: %v", err)
}
if err := roots.AppendCertsFromPEMFile(cfg.RootsPemFile); err != nil {
return nil, fmt.Errorf("failed to read trusted roots: %v", err)
}

var signer crypto.Signer
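Review bot: The error returned when loading the roots omits the file path and flattens the cause with `%v`; with a single file it is cheap to report both: `return nil, fmt.Errorf("failed to read trusted roots from %q: %w", cfg.RootsPemFile, err)`. The empty-path check above it carries a TODO to move it into `ValidateLogConfig`. While it stays here, its message `need to specify RootsPemFile` names a struct field although operators now set the `roots_pem_file` flag, so naming the flag would make the failure easier to act on. `setUpLogInfo` continues beyond the hunk.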