feat(signing): implement timestamp authorities for signature and veri…

…fication (chainloop-dev#1843) Signed-off-by: Jose I. Paris <[email protected]>
jiparis · Feb 20, 2025 · 3b67e0e · 3b67e0e
1 parent 9f2781c
commit 3b67e0e
Show file tree

Hide file tree

Showing 44 changed files with 2,337 additions and 1,175 deletions.
diff --git a/app/cli/internal/action/attestation_init.go b/app/cli/internal/action/attestation_init.go
@@ -150,9 +150,13 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		return "", ErrRunnerContextNotFound{err.Error()}
 	}
 
-	// Identifier of this attestation instance
-	var attestationID string
-	var blockOnPolicyViolation bool
+	var (
+		// Identifier of this attestation instance
+		attestationID          string
+		blockOnPolicyViolation bool
+		// Timestamp Authority URL for new attestations
+		timestampAuthorityURL string
+	)
 
 	// Init in the control plane if needed including the runner context
 	if !action.dryRun {
@@ -176,6 +180,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		workflowMeta.WorkflowRunId = workflowRun.GetId()
 		workflowMeta.Organization = runResp.GetResult().GetOrganization()
 		blockOnPolicyViolation = runResp.GetResult().GetBlockOnPolicyViolation()
+		timestampAuthorityURL = runResp.GetResult().GetSigningOptions().GetTimestampAuthorityUrl()
 		if v := workflowMeta.Version; v != nil {
 			workflowMeta.Version.Prerelease = runResp.GetResult().GetWorkflowRun().Version.GetPrerelease()
 		}
@@ -194,6 +199,7 @@ func (action *AttestationInit) Run(ctx context.Context, opts *AttestationInitRun
 		AttestationID:          attestationID,
 		Runner:                 discoveredRunner,
 		BlockOnPolicyViolation: blockOnPolicyViolation,
+		SigningOptions:         &crafter.SigningOpts{TimestampAuthorityURL: timestampAuthorityURL},
 	}
 
 	if err := action.c.Init(ctx, initOpts); err != nil {

diff --git a/app/cli/internal/action/workflow_run_describe.go b/app/cli/internal/action/workflow_run_describe.go
@@ -246,7 +246,7 @@ func (action *WorkflowRunDescribe) Run(ctx context.Context, opts *WorkflowRunDes
 }
 
 func trustedRootPbToVerifier(resp *pb.GetTrustedRootResponse) (*verifier.TrustedRoot, error) {
-	tr := &verifier.TrustedRoot{Keys: make(map[string][]*x509.Certificate)}
+	tr := &verifier.TrustedRoot{Keys: make(map[string][]*x509.Certificate), TimestampAuthorities: make(map[string][]*x509.Certificate)}
 	for k, v := range resp.GetKeys() {
 		for _, c := range v.Certificates {
 			cert, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(c))
@@ -256,6 +256,15 @@ func trustedRootPbToVerifier(resp *pb.GetTrustedRootResponse) (*verifier.Trusted
 			tr.Keys[k] = append(tr.Keys[k], cert[0])
 		}
 	}
+	for k, v := range resp.GetTimestampAuthorities() {
+		for _, c := range v.Certificates {
+			cert, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(c))
+			if err != nil {
+				return nil, fmt.Errorf("loading certificate from PEM: %w", err)
+			}
+			tr.TimestampAuthorities[k] = append(tr.TimestampAuthorities[k], cert[0])
+		}
+	}
 	return tr, nil
 }
 

diff --git a/app/controlplane/api/controlplane/v1/signing.pb.go b/app/controlplane/api/controlplane/v1/signing.pb.go
diff --git a/app/controlplane/api/controlplane/v1/signing.proto b/app/controlplane/api/controlplane/v1/signing.proto
@@ -47,4 +47,6 @@ message GetTrustedRootRequest {}
 message GetTrustedRootResponse {
   // map keyID (cert SubjectKeyIdentifier) to PEM encoded chains
   map<string, CertificateChain> keys = 1;
+  // timestamp authorities
+  map<string, CertificateChain> timestamp_authorities = 2;
 }