Add baseUrl and Uri to trusted-root create command

Clients using Rekor v2 need the name of the log server in order to
create a checkpoint verifier, so it is useful to include it in the trust
root. This change adds that functionality for all key material.

Signed-off-by: Colleen Murphy <[email protected]>

Author: cmurphy

cmd/cosign/cli/options/trustedroot.go

@@ -21,12 +21,16 @@ import (
 
 type TrustedRootCreateOptions struct {
 	CertChain        []string
+	FulcioURI        []string
 	CtfeKeyPath      []string
 	CtfeStartTime    []string
+	CtfeURL          []string
 	Out              string
 	RekorKeyPath     []string
 	RekorStartTime   []string
+	RekorURL         []string
 	TSACertChainPath []string
+	TSAURI           []string
 }
 
 var _ Interface = (*TrustedRootCreateOptions)(nil)
@@ -39,6 +43,9 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 			"signing certificate and end with the root certificate.")
 	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
+	cmd.Flags().StringArrayVar(&o.FulcioURI, "fulcio-uri", nil,
+		"URI of the Fulcio server issuing certificates.")
+
 	cmd.Flags().StringArrayVar(&o.CtfeKeyPath, "ctfe-key", nil,
 		"path to a PEM-encoded public key used by certificate authority for "+
 			"certificate transparency log.")
@@ -48,6 +55,9 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 		"RFC 3339 string describing validity start time for key use by "+
 			"certificate transparency log.")
 
+	cmd.Flags().StringArrayVar(&o.CtfeURL, "ctfe-url", nil,
+		"URL of the certificate transparency log.")
+
 	cmd.Flags().StringVar(&o.Out, "out", "", "path to output trusted root")
 	// _ = cmd.MarkFlagFilename("output") // no typical extensions
 
@@ -59,8 +69,14 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 		"RFC 3339 string describing validity start time for key use by "+
 			"transparency log like Rekor.")
 
+	cmd.Flags().StringArrayVar(&o.RekorURL, "rekor-url", nil,
+		"URL of the transparency log.")
+
 	cmd.Flags().StringArrayVar(&o.TSACertChainPath, "timestamp-certificate-chain", nil,
 		"path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. "+
 			"Optionally may contain intermediate CA certificates")
 	_ = cmd.MarkFlagFilename("timestamp-certificate-chain", certificateExts...)
+
+	cmd.Flags().StringArrayVar(&o.TSAURI, "timestamp-uri", nil,
+		"URI of the timestamp authority server.")
 }

cmd/cosign/cli/trustedroot.go

@@ -45,12 +45,16 @@ func trustedRootCreate() *cobra.Command {
 		RunE: func(cmd *cobra.Command, _ []string) error {
 			trCreateCmd := &trustedroot.CreateCmd{
 				CertChain:        o.CertChain,
+				FulcioURI:        o.FulcioURI,
 				CtfeKeyPath:      o.CtfeKeyPath,
 				CtfeStartTime:    o.CtfeStartTime,
+				CtfeURL:          o.CtfeURL,
 				Out:              o.Out,
 				RekorKeyPath:     o.RekorKeyPath,
 				RekorStartTime:   o.RekorStartTime,
+				RekorURL:         o.RekorURL,
 				TSACertChainPath: o.TSACertChainPath,
+				TSAURI:           o.TSAURI,
 			}
 
 			ctx, cancel := context.WithTimeout(cmd.Context(), ro.Timeout)

cmd/cosign/cli/trustedroot/trustedroot.go

@@ -32,12 +32,16 @@ import (
 
 type CreateCmd struct {
 	CertChain        []string
+	FulcioURI        []string
 	CtfeKeyPath      []string
 	CtfeStartTime    []string
+	CtfeURL          []string
 	Out              string
 	RekorKeyPath     []string
 	RekorStartTime   []string
+	RekorURL         []string
 	TSACertChainPath []string
+	TSAURI           []string
 }
 
 func (c *CreateCmd) Exec(_ context.Context) error {
@@ -47,7 +51,11 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 	rekorTransparencyLogs := make(map[string]*root.TransparencyLog)
 
 	for i := 0; i < len(c.CertChain); i++ {
-		fulcioAuthority, err := parseCAPEMFile(c.CertChain[i])
+		var fulcioURI string
+		if i < len(c.FulcioURI) {
+			fulcioURI = c.FulcioURI[i]
+		}
+		fulcioAuthority, err := parseCAPEMFile(c.CertChain[i], fulcioURI)
 		if err != nil {
 			return err
 		}
@@ -76,6 +84,10 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 			PublicKey:           *ctLogPubKey,
 			SignatureHashFunc:   crypto.SHA256,
 		}
+
+		if i < len(c.CtfeURL) {
+			ctLogs[id].BaseURL = c.CtfeURL[i]
+		}
 	}
 
 	for i := 0; i < len(c.RekorKeyPath); i++ {
@@ -100,10 +112,18 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 			PublicKey:           *tlogPubKey,
 			SignatureHashFunc:   crypto.SHA256,
 		}
+
+		if i < len(c.RekorURL) {
+			rekorTransparencyLogs[id].BaseURL = c.RekorURL[i]
+		}
 	}
 
 	for i := 0; i < len(c.TSACertChainPath); i++ {
-		timestampAuthority, err := parseTAPEMFile(c.TSACertChainPath[i])
+		var tsaURI string
+		if i < len(c.TSAURI) {
+			tsaURI = c.TSAURI[i]
+		}
+		timestampAuthority, err := parseTAPEMFile(c.TSACertChainPath[i], tsaURI)
 		if err != nil {
 			return err
 		}
@@ -137,7 +157,7 @@ func (c *CreateCmd) Exec(_ context.Context) error {
 	return nil
 }
 
-func parseCAPEMFile(path string) (root.CertificateAuthority, error) {
+func parseCAPEMFile(path, uri string) (root.CertificateAuthority, error) {
 	certs, err := parseCerts(path)
 	if err != nil {
 		return nil, err
@@ -149,11 +169,12 @@ func parseCAPEMFile(path string) (root.CertificateAuthority, error) {
 	if len(certs) > 1 {
 		ca.Intermediates = certs[:len(certs)-1]
 	}
+	ca.URI = uri
 
 	return &ca, nil
 }
 
-func parseTAPEMFile(path string) (root.TimestampingAuthority, error) {
+func parseTAPEMFile(path, uri string) (root.TimestampingAuthority, error) {
 	certs, err := parseCerts(path)
 	if err != nil {
 		return nil, err
@@ -165,6 +186,7 @@ func parseTAPEMFile(path string) (root.TimestampingAuthority, error) {
 	if len(certs) > 1 {
 		ta.Intermediates = certs[:len(certs)-1]
 	}
+	ta.URI = uri
 
 	return &ta, nil
 }

cmd/cosign/cli/trustedroot/trustedroot_test.go

@@ -45,8 +45,11 @@ func TestCreateCmd(t *testing.T) {
 
 	trustedrootCreate := CreateCmd{
 		CertChain:        []string{fulcioChainPath},
+		FulcioURI:        []string{"https://fulcio.sigstore.example"},
+		RekorURL:         []string{"https://rekor.sigstore.example"},
 		Out:              outPath,
 		TSACertChainPath: []string{tsaChainPath},
+		TSAURI:           []string{"https://tsa.sigstore.example"},
 	}
 
 	err := trustedrootCreate.Exec(ctx)