trustroot: initial client config messages

gen/jsonschema/schemas/SigningConfig.schema.json

@@ -0,0 +1,30 @@
+{
+    "$schema": "http://json-schema.org/draft-04/schema#",
+    "$ref": "#/definitions/SigningConfig",
+    "definitions": {
+        "SigningConfig": {
+            "properties": {
+                "caUrl": {
+                    "type": "string",
+                    "description": "A URL to a Fulcio-compatible CA, capable of receiving Certificate Signing Requests (CSRs) and responding with issued certificates. This URL **MUST** be the \"base\" URL for the CA, which clients should construct an appropriate CSR endpoint on top of. For example, if `ca_url` is `https://example.com/ca`, then the client **MAY** construct the CSR endpoint as `https://example.com/ca/api/v2/signingCert`."
+                },
+                "oidcUrl": {
+                    "type": "string",
+                    "description": "A URL to an OpenID Connect identity provider. This URL **MUST** be the \"base\" URL for the OIDC IdP, which clients should perform well-known OpenID Connect discovery against."
+                },
+                "tlogUrl": {
+                    "type": "string",
+                    "description": "A URL to a Rekor-compatible transparency log. This URL **MUST** be the \"base\" URL for the transparency log, which clients should construct appropriate API endpoints on top of."
+                },
+                "tsaUrl": {
+                    "type": "string",
+                    "description": "A URL to an RFC 3161 Time Stamping Authority (TSA). This URL **MUST** be the **full** URL for the TSA, meaning that it should be suitable for submitting Time Stamp Requests (TSRs) to via HTTP, per RFC 3161."
+                }
+            },
+            "additionalProperties": false,
+            "type": "object",
+            "title": "Signing Config",
+            "description": "SigningConfig represents the trusted entities/state needed by Sigstore signing. In particular, it primarily contains service URLs that a Sigstore signer may need to connect to for the online aspects of signing."
+        }
+    }
+}

gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs

@@ -132,3 +132,67 @@ pub struct TrustedRoot {
     #[prost(message, repeated, tag = "5")]
     pub timestamp_authorities: ::prost::alloc::vec::Vec<CertificateAuthority>,
 }
+/// SigningConfig represents the trusted entities/state needed by Sigstore
+/// signing. In particular, it primarily contains service URLs that a Sigstore
+/// signer may need to connect to for the online aspects of signing.
+#[derive(
+    sigstore_protobuf_specs_derive::Deserialize_proto,
+    sigstore_protobuf_specs_derive::Serialize_proto
+)]
+#[derive(::prost_reflect::ReflectMessage)]
+#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.SigningConfig")]
+#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
+#[allow(clippy::derive_partial_eq_without_eq)]
+#[derive(Clone, PartialEq, ::prost::Message)]
+pub struct SigningConfig {
+    /// A URL to a Fulcio-compatible CA, capable of receiving
+    /// Certificate Signing Requests (CSRs) and responding with
+    /// issued certificates.
+    ///
+    /// This URL **MUST** be the "base" URL for the CA, which clients
+    /// should construct an appropriate CSR endpoint on top of.
+    /// For example, if `ca_url` is `<https://example.com/ca`,> then
+    /// the client **MAY** construct the CSR endpoint as
+    /// `<https://example.com/ca/api/v2/signingCert`.>
+    #[prost(string, tag = "1")]
+    pub ca_url: ::prost::alloc::string::String,
+    /// A URL to an OpenID Connect identity provider.
+    ///
+    /// This URL **MUST** be the "base" URL for the OIDC IdP, which clients
+    /// should perform well-known OpenID Connect discovery against.
+    #[prost(string, tag = "2")]
+    pub oidc_url: ::prost::alloc::string::String,
+    /// A URL to a Rekor-compatible transparency log.
+    ///
+    /// This URL **MUST** be the "base" URL for the transparency log,
+    /// which clients should construct appropriate API endpoints on top of.
+    #[prost(string, tag = "3")]
+    pub tlog_url: ::prost::alloc::string::String,
+    /// A URL to an RFC 3161 Time Stamping Authority (TSA).
+    ///
+    /// This URL **MUST** be the **full** URL for the TSA, meaning that it
+    /// should be suitable for submitting Time Stamp Requests (TSRs) to
+    /// via HTTP, per RFC 3161.
+    #[prost(string, tag = "4")]
+    pub tsa_url: ::prost::alloc::string::String,
+}
+/// ClientTrustConfig describes the complete state needed by a client
+/// to perform both signing and verification operations against a particular
+/// instance of Sigstore.
+#[derive(
+    sigstore_protobuf_specs_derive::Deserialize_proto,
+    sigstore_protobuf_specs_derive::Serialize_proto
+)]
+#[derive(::prost_reflect::ReflectMessage)]
+#[prost_reflect(message_name = "dev.sigstore.trustroot.v1.ClientTrustConfig")]
+#[prost_reflect(file_descriptor_set_bytes = "crate::FILE_DESCRIPTOR_SET_BYTES")]
+#[allow(clippy::derive_partial_eq_without_eq)]
+#[derive(Clone, PartialEq, ::prost::Message)]
+pub struct ClientTrustConfig {
+    /// The root of trust, which MUST be present.
+    #[prost(message, optional, tag = "1")]
+    pub trusted_root: ::core::option::Option<TrustedRoot>,
+    /// Configuration for signing clients, which MUST be present.
+    #[prost(message, optional, tag = "2")]
+    pub signing_config: ::core::option::Option<SigningConfig>,
+}

protos/sigstore_trustroot.proto

@@ -15,6 +15,7 @@
 syntax = "proto3";
 package dev.sigstore.trustroot.v1;
 
+import "google/api/field_behavior.proto";
 import "sigstore_common.proto";
 
 option go_package = "github.com/sigstore/protobuf-specs/gen/pb-go/trustroot/v1";
@@ -117,3 +118,50 @@ message TrustedRoot {
         // A set of trusted timestamping authorities.
         repeated CertificateAuthority timestamp_authorities = 5;
 }
+
+
+// SigningConfig represents the trusted entities/state needed by Sigstore
+// signing. In particular, it primarily contains service URLs that a Sigstore
+// signer may need to connect to for the online aspects of signing.
+message SigningConfig {
+        // A URL to a Fulcio-compatible CA, capable of receiving
+        // Certificate Signing Requests (CSRs) and responding with
+        // issued certificates.
+        //
+        // This URL **MUST** be the "base" URL for the CA, which clients
+        // should construct an appropriate CSR endpoint on top of.
+        // For example, if `ca_url` is `https://example.com/ca`, then
+        // the client **MAY** construct the CSR endpoint as
+        // `https://example.com/ca/api/v2/signingCert`.
+        string ca_url = 1;
+
+        // A URL to an OpenID Connect identity provider.
+        //
+        // This URL **MUST** be the "base" URL for the OIDC IdP, which clients
+        // should perform well-known OpenID Connect discovery against.
+        string oidc_url = 2;
+
+        // A URL to a Rekor-compatible transparency log.
+        //
+        // This URL **MUST** be the "base" URL for the transparency log,
+        // which clients should construct appropriate API endpoints on top of.
+        string tlog_url = 3;
+
+        // A URL to an RFC 3161 Time Stamping Authority (TSA).
+        //
+        // This URL **MUST** be the **full** URL for the TSA, meaning that it
+        // should be suitable for submitting Time Stamp Requests (TSRs) to
+        // via HTTP, per RFC 3161.
+        string tsa_url = 4;
+}
+
+// ClientTrustConfig describes the complete state needed by a client
+// to perform both signing and verification operations against a particular
+// instance of Sigstore.
+message ClientTrustConfig {
+        // The root of trust, which MUST be present.
+        TrustedRoot trusted_root = 1 [(google.api.field_behavior) = REQUIRED];
+
+        // Configuration for signing clients, which MUST be present.
+        SigningConfig signing_config = 2 [(google.api.field_behavior) = REQUIRED];
+}