feat: adds cert-utility templates and documentation. by ianhundere · Pull Request #889 · sigstore/timestamp-authority

ianhundere · 2024-11-21T20:21:01Z

closes #886, closes sigstore/fulcio#1930

Summary

currently, there is no standard method for creating cert chains for fulcio or tsa. the community has used an assortment of open source scripts/tools, but i thought it would be nice to have a small cloud agnostic go app to create/sign (via awskms, gcpkms, or azurekms) certificates. the smallstep crypto library is fairly comprehensive in its kms/cert capabilities.

@haydentherapper / @bobcallaway gave the go ahead in proceeding w/ this work.

Release Note

Adds certificate utility to create and sign certificates via AWS KMS, Google Cloud KMS, or Azure Key Vault.

Documentation

added docs to ./docs folder and updated README.md to point to docs.

ianhundere · 2024-12-01T06:41:56Z

i think this is ready for 👀 now. just a couple of notes.

the following use-cases are now covered:

root ca -> leaf
root ca -> intermediate ca -> leaf

the following kms providers are working:

awskms
azurekms
gcpkms

hashivault was added, but has not been tested.

i think that about covers it, i have some basic readme/documentation above as well.

cc @haydentherapper

codecov · 2024-12-04T04:05:58Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.73%. Comparing base (6fd19b0) to head (a96f1ed).
Report is 282 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #889      +/-   ##
==========================================
- Coverage   52.85%   44.73%   -8.12%     
==========================================
  Files          20       55      +35     
  Lines        1209     3657    +2448     
==========================================
+ Hits          639     1636     +997     
- Misses        509     1881    +1372     
- Partials       61      140      +79

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ianhundere · 2025-01-08T19:03:21Z

nudge for 👀 / thanks y'all

cc @haydentherapper / @bobcallaway

Hayden-IO

Related to the comment I just left on the other PR, I wonder if we can reduce duplication between these two. The only difference between the two is 1) the templates, and 2) that the TSA needs a leaf certificate and Fulcio doesn't.

In the Fulcio codebase, could we have certificate_maker have leaf be optional? Then in this repo, just have a readme pointing to the fulcio codebase and the templates for the TSA?

ianhundere · 2025-01-24T22:07:03Z

reduce duplication between these two.

yeah, that's what i was thinking / i think that totally works.

~~so just to reiterate / instead of allowing intermediate keys be optional, we just allow leafs to be optional, correct ?~~

heh, it's the end of the day here and i didn't connect the dots.

Hayden-IO · 2025-01-24T22:10:32Z

Roots are always required, intermediates are optional, and leafs are optional (for a CA vs TSA).

ianhundere · 2025-01-24T22:12:54Z

Roots are always required, intermediates are optional, and leafs are optional (for a CA vs TSA).

perfect / should i create a new issue in fulcio for this work or ?

Hayden-IO · 2025-01-24T22:15:14Z

Feel free to just create a PR in Fulcio making the leaf optional, then update this PR to be just the templates plus README. Thanks!