hook up client trust config

woodruffw · woodruffw · commit 5c6b4f19ce6c · 2024-05-14T16:59:53.000-04:00
Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;
diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -29,13 +29,13 @@
 from sigstore import __version__
 from sigstore._internal.fulcio.client import ExpiredCertificate
 from sigstore._internal.rekor import _hashedrekord_from_parts
+from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
 from sigstore.errors import Error, VerificationError
 from sigstore.hashes import Hashed
 from sigstore.models import Bundle
 from sigstore.oidc import (
     DEFAULT_OAUTH_ISSUER_URL,
-    STAGING_OAUTH_ISSUER_URL,
     ExpiredIdentity,
     IdentityToken,
     Issuer,
@@ -210,7 +210,7 @@ def _parser() -> argparse.ArgumentParser:
     global_instance_options.add_argument(
         "--trust-config",
         metavar="FILE",
-        type=str,
+        type=Path,
         help="The client trust configuration to use",
     )
     subcommands = parser.add_subparsers(
@@ -515,9 +515,9 @@ def _sign(args: argparse.Namespace) -> None:
     if args.staging:
         _logger.debug("sign: staging instances requested")
         signing_ctx = SigningContext.staging()
-        args.oidc_issuer = STAGING_OAUTH_ISSUER_URL
     elif args.trust_config:
-        raise ValueError("fuck")
+        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
+        signing_ctx = SigningContext._from_trust_config(trust_config)
     else:
         # If the user didn't request the staging instance or pass in an
         # explicit client trust config, we're using the public good (i.e.
@@ -679,7 +679,8 @@ def _collect_verification_state(
         _logger.debug("verify: staging instances requested")
         verifier = Verifier.staging()
     elif args.trust_config:
-        raise ValueError("fuck")
+        trust_config = ClientTrustConfig.from_json(args.trust_config.read_text())
+        verifier = Verifier._from_trust_config(trust_config)
     else:
         verifier = Verifier.production()
 
diff --git a/sigstore/_internal/trust.py b/sigstore/_internal/trust.py
@@ -344,20 +344,22 @@ class ClientTrustConfig:
     """
 
     @classmethod
-    def from_json(cls, raw: str) -> None:
+    def from_json(cls, raw: str) -> ClientTrustConfig:
         """
         Deserialize the given client trust config.
         """
         inner = _ClientTrustConfig().from_json(raw)
-        cls(inner)
+        return cls(inner)
 
     def __init__(self, inner: _ClientTrustConfig) -> None:
         """
         @api private
         """
         self._inner = inner
-        # self._
 
-    # @property
-    # def trusted_root(self) -> TrustedRoot:
-    #     pass
+    @property
+    def trusted_root(self) -> TrustedRoot:
+        """
+        Return the interior root of trust, as a `TrustedRoot`.
+        """
+        return TrustedRoot(self._inner.trusted_root)
diff --git a/sigstore/sign.py b/sigstore/sign.py
@@ -62,7 +62,7 @@
 )
 from sigstore._internal.rekor.client import RekorClient
 from sigstore._internal.sct import verify_sct
-from sigstore._internal.trust import KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
 from sigstore._utils import sha256_digest
 from sigstore.models import Bundle
 from sigstore.oidc import ExpiredIdentity, IdentityToken
@@ -333,6 +333,19 @@ def staging(cls) -> SigningContext:
             trusted_root=TrustedRoot.staging(),
         )
 
+    @classmethod
+    def _from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
+        """
+        Create a `SigningContext` from the given `ClientTrustConfig`.
+
+        @api private
+        """
+        return cls(
+            fulcio=FulcioClient(trust_config._inner.signing_config.ca_url),
+            rekor=RekorClient(trust_config._inner.signing_config.tlog_urls[0]),
+            trusted_root=trust_config.trusted_root,
+        )
+
     @contextmanager
     def signer(
         self, identity_token: IdentityToken, *, cache: bool = True
diff --git a/sigstore/verify/verifier.py b/sigstore/verify/verifier.py
@@ -44,7 +44,7 @@
     _get_precertificate_signed_certificate_timestamps,
     verify_sct,
 )
-from sigstore._internal.trust import KeyringPurpose, TrustedRoot
+from sigstore._internal.trust import ClientTrustConfig, KeyringPurpose, TrustedRoot
 from sigstore._utils import base64_encode_pem_cert, sha256_digest
 from sigstore.errors import VerificationError
 from sigstore.hashes import Hashed
@@ -96,6 +96,18 @@ def staging(cls) -> Verifier:
             trusted_root=TrustedRoot.staging(),
         )
 
+    @classmethod
+    def _from_trust_config(cls, trust_config: ClientTrustConfig) -> Verifier:
+        """
+        Create a `Verifier` from the given `ClientTrustConfig`.
+
+        @api private
+        """
+        return cls(
+            rekor=RekorClient(trust_config._inner.signing_config.tlog_urls[0]),
+            trusted_root=trust_config.trusted_root,
+        )
+
     def _verify_common_signing_cert(
         self, bundle: Bundle, policy: VerificationPolicy
     ) -> None:
