address comments

phbnf · phbnf · commit b3f71880484e · 2025-01-17T12:26:38.000Z
diff --git a/cmd/gcp/main.go b/cmd/gcp/main.go
@@ -83,7 +83,7 @@ func main() {
 	}
 
 	chainValidationConfig := sctfe.ChainValidationConfig{
-		RootsPemFile:     *rootsPemFile,
+		RootsPEMFile:     *rootsPemFile,
 		RejectExpired:    *rejectExpired,
 		RejectUnexpired:  *rejectUnexpired,
 		ExtKeyUsages:     *extKeyUsages,
@@ -94,7 +94,7 @@ func main() {
 
 	vCfg, err := sctfe.ValidateLogConfig(chainValidationConfig, *origin, signer)
 	if err != nil {
-		klog.Exitf("Failed to initialize log config: %v", err)
+		klog.Exitf("Invalid log config: %v", err)
 	}
 
 	cpSigner, err := sctfe.NewCpSigner(signer, vCfg.Origin, timeSource)
@@ -104,7 +104,7 @@ func main() {
 
 	storage, err := newGCPStorage(ctx, cpSigner)
 	if err != nil {
-		klog.Exitf("Failed to initiate storage backend: %v", err)
+		klog.Exitf("Failed to initialize storage backend: %v", err)
 	}
 
 	opts := sctfe.HandlerOptions{
diff --git a/config.go b/config.go
@@ -29,24 +29,27 @@ import (
 	"k8s.io/klog/v2"
 )
 
+// ChainValidationConfig contains all the parameters chains will be filtered on.
 type ChainValidationConfig struct {
-	// Path to the file containing root certificates that are acceptable to the
-	// log. The certs are served through get-roots endpoint.
-	RootsPemFile string
-	// If RejectExpired is true then the certificate validity period will be
+	// RootsPEMFile is the path to the file containing root certificates that
+	// are acceptable to the log. The certs are served through get-roots
+	// endpoint.
+	RootsPEMFile string
+	// RejectExpired controls if true then the certificate validity period will be
 	// checked against the current time during the validation of submissions.
 	// This will cause expired certificates to be rejected.
 	RejectExpired bool
-	// If RejectUnexpired is true then CTFE rejects certificates that are either
-	// currently valid or not yet valid.
+	// RejectUnexpired controls if the SCTFE rejects certificates that are
+	// either currently valid or not yet valid.
+	// TODO(phboneff): evaluate whether we need to keep this one.
 	RejectUnexpired bool
-	// If set, ExtKeyUsages will restrict the set of such usages that the
-	// server will accept. By default all are accepted. The values specified
-	// must be ones known to the x509 package, comma separated.
+	// ExtKeyUsages lists Extended Key Usage values that newly submitted
+	// certificates MUST contain. By default all are accepted. The
+	// values specified must be ones known to the x509 package, comma separated.
 	ExtKeyUsages string
-	// A comma separated list of X.509 extension OIDs, in dotted string form
-	// (e.g. "2.3.4.5") which, if present, should cause submissions to be
-	// rejected.
+	// RejectExtensions lists X.509 extension OIDs that newly submitted
+	// certificates MUST NOT contain. Empty by default. Values must be
+	// specificed in dotted string form (e.g. "2.3.4.5").
 	RejectExtensions string
 	// NotAfterStart defines the start of the range of acceptable NotAfter
 	// values, inclusive.
@@ -85,11 +88,11 @@ func ValidateLogConfig(cfg ChainValidationConfig, origin string, signer crypto.S
 	}
 
 	// Load the trusted roots.
-	if cfg.RootsPemFile == "" {
+	if cfg.RootsPEMFile == "" {
 		return nil, errors.New("empty rootsPemFile")
 	}
 	roots := x509util.NewPEMCertPool()
-	if err := roots.AppendCertsFromPEMFile(cfg.RootsPemFile); err != nil {
+	if err := roots.AppendCertsFromPEMFile(cfg.RootsPEMFile); err != nil {
 		return nil, fmt.Errorf("failed to read trusted roots: %v", err)
 	}
 
diff --git a/config_test.go b/config_test.go
@@ -66,7 +66,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile: "./testdata/bogus.cert",
+				RootsPEMFile: "./testdata/bogus.cert",
 			},
 			signer: signer,
 		},
@@ -78,7 +78,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile:    "./testdata/fake-ca.cert",
+				RootsPEMFile:    "./testdata/fake-ca.cert",
 				RejectExpired:   true,
 				RejectUnexpired: true},
 			signer: signer,
@@ -91,7 +91,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile: "./testdata/fake-ca.cert",
+				RootsPEMFile: "./testdata/fake-ca.cert",
 				ExtKeyUsages: "wrong_usage"},
 			signer: signer,
 		},
@@ -103,7 +103,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile: "./testdata/fake-ca.cert",
+				RootsPEMFile: "./testdata/fake-ca.cert",
 				ExtKeyUsages: "ClientAuth,ServerAuth,TimeStomping",
 			},
 			signer: signer,
@@ -116,7 +116,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile: "./testdata/fake-ca.cert",
+				RootsPEMFile: "./testdata/fake-ca.cert",
 				ExtKeyUsages: "Any ",
 			},
 			signer: signer,
@@ -129,7 +129,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile:     "./testdata/fake-ca.cert",
+				RootsPEMFile:     "./testdata/fake-ca.cert",
 				RejectExtensions: "1.2.3.4,one.banana.two.bananas",
 			},
 			signer: signer,
@@ -141,7 +141,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile:  "./testdata/fake-ca.cert",
+				RootsPEMFile:  "./testdata/fake-ca.cert",
 				NotAfterStart: &t200,
 				NotAfterLimit: &t100,
 			},
@@ -154,7 +154,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile: "./testdata/fake-ca.cert",
+				RootsPEMFile: "./testdata/fake-ca.cert",
 			},
 			signer: signer,
 		},
@@ -165,7 +165,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile: "./testdata/fake-ca.cert",
+				RootsPEMFile: "./testdata/fake-ca.cert",
 				ExtKeyUsages: "ServerAuth,ClientAuth,OCSPSigning",
 			},
 			signer: signer,
@@ -177,7 +177,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile:     "./testdata/fake-ca.cert",
+				RootsPEMFile:     "./testdata/fake-ca.cert",
 				RejectExtensions: "1.2.3.4,5.6.7.8",
 			},
 			signer: signer,
@@ -189,7 +189,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile:  "./testdata/fake-ca.cert",
+				RootsPEMFile:  "./testdata/fake-ca.cert",
 				NotAfterStart: &t100,
 			},
 			signer: signer,
@@ -201,7 +201,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile:  "./testdata/fake-ca.cert",
+				RootsPEMFile:  "./testdata/fake-ca.cert",
 				NotAfterStart: &t200,
 			},
 			signer: signer,
@@ -213,7 +213,7 @@ func TestValidateLogConfig(t *testing.T) {
 			bucket:    "bucket",
 			spannerDB: "spanner",
 			cvcfg: ChainValidationConfig{
-				RootsPemFile:  "./testdata/fake-ca.cert",
+				RootsPEMFile:  "./testdata/fake-ca.cert",
 				NotAfterStart: &t100,
 				NotAfterLimit: &t200,
 			},
