Clarify what is interpretted as trust anchor for chain (#245)

This standardizes client behavior on considering the last certificate in the chain as a trust anchor, regardless if it's a root or intermediate. This means clients should use all preceding CA certificates as chain-builders or intermediates. We do document the case where an intermediate may be issued from multiple roots, specifying that multiple chains should be provided. Another solution for a later PR could be to provide two pools, trusted and untrusted, as an alternative to chains. Signed-off-by: Hayden Blauzvern <[email protected]>
sigstore · Mar 6, 2024 · 49f0435 · 49f0435
1 parent 98f337e
commit 49f0435
Show file tree

Hide file tree

Showing 9 changed files with 22 additions and 8 deletions.
diff --git a/gen/jsonschema/schemas/CertificateAuthority.schema.json b/gen/jsonschema/schemas/CertificateAuthority.schema.json
@@ -16,7 +16,7 @@
                 "certChain": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
                     "additionalProperties": false,
-                    "description": "The certificate chain for this CA."
+                    "description": "The certificate chain for this CA. The last certificate in the chain MUST be the trust anchor. The trust anchor MAY be a self-signed root CA certificate or MAY be an intermediate CA certificate."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

diff --git a/gen/jsonschema/schemas/Input.schema.json b/gen/jsonschema/schemas/Input.schema.json
@@ -545,7 +545,7 @@
                 "certChain": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
                     "additionalProperties": false,
-                    "description": "The certificate chain for this CA."
+                    "description": "The certificate chain for this CA. The last certificate in the chain MUST be the trust anchor. The trust anchor MAY be a self-signed root CA certificate or MAY be an intermediate CA certificate."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

diff --git a/gen/jsonschema/schemas/TrustedRoot.schema.json b/gen/jsonschema/schemas/TrustedRoot.schema.json
@@ -195,7 +195,7 @@
                 "certChain": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.X509CertificateChain",
                     "additionalProperties": false,
-                    "description": "The certificate chain for this CA."
+                    "description": "The certificate chain for this CA. The last certificate in the chain MUST be the trust anchor. The trust anchor MAY be a self-signed root CA certificate or MAY be an intermediate CA certificate."
                 },
                 "validFor": {
                     "$ref": "#/definitions/dev.sigstore.common.v1.TimeRange",

diff --git a/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go b/gen/pb-go/trustroot/v1/sigstore_trustroot.pb.go
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/trustroot/v1/__init__.py
diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs b/gen/pb-rust/sigstore-protobuf-specs/src/generated/dev.sigstore.trustroot.v1.rs
@@ -52,7 +52,9 @@ pub struct CertificateAuthority {
     /// authority.
     #[prost(string, tag = "2")]
     pub uri: ::prost::alloc::string::String,
-    /// The certificate chain for this CA.
+    /// The certificate chain for this CA. The last certificate in the chain
+    /// MUST be the trust anchor. The trust anchor MAY be a self-signed root
+    /// CA certificate or MAY be an intermediate CA certificate.
     #[prost(message, optional, tag = "3")]
     pub cert_chain: ::core::option::Option<
         super::super::common::v1::X509CertificateChain,

diff --git a/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin b/gen/pb-rust/sigstore-protobuf-specs/src/generated/file_descriptor_set.bin
diff --git a/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts b/gen/pb-typescript/src/__generated__/sigstore_trustroot.ts
diff --git a/protos/sigstore_trustroot.proto b/protos/sigstore_trustroot.proto
@@ -54,7 +54,9 @@ message CertificateAuthority {
         // by the certificate authority to interact with the certificate
         // authority.
         string uri = 2;
-        // The certificate chain for this CA.
+        // The certificate chain for this CA. The last certificate in the chain
+        // MUST be the trust anchor. The trust anchor MAY be a self-signed root
+        // CA certificate or MAY be an intermediate CA certificate.
         dev.sigstore.common.v1.X509CertificateChain cert_chain = 3;
         // The time the *entire* chain was valid. This is at max the
         // longest interval when *all* certificates in the chain were valid,