feat: adds cert-utility templates and documentation. (#889)

* feat: adds cert templates.

Signed-off-by: ianhundere <[email protected]>

* feat: splits/adds cert-utility to pgk/cmd.

Signed-off-by: ianhundere <[email protected]>

* fix: enables timestamping / improves validation / includes leaf wording.

Signed-off-by: ianhundere <[email protected]>

* feat: adds optional intermediate flag(s).

Signed-off-by: ianhundere <[email protected]>

* fix: changes cloudkms flag to gcpkms and makes azure/gcp flags more descriptive.

Signed-off-by: ianhundere <[email protected]>

* fix: makes env vars for azure tenant-id and gcp credentials file more consistent w/ flags.

Signed-off-by: ianhundere <[email protected]>

* fix: changes kms-region flag to aws-region and gcpkms-credentials-file flag to gcp-credentials-file.

Signed-off-by: ianhundere <[email protected]>

* fix: improves kms key validation across providers.

Signed-off-by: ianhundere <[email protected]>

* feat: adds sigstore/sigstore for kms and hashivault support.

Signed-off-by: ianhundere <[email protected]>

* docs: adds readme for tsa-certificate-maker.
Signed-off-by: ianhundere <[email protected]>

* chore: adds tsa-cert-maker to make file.

Signed-off-by: ianhundere <[email protected]>

* refactor: adds bobcallaway's fb.

Signed-off-by: ianhundere <[email protected]>

* refactor: for usage errors, show help / for operational errors show json error.

Signed-off-by: ianhundere <[email protected]>

* chore: groups flags, adds validation for root-id, removes signer wrapper, and other PR fb.

Signed-off-by: ianhundere <[email protected]>

* refactor: adds certLife to replace before/after timestamps.

Signed-off-by: ianhundere <[email protected]>

* feat: adds templating, positional arg for common name and other improvements.

Signed-off-by: ianhundere <[email protected]>

* docs: updates docs.

Signed-off-by: ianhundere <[email protected]>

* chore: reverts makefile and deletes tsa certmaker.

Signed-off-by: ianhundere <[email protected]>

* chore: adds fb.

Signed-off-by: ianhundere <[email protected]>

* chore: adds fb.

Signed-off-by: ianhundere <[email protected]>

---------

Signed-off-by: ianhundere <[email protected]>

.golangci.yml

@@ -23,8 +23,6 @@ linters:
     - misspell
     - revive
     - unused
-output:
-  uniq-by-line: false
 issues:
   exclude-rules:
     - path: _test\.go
@@ -37,6 +35,7 @@ issues:
       text: SA1019
   max-issues-per-linter: 0
   max-same-issues: 0
+  uniq-by-line: false
 run:
   issues-exit-code: 1
   timeout: 10m

Makefile

@@ -136,4 +136,4 @@ help: ## Display help
 			printf "\033[36m%-30s\033[0m %s\n", $$1, $$NF \
 		}' $(MAKEFILE_LIST) | sort
 
-include release/release.mk
+include release/release.mk

README.md

@@ -118,6 +118,19 @@ To deploy to production, the timestamp authority currently supports signing with
 a certificate chain (leaf, any intermediates, and root), where the certificate chain's purpose (extended key usage) is
 for timestamping. We do not recommend the file signer for production since the signing key will only be password protected.
 
+### Certificate Maker
+
+Certificate Maker is a tool for creating RFC 3161 compliant certificate chains for Timestamp Authority. It supports:
+
+* Two-level chains:
+  * root → leaf
+  * root → intermediate
+* Three-level chains:
+  * root → intermediate → leaf
+* Multiple KMS providers (AWS, Google Cloud, Azure, HashiCorp Vault)
+
+For detailed usage instructions and examples, see the [Certificate Maker documentation](docs/certificate-maker.md).
+
 ### Cloud KMS
 
 Create an asymmetric cloud KMS signing key in either GCP, AWS, Azure, or Vault, that will be used to sign timestamps.

docs/certificate-maker.md

@@ -0,0 +1,13 @@
+# Certificate Maker
+
+_Note: Certificate Maker can be [found in the Fulcio repository](https://github.com/sigstore/fulcio/tree/main/cmd/certificate_maker). Please refer to its [respective documentation](https://github.com/sigstore/fulcio/blob/main/docs/certificate-maker.md) to learn more._
+
+The TSA-specific certificate templates located in the `pkg/certmaker/templates` can be used with Certificate Maker.
+
+## Templates
+
+These [TSA-specific certificate templates](pkg/certmaker/templates) are specifically configured for Timestamp Authority certificates with appropriate extensions and constraints:
+
+- `root-template.json`: Template for root CA certificates
+- `intermediate-template.json`: Template for intermediate CA certificates
+- `leaf-template.json`: Template for leaf (TSA) certificates

pkg/certmaker/templates/intermediate-template.json

@@ -0,0 +1,22 @@
+{
+    "subject": {
+        "country": [
+            ""
+        ],
+        "organization": [
+            ""
+        ],
+        "organizationalUnit": [
+            ""
+        ],
+        "commonName": "{{ .Subject.CommonName }}"
+    },
+    "keyUsage": [
+        "certSign",
+        "crlSign"
+    ],
+    "basicConstraints": {
+        "isCA": true,
+        "maxPathLen": 0
+    }
+}

pkg/certmaker/templates/leaf-template.json

@@ -0,0 +1,27 @@
+{
+    "subject": {
+        "country": [
+            ""
+        ],
+        "organization": [
+            ""
+        ],
+        "organizationalUnit": [
+            ""
+        ],
+        "commonName": "{{ .Subject.CommonName }}"
+    },
+    "keyUsage": [
+        "digitalSignature"
+    ],
+    "extensions": [
+        {
+            "id": "2.5.29.37",
+            "critical": true,
+            "value": {{ asn1Seq (asn1Enc "oid:1.3.6.1.5.5.7.3.8") | toJson }}
+        }
+    ],
+    "basicConstraints": {
+        "isCA": false
+    }
+}

pkg/certmaker/templates/root-template.json

@@ -0,0 +1,22 @@
+{
+  "subject": {
+    "country": [
+      ""
+    ],
+    "organization": [
+      ""
+    ],
+    "organizationalUnit": [
+      ""
+    ],
+    "commonName": "{{ .Subject.CommonName }}"
+  },
+  "basicConstraints": {
+    "isCA": true,
+    "maxPathLen": 1
+  },
+  "keyUsage": [
+    "certSign",
+    "crlSign"
+  ]
+}