sigstore · dlorenc · Dec 21, 2021 · Dec 20, 2021
diff --git a/go.mod b/go.mod
@@ -22,6 +22,7 @@ require (
 	github.com/stretchr/testify v1.7.0
 	go.uber.org/multierr v1.7.0 // indirect
 	go.uber.org/zap v1.19.1
+	google.golang.org/api v0.63.0
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa
 	google.golang.org/protobuf v1.27.1
 	gopkg.in/square/go-jose.v2 v2.6.0

diff --git a/pkg/api/ca.go b/pkg/api/ca.go
@@ -48,12 +48,16 @@ type CertificateRequest struct {
 	SignedEmailAddress []byte `json:"signedEmailAddress"`
 }
 
-const signingCertPath = "/api/v1/signingCert"
+const (
+	signingCertPath = "/api/v1/signingCert"
+	rootCertPath    = "/api/v1/rootCert"
+)
 
 // NewHandler creates a new http.Handler for serving the Fulcio API.
 func NewHandler() http.Handler {
 	handler := http.NewServeMux()
 	handler.HandleFunc(signingCertPath, signingCert)
+	handler.HandleFunc(rootCertPath, rootCert)
 	return handler
 }
 
@@ -212,6 +216,21 @@ func signingCert(w http.ResponseWriter, req *http.Request) {
 	}
 }
 
+func rootCert(w http.ResponseWriter, req *http.Request) {
+	ctx := req.Context()
+	logger := log.ContextLogger(ctx)
+
+	ca := GetCA(ctx)
+	root, err := ca.Root(ctx)
+	if err != nil {
+		logger.Error("Error retrieving root cert: ", err)
+	}
+	w.Header().Add("Content-Type", "application/pem-certificate-chain")
+	if _, err := w.Write(root); err != nil {
+		logger.Error("Error writing response: ", err)
+	}
+}
+
 func ExtractSubject(ctx context.Context, tok *oidc.IDToken, publicKey crypto.PublicKey, challenge []byte) (*challenges.ChallengeResult, error) {
 	iss, ok := config.FromContext(ctx).GetIssuer(tok.Issuer)
 	if !ok {

diff --git a/pkg/ca/googleca/v1/googleca.go b/pkg/ca/googleca/v1/googleca.go
@@ -23,6 +23,8 @@ import (
 	"encoding/asn1"
 	"encoding/pem"
 	"fmt"
+	"strings"
+	"sync"
 	"time"
 
 	privateca "cloud.google.com/go/security/privateca/apiv1"
@@ -31,16 +33,21 @@ import (
 	"github.com/sigstore/fulcio/pkg/challenges"
 	"github.com/sigstore/fulcio/pkg/log"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"google.golang.org/api/iterator"
 	privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
 	"google.golang.org/protobuf/types/known/durationpb"
 )
 
 type CertAuthorityService struct {
 	parent string
 	client *privateca.CertificateAuthorityClient
+
+	// protected by once
+	cachedRoots     []byte
+	cachedRootsOnce sync.Once
 }
 
-func NewCertAuthorityService(ctx context.Context, parent string) (*CertAuthorityService, error) {
+func NewCertAuthorityService(ctx context.Context, parent string) (ca.CertificateAuthority, error) {
 	client, err := privateca.NewCertificateAuthorityClient(ctx)
 	if err != nil {
 		return nil, err
@@ -133,6 +140,24 @@ func Req(parent string, pemBytes []byte, cert *x509.Certificate) (*privatecapb.C
 	}, nil
 }
 
+func (c *CertAuthorityService) Root(ctx context.Context) ([]byte, error) {
+	c.cachedRootsOnce.Do(func() {
+		var pems string
+		cas := c.client.ListCertificateAuthorities(ctx, &privatecapb.ListCertificateAuthoritiesRequest{
+			Parent: c.parent,
+		})
+		for {
+			c, done := cas.Next()
+			if done == iterator.Done {
+				break
+			}
+			pems += strings.Join(c.PemCaCertificates, "")
+		}
+		c.cachedRoots = []byte(pems)
+	})
+	return c.cachedRoots, nil
+}
+
 func (c *CertAuthorityService) CreateCertificate(ctx context.Context, subj *challenges.ChallengeResult) (*ca.CodeSigningCertificate, error) {
 	logger := log.ContextLogger(ctx)
 

diff --git a/pkg/ca/googleca/v1beta1/googleca.go b/pkg/ca/googleca/v1beta1/googleca.go
@@ -23,6 +23,8 @@ import (
 	"encoding/asn1"
 	"encoding/pem"
 	"fmt"
+	"strings"
+	"sync"
 	"time"
 
 	privateca "cloud.google.com/go/security/privateca/apiv1beta1"
@@ -31,16 +33,21 @@ import (
 	"github.com/sigstore/fulcio/pkg/challenges"
 	"github.com/sigstore/fulcio/pkg/log"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"google.golang.org/api/iterator"
 	privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1beta1"
 	"google.golang.org/protobuf/types/known/durationpb"
 )
 
 type CertAuthorityService struct {
 	parent string
 	client *privateca.CertificateAuthorityClient
+
+	// protected by once
+	cachedRoots     []byte
+	cachedRootsOnce sync.Once
 }
 
-func NewCertAuthorityService(ctx context.Context, parent string) (*CertAuthorityService, error) {
+func NewCertAuthorityService(ctx context.Context, parent string) (ca.CertificateAuthority, error) {
 	client, err := privateca.NewCertificateAuthorityClient(ctx)
 	if err != nil {
 		return nil, err
@@ -139,6 +146,24 @@ func Req(parent string, pemBytes []byte, cert *x509.Certificate) (*privatecapb.C
 	}, nil
 }
 
+func (c *CertAuthorityService) Root(ctx context.Context) ([]byte, error) {
+	c.cachedRootsOnce.Do(func() {
+		var pems string
+		cas := c.client.ListCertificateAuthorities(ctx, &privatecapb.ListCertificateAuthoritiesRequest{
+			Parent: c.parent,
+		})
+		for {
+			c, done := cas.Next()
+			if done == iterator.Done {
+				break
+			}
+			pems += strings.Join(c.PemCaCertificates, "")
+		}
+		c.cachedRoots = []byte(pems)
+	})
+	return c.cachedRoots, nil
+}
+
 func (c *CertAuthorityService) CreateCertificate(ctx context.Context, subj *challenges.ChallengeResult) (*ca.CodeSigningCertificate, error) {
 	logger := log.ContextLogger(ctx)
 

diff --git a/pkg/ca/interface.go b/pkg/ca/interface.go
@@ -110,6 +110,7 @@ func (c *CodeSigningCertificate) ChainPEM() ([]byte, error) {
 // CertificateAuthority only returns the SCT in detached format
 type CertificateAuthority interface {
 	CreateCertificate(ctx context.Context, challenge *challenges.ChallengeResult) (*CodeSigningCertificate, error)
+	Root(ctx context.Context) ([]byte, error)
 }
 
 type EmbeddedSCTCA interface {

diff --git a/pkg/ca/x509ca/common.go b/pkg/ca/x509ca/common.go
@@ -22,6 +22,7 @@ import (
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/pem"
 	"math/big"
 	"net/url"
 	"time"
@@ -77,6 +78,13 @@ func MakeX509(subject *challenges.ChallengeResult) (*x509.Certificate, error) {
 	return cert, nil
 }
 
+func (x *X509CA) Root(ctx context.Context) ([]byte, error) {
+	return pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: x.RootCA.Raw,
+	}), nil
+}
+
 func (x *X509CA) CreateCertificate(_ context.Context, subject *challenges.ChallengeResult) (*ca.CodeSigningCertificate, error) {
 	cert, err := MakeX509(subject)
 	if err != nil {

diff --git a/pkg/ca/x509ca/x509ca.go b/pkg/ca/x509ca/x509ca.go
@@ -26,6 +26,7 @@ import (
 	"path/filepath"
 
 	"github.com/ThalesIgnite/crypto11"
+	"github.com/sigstore/fulcio/pkg/ca"
 )
 
 type Params struct {
@@ -34,7 +35,7 @@ type Params struct {
 	CAPath     *string
 }
 
-func NewX509CA(params Params) (*X509CA, error) {
+func NewX509CA(params Params) (ca.CertificateAuthority, error) {
 	ca := &X509CA{}
 	p11Ctx, err := crypto11.ConfigureFromFile(params.ConfigPath)
 	if err != nil {