update tough dep, clippy fixes

This commit updates the tough dependency, which changes how many of our trait definitions work. Additionally move from the use of std::sync::oncecell to tokio::sync::oncecell for sigstoretrustroot.trusted_root so that SigstoreTrustRoot can be Send. Update examples and tests. Remove some unused types Fixup clippy warnings Signed-off-by: Andrew Stoycos <astoycos@redhat.com>
sigstore · Mar 26, 2024 · 1c626ea · 1c626ea
1 parent de298c5
commit 1c626ea
Show file tree

Hide file tree

Showing 30 changed files with 124 additions and 162 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -40,7 +40,7 @@ rekor-native-tls = ["reqwest/native-tls", "rekor"]
 rekor-rustls-tls = ["reqwest/rustls-tls", "rekor"]
 rekor = ["reqwest"]
 
-sigstore-trust-root = ["tough", "regex"]
+sigstore-trust-root = ["futures-util", "tough", "regex", "tokio/sync"]
 
 sign = []
 
@@ -81,6 +81,8 @@ ecdsa = { version = "0.16.7", features = ["pkcs8", "digest", "der", "signing"] }
 ed25519 = { version = "2.2.1", features = ["alloc"] }
 ed25519-dalek = { version = "2.0.0-rc.2", features = ["pkcs8", "rand_core"] }
 elliptic-curve = { version = "0.13.5", features = ["arithmetic", "pem"] }
+futures = "0.3"
+futures-util = { version = "0.3.30", optional = true }
 lazy_static = "1.4.0"
 oci-distribution = { version = "0.10", default-features = false, optional = true }
 olpc-cjson = "0.1"
@@ -116,7 +118,7 @@ sigstore_protobuf_specs = "0.1.0-rc.2"
 thiserror = "1.0.30"
 tokio = { version = "1.17.0", features = ["rt"] }
 tokio-util = { version = "0.7.10", features = ["io-util"] }
-tough = { version = "0.14", features = ["http"], optional = true }
+tough = { git = "https://github.com/awslabs/tough" , branch = "develop", features = ["http"], optional = true }
 tracing = "0.1.31"
 url = "2.2.2"
 x509-cert = { version = "0.2.2", features = ["builder", "pem", "std"] }

diff --git a/examples/cosign/sign/main.rs b/examples/cosign/sign/main.rs
@@ -18,7 +18,6 @@ use sigstore::cosign::constraint::{AnnotationMarker, PrivateKeySigner};
 use sigstore::cosign::{Constraint, CosignCapabilities, SignatureLayer};
 use sigstore::crypto::SigningScheme;
 use sigstore::registry::{Auth, ClientConfig, ClientProtocol, OciReference};
-use std::convert::TryFrom;
 use tracing::{debug, warn};
 use zeroize::Zeroizing;
 

diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs
@@ -23,8 +23,6 @@ use sigstore::crypto::SigningScheme;
 use sigstore::errors::SigstoreVerifyConstraintsError;
 use sigstore::registry::{ClientConfig, ClientProtocol, OciReference};
 use sigstore::trust::sigstore::SigstoreTrustRoot;
-use std::boxed::Box;
-use std::convert::TryFrom;
 use std::time::Instant;
 
 extern crate anyhow;
@@ -34,7 +32,6 @@ extern crate clap;
 use clap::Parser;
 
 use std::{collections::HashMap, fs};
-use tokio::task::spawn_blocking;
 
 extern crate tracing_subscriber;
 use tracing::{info, warn};
@@ -133,7 +130,7 @@ async fn run_app(
 
     let mut client_builder =
         sigstore::cosign::ClientBuilder::default().with_oci_client_config(oci_client_config);
-    client_builder = client_builder.with_trust_repository(frd)?;
+    client_builder = client_builder.with_trust_repository(frd).await?;
 
     let cert_chain: Option<Vec<sigstore::registry::Certificate>> = match cli.cert_chain.as_ref() {
         None => None,
@@ -187,7 +184,7 @@ async fn run_app(
     }
     if let Some(path_to_cert) = cli.cert.as_ref() {
         let cert = fs::read(path_to_cert).map_err(|e| anyhow!("Cannot read cert: {:?}", e))?;
-        let require_rekor_bundle = if !frd.rekor_keys()?.is_empty() {
+        let require_rekor_bundle = if !frd.rekor_keys().await?.is_empty() {
             true
         } else {
             warn!("certificate based verification is weaker when Rekor integration is disabled");
@@ -230,12 +227,10 @@ async fn run_app(
 
 async fn fulcio_and_rekor_data(cli: &Cli) -> anyhow::Result<Box<dyn sigstore::trust::TrustRoot>> {
     if cli.use_sigstore_tuf_data {
-        let repo: sigstore::errors::Result<SigstoreTrustRoot> = spawn_blocking(|| {
-            info!("Downloading data from Sigstore TUF repository");
-            SigstoreTrustRoot::new(None)?.prefetch()
-        })
-        .await
-        .map_err(|e| anyhow!("Error spawning blocking task inside of tokio: {}", e))?;
+        info!("Downloading data from Sigstore TUF repository");
+
+        let repo: sigstore::errors::Result<SigstoreTrustRoot> =
+            SigstoreTrustRoot::new(None).await?.prefetch().await;
 
         return Ok(Box::new(repo?));
     };

diff --git a/src/cosign/client_builder.rs b/src/cosign/client_builder.rs
@@ -72,12 +72,15 @@ impl<'a> ClientBuilder<'a> {
     ///
     /// Enables Fulcio and Rekor integration with the given trust repository.
     /// See [crate::sigstore::TrustRoot] for more details on trust repositories.
-    pub fn with_trust_repository<R: TrustRoot + ?Sized>(mut self, repo: &'a R) -> Result<Self> {
-        let rekor_keys = repo.rekor_keys()?;
+    pub async fn with_trust_repository<R: TrustRoot + ?Sized>(
+        mut self,
+        repo: &'a R,
+    ) -> Result<Self> {
+        let rekor_keys = repo.rekor_keys().await?;
         if !rekor_keys.is_empty() {
             self.rekor_pub_key = Some(rekor_keys[0]);
         }
-        self.fulcio_certs = repo.fulcio_certs()?;
+        self.fulcio_certs = repo.fulcio_certs().await?;
 
         Ok(self)
     }

diff --git a/src/cosign/mod.rs b/src/cosign/mod.rs
@@ -48,7 +48,6 @@ use crate::crypto::{CosignVerificationKey, Signature};
 use crate::errors::SigstoreError;
 use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _};
 use pkcs8::der::Decode;
-use std::convert::TryFrom;
 use x509_cert::Certificate;
 
 pub mod bundle;
@@ -284,7 +283,6 @@ where
 #[cfg(test)]
 mod tests {
     use serde_json::json;
-    use std::collections::HashMap;
     use webpki::types::CertificateDer;
 
     use super::constraint::{AnnotationMarker, PrivateKeySigner};
@@ -296,7 +294,7 @@ mod tests {
         AnnotationVerifier, CertSubjectEmailVerifier, VerificationConstraintVec,
     };
     use crate::crypto::certificate_pool::CertificatePool;
-    use crate::crypto::{CosignVerificationKey, SigningScheme};
+    use crate::crypto::SigningScheme;
 
     #[cfg(feature = "test-registry")]
     use testcontainers::{clients, core::WaitFor};

diff --git a/src/cosign/signature_layers.rs b/src/cosign/signature_layers.rs
@@ -17,7 +17,6 @@ use const_oid::ObjectIdentifier;
 use digest::Digest;
 use oci_distribution::client::ImageLayer;
 use serde::Serialize;
-use std::convert::TryFrom;
 use std::{collections::HashMap, fmt};
 use tracing::{debug, info, warn};
 use x509_cert::der::DecodePem;
@@ -550,8 +549,6 @@ pub(crate) mod tests {
     use super::*;
     use openssl::x509::X509;
     use serde_json::json;
-    use std::collections::HashMap;
-    use std::convert::TryFrom;
 
     use crate::cosign::tests::{get_fulcio_cert_pool, get_rekor_public_key};
 

diff --git a/src/cosign/verification_constraint/cert_subject_email_verifier.rs b/src/cosign/verification_constraint/cert_subject_email_verifier.rs
@@ -126,7 +126,6 @@ mod tests {
         build_correct_signature_layer_with_certificate,
         build_correct_signature_layer_without_bundle,
     };
-    use crate::cosign::signature_layers::CertificateSubject;
     use crate::cosign::verification_constraint::CertSubjectUrlVerifier;
 
     #[test]

diff --git a/src/cosign/verification_constraint/cert_subject_url_verifier.rs b/src/cosign/verification_constraint/cert_subject_url_verifier.rs
@@ -74,7 +74,6 @@ mod tests {
         build_correct_signature_layer_with_certificate,
         build_correct_signature_layer_without_bundle,
     };
-    use crate::cosign::signature_layers::CertificateSubject;
     use crate::cosign::verification_constraint::CertSubjectEmailVerifier;
 
     #[test]

diff --git a/src/cosign/verification_constraint/certificate_verifier.rs b/src/cosign/verification_constraint/certificate_verifier.rs
@@ -1,6 +1,5 @@
 use chrono::{DateTime, Utc};
 use pkcs8::der::Decode;
-use std::convert::TryFrom;
 use tracing::warn;
 use webpki::types::CertificateDer;
 use x509_cert::Certificate;

diff --git a/src/crypto/certificate.rs b/src/crypto/certificate.rs
@@ -126,7 +126,7 @@ mod tests {
     use super::*;
     use crate::crypto::tests::*;
 
-    use chrono::{TimeDelta, Utc};
+    use chrono::TimeDelta;
     use x509_cert::der::Decode;
 
     #[test]

diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs
@@ -16,7 +16,6 @@
 //! Structures and constants required to perform cryptographic operations.
 
 use sha2::{Sha256, Sha384};
-use std::convert::TryFrom;
 
 use crate::errors::*;
 
@@ -60,20 +59,19 @@ pub enum SigningScheme {
     ED25519,
 }
 
-impl ToString for SigningScheme {
-    fn to_string(&self) -> String {
-        let str = match self {
-            SigningScheme::RSA_PSS_SHA256(_) => "RSA_PSS_SHA256",
-            SigningScheme::RSA_PSS_SHA384(_) => "RSA_PSS_SHA384",
-            SigningScheme::RSA_PSS_SHA512(_) => "RSA_PSS_SHA512",
-            SigningScheme::RSA_PKCS1_SHA256(_) => "RSA_PKCS1_SHA256",
-            SigningScheme::RSA_PKCS1_SHA384(_) => "RSA_PKCS1_SHA384",
-            SigningScheme::RSA_PKCS1_SHA512(_) => "RSA_PKCS1_SHA512",
-            SigningScheme::ECDSA_P256_SHA256_ASN1 => "ECDSA_P256_SHA256_ASN1",
-            SigningScheme::ECDSA_P384_SHA384_ASN1 => "ECDSA_P384_SHA384_ASN1",
-            SigningScheme::ED25519 => "ED25519",
-        };
-        String::from(str)
+impl std::fmt::Display for SigningScheme {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            SigningScheme::RSA_PSS_SHA256(_) => write!(f, "RSA_PSS_SHA256"),
+            SigningScheme::RSA_PSS_SHA384(_) => write!(f, "RSA_PSS_SHA384"),
+            SigningScheme::RSA_PSS_SHA512(_) => write!(f, "RSA_PSS_SHA512"),
+            SigningScheme::RSA_PKCS1_SHA256(_) => write!(f, "RSA_PKCS1_SHA256"),
+            SigningScheme::RSA_PKCS1_SHA384(_) => write!(f, "RSA_PKCS1_SHA384"),
+            SigningScheme::RSA_PKCS1_SHA512(_) => write!(f, "RSA_PKCS1_SHA512"),
+            SigningScheme::ECDSA_P256_SHA256_ASN1 => write!(f, "ECDSA_P256_SHA256_ASN1"),
+            SigningScheme::ECDSA_P384_SHA384_ASN1 => write!(f, "ECDSA_P384_SHA384_ASN1"),
+            SigningScheme::ED25519 => write!(f, "ED25519"),
+        }
     }
 }
 

diff --git a/src/crypto/signing_key/ecdsa/ec.rs b/src/crypto/signing_key/ecdsa/ec.rs
@@ -63,7 +63,7 @@
 //! let signature = ec_signer.sign(b"some message");
 //! ```
 
-use std::{convert::TryFrom, marker::PhantomData, ops::Add};
+use std::{marker::PhantomData, ops::Add};
 
 use digest::{
     core_api::BlockSizeUser,

diff --git a/src/crypto/signing_key/ecdsa/mod.rs b/src/crypto/signing_key/ecdsa/mod.rs
@@ -73,8 +73,6 @@
 //! // verify
 //! assert!(verification_key.verify_signature(Signature::Raw(&signature_data),message).is_ok());
 /// ```
-use p256;
-
 use crate::errors::*;
 
 use self::ec::{EcdsaKeys, EcdsaSigner};
@@ -88,13 +86,12 @@ pub enum ECDSAKeys {
     P384(EcdsaKeys<p384::NistP384>),
 }
 
-impl ToString for ECDSAKeys {
-    fn to_string(&self) -> String {
-        let str = match self {
-            ECDSAKeys::P256(_) => "ECDSA P256",
-            ECDSAKeys::P384(_) => "ECDSA P384",
-        };
-        String::from(str)
+impl std::fmt::Display for ECDSAKeys {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            ECDSAKeys::P256(_) => write!(f, "ECDSA P256"),
+            ECDSAKeys::P384(_) => write!(f, "ECDSA P384"),
+        }
     }
 }
 

diff --git a/src/crypto/signing_key/ed25519.rs b/src/crypto/signing_key/ed25519.rs
@@ -61,7 +61,6 @@
 //! ```
 
 use ed25519::pkcs8::{DecodePrivateKey, EncodePrivateKey, EncodePublicKey};
-use std::convert::TryFrom;
 
 use ed25519::KeypairBytes;
 use ed25519_dalek::{Signer as _, SigningKey};

diff --git a/src/crypto/signing_key/mod.rs b/src/crypto/signing_key/mod.rs
@@ -139,12 +139,12 @@ pub enum SigStoreKeyPair {
     RSA(RSAKeys),
 }
 
-impl ToString for SigStoreKeyPair {
-    fn to_string(&self) -> String {
+impl std::fmt::Display for SigStoreKeyPair {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
-            SigStoreKeyPair::ECDSA(_) => String::from("EC Key"),
-            SigStoreKeyPair::ED25519(_) => String::from("Ed25519 Key"),
-            SigStoreKeyPair::RSA(_) => String::from("RSA Key"),
+            SigStoreKeyPair::ECDSA(_) => write!(f, "EC Key"),
+            SigStoreKeyPair::ED25519(_) => write!(f, "Ed25519 Key"),
+            SigStoreKeyPair::RSA(_) => write!(f, "RSA Key"),
         }
     }
 }

diff --git a/src/crypto/signing_key/rsa/keypair.rs b/src/crypto/signing_key/rsa/keypair.rs
@@ -39,8 +39,6 @@
 //! let rsa_keys2 = RSAKeys::from_encrypted_pem(privkey_pem.as_bytes(), b"password").unwrap();
 //! ```
 
-use std::convert::TryFrom;
-
 use pkcs8::{DecodePrivateKey, EncodePrivateKey, EncodePublicKey};
 use rsa::{
     pkcs1::DecodeRsaPrivateKey, pkcs1v15::SigningKey, pss::BlindedSigningKey, RsaPrivateKey,

diff --git a/src/crypto/verification_key.rs b/src/crypto/verification_key.rs
@@ -19,7 +19,6 @@ use ed25519::pkcs8::DecodePublicKey as ED25519DecodePublicKey;
 use rsa::{pkcs1v15, pss};
 use sha2::{Digest, Sha256, Sha384};
 use signature::{DigestVerifier, Verifier};
-use std::convert::TryFrom;
 use x509_cert::{der::referenced::OwnedToRef, spki::SubjectPublicKeyInfoOwned};
 
 use super::{

diff --git a/src/fulcio/mod.rs b/src/fulcio/mod.rs
@@ -14,7 +14,6 @@ use pkcs8::der::Decode;
 use reqwest::{header, Body};
 use serde::ser::SerializeStruct;
 use serde::{Serialize, Serializer};
-use std::convert::{TryFrom, TryInto};
 use std::fmt::{Debug, Display, Formatter};
 use tracing::debug;
 use url::Url;
@@ -55,7 +54,7 @@ impl TryFrom<Csr> for Body {
 struct PublicKey(String, SigningScheme);
 
 impl Serialize for PublicKey {
-    fn serialize<S: Serializer>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
+    fn serialize<S>(&self, serializer: S) -> std::result::Result<S::Ok, S::Error>
     where
         S: Serializer,
     {

diff --git a/src/fulcio/models.rs b/src/fulcio/models.rs
@@ -19,7 +19,7 @@
 use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _};
 use pem::Pem;
 use pkcs8::der::EncodePem;
-use serde::{Deserialize, Deserializer, Serialize, Serializer};
+use serde::{Deserialize, Serialize, Serializer};
 use serde_repr::Deserialize_repr;
 use x509_cert::Certificate;
 
@@ -38,26 +38,6 @@ where
     ser.serialize_str(&encoded)
 }
 
-fn deserialize_base64<'de, D>(de: D) -> std::result::Result<Vec<u8>, D::Error>
-where
-    D: Deserializer<'de>,
-{
-    let buf: &str = Deserialize::deserialize(de)?;
-
-    BASE64_STD_ENGINE
-        .decode(buf)
-        .map_err(serde::de::Error::custom)
-}
-
-fn deserialize_inner_detached_sct<'de, D>(de: D) -> std::result::Result<InnerDetachedSCT, D::Error>
-where
-    D: Deserializer<'de>,
-{
-    let buf = deserialize_base64(de)?;
-
-    serde_json::from_slice(&buf).map_err(serde::de::Error::custom)
-}
-
 #[derive(Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct CreateSigningCertificateRequest {
@@ -76,8 +56,6 @@ pub enum SigningCertificate {
 #[serde(rename_all = "camelCase")]
 pub struct SigningCertificateDetachedSCT {
     pub chain: CertificateChain,
-    #[serde(deserialize_with = "deserialize_inner_detached_sct")]
-    pub signed_certificate_timestamp: InnerDetachedSCT,
 }
 
 #[derive(Deserialize)]
@@ -91,18 +69,6 @@ pub struct CertificateChain {
     pub certificates: Vec<Pem>,
 }
 
-#[derive(Deserialize)]
-pub struct InnerDetachedSCT {
-    pub sct_version: SCTVersion,
-    #[serde(deserialize_with = "deserialize_base64")]
-    pub id: Vec<u8>,
-    pub timestamp: u64,
-    #[serde(deserialize_with = "deserialize_base64")]
-    pub signature: Vec<u8>,
-    #[serde(deserialize_with = "deserialize_base64")]
-    pub extensions: Vec<u8>,
-}
-
 #[derive(Deserialize_repr, PartialEq, Debug)]
 #[repr(u8)]
 pub enum SCTVersion {

diff --git a/src/lib.rs b/src/lib.rs
@@ -100,6 +100,7 @@
 //!
 //!   let mut client = sigstore::cosign::ClientBuilder::default()
 //!     .with_trust_repository(&repo)
+//!     .await
 //!     .expect("Cannot construct cosign client from given materials")
 //!     .build()
 //!     .expect("Unexpected failure while building Client");