kommendorkapten/trtool

trtool

This is a tool to work with Sigstore Trusted Roots.

The trtool project aims to follow the Unix philosophy as much as possible, including the "Rule of Silence": if nothing unexpected happens, the program stays silent and only the exit status tells you the outcome.

This project is still in pre-alpha.

Examples

Initialize a trust root

$ ./trtool init \
    -ca test_data/fulcio-chain.pem \
    -ca-start 2024-04-03T00:00:00Z \
    -ca-uri https://fulcio.test.foo | jq > tr.json

Add an artifact signature transparency log

$ ./trtool add -f tr.json \
    -type tlog \
    -uri https://foo.bar \
    -pem test_data/rekor.pkcs1.pem \
    -start 2024-04-03T00:00:00Z | jq > tr2.json

Add a certificate transparency log

$ ./trtool add -f tr2.json \
    -type ctlog \
    -uri https://ct.bar \
    -pem test_data/rekor.pkix.pem \
    -start 2024-04-03T00:00:00Z | jq > tr3.json

Inspect the final result

{
  "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
  "tlogs": [
    {
      "baseUrl": "https://foo.bar",
      "hashAlgorithm": "SHA2_256",
      "publicKey": {
        "rawBytes": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyuEumAOUjCAEM2unKrmJohSqGzAH6+TsETWSPYsB98xDIO5zdL43LD/dpEXW9DnRdGYKnlDCLYyFYiR7/gToxmiZgprn45ZvNxQQDnwHuUdIVnfYvDV5nTSrqMW7WZ1bWckkw5P00BNVXLCWBW6KCGflcZODXd8Nrk8lWzl32iUbKh48WbumvfmcIBdrouXrJ/fzGV3OYLiIk9dMP6ux18cceJeeMyn2rTnSknOMQP95OsdOh0G22bSbQFtCnGeNW+TOXsA5q9w59V56/gqGZksOAqLcZu2IhLq33q8r6kh47t2kGcvBFi6QUuqzavT2zguEHdP7nQNCYzfioEo3zwIDAQAB",
        "keyDetails": "PKIX_RSA_PKCS1V15_2048_SHA256",
        "validFor": {
          "start": "2024-04-03T00:00:00Z"
        }
      },
      "logId": {
        "keyId": "/TKbCUU9CPkeXPLkZSBMayyIieby0t5s3hpm/mWvTDU="
      }
    }
  ],
  "certificateAuthorities": [
    {
      "subject": {
        "organization": "Umbrella Corporation",
        "commonName": "Root"
      },
      "uri": "https://fulcio.test.foo",
      "certChain": {
        "certificates": [
          {
            "rawBytes": "MIICCTCCAbCgAwIBAgIUHDmuvTRvs0QKLbLB0NzHRNv9uiowCgYIKoZIzj0EAwIwRzEdMBsGA1UEChMUVW1icmVsbGEgQ29ycG9yYXRpb24xJjAkBgNVBAMTHUZ1bGNpbyBJbnRlcm1lZGlhdGUgLSBvZmZsaW5lMB4XDTI0MDIwMzAwMDAwMFoXDTI1MDIwMjAwMDAwMFowRjEdMBsGA1UEChMUVW1icmVsbGEgQ29ycG9yYXRpb24xJTAjBgNVBAMTHEZ1bGNpbyBJbnRlcm1lZGlhdGUgLSBvbmxpbmUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASuVV0y56oOg+wDp1tuNqhO+kJN7v4LfWeybgXpymTS1iTJi9KG+C4vwHHIoDUm903ibl5hcrzHNfimhEIvGfUEo3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQURKRBGoDKyxxvYjKI1hf5XwgzqVUwHwYDVR0jBBgwFoAUSbfpoJQP5tM7K+6m+DH2rLIfnmowCgYIKoZIzj0EAwIDRwAwRAIgRl7ocUZySscxipHEsoR8pyq3CQq8eBtIk/ED9pfDVnACIBxf/2FPQ5OrGOtTvMATGobgVT7I47hq0ielUk4Ahu7X"
          },
          {
            "rawBytes": "MIIB3jCCAYOgAwIBAgIURCy5Zqzr3D6OLlWiCK4Wbd6nlXQwCgYIKoZIzj0EAwIwLjEdMBsGA1UEChMUVW1icmVsbGEgQ29ycG9yYXRpb24xDTALBgNVBAMTBFJvb3QwHhcNMjQwMjAzMDAwMDAwWhcNMjkwMjAxMDAwMDAwWjBHMR0wGwYDVQQKExRVbWJyZWxsYSBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdRnVsY2lvIEludGVybWVkaWF0ZSAtIG9mZmxpbmUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAR1jMWmUFKDhsPSGJ5/JhIT/4Tu5jfhNPoxhvSHduDgypcVDHR1+0Z00sziPFO0xo6JcQ+Iy0LGHGatxNB7Al81o2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNVHQ4EFgQUSbfpoJQP5tM7K+6m+DH2rLIfnmowHwYDVR0jBBgwFoAUD4GinE5klrSpTJF1qN/OOS3RdJkwCgYIKoZIzj0EAwIDSQAwRgIhAPKj4S458+h4ZGTEmew773VsnfQtg8QdnnkdMYrik1M5AiEAy31ef0w8KqhknNn6m3L1nLUxLfsQQ+KEyLYYpVQIfHE="
          },
          {
            "rawBytes": "MIIBojCCAUmgAwIBAgIUVDnTWXahSkBcdF4a07xIFFeur1YwCgYIKoZIzj0EAwIwLjEdMBsGA1UEChMUVW1icmVsbGEgQ29ycG9yYXRpb24xDTALBgNVBAMTBFJvb3QwHhcNMjQwMjAzMDAwMDAwWhcNMzQwMTMxMDAwMDAwWjAuMR0wGwYDVQQKExRVbWJyZWxsYSBDb3Jwb3JhdGlvbjENMAsGA1UEAxMEUm9vdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFElGoh/aqZ/RCy/IRd+7ZNggDS+cwRMMb501j5eH/qKH0k/mnY5Lq3duBX6BGD+Q5TtEo8tmQ24+Zy33QsUobmjRTBDMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQPgaKcTmSWtKlMkXWo3845LdF0mTAKBggqhkjOPQQDAgNHADBEAiBvOyX8IMiCTqMD1JC+qw8J3lqqmzaou4nwMbIlG8hbXAIgHaYjlnp7IMyJQ+nF6p/MXOK0Uh6S7vC6zRcVhBIbG1w="
          }
        ]
      },
      "validFor": {
        "start": "2024-04-03T00:00:00Z"
      }
    }
  ],
  "ctlogs": [
    {
      "baseUrl": "https://ct.bar",
      "hashAlgorithm": "SHA2_256",
      "publicKey": {
        "rawBytes": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyuEumAOUjCAEM2unKrmJohSqGzAH6+TsETWSPYsB98xDIO5zdL43LD/dpEXW9DnRdGYKnlDCLYyFYiR7/gToxmiZgprn45ZvNxQQDnwHuUdIVnfYvDV5nTSrqMW7WZ1bWckkw5P00BNVXLCWBW6KCGflcZODXd8Nrk8lWzl32iUbKh48WbumvfmcIBdrouXrJ/fzGV3OYLiIk9dMP6ux18cceJeeMyn2rTnSknOMQP95OsdOh0G22bSbQFtCnGeNW+TOXsA5q9w59V56/gqGZksOAqLcZu2IhLq33q8r6kh47t2kGcvBFi6QUuqzavT2zguEHdP7nQNCYzfioEo3zwIDAQAB",
        "keyDetails": "PKIX_RSA_PKCS1V15_2048_SHA256",
        "validFor": {
          "start": "2024-04-03T00:00:00Z"
        }
      },
      "logId": {
        "keyId": "/TKbCUU9CPkeXPLkZSBMayyIieby0t5s3hpm/mWvTDU="
      }
    }
  ]
}

The astute reader will notice that the artifact transparency log and the CT log end up with the same public key, and therefore the same logId.keyId, even though they were added from different PEM files. The key material is in fact identical: one file encodes it as PKCS#1 (an "RSA PUBLIC KEY" block) and the other as PKIX (a "PUBLIC KEY" SubjectPublicKeyInfo block). During serialization to JSON only PKIX is emitted, since the PKCS#1 key encodings are deprecated in sigstore/protobuf-specs. Because a Sigstore log ID is the SHA-256 of the DER-encoded PKIX key, normalizing to PKIX on input is also what makes the two keyId values agree.
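To make the PKCS#1/PKIX point concrete, here is an added example (not trtool's own code) that loads an RSA public key from either PEM form, normalizes it to DER PKIX, and derives the log ID the way Sigstore defines it: base64 of SHA-256 over the DER SubjectPublicKeyInfo. The key is generated at runtime because the repository's test_data files are not on this page; the function names are this example's own. KeyIDFromRawBytes accepts a "rawBytes" value copied from a trusted root JSON, so you can check a generated keyId by hand.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// LogIDFromPEM accepts an RSA public key in PKCS#1 ("RSA PUBLIC KEY") or
// PKIX ("PUBLIC KEY") PEM form, normalizes it to DER PKIX and returns the
// Sigstore log ID for it. Any other block type is rejected rather than guessed.
func LogIDFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", errors.New("no PEM block found")
	}
	var spki []byte
	switch block.Type {
	case "RSA PUBLIC KEY": // PKCS#1: bare RSAPublicKey, no algorithm identifier
		rsaPub, err := x509.ParsePKCS1PublicKey(block.Bytes)
		if err != nil {
			return "", err
		}
		spki, err = x509.MarshalPKIXPublicKey(rsaPub) // re-wrap as SubjectPublicKeyInfo
		if err != nil {
			return "", err
		}
	case "PUBLIC KEY": // PKIX: already a SubjectPublicKeyInfo, just validate it
		if _, err := x509.ParsePKIXPublicKey(block.Bytes); err != nil {
			return "", err
		}
		spki = block.Bytes
	default:
		return "", fmt.Errorf("unsupported PEM type %q", block.Type)
	}
	return KeyIDFromSPKI(spki), nil
}

// KeyIDFromSPKI is the log ID definition: SHA-256 over the DER SPKI, base64 (standard alphabet).
func KeyIDFromSPKI(spki []byte) string {
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// KeyIDFromRawBytes takes a publicKey.rawBytes value from a trusted root JSON
// (base64 DER SPKI) and returns the keyId that must appear under logId.
func KeyIDFromRawBytes(raw string) (string, error) {
	spki, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return "", err
	}
	if _, err := x509.ParsePKIXPublicKey(spki); err != nil {
		return "", err
	}
	return KeyIDFromSPKI(spki), nil
}

// EncodeBoth writes one RSA public key as PKCS#1 PEM and as PKIX PEM, which is
// how two differently encoded files can carry the same key.
func EncodeBoth(pub *rsa.PublicKey) (pkcs1 []byte, pkix []byte, err error) {
	pkcs1 = pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: x509.MarshalPKCS1PublicKey(pub)})
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, nil, err
	}
	pkix = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return pkcs1, pkix, nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway key, constructed for this example
	if err != nil {
		panic(err)
	}
	pkcs1, pkix, err := EncodeBoth(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	id1, _ := LogIDFromPEM(pkcs1)
	id2, _ := LogIDFromPEM(pkix)
	fmt.Println("PKCS#1 input ->", id1)
	fmt.Println("PKIX   input ->", id2)
	fmt.Println("same log ID:", id1 == id2)
}
```

A verifier that hashed the PKCS#1 bytes instead would produce a different keyId for the same log, which is exactly the kind of silent mismatch that makes inclusion proofs fail to look up the right log; normalizing before hashing avoids it.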

Verify the generated trust root

$ ./trtool verify -f tr3.json
$ echo $?
0

In verbose mode

$ ./trtool verify -v -f tr3.json
Verifying OU='Umbrella Corporation' CN='Root' of length 3
  Loaded OU='Umbrella Corporation' CN='Fulcio Intermediate - online' CA:true MaxPathLen 0 at pos 0
    issuer OU='Umbrella Corporation' CN='Fulcio Intermediate - offline'
  Loaded OU='Umbrella Corporation' CN='Fulcio Intermediate - offline' CA:true MaxPathLen 1 at pos 1
    issuer OU='Umbrella Corporation' CN='Root'
  Loaded OU='Umbrella Corporation' CN='Root' CA:true MaxPathLen 2 at pos 2
    issuer OU='Umbrella Corporation' CN='Root'
------------------------------------------------------------------------
Trusted root is valid
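The verbose output shows what a trust-root check has to establish for the certChain: every entry is a CA, the path-length constraints nest (MaxPathLen 2 at the root, 1 at the offline intermediate, 0 at the online one), the last entry is self-signed, and each entry was issued by the next. The following added example (not trtool's code; its exact checks are not shown on this page) builds a three-CA chain with the same names and path lengths using throwaway P-256 keys, verifies it leaf-first with crypto/x509, and then shows a root whose MaxPathLen is too small being rejected. BuildChain, VerifyChain and caSpec are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// caSpec is one CA in the chain: its common name and basic-constraints path length.
type caSpec struct {
	cn         string
	maxPathLen int // 0 means no further CAs may hang below it (the online intermediate)
}

// makeCA issues a CA certificate for spec, self-signed when parent is nil,
// otherwise signed by parent/parentKey. Keys are fresh P-256 keys made here.
func makeCA(spec caSpec, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it strictly positive
		Subject:               pkix.Name{Organization: []string{"Umbrella Corporation"}, CommonName: spec.cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            spec.maxPathLen,
		MaxPathLenZero:        spec.maxPathLen == 0, // needed so pathLen 0 is actually encoded
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain returns a leaf-first chain [online, offline, root], the same
// ordering the verbose output above walks (pos 0 .. pos 2).
func BuildChain(rootLen, offlineLen, onlineLen int) ([]*x509.Certificate, error) {
	root, rootKey, err := makeCA(caSpec{"Root", rootLen}, nil, nil)
	if err != nil {
		return nil, err
	}
	offline, offlineKey, err := makeCA(caSpec{"Fulcio Intermediate - offline", offlineLen}, root, rootKey)
	if err != nil {
		return nil, err
	}
	online, _, err := makeCA(caSpec{"Fulcio Intermediate - online", onlineLen}, offline, offlineKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{online, offline, root}, nil
}

// VerifyChain checks a leaf-first chain: every entry is a CA, the last entry is
// self-signed and acts as the only trust anchor, and the first entry chains up
// to it through the remaining entries (signatures, validity, path lengths).
func VerifyChain(chain []*x509.Certificate) error {
	if len(chain) < 2 {
		return errors.New("chain needs at least one CA and a root")
	}
	for i, c := range chain {
		if !c.BasicConstraintsValid || !c.IsCA {
			return fmt.Errorf("cert %d (%s) is not a CA", i, c.Subject.CommonName)
		}
	}
	root := chain[len(chain)-1]
	if err := root.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("last cert is not self-signed: %w", err)
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	chain, err := BuildChain(2, 1, 0)
	if err != nil {
		panic(err)
	}
	for i, c := range chain {
		fmt.Printf("Loaded CN=%q CA:%v MaxPathLen %d at pos %d, issuer CN=%q\n",
			c.Subject.CommonName, c.IsCA, c.MaxPathLen, i, c.Issuer.CommonName)
	}
	fmt.Println("well-formed chain:", VerifyChain(chain))
	bad, _ := BuildChain(0, 1, 0) // root claims pathLen 0 but has an intermediate beneath it
	fmt.Println("root with MaxPathLen 0:", VerifyChain(bad))
}
```

Note that crypto/x509 treats whatever you pass to Verify as the leaf, so a pathLen violation is only detected on issuers above it; that is why the failing case shrinks the root's MaxPathLen rather than the online intermediate's.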

About

Trust root tool
