
Commit 71f805c

committed
remove root_pem_file from cfg, and only allow a single file
1 parent da2d50f commit 71f805c


7 files changed

+164
-179
lines changed


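--- a/personalities/sctfe/config.go
+++ b/personalities/sctfe/config.go
@@ -48,9 +48,9 @@ type LogConfig struct {
 // origin identifies the log. It will be used in its checkpoint, and
 // is also its submission prefix, as per https://c2sp.org/static-ct-api
 Origin string
-// Paths to the files containing root certificates that are acceptable to the
+// Paths to the file containing root certificates that are acceptable to the
 // log. The certs are served through get-roots endpoint.
-RootsPemFile []string
+RootsPemFile string
 // The private key used for signing Checkpoints or SCTs.
 PrivateKey *anypb.Any
 // The public key matching the above private key (if both are present).
@@ -122,7 +122,7 @@ func LogConfigFromFile(filename string) (*configpb.LogConfig, error) {
 // - Merge delays (if present) are correct.
 //
 // Returns the validated structures (useful to avoid double validation).
-func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string) (*ValidatedLogConfig, error) {
+func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string, rootsPemFile string) (*ValidatedLogConfig, error) {
 if origin == "" {
 return nil, errors.New("empty origin")
 }
@@ -142,7 +142,7 @@ func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string,
 
 vCfg := ValidatedLogConfig{Config: &LogConfig{
 Origin: origin,
-RootsPemFile: cfg.RootsPemFile,
+RootsPemFile: rootsPemFile,
 PrivateKey: cfg.PrivateKey,
 PublicKey: cfg.PublicKey,
 RejectExpired: cfg.RejectExpired,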
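Review bot: The new rootsPemFile parameter of ValidateLogConfig (second hunk, line 125) is copied into the validated config without any check, while origin is rejected when empty a few lines below; the only emptiness check for the roots file stays in setUpLogInfo behind a TODO, so a missing -roots_pem_file is reported only after config validation has already returned success. Adding `if rootsPemFile == "" { return nil, errors.New("empty roots_pem_file") }` next to the origin check keeps the trust-anchor input validated in the same place as the rest of the config. The field comment in the first hunk also still says `// Paths to the file ...` now that the field is a single string; `// Path to the file containing root certificates that are acceptable to the` reads correctly. ValidateLogConfig continues outside the hunk.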

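--- a/personalities/sctfe/config_test.go
+++ b/personalities/sctfe/config_test.go
@@ -317,7 +317,7 @@ func TestValidateLogConfig(t *testing.T) {
 },
 } {
 t.Run(tc.desc, func(t *testing.T) {
-vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB)
+vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB, "")
 if len(tc.wantErr) == 0 && err != nil {
 t.Errorf("ValidateLogConfig()=%v, want nil", err)
 }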
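Review bot: Every table case passes `""` for the new rootsPemFile argument (line 320), so nothing in TestValidateLogConfig pins that the value actually reaches vc.Config.RootsPemFile. A case that passes a non-empty path and compares `vc.Config.RootsPemFile` against it would cover the new plumbing. If the emptiness check is later moved into ValidateLogConfig, as the TODO in instance.go suggests, the existing cases would also need a non-empty value to keep passing, so adding a `rootsPemFile` column to the table now avoids a larger rewrite later. The table and the loop begin before the hunk.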

personalities/sctfe/configpb/config.pb.go

Lines changed: 41 additions & 54 deletions

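--- a/personalities/sctfe/configpb/config.proto
+++ b/personalities/sctfe/configpb/config.proto
@@ -26,9 +26,6 @@ import "google/protobuf/timestamp.proto";
 //
 // NEXT_ID: 15
 message LogConfig {
-// Paths to the files containing root certificates that are acceptable to the
-// log. The certs are served through get-roots endpoint.
-repeated string roots_pem_file = 2;
 // The private key used for signing Checkpoints or SCTs.
 google.protobuf.Any private_key = 3;
 // The public key matching the above private key (if both are present).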
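Review bot: Field number 2 (roots_pem_file) is dropped from LogConfig without being reserved, so a future field could be assigned number 2 and, for configs that still carry the old field in binary form, silently decode stale root-file paths under a different meaning. Adding `reserved 2;` and `reserved "roots_pem_file";` inside the message prevents the number and the name from being reused. Whether old configs are parsed from text or binary form is not visible here, so how an unknown field is treated on read is worth confirming separately.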

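--- a/personalities/sctfe/ct_server_gcp/main.go
+++ b/personalities/sctfe/ct_server_gcp/main.go
@@ -61,12 +61,12 @@ var (
 tracingProjectID = flag.String("tracing_project_id", "", "project ID to pass to stackdriver. Can be empty for GCP, consult docs for other platforms.")
 tracingPercent = flag.Int("tracing_percent", 0, "Percent of requests to be traced. Zero is a special case to use the DefaultSampler")
 pkcs11ModulePath = flag.String("pkcs11_module_path", "", "Path to the PKCS#11 module to use for keys that use the PKCS#11 interface")
-// TODO: remove comment above when the config proto has been deleted.
-dedupPath = flag.String("dedup_path", "", "Path to the deduplication database")
-origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
-projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
-bucket = flag.String("bucket", "", "name of the bucket to store the log in")
-spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
+dedupPath = flag.String("dedup_path", "", "Path to the deduplication database")
+origin = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
+projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
+bucket = flag.String("bucket", "", "name of the bucket to store the log in")
+spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
+rootsPemFile = flag.String("roots_pem_file", "", "Paths to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
 )
 
 // nolint:staticcheck
@@ -89,7 +89,7 @@ func main() {
 klog.Exitf("Failed to read config: %v", err)
 }
 
-vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB)
+vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB, *rootsPemFile)
 if err != nil {
 klog.Exitf("Invalid config: %v", err)
 }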
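Review bot: The help text of the new `roots_pem_file` flag (line 69 of the first hunk) says "Paths to the file", plural for what is now a single file; `"Path to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint."` matches the new semantics. The re-added `project_id` line (66) still carries the `origin` flag's help text, "origin of the log, for checkpoints and the monitoring prefix", which looks like a copy-paste leftover; a description of the GCP project the log runs in would be more accurate, but confirm against how projectID is used, since that is outside the hunk. Nothing in main rejects an empty -roots_pem_file; the only check happens later in setUpLogInfo, as the instance.go hunk shows, so an operator gets "need to specify RootsPemFile" rather than an "Invalid config" exit at line 94.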

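--- a/personalities/sctfe/instance.go
+++ b/personalities/sctfe/instance.go
@@ -81,17 +81,16 @@ func setUpLogInfo(ctx context.Context, opts InstanceOptions) (*logInfo, error) {
 vCfg := opts.Validated
 cfg := vCfg.Config
 
+// TODO(phboneff): move to ValidateLogConfig
 // Check config validity.
 if len(cfg.RootsPemFile) == 0 {
 return nil, errors.New("need to specify RootsPemFile")
 }
 
 // Load the trusted roots.
 roots := x509util.NewPEMCertPool()
-for _, pemFile := range cfg.RootsPemFile {
-if err := roots.AppendCertsFromPEMFile(pemFile); err != nil {
-return nil, fmt.Errorf("failed to read trusted roots: %v", err)
-}
+if err := roots.AppendCertsFromPEMFile(cfg.RootsPemFile); err != nil {
+return nil, fmt.Errorf("failed to read trusted roots: %v", err)
 }
 
 var signer crypto.Signer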
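Review bot: The rewritten error return at line 93 still formats the underlying error with `%v`, so callers cannot use errors.Is/errors.As to tell a missing roots file from malformed PEM; `return nil, fmt.Errorf("failed to read trusted roots: %w", err)` keeps the chain intact. With RootsPemFile now a string, `if cfg.RootsPemFile == ""` at line 85 reads more directly than the `len(...) == 0` form kept from the slice version. It is also worth confirming whether AppendCertsFromPEMFile returns an error when the file parses but contains no certificates; if it does not, the log would come up with an empty trust-anchor set and reject every chain, so asserting the pool is non-empty right after loading would fail fast at startup — the helper's behaviour is not visible from the hunk. setUpLogInfo continues outside the hunk.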
