remove root_pem_file from cfg, and only allow a single file

personalities/sctfe/config.go

@@ -48,9 +48,9 @@ type LogConfig struct {
 	// origin identifies the log. It will be used in its checkpoint, and
 	// is also its submission prefix, as per https://c2sp.org/static-ct-api
 	Origin string
-	// Paths to the files containing root certificates that are acceptable to the
+	// Paths to the file containing root certificates that are acceptable to the
 	// log. The certs are served through get-roots endpoint.
-	RootsPemFile []string
+	RootsPemFile string
 	// The private key used for signing Checkpoints or SCTs.
 	PrivateKey *anypb.Any
 	// The public key matching the above private key (if both are present).
@@ -122,7 +122,7 @@ func LogConfigFromFile(filename string) (*configpb.LogConfig, error) {
 //   - Merge delays (if present) are correct.
 //
 // Returns the validated structures (useful to avoid double validation).
-func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string) (*ValidatedLogConfig, error) {
+func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string, bucket string, spannerDB string, rootsPemFile string) (*ValidatedLogConfig, error) {
 	if origin == "" {
 		return nil, errors.New("empty origin")
 	}
@@ -142,7 +142,7 @@ func ValidateLogConfig(cfg *configpb.LogConfig, origin string, projectID string,
 
 	vCfg := ValidatedLogConfig{Config: &LogConfig{
 		Origin:                origin,
-		RootsPemFile:          cfg.RootsPemFile,
+		RootsPemFile:          rootsPemFile,
 		PrivateKey:            cfg.PrivateKey,
 		PublicKey:             cfg.PublicKey,
 		RejectExpired:         cfg.RejectExpired,

personalities/sctfe/config_test.go

@@ -317,7 +317,7 @@ func TestValidateLogConfig(t *testing.T) {
 		},
 	} {
 		t.Run(tc.desc, func(t *testing.T) {
-			vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB)
+			vc, err := ValidateLogConfig(tc.cfg, tc.origin, tc.projectID, tc.bucket, tc.spannerDB, "")
 			if len(tc.wantErr) == 0 && err != nil {
 				t.Errorf("ValidateLogConfig()=%v, want nil", err)
 			}

personalities/sctfe/configpb/config.proto

@@ -26,9 +26,6 @@ import "google/protobuf/timestamp.proto";
 //
 // NEXT_ID: 15
 message LogConfig {
-  // Paths to the files containing root certificates that are acceptable to the
-  // log. The certs are served through get-roots endpoint.
-  repeated string roots_pem_file = 2;
   // The private key used for signing Checkpoints or SCTs.
   google.protobuf.Any private_key = 3;
   // The public key matching the above private key (if both are present). 

personalities/sctfe/ct_server_gcp/main.go

@@ -61,12 +61,12 @@ var (
 	tracingProjectID   = flag.String("tracing_project_id", "", "project ID to pass to stackdriver. Can be empty for GCP, consult docs for other platforms.")
 	tracingPercent     = flag.Int("tracing_percent", 0, "Percent of requests to be traced. Zero is a special case to use the DefaultSampler")
 	pkcs11ModulePath   = flag.String("pkcs11_module_path", "", "Path to the PKCS#11 module to use for keys that use the PKCS#11 interface")
-	// TODO: remove comment above when the config proto has been deleted.
-	dedupPath = flag.String("dedup_path", "", "Path to the deduplication database")
-	origin    = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
-	projectID = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
-	bucket    = flag.String("bucket", "", "name of the bucket to store the log in")
-	spannerDB = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
+	dedupPath          = flag.String("dedup_path", "", "Path to the deduplication database")
+	origin             = flag.String("origin", "", "origin of the log, for checkpoints and the monitoring prefix")
+	projectID          = flag.String("project_id", "", "origin of the log, for checkpoints and the monitoring prefix")
+	bucket             = flag.String("bucket", "", "name of the bucket to store the log in")
+	spannerDB          = flag.String("spanner_db_path", "", "projects/{projectId}/instances/{instanceId}/databases/{databaseId}")
+	rootsPemFile       = flag.String("roots_pem_file", "", "Paths to the file containing root certificates that are acceptable to the log. The certs are served through get-roots endpoint.")
 )
 
 // nolint:staticcheck
@@ -89,7 +89,7 @@ func main() {
 		klog.Exitf("Failed to read config: %v", err)
 	}
 
-	vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB)
+	vCfg, err := sctfe.ValidateLogConfig(cfg, *origin, *projectID, *bucket, *spannerDB, *rootsPemFile)
 	if err != nil {
 		klog.Exitf("Invalid config: %v", err)
 	}

personalities/sctfe/instance.go

@@ -81,17 +81,16 @@ func setUpLogInfo(ctx context.Context, opts InstanceOptions) (*logInfo, error) {
 	vCfg := opts.Validated
 	cfg := vCfg.Config
 
+	// TODO(phboneff): move to ValidateLogConfig
 	// Check config validity.
 	if len(cfg.RootsPemFile) == 0 {
 		return nil, errors.New("need to specify RootsPemFile")
 	}
 
 	// Load the trusted roots.
 	roots := x509util.NewPEMCertPool()
-	for _, pemFile := range cfg.RootsPemFile {
-		if err := roots.AppendCertsFromPEMFile(pemFile); err != nil {
-			return nil, fmt.Errorf("failed to read trusted roots: %v", err)
-		}
+	if err := roots.AppendCertsFromPEMFile(cfg.RootsPemFile); err != nil {
+		return nil, fmt.Errorf("failed to read trusted roots: %v", err)
 	}
 
 	var signer crypto.Signer