
light tool to create/sign (via kms) fulcio/tsa certs (ca, leaf etc) #1334

Closed
ianhundere opened this issue Nov 8, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@ianhundere
Contributor

Description

Cross-posting this from sigstore/helm-charts#863 as I'm thinking something like this would best live here.

@ianhundere ianhundere added the enhancement New feature or request label Nov 8, 2024
@haydentherapper
Contributor

Hey Ian, I like this idea! Would this make sense as a utility in the fulcio or timestamp-authority repositories? I want to make sure the generated certificates are conformant with the Fulcio/RFC3161 standards respectively, and if you're planning to leverage libraries from these repositories already, then maybe it'd be easiest to have them maintained under their respective repos.

@ianhundere
Contributor Author

ianhundere commented Nov 9, 2024

Hey Hayden, that definitely makes more sense.

I wasn't planning on leveraging libraries from those respective repos, but it looks like there's some overlap.

I'm currently using the following packages/config templates to create/sign certs for fulcio and tsa:

packages

```go
import (
	"context"
	"fmt"
	"math/big"
	"time"

	"crypto/x509"
	"crypto/x509/pkix"

	"encoding/json"
	"encoding/pem"
	"os"

	"go.step.sm/crypto/kms/apiv1"
	"go.step.sm/crypto/kms/awskms"
	"go.step.sm/crypto/kms/cloudkms"
	"go.step.sm/crypto/kms/azurekms"
	"go.step.sm/crypto/x509util"
)
```

fulcio intermediate/leaf cert template

```json
{
  "subject": {
    "commonName": "https://blah.com"
  },
  "issuer": {
    "commonName": "https://blah.com"
  },
  "keyUsage": [
    "certSign",
    "crlSign"
  ],
  "extKeyUsage": [
    "CodeSigning"
  ],
  "basicConstraints": {
    "isCA": true,
    "maxPathLen": 0
  }
}
```

tsa intermediate/leaf cert template

```json
{
  "subject": {
    "commonName": "https://blah.com"
  },
  "issuer": {
    "commonName": "https://blah.com"
  },
  "keyUsage": [
    "certSign",
    "crlSign"
  ],
  "basicConstraints": {
    "isCA": false,
    "maxPathLen": 0
  },
  "extensions": [
    {
      "id": "2.5.29.37",
      "critical": true,
      "value": "asn1Seq (asn1Enc oid:1.3.6.1.5.5.7.3.8) | toJson"
    }
  ]
}
```

Maybe have a utility with the expected cert standards (e.g. fulcio/rfc3161), and each lives in its respective repo?

Lemme know, and I can open an issue for each respective repository and pivot there for discussing further.

BTW, thanks for the quick response / feedback!
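Added example, not code from this thread or from the fulcio/timestamp-authority repos: the TSA template above expressed with Go's standard library, i.e. an end-entity cert whose extKeyUsage is a critical id-kp-timeStamping (the `2.5.29.37` / `1.3.6.1.5.5.7.3.8` extension the template spells out), plus the check a client should run on such a cert. It assumes a throwaway in-memory P-256 key standing in for the KMS signer, uses `digitalSignature` as the leaf key usage since the leaf signs timestamp tokens (the posted template uses certSign/crlSign), and the names `NewTSACert`, `CheckTSACert` and the common name are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidExtKeyUsage = asn1.ObjectIdentifier{2, 5, 29, 37}            // extKeyUsage extension
var oidTimeStamping = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 8} // id-kp-timeStamping

// NewTSACert is the TSA template above in Go: an end-entity cert whose extKeyUsage is a
// *critical* id-kp-timeStamping. Go's ExtKeyUsage field always emits that extension
// non-critical, so it is written via ExtraExtensions, which replaces the generated one.
func NewTSACert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway key standing in for a KMS signer
	if err != nil {
		return nil, err
	}
	eku, _ := asn1.Marshal([]asn1.ObjectIdentifier{oidTimeStamping}) // SEQUENCE OF OID; cannot fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: false,
		ExtraExtensions: []pkix.Extension{{Id: oidExtKeyUsage, Critical: true, Value: eku}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parse back so CheckTSACert sees what a client sees
}

// CheckTSACert is what a client should require of an RFC 3161 signer cert: not a CA, exactly one EKU, it is id-kp-timeStamping, and that extension is critical.
func CheckTSACert(c *x509.Certificate) bool {
	if c.IsCA || len(c.ExtKeyUsage) != 1 || c.ExtKeyUsage[0] != x509.ExtKeyUsageTimeStamping {
		return false
	}
	for _, e := range c.Extensions {
		if e.Id.Equal(oidExtKeyUsage) {
			return e.Critical
		}
	}
	return false // no extKeyUsage extension at all
}
```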

@ianhundere ianhundere changed the title Open light tool to create/sign (via kms) fulcio/tsa certs (ca, leaf etc) light tool to create/sign (via kms) fulcio/tsa certs (ca, leaf etc) Nov 11, 2024
@ianhundere
Contributor Author

@haydentherapper / @bobcallaway

Should I create a PR in each respective repo:

Or should we have it just live in the fulcio repo w/ the expectation that someone can grab it there if needed for tsa?

@haydentherapper
Contributor

In each repo is good with me, I'll review the PRs.

@ianhundere
Contributor Author

Sounds good / I'll open issues there and should have PRs up by the end of the week.
