wip: certificate validation

internal/validator/notation/notation_validator.go

@@ -3,7 +3,6 @@ package notation
 import (
 	"connaisseur/internal/image"
 	"connaisseur/internal/policy"
-	"connaisseur/internal/utils"
 	"connaisseur/internal/validator/auth"
 	"context"
 	"fmt"
@@ -42,12 +41,16 @@ func (nv *NotationValidator) UnmarshalYAML(unmarshal func(interface{}) error) er
 		return fmt.Errorf("no trust roots provided for validator %s", valData.Name)
 	}
 
+	imts, err := NewInMemoryTrustStore(valData.TrustRoots)
+	if err != nil {
+		return fmt.Errorf("failed to create trust store: %s", err)
+	}
+
 	nv.Name = valData.Name
 	nv.Type = valData.Type
 	nv.Auth = valData.Auth
-	nv.TrustStore = &InMemoryTrustStore{
-		trustRoots: valData.TrustRoots,
-	}
+	nv.TrustStore = imts
+
 	return nil
 }
 
@@ -57,7 +60,7 @@ func (nv *NotationValidator) ValidateImage(
 	args policy.RuleOptions,
 ) (string, error) {
 
-	trustPolicy, err := nv.setUpTrustPolicy(image.Context().String(), args)
+	trustPolicy, err := nv.setUpTrustPolicy(image, args)
 	if err != nil {
 		return "", fmt.Errorf("failed to set up trust policy: %s", err)
 	}
@@ -108,30 +111,19 @@ func (nv *NotationValidator) ValidateImage(
 }
 
 func (nv *NotationValidator) setUpTrustPolicy(
-	image string,
+	image *image.Image,
 	args policy.RuleOptions,
 ) (*trustpolicy.Document, error) {
-	imtr := nv.TrustStore.(*InMemoryTrustStore)
-	trs, err := auth.GetTrustRoots([]string{args.TrustRoot}, imtr.trustRoots, true)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get trust roots: %s", err)
-	}
-
 	return &trustpolicy.Document{
 		Version: "1.0",
 		TrustPolicies: []trustpolicy.TrustPolicy{
 			{
 				Name:           "default",
-				RegistryScopes: []string{image},
+				RegistryScopes: []string{image.Context().String()},
 				SignatureVerification: trustpolicy.SignatureVerification{
 					VerificationLevel: trustpolicy.LevelStrict.Name,
 				},
-				TrustStores: utils.Map(
-					trs,
-					func(tr auth.TrustRoot) string {
-						return fmt.Sprintf("ca:%s", tr.Name)
-					},
-				),
+				TrustStores:       []string{fmt.Sprintf("ca:%s", args.TrustRoot)},
 				TrustedIdentities: []string{"*"},
 			},
 		},

internal/validator/notation/trust_store.go

@@ -11,31 +11,37 @@ import (
 )
 
 type InMemoryTrustStore struct {
-	trustRoots []auth.TrustRoot
+	trustRoots map[string][]*x509.Certificate
 	truststore.X509TrustStore
 }
 
+func NewInMemoryTrustStore(trustRoots []auth.TrustRoot) (*InMemoryTrustStore, error) {
+	certs := make(map[string][]*x509.Certificate)
+
+	for _, trustRoot := range trustRoots {
+		block, _ := pem.Decode([]byte(trustRoot.Cert))
+		cert, err := x509.ParseCertificate(block.Bytes)
+		if err != nil {
+			return &InMemoryTrustStore{}, fmt.Errorf("failed to parse certificate for trust root %s: %w", trustRoot.Name, err)
+		}
+		certs[trustRoot.Name] = []*x509.Certificate{cert}
+	}
+
+	return &InMemoryTrustStore{
+		trustRoots: certs,
+	}, nil
+}
+
 func (imts *InMemoryTrustStore) GetCertificates(
 	ctx context.Context,
 	_ truststore.Type,
 	namedStore string,
 ) ([]*x509.Certificate, error) {
-	var certs []*x509.Certificate
-
-	for _, trustRoot := range imts.trustRoots {
-		if trustRoot.Name == namedStore {
-			block, _ := pem.Decode([]byte(trustRoot.Cert))
-			cert, err := x509.ParseCertificate(block.Bytes)
-			if err != nil {
-				return nil, fmt.Errorf(
-					"failed to parse certificate for trustRoot %s: %s",
-					trustRoot.Name,
-					err,
-				)
-			}
-			certs = append(certs, cert)
+	for name, certs := range imts.trustRoots {
+		if name == namedStore {
+			return certs, nil
 		}
 	}
 
-	return certs, nil
+	return nil, fmt.Errorf("no certificates found for trustRoot %s", namedStore)
 }