Add cron job to fetch trusted roots for MTC

crates/ct_worker/src/ccadb_roots_cron.rs

@@ -17,7 +17,15 @@ use x509_cert::{
 };
 use x509_util::CertPool;
 
-use crate::{ccadb_roots_filename, CCADB_ROOTS_NAMESPACE, CONFIG};
+use crate::CONFIG;
+
+// A KV namespace with this binding must be configured in 'wrangler.jsonc' if
+// any log shards have 'enable_ccadb_roots=true'.
+pub(crate) const CCADB_ROOTS_NAMESPACE: &str = "ccadb_roots";
+
+pub(crate) fn ccadb_roots_filename(name: &str) -> String {
+    format!("roots_{name}.pem")
+}
 
 #[event(scheduled)]
 async fn main(_event: ScheduledEvent, env: Env, _ctx: ScheduleContext) {

crates/ct_worker/src/lib.rs

@@ -3,6 +3,7 @@
 
 #![doc = include_str!(concat!(env!("CARGO_MANIFEST_DIR"), "/README.md"))]
 
+use crate::ccadb_roots_cron::{ccadb_roots_filename, update_ccadb_roots, CCADB_ROOTS_NAMESPACE};
 use config::AppConfig;
 use ed25519_dalek::SigningKey as Ed25519SigningKey;
 use p256::{ecdsa::SigningKey as EcdsaSigningKey, pkcs8::DecodePrivateKey};
@@ -15,18 +16,12 @@ use tokio::sync::OnceCell;
 use worker::{Env, Result};
 use x509_util::CertPool;
 
-use crate::ccadb_roots_cron::update_ccadb_roots;
-
 mod batcher_do;
 mod ccadb_roots_cron;
 mod cleaner_do;
 mod frontend_worker;
 mod sequencer_do;
 
-// A KV namespace with this binding must be configured in 'wrangler.jsonc' if
-// any log shards have 'enable_ccadb_roots=true'.
-const CCADB_ROOTS_NAMESPACE: &str = "ccadb_roots";
-
 // Application configuration.
 static CONFIG: LazyLock<AppConfig> = LazyLock::new(|| {
     serde_json::from_str::<AppConfig>(include_str!(concat!(env!("OUT_DIR"), "/config.json")))
@@ -105,10 +100,6 @@ pub(crate) fn load_origin(name: &str) -> KeyName {
     .expect("invalid origin name")
 }
 
-fn ccadb_roots_filename(name: &str) -> String {
-    format!("roots_{name}.pem")
-}
-
 async fn load_roots(env: &Env, name: &str) -> Result<&'static CertPool> {
     // Load embedded roots.
     ROOTS

crates/mtc_worker/Cargo.toml

@@ -41,7 +41,10 @@ futures-executor.workspace = true
 
 [dependencies]
 base64.workspace = true
+base64ct.workspace = true
+chrono.workspace = true
 config = { path = "./config", package = "mtc_worker_config" }
+csv.workspace = true
 der.workspace = true
 generic_log_worker.workspace = true
 ed25519-dalek.workspace = true
@@ -53,6 +56,7 @@ serde_json.workspace = true
 serde_with.workspace = true
 signed_note.workspace = true
 tlog_tiles.workspace = true
+tokio.workspace = true
 worker.workspace = true
 x509-cert.workspace = true
 x509_util.workspace = true

crates/mtc_worker/build.rs

@@ -13,7 +13,6 @@ use url::Url;
 use x509_cert::{
     attr::AttributeTypeAndValue,
     name::{RdnSequence, RelativeDistinguishedName},
-    Certificate,
 };
 
 fn main() {
@@ -67,25 +66,13 @@ fn main() {
         }
     }
 
-    // Get and validate roots. Use 'roots.default.pem' if no environment-specific roots file is found.
-    let mut roots_file: &str = &format!("roots.{env}.pem");
-    if !fs::exists(roots_file).expect("failed to check if file exists") {
-        roots_file = "roots.default.pem";
-    }
-    let roots =
-        Certificate::load_pem_chain(&fs::read(roots_file).expect("failed to read roots file"))
-            .expect("unable to decode certificates");
-    assert!(!roots.is_empty(), "Roots file is empty");
-
     // Copy to OUT_DIR.
     let out_dir = env::var("OUT_DIR").unwrap();
     fs::copy(config_file, format!("{out_dir}/config.json")).expect("failed to copy config file");
-    fs::copy(roots_file, format!("{out_dir}/roots.pem")).expect("failed to copy roots file");
 
     println!("cargo::rerun-if-env-changed=DEPLOY_ENV");
     println!("cargo::rerun-if-changed=config.schema.json");
     println!("cargo::rerun-if-changed={config_file}");
-    println!("cargo::rerun-if-changed={roots_file}");
 }
 
 // Validate the URL prefix according to https://datatracker.ietf.org/doc/html/rfc6962#section-4.