mtc_worker: Make the witness a proper MTC cosigner

crates/mtc_worker/config.bootstrap-mtca.json

@@ -4,6 +4,7 @@
         "shard1": {
             "description": "Cloudflare bootstrap MTCA shard 1",
             "log_id": "13335.1",
+            "witness_id": "44363.47.3",
             "submission_url": "https://bootstrap-mtca.cloudflareresearch.com/logs/shard1/",
             "monitoring_url": "https://bootstrap-mtca-shard1.cloudflareresearch.com"
         }

crates/mtc_worker/config.dev.json

@@ -4,12 +4,14 @@
         "dev1": {
             "description": "MTCA Dev1",
             "log_id": "13335.1",
+            "witness_id": "44363.47.1",
             "submission_url": "http://localhost:8787/logs/dev1/",
             "location_hint": "enam"
         },
         "dev2": {
             "description": "MTCA Dev2",
             "log_id": "13335.2",
+            "witness_id": "44363.47.2",
             "submission_url": "http://localhost:8787/logs/dev2/",
             "location_hint": "enam",
             "max_certificate_lifetime_secs": 100,

crates/mtc_worker/config.schema.json

@@ -30,6 +30,10 @@
                             "type": "string",
                             "description": "The log name (a trust anchor ID) in dotted decimal notation (e.g., 32473.1)."
                         },
+                        "witness_id": {
+                            "type": "string",
+                            "description": "A cosigner ID (a trust anchor ID) in dotted decimal notation (e.g., 32473.1)."
+                        },
                         "max_certificate_lifetime_secs": {
                             "type": "integer",
                             "default": 604800,

crates/mtc_worker/config/src/lib.rs

@@ -15,6 +15,7 @@ pub struct AppConfig {
 pub struct LogParams {
     pub description: Option<String>,
     pub log_id: String,
+    pub witness_id: String,
     #[serde(default = "default_usize::<604_800>")]
     pub max_certificate_lifetime_secs: usize,
     #[serde(default = "default_usize::<3600>")]

crates/mtc_worker/src/lib.rs

@@ -12,7 +12,7 @@ use signed_note::KeyName;
 use std::collections::HashMap;
 use std::str::FromStr;
 use std::sync::{LazyLock, OnceLock};
-use tlog_tiles::{CheckpointSigner, CosignatureV1CheckpointSigner, SequenceMetadata};
+use tlog_tiles::{CheckpointSigner, SequenceMetadata};
 use tokio::sync::OnceCell;
 #[allow(clippy::wildcard_imports)]
 use worker::*;
@@ -64,23 +64,28 @@ pub(crate) fn load_ed25519_key(
     }
 }
 
-pub(crate) fn load_checkpoint_signers(env: &Env, name: &str) -> Vec<Box<dyn CheckpointSigner>> {
-    let origin = load_origin(name);
-
+fn parse_trust_anchor(id: &str) -> TrustAnchorID {
     // Parse the log ID, an ASN.1 `RELATIVE OID` in decimal-dotted string form.
-    let log_id_relative_oid = RelativeOid::from_str(&CONFIG.logs[name].log_id).unwrap();
+    let relative_oid = RelativeOid::from_str(id).unwrap();
 
     // Get the BER/DER serialization of the content bytes, as described in <https://datatracker.ietf.org/doc/html/draft-ietf-tls-trust-anchor-ids-01#name-trust-anchor-identifiers>.
-    let log_id = TrustAnchorID(log_id_relative_oid.as_bytes().to_vec());
+    TrustAnchorID(relative_oid.as_bytes().to_vec())
+}
+
+pub(crate) fn load_checkpoint_signers(env: &Env, name: &str) -> Vec<Box<dyn CheckpointSigner>> {
+    let origin = load_origin(name);
+
+    let log_id = parse_trust_anchor(&CONFIG.logs[name].log_id);
+    let witness_id = parse_trust_anchor(&CONFIG.logs[name].witness_id);
 
     // TODO should the CA cosigner have a different ID than the log itself?
-    let cosigner_id = log_id.clone();
+    let signing_id = log_id.clone();
     let signing_key = load_signing_key(env, name).unwrap().clone();
     let witness_key = load_witness_key(env, name).unwrap().clone();
 
     // Make the checkpoint signers from the secret keys and put them in a vec
-    let signer = MTCSubtreeCosigner::new(cosigner_id, log_id, origin.clone(), signing_key);
-    let witness = CosignatureV1CheckpointSigner::new(origin, witness_key);
+    let signer = MTCSubtreeCosigner::new(signing_id, log_id.clone(), origin.clone(), signing_key);
+    let witness = MTCSubtreeCosigner::new(witness_id, log_id.clone(), origin.clone(), witness_key);
 
     vec![Box::new(signer), Box::new(witness)]
 }