Fix bug in googleca and update flag description

Signed-off-by: Priya Wadhwa <[email protected]>

cmd/app/serve.go

@@ -60,7 +60,7 @@ func newServeCmd() *cobra.Command {
 	cmd.Flags().String("log_type", "dev", "logger type to use (dev/prod)")
 	cmd.Flags().String("ca", "", "googleca | tinkca | pkcs11ca | fileca | kmsca | ephemeralca (for testing)")
 	cmd.Flags().String("aws-hsm-root-ca-path", "", "Path to root CA on disk (only used with AWS HSM)")
-	cmd.Flags().String("gcp_private_ca_parent", "", "private ca parent: /projects/<project>/locations/<location>/<name> (only used with --ca googleca)")
+	cmd.Flags().String("gcp_private_ca_parent", "", "private ca parent: projects/<project>/locations/<location>/caPools/<caPool>/certificateAuthorities/<certificateAuthority> (only used with --ca googleca)")
 	cmd.Flags().String("hsm-caroot-id", "", "HSM ID for Root CA (only used with --ca pkcs11ca)")
 	cmd.Flags().String("ct-log-url", "http://localhost:6962/test", "host and path (with log prefix at the end) to the ct log")
 	cmd.Flags().String("ct-log-public-key-path", "", "Path to a PEM-encoded public key of the CT log, used to verify SCTs")

pkg/ca/googleca/v1/googleca.go

@@ -33,14 +33,14 @@ import (
 	"github.com/sigstore/fulcio/pkg/ca"
 	"github.com/sigstore/fulcio/pkg/identity"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
-	"google.golang.org/api/iterator"
 	"google.golang.org/api/option"
 	"google.golang.org/protobuf/types/known/durationpb"
 )
 
 type CertAuthorityService struct {
-	parent string
-	client *privateca.CertificateAuthorityClient
+	parent       string
+	caPoolParent string
+	client       *privateca.CertificateAuthorityClient
 
 	// protected by once
 	cachedRoots     [][]*x509.Certificate
@@ -52,9 +52,13 @@ func NewCertAuthorityService(ctx context.Context, parent string, opts ...option.
 	if err != nil {
 		return nil, err
 	}
+	// parent should be in the form projects/*/locations/*/caPools/*/certificateAuthorities/*
+	// to create a cert, we only want projects/*/locations/*/caPools/*
+	caPoolParent := strings.Split(parent, "/certificateAuthorities")
 	return &CertAuthorityService{
-		parent: parent,
-		client: client,
+		parent:       parent,
+		client:       client,
+		caPoolParent: caPoolParent[0],
 	}, nil
 }
 
@@ -145,27 +149,22 @@ func (c *CertAuthorityService) TrustBundle(ctx context.Context) ([][]*x509.Certi
 
 	// fetch the latest values for the specified CA
 	var roots [][]*x509.Certificate
-	cas := c.client.ListCertificateAuthorities(ctx, &privatecapb.ListCertificateAuthoritiesRequest{
-		Parent: c.parent,
+	ca, err := c.client.GetCertificateAuthority(ctx, &privatecapb.GetCertificateAuthorityRequest{
+		Name: c.parent,
 	})
-	for {
-		ca, done := cas.Next()
-		if done == iterator.Done {
-			break
-		} else if done != nil {
-			// if the iterator returns an issue for some reason, exit
-			return [][]*x509.Certificate{}, done
-		}
-		// if we fail to parse the PEM content, return an error
-		caCerts, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(strings.Join(ca.PemCaCertificates, "")))
-		if err != nil {
-			return [][]*x509.Certificate{}, fmt.Errorf("failed parsing PemCACertificates response: %w", err)
-		}
-		if len(roots) == 0 {
-			return [][]*x509.Certificate{}, fmt.Errorf("error fetching root certificates")
-		}
-		roots = append(roots, caCerts)
+	if err != nil {
+		return nil, err
+	}
+	// if we fail to parse the PEM content, return an error
+	caCerts, err := cryptoutils.LoadCertificatesFromPEM(strings.NewReader(strings.Join(ca.PemCaCertificates, "")))
+	if err != nil {
+		return [][]*x509.Certificate{}, fmt.Errorf("failed parsing PemCACertificates response: %w", err)
+	}
+	if len(caCerts) == 0 {
+		return [][]*x509.Certificate{}, fmt.Errorf("error fetching root certificates")
 	}
+	roots = append(roots, caCerts)
+
 	c.cachedRootsOnce.Do(func() {
 		c.cachedRoots = roots
 	})
@@ -184,7 +183,7 @@ func (c *CertAuthorityService) CreateCertificate(ctx context.Context, principal
 		return nil, ca.ValidationError(err)
 	}
 
-	req, err := Req(c.parent, pubKeyBytes, cert)
+	req, err := Req(c.caPoolParent, pubKeyBytes, cert)
 	if err != nil {
 		return nil, ca.ValidationError(err)
 	}