opentdf · pflynn-virtru · Oct 17, 2025 · Sep 30, 2025 · Oct 2, 2025 · Oct 2, 2025
@@ -32,6 +32,7 @@ const (
 	ObjectTypeKasAttributeDefinitionKeyAssignment
 	ObjectTypeKasAttributeValueKeyAssignment
 	ObjectTypeKasAttributeNamespaceKeyAssignment
+	ObjectTypeNamespaceCertificate
 )
 
 func (ot ObjectType) String() string {
@@ -61,6 +62,7 @@ func (ot ObjectType) String() string {
 		"kas_attribute_definition_key_assignment",
 		"kas_attribute_value_key_assignment",
 		"kas_attribute_namespace_key_assignment",
+		"namespace_certificate",
 	}[ot]
 }
 

@@ -39,6 +39,8 @@ var (
 	ErrKasURIMismatch             = errors.New("ErrKasURIMismatch: KAS URI mismatch")
 	ErrInvalidOblTriParam         = errors.New("ErrInvalidOblTriParam: either the obligation value, attribute value, or action provided was not found")
 	ErrCheckViolation             = errors.New("ErrCheckViolation: check constraint violation")
+	ErrFqnMismatch                = errors.New("ErrFqnMismatch: FQN mismatch")
+	ErrInvalidCertificate         = errors.New("ErrInvalidCertificate: invalid certificate")
 )
 
 // Get helpful error message for PostgreSQL violation
@@ -132,6 +134,8 @@ const (
 	ErrorTextKasURIMismatch             = "kas uri mismatch"
 	ErrorTextKIDMismatch                = "key id mismatch"
 	ErrorTextInvalidOblTrigParam        = "either the obligation value, attribute value, or action provided is invalid"
+	ErrorTextFqnMismatch                = "fqn mismatch"
+	ErrorTextInvalidCertificate         = "invalid certificate"
 )
 
 func StatusifyError(ctx context.Context, l *logger.Logger, err error, fallbackErr string, logs ...any) error {
@@ -200,6 +204,14 @@ func StatusifyError(ctx context.Context, l *logger.Logger, err error, fallbackEr
 		l.ErrorContext(ctx, ErrorTextInvalidOblTrigParam, logs...)
 		return connect.NewError(connect.CodeInvalidArgument, errors.New(ErrorTextInvalidOblTrigParam))
 	}
+	if errors.Is(err, ErrFqnMismatch) {
+		l.ErrorContext(ctx, ErrorTextFqnMismatch, logs...)
+		return connect.NewError(connect.CodeInvalidArgument, errors.New(ErrorTextFqnMismatch))
+	}
+	if errors.Is(err, ErrInvalidCertificate) {
+		l.ErrorContext(ctx, ErrorTextInvalidCertificate, logs...)
+		return connect.NewError(connect.CodeInvalidArgument, errors.New(ErrorTextInvalidCertificate))
+	}
 
 	l.ErrorContext(ctx, "request error", append(logs, slog.Any("error", err))...)
 	return connect.NewError(connect.CodeInternal, errors.New(fallbackErr))

@@ -194,3 +194,34 @@ func UnmarshalSimpleKasKey(keysJSON []byte) (*policy.SimpleKasKey, error) {
 	}
 	return key, nil
 }
+
+func CertificatesProtoJSON(certsJSON []byte) ([]*policy.Certificate, error) {
+	var (
+		certs []*policy.Certificate
+		raw   []json.RawMessage
+	)
+	if err := json.Unmarshal(certsJSON, &raw); err != nil {
+		return nil, err
+	}
+	for _, r := range raw {
+		c, err := UnmarshalCertificate([]byte(r))
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal certificate: %w", err)
+		}
+		if c != nil {
+			certs = append(certs, c)
+		}
+	}
+	return certs, nil
+}
+
+func UnmarshalCertificate(certJSON []byte) (*policy.Certificate, error) {
+	var cert *policy.Certificate
+	if certJSON != nil {
+		cert = &policy.Certificate{}
+		if err := protojson.Unmarshal(certJSON, cert); err != nil {
+			return nil, err
+		}
+	}
+	return cert, nil
+}
@@ -0,0 +1,74 @@
+# Add Namespace Certificates
+
+## Migration: 20251002000000_add_namespace_certificates.sql
+
+### Purpose
+
+This migration adds support for associating root certificates with attribute namespaces to establish a chain of trust for the OpenTDF platform.
+
+### Changes
+
+#### New Tables
+
+1. **`certificates`** - Stores root certificate data
+   - `id` (UUID, PRIMARY KEY) - Unique identifier for the certificate
+   - `x5c` (TEXT, NOT NULL) - Base64-encoded DER certificate in x5c format
+   - `metadata` (JSONB) - Optional metadata for the certificate (labels, etc.)
+   - `created_at` (TIMESTAMP) - Creation timestamp
+   - `updated_at` (TIMESTAMP) - Last update timestamp
+
+2. **`attribute_namespace_certificates`** - Junction table for many-to-many relationship
+   - `namespace_id` (UUID, FK to attribute_namespaces) - Reference to the namespace
+   - `certificate_id` (UUID, FK to certificates) - Reference to the certificate
+   - Composite PRIMARY KEY on (namespace_id, certificate_id)
+   - CASCADE deletion on both foreign keys
+
+#### Indexes
+
+- Primary key index on `certificates(id)`
+- Composite primary key index on `attribute_namespace_certificates(namespace_id, certificate_id)`
+- Foreign key indexes created automatically by PostgreSQL
+
+### Motivation
+
+Root certificates need to be associated with namespaces to:
+1. Establish chain of trust for attribute-based access control
+2. Support certificate validation in the policy enforcement flow
+3. Enable namespace-scoped trust boundaries
+
+The junction table design allows:
+- Multiple certificates per namespace (certificate rotation/migration scenarios)
+- Certificate reuse across namespaces (if needed)
+- Clean cascade deletion when namespaces or certificates are removed
+
+### Certificate Format
+
+Certificates are stored in **x5c format**: base64-encoded DER (Distinguished Encoding Rules) representation without PEM headers/footers, following the JWT/JWS standard (RFC 7515 Section 4.1.6).
+
+### Schema Relations
+
+```
+attribute_namespaces (1) ----< (N) attribute_namespace_certificates (N) >---- (1) certificates
+```
+
+- One namespace can have many certificates (one-to-many)
+- One certificate can be assigned to many namespaces (many-to-one, though typically one-to-one)
+- Junction table enables many-to-many flexibility
+
+### Backward Compatibility
+
+This migration is **non-breaking**:
+- Only adds new tables, does not modify existing tables
+- No data migration required
+- Existing functionality continues to work unchanged
+- New certificate fields (`root_certs`) in Namespace proto are optional
+
+### Testing
+
+Before merging, verify:
+- [x] Migration up succeeds
+- [x] Migration down succeeds and removes tables cleanly
+- [x] CRUD operations on certificates work correctly
+- [x] Foreign key constraints enforce referential integrity
+- [x] CASCADE deletion works as expected
+- [x] Schema ERD updated with new relations
@@ -0,0 +1,45 @@
+-- +goose Up
+-- +goose StatementBegin
+
+CREATE TABLE IF NOT EXISTS certificates
+(
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    pem TEXT NOT NULL,
+    metadata JSONB,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+COMMENT ON TABLE certificates IS 'Table to store X.509 certificates for chain of trust (root only)';
+COMMENT ON COLUMN certificates.id IS 'Unique identifier for the certificate';
+COMMENT ON COLUMN certificates.pem IS 'PEM format - Base64-encoded DER certificate (not PEM; no headers/footers)';
+COMMENT ON COLUMN certificates.metadata IS 'Optional metadata for the certificate';
+COMMENT ON COLUMN certificates.created_at IS 'Timestamp when the certificate was created';
+COMMENT ON COLUMN certificates.updated_at IS 'Timestamp when the certificate was last updated';
+
+CREATE TABLE IF NOT EXISTS attribute_namespace_certificates
+(
+    namespace_id UUID NOT NULL REFERENCES attribute_namespaces(id) ON DELETE CASCADE,
+    certificate_id UUID NOT NULL REFERENCES certificates(id) ON DELETE CASCADE,
+    PRIMARY KEY (namespace_id, certificate_id)
+);
+
+COMMENT ON TABLE attribute_namespace_certificates IS 'Junction table to map root certificates to attribute namespaces';
+COMMENT ON COLUMN attribute_namespace_certificates.namespace_id IS 'Foreign key to the namespace';
+COMMENT ON COLUMN attribute_namespace_certificates.certificate_id IS 'Foreign key to the certificate';
+
+CREATE TRIGGER certificates_updated_at
+  BEFORE UPDATE ON certificates
+  FOR EACH ROW
+  EXECUTE FUNCTION update_updated_at();
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+DROP TRIGGER IF EXISTS certificates_updated_at ON certificates;
+DROP TABLE IF EXISTS attribute_namespace_certificates;
+DROP TABLE IF EXISTS certificates;
+
+-- +goose StatementEnd