Add Fulcio intermediate CA certificate to intermediate pool (#1774)

This certificate will be necessary for chain building from a leaf certificate to a root once a new version of Fulcio is rolled out. For OCI, the chain is stored in an annotation. This intermediate is currently only needed for verify-blob when looking up the certificate from Rekor. For the V3 TUF Root, the intermediate will be bundled, so that it is easily discoverable and revokable. For now, we'll simply bundle it with Cosign. Note that intermediates are considered untrusted, so it's fine if the intermediate is not in TUF currently, as the root that issued the intermediate certificate is in TUF. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Apr 19, 2022 · 623d50f · 623d50f
1 parent f89d691
commit 623d50f
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go
@@ -39,6 +39,23 @@ var fulcioTargetStr = `fulcio.crt.pem`
 // This is the v1 migrated root.
 var fulcioV1TargetStr = `fulcio_v1.crt.pem`
 
+// The untrusted intermediate CA certificate, used for chain building
+// TODO: Remove once this is bundled in TUF metadata.
+var fulcioIntermediateV1 = `-----BEGIN CERTIFICATE-----
+MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
+KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
+MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
+LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
+AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
+7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
+0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
+BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
+KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
+zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
+nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
+mygUY7Ii2zbdCdliiow=
+-----END CERTIFICATE-----`
+
 const (
 	altRoot = "SIGSTORE_ROOT_FILE"
 )
@@ -116,6 +133,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) {
 				}
 			}
 		}
+		intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1))
 	}
 	return rootPool, intermediatePool, nil
 }
diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go
@@ -40,8 +40,7 @@ func TestGetFulcioRoots(t *testing.T) {
 	if _, err := tmpCertFile.Write(chain); err != nil {
 		t.Fatalf("failed to write cert file: %v", err)
 	}
-	os.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())
-	defer os.Unsetenv("SIGSTORE_ROOT_FILE")
+	t.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name())
 
 	rootCertPool := Get()
 	// ignore deprecation error because certificates do not contain from SystemCertPool