From 623d50f9b77ee85886a166daac648455e65003ec Mon Sep 17 00:00:00 2001 From: Hayden B Date: Mon, 18 Apr 2022 17:02:41 -0700 Subject: [PATCH] Add Fulcio intermediate CA certificate to intermediate pool (#1774) This certificate will be necessary for chain building from a leaf certificate to a root once a new version of Fulcio is rolled out. For OCI, the chain is stored in an annotation. This intermediate is currently only needed for verify-blob when looking up the certificate from Rekor. For the V3 TUF Root, the intermediate will be bundled, so that it is easily discoverable and revokable. For now, we'll simply bundle it with Cosign. Note that intermediates are considered untrusted, so it's fine if the intermediate is not in TUF currently, as the root that issued the intermediate certificate is in TUF. Signed-off-by: Hayden Blauzvern --- .../cli/fulcio/fulcioroots/fulcioroots.go | 18 ++++++++++++++++++ .../cli/fulcio/fulcioroots/fulcioroots_test.go | 3 +-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go index 9b48f2b2d74..db1fc460c7e 100644 --- a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go +++ b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go @@ -39,6 +39,23 @@ var fulcioTargetStr = `fulcio.crt.pem` // This is the v1 migrated root. var fulcioV1TargetStr = `fulcio_v1.crt.pem` +// The untrusted intermediate CA certificate, used for chain building +// TODO: Remove once this is bundled in TUF metadata. +var fulcioIntermediateV1 = `-----BEGIN CERTIFICATE----- +MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw +KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y +MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl +LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C +AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7 +7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS +0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB +BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp +KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI +zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR +nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP +mygUY7Ii2zbdCdliiow= +-----END CERTIFICATE-----` + const ( altRoot = "SIGSTORE_ROOT_FILE" ) @@ -116,6 +133,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) { } } } + intermediatePool.AppendCertsFromPEM([]byte(fulcioIntermediateV1)) } return rootPool, intermediatePool, nil } diff --git a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go index 9071db8cd4a..b400f453a82 100644 --- a/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go +++ b/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots_test.go @@ -40,8 +40,7 @@ func TestGetFulcioRoots(t *testing.T) { if _, err := tmpCertFile.Write(chain); err != nil { t.Fatalf("failed to write cert file: %v", err) } - os.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name()) - defer os.Unsetenv("SIGSTORE_ROOT_FILE") + t.Setenv("SIGSTORE_ROOT_FILE", tmpCertFile.Name()) rootCertPool := Get() // ignore deprecation error because certificates do not contain from SystemCertPool