Extract more certificate-extensions for validation

[ckotzbauer]

Description
Prerequisite for kyverno/kyverno#3216

In the signature package there are functions to extract the issuer (CertIssuerExtension) and subject (CertSubject) from a generated certificate. In sigstore/fulcio#306 I implemented several extensions (https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md) extracted from GitHub OIDC claims.

I suggest to add the ability to read those extensions too with additional functions (or a generic function which receives the name as parameter) to make it possible for kyverno to validate this values too with a policy.

I would be happy to make a PR for that if desired. 😉

[JimBugwadia]

Hi @ckotzbauer - this will be great to have!

I like the idea of having a generic function, to allow for future custom claims. Is there an available map of names to extension IDs, or would this need to be defined? Instead of the clients asking for each claim, may be best to return the entire list with names, so it can be used to display in the cosign verify output and in policy checks.

[ckotzbauer]

I don't think that there's a mapping for names to extension-IDs yet, but I'm not sure.
I think working with lists here would be great, this would be a generic approach and could be used in other places.

[dlorenc]

This sounds good to me! @nsmith5 had a proposal to add more things to the certs as well.

[JimBugwadia]

Hi @ckotzbauer - are you planning a PR for this? If not, I can take a look at proposing the changes.

[ckotzbauer]

I can take a look at the weekend.