Add chain in response for all CAs, fix newlines in response (#341)

The certificate's chain was not being included when issuing certificates for non-GCP CAs. We were also adding too many newlines between PEM-encoded certificates. pem.Encode automatically adds newlines. Just in case the source that's providing the certificates is not including trailing newlines, I've added a check to optionally append newlines. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Jan 22, 2022 · 10262db · 10262db
1 parent 50b605d
commit 10262db
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 10 deletions.
diff --git a/pkg/api/api_test.go b/pkg/api/api_test.go
@@ -242,8 +242,8 @@ func fakeCTLogServer(t *testing.T) *httptest.Server {
 		}
 		var chain certChain
 		json.Unmarshal(body, &chain)
-		if len(chain.Chain) != 1 {
-			t.Fatalf("Did not get expected chain for input, wanted 1 entry, got %d", len(chain.Chain))
+		if len(chain.Chain) != 2 {
+			t.Fatalf("Did not get expected chain for input, wanted 2 entries, got %d", len(chain.Chain))
 		}
 		// Just make sure we can decode it.
 		for _, chainEntry := range chain.Chain {

diff --git a/pkg/api/ca.go b/pkg/api/ca.go
@@ -196,14 +196,21 @@ func signingCert(w http.ResponseWriter, req *http.Request) {
 		handleFulcioAPIError(w, req, http.StatusInternalServerError, err, failedToMarshalCert)
 		return
 	}
-	fmt.Fprintf(&ret, "%s\n", finalPEM)
+	fmt.Fprintf(&ret, "%s", finalPEM)
+	if finalPEM[len(finalPEM)-1] != '\n' {
+		fmt.Fprintf(&ret, "\n")
+	}
+
 	finalChainPEM, err := csc.ChainPEM()
 	if err != nil {
 		handleFulcioAPIError(w, req, http.StatusInternalServerError, err, failedToMarshalCert)
 		return
 	}
 	if len(finalChainPEM) > 0 {
-		fmt.Fprintf(&ret, "%s\n", finalChainPEM)
+		fmt.Fprintf(&ret, "%s", finalChainPEM)
+		if finalPEM[len(finalChainPEM)-1] != '\n' {
+			fmt.Fprintf(&ret, "\n")
+		}
 	}
 
 	// Set the SCT and Content-Type headers, and then respond with a 201 Created.

diff --git a/pkg/ca/fileca/fileca.go b/pkg/ca/fileca/fileca.go
@@ -99,7 +99,7 @@ func (fca *fileCA) CreateCertificate(_ context.Context, subject *challenges.Chal
 		return nil, err
 	}
 
-	return ca.CreateCSCFromDER(subject, finalCertBytes, nil)
+	return ca.CreateCSCFromDER(subject, finalCertBytes, fca.certs)
 }
 
 func (fca *fileCA) Root(ctx context.Context) ([]byte, error) {

diff --git a/pkg/ca/interface.go b/pkg/ca/interface.go
@@ -63,7 +63,7 @@ func CreateCSCFromPEM(subject *challenges.ChallengeResult, cert string, chain []
 	return c, nil
 }
 
-func CreateCSCFromDER(subject *challenges.ChallengeResult, cert, chain []byte) (c *CodeSigningCertificate, err error) {
+func CreateCSCFromDER(subject *challenges.ChallengeResult, cert []byte, chain []*x509.Certificate) (c *CodeSigningCertificate, err error) {
 	c = &CodeSigningCertificate{
 		Subject: subject,
 	}
@@ -76,14 +76,14 @@ func CreateCSCFromDER(subject *challenges.ChallengeResult, cert, chain []byte) (
 	}
 
 	// convert to X509 and store both formats
-	c.FinalChain, err = x509.ParseCertificates(chain)
+	c.FinalChain = chain
 	if err != nil {
 		return nil, err
 	}
 	buf := bytes.Buffer{}
-	for i, chainCert := range c.FinalChain {
+	for _, chainCert := range c.FinalChain {
 		buf.Write(cryptoutils.PEMEncode(cryptoutils.CertificatePEMType, chainCert.Raw))
-		if i != len(c.FinalChain) {
+		if chainCert.Raw[len(chainCert.Raw)-1] != '\n' {
 			buf.WriteRune('\n')
 		}
 	}

diff --git a/pkg/ca/x509ca/common.go b/pkg/ca/x509ca/common.go
@@ -96,7 +96,7 @@ func (x *X509CA) CreateCertificate(_ context.Context, subject *challenges.Challe
 		return nil, err
 	}
 
-	return ca.CreateCSCFromDER(subject, finalCertBytes, nil)
+	return ca.CreateCSCFromDER(subject, finalCertBytes, []*x509.Certificate{x.RootCA})
 }
 
 func AdditionalExtensions(subject *challenges.ChallengeResult) []pkix.Extension {