From ad293ad0eb4b2e02b6b42d81a1eb5b3cd5c540cf Mon Sep 17 00:00:00 2001 From: Philip Harrison Date: Thu, 5 Jan 2023 10:41:06 +0000 Subject: [PATCH] Standardizing Fulcio Certificate Extensions Co-authored-by: Phill MV Co-authored-by: Fredrik Skogman Signed-off-by: Philip Harrison --- docs/deprecated-oid-info.md | 72 ---------------- docs/oid-info.md | 165 +++++++++++++++++++++++++++--------- 2 files changed, 126 insertions(+), 111 deletions(-) delete mode 100644 docs/deprecated-oid-info.md diff --git a/docs/deprecated-oid-info.md b/docs/deprecated-oid-info.md deleted file mode 100644 index e89fa8065..000000000 --- a/docs/deprecated-oid-info.md +++ /dev/null @@ -1,72 +0,0 @@ -# Sigstore OID information (deprecated) - -Note: The OID information in this document has been deprecated and only applies to Fulcio certificates created before date: XXXX-XX-XXTXX:XX - -Please see the updated [Sigstore OID information](oid-info.md). - -## Description - -Sigstore maintains its own Private Enterprise Number (57264) with the Internet -Assigned Numbers Authority to help identify and organize additional metadata in -code signing certificates issued by Fulcio instances. This document aims to -provide a simple directory of values in use with an explanation of their -meaning. - -## Directory - -Note that all values begin from the root OID 1.3.6.1.4.1.57264 [registered by Sigstore][oid-link]. - -When adding additional OIDs under the root, please update the above link with the child OID. - -## 1.3.6.1.4.1.57264.1 | Fulcio - -The `.1` is added to the root OID for sigstore for all OIDs set by Fulcio. - -### 1.3.6.1.4.1.57264.1.1 | Issuer - -This contains the `issuer` claim from the OIDC Identity Token that was -presented at the time the code signing certificate was requested to be created. -This claim is the URI of the OIDC Identity Provider that digitally signed the -identity token. - -### 1.3.6.1.4.1.57264.1.2 | GitHub Workflow Trigger - -This contains the `event_name` claim from the GitHub OIDC Identity token that -contains the name of the event that triggered the workflow run. -[(docs)][github-oidc-doc] - -### 1.3.6.1.4.1.57264.1.3 | GitHub Workflow SHA - -This contains the `sha` claim from the GitHub OIDC Identity token that contains -the commit SHA that the workflow run was based upon. [(docs)][github-oidc-doc] - -### 1.3.6.1.4.1.57264.1.4 | GitHub Workflow Name - -This contains the `workflow` claim from the GitHub OIDC Identity token that -contains the name of the executed workflow. [(docs)][github-oidc-doc] - -### 1.3.6.1.4.1.57264.1.5 | GitHub Workflow Repository - -This contains the `repository` claim from the GitHub OIDC Identity token that -contains the repository that the workflow run was based upon. -[(docs)][github-oidc-doc] - -### 1.3.6.1.4.1.57264.1.6 | GitHub Workflow Ref - -This contains the `ref` claim from the GitHub OIDC Identity token that contains -the git ref that the workflow run was based upon. -[(docs)][github-oidc-doc] - -### 1.3.6.1.4.1.57264.1.7 | OtherName SAN - -This specifies the username identity in the OtherName Subject Alternative Name, as -defined by [RFC5280 4.2.1.6](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6). - -## 1.3.6.1.4.1.57264.2 | Policy OID for Sigstore Timestamp Authority - -Not used by Fulcio. This specifies the policy OID for the [timestamp authority](https://github.com/sigstore/timestamp-authority) -that Sigstore operates. - - -[github-oidc-doc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token -[oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264 diff --git a/docs/oid-info.md b/docs/oid-info.md index beced0817..83dda1653 100644 --- a/docs/oid-info.md +++ b/docs/oid-info.md @@ -2,75 +2,158 @@ ## Description -Sigstore maintains its own Private Enterprise Number (57264) with the Internet +Sigstore maintains its own Private Enterprise Number ([57264](http://oid-info.com/get/1.3.6.1.4.1.57264)) with the Internet Assigned Numbers Authority to help identify and organize additional metadata in code signing certificates issued by Fulcio instances. This document aims to provide a simple directory of values in use with an explanation of their meaning. +## Requirements to support signing with CI/CD workload identities + +In order to support Sigstore code signing with CI/CD based workfload identities the following claims must be included in the OIDC ID Token. See example claim values for each extension in the detailed [Directory](#directory). + +Providers MAY choose to emit extension value in other formats to generic examples, and consumers MUST NOT assume the generic example format. + +Requirements: + +- MUST include `iss` claim for `Issuer` extension. +- MUST include claim to support: `Build Signer URI` that identifies the specific build instructions that are responsible for signing. +- MUST include claim to support: `Build Signer Digest` which is an immutable reference to a specific version of the build instructions that are responsible for signing. +- MUST include claim to support: `Runner Environment` that differentiates between builds that took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. + +Recommended: + +- SHOULD include `iss` that uniquely identifies ID tokens originating from the CI/CD system, e.g. not shared with OIDC OAuth 2.0 tokens for email/username logins. +- SHOULD include claim to support: `Source Repository URI` +- SHOULD include claim to support: `Source Repository Digest` +- SHOULD include claim to support: `Source Repository Ref` +- SHOULD include claim to support: `Source Repository Identifier` +- SHOULD include claim to support: `Source Repository Owner URI` +- SHOULD include claim to support: `Source Repository Owner Identifier` + +Nice-to-haves: + +- MAY include claim to support: `Build Config URI` +- MAY include claim to support: `Build Config Digest` +- MAY include claim to support: `Build Trigger` +- MAY include claim to support: `Run Invocation URI` + +## Terminology + +- `Identifier`: Immutable resource identifier, e.g. uuid/primary key ID +- `URI`: SHOULD be a fully qualified URL when available. MAY be a mutable resource identifier, e.g. `https://scm.com/example/repository` + - Fully qualified URL: Complete URL with protocol. +- `Digest`: Output of a cryptographic hash function, e.g. git commit SHA + ## Directory Note that all values begin from the root OID 1.3.6.1.4.1.57264 [registered by Sigstore][oid-link]. When adding additional OIDs under the root, please update the above link with the child OID. +GitHub Workflow specific OID extensions have been deprecated in favor of provider generic extensions starting from 1.3.6.1.4.1.57264.1.8. + ## 1.3.6.1.4.1.57264.1 | Fulcio The `.1` is added to the root OID for sigstore for all OIDs set by Fulcio. ### 1.3.6.1.4.1.57264.1.1 | Issuer -This contains the `issuer` claim from the OIDC Identity Token that was +This contains the `iss` claim from the OIDC Identity Token that was presented at the time the code signing certificate was requested to be created. This claim is the URI of the OIDC Identity Provider that digitally signed the -identity token. For example: https://token.actions.githubusercontent.com. +identity token. For example: `https://oidc-issuer.com`. -### 1.3.6.1.4.1.57264.3.1 | Source URI +### 1.3.6.1.4.1.57264.1.2 | GitHub Workflow Trigger (deprecated) -Should include a fully qualified source repository URL that the build was based -on. +This contains the `event_name` claim from the GitHub OIDC Identity token that +contains the name of the event that triggered the workflow run. +[(docs)][github-oidc-doc] -### 1.3.6.1.4.1.57264.3.2 | Source Digest +### 1.3.6.1.4.1.57264.1.3 | GitHub Workflow SHA (deprecated) -An immutable reference to a specific version of the source code that the build -was based upon. Should include the digest type followed by the digest, e.g. -`sha1:abc123`. +This contains the `sha` claim from the GitHub OIDC Identity token that contains +the commit SHA that the workflow run was based upon. [(docs)][github-oidc-doc] -### 1.3.6.1.4.1.57264.3.3 | Source Ref +### 1.3.6.1.4.1.57264.1.4 | GitHub Workflow Name (deprecated) -The source ref that the build run was based upon. For example: `refs/head/main`. +This contains the `workflow` claim from the GitHub OIDC Identity token that +contains the name of the executed workflow. [(docs)][github-oidc-doc] -### 1.3.6.1.4.1.57264.3.4 | Build Config URI +### 1.3.6.1.4.1.57264.1.5 | GitHub Workflow Repository (deprecated) -A reference to the initiating build instructions. +This contains the `repository` claim from the GitHub OIDC Identity token that +contains the repository that the workflow run was based upon. +[(docs)][github-oidc-doc] -### 1.3.6.1.4.1.57264.3.5 | Build Config Digest +### 1.3.6.1.4.1.57264.1.6 | GitHub Workflow Ref (deprecated) -An immutable reference to the specific version of the top-level build -instructions. Should include the digest type followed by the digest, e.g. -`sha1:abc123`. +This contains the `ref` claim from the GitHub OIDC Identity token that contains +the git ref that the workflow run was based upon. +[(docs)][github-oidc-doc] -### 1.3.6.1.4.1.57264.3.6 | Build Siger URI +### 1.3.6.1.4.1.57264.1.7 | OtherName SAN -Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. +This specifies the username identity in the OtherName Subject Alternative Name, as +defined by [RFC5280 4.2.1.6](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6). -### 1.3.6.1.4.1.57264.3.7 | Build Siger Digest +### 1.3.6.1.4.1.57264.1.8 | Source Repository URI -An immutable reference to the specific version of the build instructions that is responsible for signing. Should include the digest type followed by the digest, e.g. `sha1:abc123`. +Source repository URL that the build was based on. SHOULD be fully qualified. For example: `https://example.com/owner/repository`. +### 1.3.6.1.4.1.57264.1.9 | Source Repository Digest -### 1.3.6.1.4.1.57264.3.8 | Build Trigger +Immutable reference to a specific version of the source code that the build +was based upon. For example: `abc123` git commit SHA. -The event or action that triggered the build. -### 1.3.6.1.4.1.57264.3.9 | Runner Environment +### 1.3.6.1.4.1.57264.1.10 | Source Repository Ref -For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. +Source Repository Ref that the build run was based upon. For example: `refs/head/main` git branch or tag. -### 1.3.6.1.4.1.57264.1.7 | OtherName SAN +### 1.3.6.1.4.1.57264.1.11 | Source Repository Identifier -This specifies the username identity in the OtherName Subject Alternative Name, as -defined by [RFC5280 4.2.1.6](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6). +Immutable identifier for the source repository the workflow was based upon. MAY be empty if the Source Repository URI is immutable. For example: `1234` if using a primary key. + +### 1.3.6.1.4.1.57264.1.12 | Source Repository Owner URI + +Source repository owner URL of the owner of the source repository that the build was based +on. SHOULD be fully qualified. MAY be empty if there is no Source Repository Owner. For example: `https://example.com/owner` + +### 1.3.6.1.4.1.57264.1.13 | Source Repository Owner Identifier + +Immutable identifier for the owner of the source repository that the workflow was based upon. MAY be empty if there is no Source Repository Owner or Source Repository Owner URI is immutable. For example: `5678` if using a primary key. + +### 1.3.6.1.4.1.57264.1.14 | Build Config URI + +Build Config URL to the top-level/initiating build instructions. SHOULD be fully qualified. For example: `https://example.com/owner/repository/build-config.yml`. + +### 1.3.6.1.4.1.57264.1.15 | Build Config Digest + +Immutable reference to the specific version of the top-level/initiating build +instructions. For example: `abc123` git commit SHA. + +### 1.3.6.1.4.1.57264.1.16 | Build Signer URI + +Reference to specific build instructions that are responsible for signing. SHOULD be fully qualified. MAY be the same as Build Config URI. Build Signer URI is also included in the Subject Alternative Name. + +For example a reusable workflow ref in GitHub Actions or a Circle CI Orb name/version. For example: `https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0`. + +### 1.3.6.1.4.1.57264.1.17 | Build Signer Digest + +Immutable reference to the specific version of the build instructions that is responsible for signing. For example: `abc123` git commit SHA. + +### 1.3.6.1.4.1.57264.1.18 | Build Trigger + +Event or action that initiated the build. For example: `push`. + +### 1.3.6.1.4.1.57264.1.19 | Run Invocation URI + +Run Invocation URL to uniquely identify the build execution. SHOULD be fully qualified. For example: `https://github.com/example/repository/actions/runs/1536140711/attempts/1`. + +### 1.3.6.1.4.1.57264.1.20 | Runner Environment + +Runner Environment specifying whether the build took place in platform-hosted cloud infrastructure or customer/self-hosted infrastructure. For example: `[platform]-hosted` and `self-hosted`. ## 1.3.6.1.4.1.57264.2 | Policy OID for Sigstore Timestamp Authority @@ -81,19 +164,23 @@ that Sigstore operates. | GitHub [(docs)][github-oidc-doc] | GitLab | CircleCI | Buildkite | Fulcio Certificate Extension | Why / Notes / Questions | |--------------------|--------|----------|-----------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| aud | ?? | ?? | ?? | N/A | Only used to validate the JWT. | -| iss | ?? | ?? | ?? | Issuer | This already exists. For example: https://token.actions.githubusercontent.com | -| exp | ?? | ?? | ?? | N/A | Only used to validate the JWT. | -| nbf | ?? | ?? | ?? | N/A | Only used to validate the JWT. | -| iat | ?? | ?? | ?? | N/A | Only used to validate the JWT. | -| repository | ?? | ?? | ?? | Source URI | Should include a fully qualified repository URL. | -| sha | ?? | ?? | ?? | Source Digest | An immutable reference to a specific version of the source code. Should include the digest type followed by the digest, e.g. `sha1:abc123`. | -| ref | ?? | ?? | ?? | Source Ref | The source ref that the build run was based upon. For example: refs/head/main. | +| aud | ?? | aud | aud | N/A | Only used to validate the JWT. | +| iss | iss | iss | iss | Issuer | This already exists. For example: https://token.actions.githubusercontent.com | +| exp | exp | exp | exp | N/A | Only used to validate the JWT. | +| nbf | nbf | nbf | nbf | N/A | Only used to validate the JWT. | +| iat | iat | iat | iat | N/A | Only used to validate the JWT. | +| repository | project_path | ?? | ?? | Source Repository URI | Should include a fully qualified repository URL. | +| sha | ?? | ?? | build_commit | Source Repository Digest | An immutable reference to a specific version of the source code. Should include the digest type followed by the digest, e.g. `sha1:abc123`. | +| ref | ref | ?? | build_branch | Source Repository Ref | The source ref that the build run was based upon. For example: refs/head/main. | +| repository_id | project_id | ?? | ?? | Source Repository Identifier | Stable identifier for the owner of the source repository. | +| repository_owner | namespace_path | ?? | ?? | Source Repository Owner URI | Fully qualified URL for the owner of the source repository. | +| repository_owner_id | namespace_id | ?? | ?? | Source Repository Owner Identifier | Stable identifier for the owner of the source repository. | | workflow_ref | ?? | ?? | ?? | Build Config URI | A reference to the initiating build instructions. | | workflow_sha | ?? | ?? | ?? | Build Config Digest | An immutable reference to the specific version of the top-level build instructions. Should include the digest type followed by the digest, e.g. `sha1:abc123`. | -| job_workflow_ref | ?? | ?? | ?? | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. | +| server_url + job_workflow_ref | ?? | ?? | ?? | Build Signer URI | Reference to specific build instructions that are responsible for signing. Can be the same as Build Config URI. For example a reusable workflow in GitHub Actions or a Circle CI Orbs. | | job_workflow_sha | ?? | ?? | ?? | Build Signer Digest | An immutable reference to the specific version of the build instructions that is responsible for signing. Should include the digest type followed by the digest, e.g. `sha1:abc123`. | -| event_name | ?? | ?? | ?? | Build Trigger | The event or action that triggered the build. | +| event_name | pipeline_source | ?? | ?? | Build Trigger | The event or action that triggered the build. | +| server_url + repository + "/actions/runs/" + run_id + "/attempts/" + run_attempt | ?? | ?? | ?? | Run Invocation URI | An immutable identifier that can uniquely identify the build execution | | runner_environment | ?? | ?? | ?? | Runner Environment | For platforms to specify whether the build took place in platform-hosted cloud infrastructure or customer-hosted infrastructure. For example: `platform-hosted` and `self-hosted`. | [github-oidc-doc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token