Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor challenge verification #580

Merged
merged 2 commits into from
May 17, 2022

Conversation

nsmith5
Copy link
Contributor

@nsmith5 nsmith5 commented May 12, 2022

Summary

The challenge verification logic is sort of mixed up with the OIDC token parsing at the moment. This work makes two changes to this logic to make it a little easier to understand (there is one commit per change so you can read one at a time if desired)

  • Break up the OIDC parsing logic and proof of possession verification in ExtractSubject into two seperate things
  • Group all the logic for verifying a CSR together and all the logic for verify a signed subject proof of possession together. Make a really clear branch in logic between these two completely different challenges.

@haydentherapper
Copy link
Contributor

I’ve got to prep for a presentation, so I’ll take a look at this first thing Monday.

pkg/api/grpc_server.go Outdated Show resolved Hide resolved
pkg/api/grpc_server.go Outdated Show resolved Hide resolved
pkg/api/grpc_server.go Outdated Show resolved Hide resolved
pkg/api/grpc_server.go Outdated Show resolved Hide resolved
@nsmith5 nsmith5 force-pushed the refactor-challenge-verification branch from 46fab85 to 3fde015 Compare May 16, 2022 15:33
@nsmith5 nsmith5 force-pushed the refactor-challenge-verification branch from 3fde015 to 62efc87 Compare May 16, 2022 16:17
Nathan Smith added 2 commits May 16, 2022 09:26
Signed-off-by: Nathan Smith <nathan@chainguard.dev>
There are two challenges a caller can use to prove they possess their
private key:
- Submit a CSR
- Sign the subject or email from their ID token
Previously the logic to verify these two types of challenges was
interweaved. This work splits the verification into two different
branches and groups the logic of each type of verification together.

Signed-off-by: Nathan Smith <nathan@chainguard.dev>
@nsmith5 nsmith5 force-pushed the refactor-challenge-verification branch from 62efc87 to 57dbda7 Compare May 16, 2022 16:26
@dlorenc dlorenc merged commit c041c98 into sigstore:main May 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants