Add Buildkite OIDC to Fulcio

config/fulcio-config.yaml

@@ -22,6 +22,11 @@ data:
               "ClientID": "sigstore",
               "Type": "email"
             },
+            "https://agent.buildkite.com": {
+              "IssuerURL": "https://agent.buildkite.com",
+              "ClientID": "sigstore",
+              "Type": "buildkite-job"
+            },
             "https://allow.pub": {
               "IssuerURL": "https://allow.pub",
               "ClientID": "sigstore",

federation/agent.buildkite.com/config.yaml

@@ -0,0 +1,18 @@
+# Copyright 2023 The Sigstore Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+url: https://agent.buildkite.com
+contact: support@buildkite.com
+description: "Buildkite Agent OIDC tokens for job identity"
+type: "buildkite-job"

pkg/challenges/challenges.go

@@ -26,6 +26,7 @@ import (
 
 	"github.com/sigstore/fulcio/pkg/config"
 	"github.com/sigstore/fulcio/pkg/identity"
+	"github.com/sigstore/fulcio/pkg/identity/buildkite"
 	"github.com/sigstore/fulcio/pkg/identity/email"
 	"github.com/sigstore/fulcio/pkg/identity/github"
 	"github.com/sigstore/fulcio/pkg/identity/kubernetes"
@@ -57,6 +58,8 @@ func PrincipalFromIDToken(ctx context.Context, tok *oidc.IDToken) (identity.Prin
 	var principal identity.Principal
 	var err error
 	switch iss.Type {
+	case config.IssuerTypeBuildkiteJob:
+		principal, err = buildkite.JobPrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeEmail:
 		principal, err = email.PrincipalFromIDToken(ctx, tok)
 	case config.IssuerTypeSpiffe:

pkg/config/config.go

@@ -208,6 +208,7 @@ func (fc *FulcioConfig) prepare() error {
 type IssuerType string
 
 const (
+	IssuerTypeBuildkiteJob   = "buildkite-job"
 	IssuerTypeEmail          = "email"
 	IssuerTypeGithubWorkflow = "github-workflow"
 	IssuerTypeKubernetes     = "kubernetes"
@@ -459,6 +460,8 @@ func validateAllowedDomain(subjectHostname, issuerHostname string) error {
 
 func issuerToChallengeClaim(issType IssuerType) string {
 	switch issType {
+	case IssuerTypeBuildkiteJob:
+		return "sub"
 	case IssuerTypeEmail:
 		return "email"
 	case IssuerTypeGithubWorkflow:

pkg/config/config_test.go

@@ -482,6 +482,9 @@ func Test_issuerToChallengeClaim(t *testing.T) {
 	if claim := issuerToChallengeClaim(IssuerTypeURI); claim != "sub" {
 		t.Fatalf("expected sub subject claim for URI issuer, got %s", claim)
 	}
+	if claim := issuerToChallengeClaim(IssuerTypeBuildkiteJob); claim != "sub" {
+		t.Fatalf("expected sub subject claim for Buildkite issuer, got %s", claim)
+	}
 	if claim := issuerToChallengeClaim(IssuerTypeGithubWorkflow); claim != "sub" {
 		t.Fatalf("expected sub subject claim for GitHub issuer, got %s", claim)
 	}

pkg/identity/buildkite/principal.go

@@ -0,0 +1,88 @@
+// Copyright 2023 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package buildkite
+
+import (
+	"context"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"net/url"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/sigstore/fulcio/pkg/certificate"
+	"github.com/sigstore/fulcio/pkg/identity"
+)
+
+type jobPrincipal struct {
+	// Subject matches the 'sub' claim from the OIDC ID token this is what is
+	// signed as proof of possession for Buildkite job identities
+	subject string
+
+	// OIDC Issuer URL. Matches 'iss' claim from ID token. The real issuer URL is
+	// https://agent.buildkite.com/.well-known/openid-configuration
+	issuer string
+
+	// The URL of the pipeline, the container of many builds. This will be
+	// set as a human-friendly SubjectAlternativeName URI in the certificate.
+	url string
+}
+
+func JobPrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Principal, error) {
+	var claims struct {
+		OrganizationSlug string `json:"organization_slug"`
+		PipelineSlug     string `json:"pipeline_slug"`
+	}
+	if err := token.Claims(&claims); err != nil {
+		return nil, err
+	}
+
+	if claims.OrganizationSlug == "" {
+		return nil, errors.New("missing organization_slug claim in ID token")
+	}
+
+	if claims.PipelineSlug == "" {
+		return nil, errors.New("missing pipeline_slug claim in ID token")
+	}
+
+	return &jobPrincipal{
+		subject: token.Subject,
+		issuer:  token.Issuer,
+		url:     fmt.Sprintf("https://buildkite.com/%s/%s", claims.OrganizationSlug, claims.PipelineSlug),
+	}, nil
+}
+
+func (p jobPrincipal) Name(ctx context.Context) string {
+	return p.subject
+}
+
+func (p jobPrincipal) Embed(ctx context.Context, cert *x509.Certificate) error {
+	// Set SubjectAlternativeName to the pipeline URL on the certificate
+	parsed, err := url.Parse(p.url)
+	if err != nil {
+		return err
+	}
+	cert.URIs = []*url.URL{parsed}
+
+	// Embed additional information into custom extensions
+	cert.ExtraExtensions, err = certificate.Extensions{
+		Issuer: p.issuer,
+	}.Render()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}