Support Fulcio certificate "chains" that just have a root (#40)
* Support Fulcio certificate "chains" that just have a root

sigstore/sigstore-conformance#112 includes
conformance tests with a mock Sigstore where there are no Fulcio
intermediate certificates.

Signed-off-by: Zach Steindler <steiza@github.com>

* Clarify leaf CT certificate

Signed-off-by: Zach Steindler <steiza@github.com>

---------

Signed-off-by: Zach Steindler <steiza@github.com>
steiza authored Dec 12, 2023
1 parent 6a8bf18 commit b5aa2fb
Showing 1 changed file with 11 additions and 6 deletions.
17 changes: 11 additions & 6 deletions pkg/verify/sct.go
Expand Up @@ -38,7 +38,7 @@ func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int,
return err
}

certChain, err := ctx509.ParseCertificates(leafCert.Raw)
leafCTCert, err := ctx509.ParseCertificates(leafCert.Raw)
if err != nil {
return err
}
Expand All @@ -52,16 +52,21 @@ func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int,
}

for _, fulcioCa := range fulcioCerts {
fulcioChain := make([]*ctx509.Certificate, len(leafCTCert))
copy(fulcioChain, leafCTCert)

var parentCert []byte

if len(fulcioCa.Intermediates) == 0 {
continue
parentCert = fulcioCa.Root.Raw
} else {
parentCert = fulcioCa.Intermediates[0].Raw
}
fulcioIssuer, err := ctx509.ParseCertificates(fulcioCa.Intermediates[0].Raw)

fulcioIssuer, err := ctx509.ParseCertificates(parentCert)
if err != nil {
continue
}

fulcioChain := make([]*ctx509.Certificate, len(certChain))
copy(fulcioChain, certChain)
fulcioChain = append(fulcioChain, fulcioIssuer...)

err = ctutil.VerifySCT(key.PublicKey, fulcioChain, sct, true)
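Review bot: In the no-intermediates branch, `parentCert = fulcioCa.Root.Raw` dereferences `Root` without a nil check, so a CA entry that has neither intermediates nor a root would panic inside the verifier instead of being skipped the way an unparseable issuer is a few lines below. Guarding it consistently with that path, `if fulcioCa.Root == nil { continue }` placed before the assignment, keeps the loop tolerant of a malformed trusted-root entry. The `else` branch still uses only `Intermediates[0]`, which presumes the intermediates are ordered with the leaf's direct issuer first; that ordering assumption deserves a one-line comment, since `ctutil.VerifySCT` presumably derives the issuer key hash from the second element of the chain it is handed. VerifySignedCertificateTimestamp begins before the first hunk and continues past this one.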