Support legacy bundle v0.3 string; only parse leaf from cert chain

Signed-off-by: Zach Steindler <[email protected]>
sigstore · Mar 29, 2024 · c49270a · c49270a
1 parent 5f7e2d2
commit c49270a
Showing 1 changed file with 8 additions and 13 deletions.
diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go
@@ -35,6 +35,7 @@ import (
 
 const SigstoreBundleMediaType01 = "application/vnd.dev.sigstore.bundle+json;version=0.1"
 const SigstoreBundleMediaType02 = "application/vnd.dev.sigstore.bundle+json;version=0.2"
+const SigstoreBundleMediaType03Legacy = "application/vnd.dev.sigstore.bundle+json;version=0.3"
 const SigstoreBundleMediaType03 = "application/vnd.dev.sigstore.bundle.v0.3+json"
 const IntotoMediaType = "application/vnd.in-toto+json"
 
@@ -87,7 +88,7 @@ func (b *ProtobufBundle) validate() error {
 		if len(entries) > 0 && !b.hasInclusionProof {
 			return errors.New("inclusion proof missing in bundle (required for bundle v0.2)")
 		}
-	case SigstoreBundleMediaType03:
+	case SigstoreBundleMediaType03, SigstoreBundleMediaType03Legacy:
 		certs := b.Bundle.VerificationMaterial.GetX509CertificateChain()
 
 		if certs != nil {
@@ -143,20 +144,14 @@ func (b *ProtobufBundle) VerificationContent() (verify.VerificationContent, erro
 
 	switch content := b.VerificationMaterial.GetContent().(type) {
 	case *protobundle.VerificationMaterial_X509CertificateChain:
-		var parsedCert *x509.Certificate
-		for i, eachCert := range content.X509CertificateChain.GetCertificates() {
-			thisCert, err := x509.ParseCertificate(eachCert.RawBytes)
-			if err != nil {
-				return nil, ErrValidationError(err)
-			}
-
-			if i == 0 {
-				parsedCert = thisCert
-			}
-		}
-		if parsedCert == nil {
+		certs := content.X509CertificateChain.GetCertificates()
+		if len(certs) == 0 {
 			return nil, ErrMissingVerificationMaterial
 		}
+		parsedCert, err := x509.ParseCertificate(certs[0].RawBytes)
+		if err != nil {
+			return nil, ErrValidationError(err)
+		}
 		cert := &Certificate{
 			Certificate: parsedCert,
 		}