Support Fulcio certificate "chains" that just have a root
sigstore/sigstore-conformance#112 includes
conformance tests with a mock Sigstore where there are no Fulcio
intermediate certificates.

Signed-off-by: Zach Steindler <[email protected]>
steiza committed Dec 11, 2023

1 parent 6a8bf18 commit c67baca
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions pkg/verify/sct.go
@@ -52,16 +52,21 @@ func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int,
}

for _, fulcioCa := range fulcioCerts {
fulcioChain := make([]*ctx509.Certificate, len(certChain))
copy(fulcioChain, certChain)

var parentCert []byte

if len(fulcioCa.Intermediates) == 0 {
continue
parentCert = fulcioCa.Root.Raw
} else {
parentCert = fulcioCa.Intermediates[0].Raw
}
fulcioIssuer, err := ctx509.ParseCertificates(fulcioCa.Intermediates[0].Raw)

fulcioIssuer, err := ctx509.ParseCertificates(parentCert)
if err != nil {
continue
}

fulcioChain := make([]*ctx509.Certificate, len(certChain))
copy(fulcioChain, certChain)
fulcioChain = append(fulcioChain, fulcioIssuer...)

err = ctutil.VerifySCT(key.PublicKey, fulcioChain, sct, true)
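Review bot: The added branch `parentCert = fulcioCa.Root.Raw` under `if len(fulcioCa.Intermediates) == 0` dereferences `Root` without checking it, so a trusted-root entry with no intermediates and no root would panic inside SCT verification rather than being skipped the way the old `continue` skipped intermediate-less entries. I would guard it, `if fulcioCa.Root == nil { continue }`, immediately before the assignment so a malformed entry still falls through to the next CA. Whether `Root` can actually be nil depends on how the trusted-root material is loaded, which is outside this hunk. Separately, moving `fulcioChain := make(...)` and `copy` above the parse means that allocation is wasted on every `continue`; keeping it after the `err != nil` check, as the old code did, avoids that. VerifySignedCertificateTimestamp begins and ends outside the hunk.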
