-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Minor refactoring of Fulcio SCT handling #1259
base: main
Are you sure you want to change the base?
Conversation
Looks ok to me even with fresh eyes, marking ready for review. @javanlacerda do you want to have a look? |
Functionality should not change: Except a few more errors are handled. The sct module API changes but it is internal. * Remove one unnecessary internal exception and one unused exception * We only support a single SCT: simplify the sct module API * Make sure all errors raised in sct.get_signed_certificate_timestamp() are actually handled (by only raising ValueError and handling that) * Handle SCT parsing errors during verify Signed-off-by: Jussi Kukkonen <[email protected]>
Simplify FulcioCertificateSigningResponse by removing sct field from it. This changes the (internal) fulcio module API. The only place that needs the SCT is verify_sct() and it already gets the certificate which it can trivially get the SCT from. This makes get_signed_certificate_timestamp() an internal implementation detail of verify_sct() which is nice. FulcioSigningCert.post() changes in that it could now return a response without an SCT: this is ok as it is immediately verified in the callsite in Signer._signing_cert(). Signed-off-by: Jussi Kukkonen <[email protected]>
97c854f
to
41b8609
Compare
/gcbrun |
I have no idea how to remove the old failed GCB check from the results:
|
Probably not necessary since the check is not required, but I agree that's annoying! |
Yeah, weird -- I was thinking it might be a Pulimi thing but it's not configured there either. Hopefully it just expires at some point, but agreed with @di about it being a nonblocker 🙂 Edit: Yeah, looks like it got invalidated and removed. |
f"Unexpected embedded SCT count in response: {len(precert_scts_extension)} != 1" | ||
if len(timestamps) != 1: | ||
raise VerificationError( | ||
f"Expected one certificate timestamp, found {len(timestamps)}." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: no periods in exceptons
f"Expected one certificate timestamp, found {len(timestamps)}." | |
f"Expected one certificate timestamp, found {len(timestamps)}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @jku! One small nitpick 🙂
Summary
Simplify SCT management in fulcio client and the sites that need to call verify_sct()
verify_sct()
: Make them an implementation detail and stop exposing them in FulcioCertificateSigningResponse (which is internal, so this is not an API change)FulcioCertificateSigningResponse
may now exist without a valid SCT: In practice Signer works just like before since we callverify_sct()
on the cert immediately after getting the responseThere are two commits but I recommend reviewing the PR as a whole.
Fixes #1258.
Release Note
N/A: No public API changes or CLI changes are expected.