Handle the case of missing EKU in _is_preissuer #674
Conversation
/gcbrun
Thanks @ccordoui! For maximum pedantry: we probably also need the (Given that we don't build the chain anyways, I'm okay with skipping this for the purposes of this PR. But I want to make sure I'm not missing anything.)
LGTM; needs a "fixed" CHANGELOG.md entry 🙂
Yes, will do.
I'll add that too. Thanks @woodruffw!
No problem, thanks to you as well! You may be able to reuse one of the cert utility functions that I added under
97ab14a to 51aead9
I have to check why I have an expired client certificate using the signing unit tests, but outside of that, it seems that using
@woodruffw this version doesn't pass the unit tests but it is expected:

```
================================================================================================== short test summary info ==================================================================================================
...
FAILED test/unit/test_sign.py::test_sign_rekor_entry_consistent[staging] - sigstore._internal.sct.InvalidSCTError: Invalid issuer pubkey basicConstraint (not a CA): <cryptography.hazmat.backends.openssl.ec._EllipticCurvePublicKey object at 0x10ae4e990>
....
```

With debug logs:

```
ERROR sigstore._internal.sct:sct.py:153 Found <Certificate(subject=<Name(O=sigstore.dev,CN=sigstore-intermediate)>, ...)> as issuer, verifying if it is a ca
ERROR sigstore._internal.sct:sct.py:157 Invalid <Certificate(subject=<Name(O=sigstore.dev,CN=sigstore-intermediate)>, ...)>: failed to validate ca constrain: invalid certificate states: KeyUsage.digitalSignature=False, KeyUsage.keyCertSign=True, BasicConstraints.ca=True
```

So it fails this check in cert_is_ca:

```python
# If all three states are set, this is a CA.
if ca and key_cert_sign and digital_signature:
    return True
```

And it makes sense to me, in the case of the sigstore public instance, they are using a

From what I could gather from rfc5280 on KU:

I couldn't find a RFC specifying that we need the
Nothing 🙂 -- I added that check based on observed behaviors for the Sigstore CAs, but it's not actually mandated in RFC 5280 for CAs. I don't think there's any harm in removing that check on
c74765c to dc1428c
/gcbrun
/gcbrun
@ccordoui mind updating the branch here? If I do it, we'll need to do another hop of reviewers because of the merge restrictions 🙃
@woodruffw a rebase will do?
Yes, that should be fine -- anything that updates the
RFC 6962 stipulates that the TBSCertificate can be signed by either:
- A special purpose CA Precertificate Signing Certificate with an EKU
- The final CA Certificate with no mandatory EKU

_is_preissuer was failing on the latter if no EKU was present.
In both cases, the certificate must be a valid CA.

Resolves: sigstore#658
Signed-off-by: Cyril Cordoui <[email protected]>

Update sigstore/_utils.py

Signed-off-by: William Woodruff <[email protected]>

Update CHANGELOG.md

Signed-off-by: William Woodruff <[email protected]>
Signed-off-by: Cyril Cordoui <[email protected]>
/gcbrun
Summary

Previously, a TBSCertificate signed with the same CA as the final certificate was failing if no ExtendedKeyUsage was present.

Release Note

Fix a case where signing an artifact against a private sigstore instance was failing if no ExtendedKeyUsage was present in the Signing CA.

Documentation

NONE

Resolves: #658
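As an added illustration of the two RFC 6962 signer cases described in the commit message and of the cert_is_ca discussion above (example code, not sigstore-python's own implementation), the following Python uses the `cryptography` library with constructed self-signed test certificates; the function names, the `require_digital_signature` toggle and the `classify_precert_signer` helper are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# EKU of a CT Precertificate Signing Certificate (RFC 6962, section 3.1).
PRECERT_SIGNING_OID = x509.ObjectIdentifier("1.3.6.1.4.1.11129.2.4.4")

def make_test_ca(name, digital_signature, eku_oids=None):
    # Constructed self-signed CA for the demo; hypothetical, not a Sigstore cert.
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.now(timezone.utc)
    ku = x509.KeyUsage(digital_signature=digital_signature, content_commitment=False,
                       key_encipherment=False, data_encipherment=False, key_agreement=False,
                       key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
         .add_extension(ku, critical=True))
    if eku_oids is not None:
        b = b.add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
    return b.sign(key, hashes.SHA256())

def cert_is_ca(cert, require_digital_signature=False):
    # RFC 5280 CA: BasicConstraints.ca plus KeyUsage.keyCertSign. Setting
    # require_digital_signature=True reproduces the stricter pre-fix check.
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return bc.ca and ku.key_cert_sign and (ku.digital_signature or not require_digital_signature)

def is_precert_signing_cert(cert):
    # True only for a dedicated Precertificate Signing Certificate. A missing
    # EKU means the final CA signed the precert itself, which is not an error.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return PRECERT_SIGNING_OID in eku

def classify_precert_signer(cert):
    # RFC 6962: either signer type is acceptable, but both must be a valid CA.
    if not cert_is_ca(cert):
        return None
    return "precert-signing-cert" if is_precert_signing_cert(cert) else "final-ca"
```

The first test certificate mirrors the intermediate from the debug log (keyCertSign set, digitalSignature clear, no EKU): the relaxed check accepts it as a CA and treats it as the final CA, while the stricter variant rejects it exactly as the failing unit test did.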