Update to require SAN name or regex, do not allow just type

Signed-off-by: Zach Steindler <[email protected]>
sigstore · Jan 26, 2024 · 1d8be1e · 1d8be1e
1 parent cadc390
commit 1d8be1e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go
@@ -91,7 +91,7 @@ func (s SubjectAlternativeNameMatcher) Verify(actualCert certificate.Summary) bo
 }
 
 func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions) (CertificateIdentity, error) {
-	if sanMatcher.SubjectAlternativeName.Type == "" && sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
+	if sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
 		return CertificateIdentity{}, errors.New("when verifying a certificate identity, there must be subject alternative name criteria")
 	}
 

diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go
@@ -92,15 +92,15 @@ func TestCertificateIdentityVerify(t *testing.T) {
 
 func TestThatCertIDsAreFullySpecified(t *testing.T) {
 	_, err := NewShortCertificateIdentity("", "", "", "")
-	assert.NotNil(t, err)
+	assert.Error(t, err)
 
 	_, err = NewShortCertificateIdentity("foobar", "", "", "")
-	assert.NotNil(t, err)
+	assert.Error(t, err)
 
-	_, err = NewShortCertificateIdentity("", "URI", "", "")
-	assert.NotNil(t, err)
+	_, err = NewShortCertificateIdentity("", "", "", SigstoreSanRegex)
+	assert.Error(t, err)
 
-	_, err = NewShortCertificateIdentity("foobar", "URI", "", "")
+	_, err = NewShortCertificateIdentity("foobar", "", "", SigstoreSanRegex)
 	assert.Nil(t, err)
 }