From 1d8be1e666c50fa73a71bfc8988f3e962a3c3212 Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Fri, 26 Jan 2024 11:28:44 -0500
Subject: [PATCH] Update to require SAN name or regex, do not allow just type

Signed-off-by: Zach Steindler
---
 pkg/verify/certificate_identity.go      |  2 +-
 pkg/verify/certificate_identity_test.go | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go
index 1e59d454..5776eb1d 100644
--- a/pkg/verify/certificate_identity.go
+++ b/pkg/verify/certificate_identity.go
@@ -91,7 +91,7 @@ func (s SubjectAlternativeNameMatcher) Verify(actualCert certificate.Summary) bo
 }
 
 func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions) (CertificateIdentity, error) {
-	if sanMatcher.SubjectAlternativeName.Type == "" && sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
+	if sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
 		return CertificateIdentity{}, errors.New("when verifying a certificate identity, there must be subject alternative name criteria")
 	}
 
diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go
index c0c21dfe..b026be16 100644
--- a/pkg/verify/certificate_identity_test.go
+++ b/pkg/verify/certificate_identity_test.go
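Review bot: The new condition rejects a matcher whose only criterion is a SAN type, but the error returned on the next line still says only that SAN criteria are missing, so a caller who did supply a type gets no hint that a value or regexp is now required; I'd change it to `errors.New("when verifying a certificate identity, there must be a subject alternative name value or regexp (a SAN type alone is not sufficient)")`. NewCertificateIdentity is exported and has no doc comment; I'd add one above the signature stating that it returns an error unless a SAN value or a regexp is given, and that a SAN type by itself is rejected. If `sanMatcher.Regexp` is a pointer type, calling `String()` on a nil pointer would panic here instead of returning the error, which is worth confirming from the struct definition outside this hunk. The function body continues past the end of the hunk.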
@@ -92,15 +92,15 @@ func TestCertificateIdentityVerify(t *testing.T) {
 
 func TestThatCertIDsAreFullySpecified(t *testing.T) {
 	_, err := NewShortCertificateIdentity("", "", "", "")
-	assert.NotNil(t, err)
+	assert.Error(t, err)
 
 	_, err = NewShortCertificateIdentity("foobar", "", "", "")
-	assert.NotNil(t, err)
+	assert.Error(t, err)
 
-	_, err = NewShortCertificateIdentity("", "URI", "", "")
-	assert.NotNil(t, err)
+	_, err = NewShortCertificateIdentity("", "", "", SigstoreSanRegex)
+	assert.Error(t, err)
 
-	_, err = NewShortCertificateIdentity("foobar", "URI", "", "")
+	_, err = NewShortCertificateIdentity("foobar", "", "", SigstoreSanRegex)
 	assert.Nil(t, err)
 }
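Review bot: The case the commit title is about, a SAN type given without a name or regexp, is no longer exercised, because the removed `NewShortCertificateIdentity("", "URI", "", "")` call was replaced by a regexp-only case rather than kept alongside it; I'd re-add `_, err = NewShortCertificateIdentity("", "URI", "", "")` followed by `assert.Error(t, err)` so a regression back to accepting type-only matchers is caught. The final check still uses `assert.Nil(t, err)` while the other assertions were switched to `assert.Error`; `assert.NoError(t, err)` would be the matching form. The argument positions are inferred from the removed lines, so confirm them against NewShortCertificateIdentity's signature, which is outside the hunk.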