From b5aa2fb7d5c17a4ec54df12a958e5f0ce999fc18 Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Tue, 12 Dec 2023 10:40:44 -0500
Subject: [PATCH] Support Fulcio certificate "chains" that just have a root (#40)
* Support Fulcio certificate "chains" that just have a root
https://github.com/sigstore/sigstore-conformance/pull/112 includes confromance tests with a mock Sigstore where there are no Fulcio intermediate certificates.
Signed-off-by: Zach Steindler
* Clarify leaf CT certificate
Signed-off-by: Zach Steindler
---------
Signed-off-by: Zach Steindler
---
 pkg/verify/sct.go | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/pkg/verify/sct.go b/pkg/verify/sct.go
index 193d1733..84ce3ba5 100644
--- a/pkg/verify/sct.go
+++ b/pkg/verify/sct.go
@@ -38,7 +38,7 @@ func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int,
 return err
 }
 
- certChain, err := ctx509.ParseCertificates(leafCert.Raw)
+ leafCTCert, err := ctx509.ParseCertificates(leafCert.Raw)
 if err != nil {
 return err
 }
@@ -52,16 +52,21 @@ func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int,
 }
 
 for _, fulcioCa := range fulcioCerts {
+ fulcioChain := make([]*ctx509.Certificate, len(leafCTCert))
+ copy(fulcioChain, leafCTCert)
+
+ var parentCert []byte
+
 if len(fulcioCa.Intermediates) == 0 {
- continue
+ parentCert = fulcioCa.Root.Raw
+ } else {
+ parentCert = fulcioCa.Intermediates[0].Raw
 }
- fulcioIssuer, err := ctx509.ParseCertificates(fulcioCa.Intermediates[0].Raw)
+
+ fulcioIssuer, err := ctx509.ParseCertificates(parentCert)
 if err != nil {
 continue
 }
-
- fulcioChain := make([]*ctx509.Certificate, len(certChain))
- copy(fulcioChain, certChain)
 fulcioChain = append(fulcioChain, fulcioIssuer...)
 
 err = ctutil.VerifySCT(key.PublicKey, fulcioChain, sct, true)
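Review bot: In the new `len(fulcioCa.Intermediates) == 0` branch, `fulcioCa.Root.Raw` is dereferenced without a nil check, so a trusted-root entry that carries neither intermediates nor a root (a malformed or partially loaded trust root) would panic inside verification instead of being skipped the way a CA whose issuer fails to parse is skipped a few lines below. Assuming `Root` is a pointer, a guard keeps the failure mode consistent and keeps a bad trust-root entry from taking down the whole verification call: `if fulcioCa.Root == nil { continue }` before `parentCert = fulcioCa.Root.Raw`. The branch also still only ever tries the first intermediate or the root as the leaf's issuer, which is worth stating next to `var parentCert []byte`, e.g. `// Only the first intermediate (or the root when there are none) is tried as the leaf's issuer; deeper chains are not matched here.`. VerifySignedCertificateTimestamp starts before and continues past both hunks, including whatever consumes the result of VerifySCT.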