Previously, verifying a bundle just required specifying cert issuer.

This change also requires you specify something about the cert SAN. Since many cert issuers are shared platforms, you need to ensure the SAN identity matches the identity on that platform you are expecting. Signed-off-by: Zach Steindler <[email protected]>
sigstore · Jan 25, 2024 · cadc390 · cadc390
1 parent 1195bd5
commit cadc390
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go
@@ -113,13 +113,11 @@ func run() error {
 		verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 	}
 
-	if *expectedOIDIssuer != "" || *expectedSAN != "" || *expectedSANRegex != "" {
-		certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
-		if err != nil {
-			return err
-		}
-		identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
+	certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
+	if err != nil {
+		return err
 	}
+	identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
 
 	var trustedMaterial = make(root.TrustedMaterialCollection, 0)
 	var trustedrootJSON []byte

diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go
@@ -91,6 +91,10 @@ func (s SubjectAlternativeNameMatcher) Verify(actualCert certificate.Summary) bo
 }
 
 func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions) (CertificateIdentity, error) {
+	if sanMatcher.SubjectAlternativeName.Type == "" && sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
+		return CertificateIdentity{}, errors.New("when verifying a certificate identity, there must be subject alternative name criteria")
+	}
+
 	certID := CertificateIdentity{SubjectAlternativeName: sanMatcher, Extensions: extensions}
 
 	if certID.Issuer == "" {

diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go
@@ -90,11 +90,17 @@ func TestCertificateIdentityVerify(t *testing.T) {
 	assert.Nil(t, ci)
 }
 
-func TestThatCertIDsHaveToHaveAnIssuer(t *testing.T) {
+func TestThatCertIDsAreFullySpecified(t *testing.T) {
 	_, err := NewShortCertificateIdentity("", "", "", "")
 	assert.NotNil(t, err)
 
 	_, err = NewShortCertificateIdentity("foobar", "", "", "")
+	assert.NotNil(t, err)
+
+	_, err = NewShortCertificateIdentity("", "URI", "", "")
+	assert.NotNil(t, err)
+
+	_, err = NewShortCertificateIdentity("foobar", "URI", "", "")
 	assert.Nil(t, err)
 }