From cadc3909b2376a32d26a54b4ff806e0b21883a8e Mon Sep 17 00:00:00 2001
From: Zach Steindler 
Date: Thu, 25 Jan 2024 17:00:10 -0500
Subject: [PATCH] Previously, verifying a bundle just required specifying cert issuer. This change also requires you specify something about the cert SAN. Since many cert issuers are shared platforms, you need to ensure the SAN identity matches the identity on that platform you are expecting.

Signed-off-by: Zach Steindler 
---
 cmd/sigstore-go/main.go | 10 ++++------
 pkg/verify/certificate_identity.go | 4 ++++
 pkg/verify/certificate_identity_test.go | 8 +++++++-
 3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go
index e8812129..d143563f 100644
--- a/cmd/sigstore-go/main.go
+++ b/cmd/sigstore-go/main.go
@@ -113,13 +113,11 @@ func run() error {
 verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 }
 
- if *expectedOIDIssuer != "" || *expectedSAN != "" || *expectedSANRegex != "" {
- certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
- if err != nil {
- return err
- }
- identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
+ certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
+ if err != nil {
+ return err
 }
+ identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
 
 var trustedMaterial = make(root.TrustedMaterialCollection, 0)
 var trustedrootJSON []byte
diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go
index 8c012211..1e59d454 100644
--- a/pkg/verify/certificate_identity.go
+++ b/pkg/verify/certificate_identity.go
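Review bot: The CLI now unconditionally builds a certificate identity, so a run that omits the SAN flags fails with the library's generic error text rather than a message naming the flags the user has to set; a check before the call, e.g. `if *expectedSAN == "" && *expectedSANRegex == "" { return fmt.Errorf("an expected SAN value or SAN regex is required") }`, would give a clearer failure (the flag declarations are outside this hunk, so the exact names need to be filled in). The regex comes straight from the command line and is forwarded without anchoring, so a pattern such as `example.org` presumably matches any SAN that merely contains that substring; the flag's help text should tell users to anchor the pattern (`^…$`) so it actually pins an identity. run() starts and ends outside the hunk.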
@@ -91,6 +91,10 @@ func (s SubjectAlternativeNameMatcher) Verify(actualCert certificate.Summary) bo
 }
 
 func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions) (CertificateIdentity, error) {
+ if sanMatcher.SubjectAlternativeName.Type == "" && sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
+ return CertificateIdentity{}, errors.New("when verifying a certificate identity, there must be subject alternative name criteria")
+ }
+
 certID := CertificateIdentity{SubjectAlternativeName: sanMatcher, Extensions: extensions}
 
 if certID.Issuer == "" {
diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go
index 08b0899c..c0c21dfe 100644
--- a/pkg/verify/certificate_identity_test.go
+++ b/pkg/verify/certificate_identity_test.go
@@ -90,11 +90,17 @@ func TestCertificateIdentityVerify(t *testing.T) {
 assert.Nil(t, ci)
 }
 
-func TestThatCertIDsHaveToHaveAnIssuer(t *testing.T) {
+func TestThatCertIDsAreFullySpecified(t *testing.T) {
 _, err := NewShortCertificateIdentity("", "", "", "")
 assert.NotNil(t, err)
 
 _, err = NewShortCertificateIdentity("foobar", "", "", "")
+ assert.NotNil(t, err)
+
+ _, err = NewShortCertificateIdentity("", "URI", "", "")
+ assert.NotNil(t, err)
+
+ _, err = NewShortCertificateIdentity("foobar", "URI", "", "")
 assert.Nil(t, err)
 }
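Review bot: The new guard in NewCertificateIdentity treats any one of Type, Value or Regexp as sufficient SAN criteria, so a matcher with only a SAN type set, or a catch-all regexp such as `.*`, still passes, which is weaker than the "SAN identity matches the identity you are expecting" intent stated in the commit message; whether such a matcher pins anything depends on SubjectAlternativeNameMatcher.Verify, whose body lies before this hunk. The check also calls `sanMatcher.Regexp.String()` unconditionally, which is only safe if Regexp is a value field — if it is a `*regexp.Regexp`, a nil pointer must be tested before the call. A doc comment would make the contract explicit, e.g. `// NewCertificateIdentity requires at least one SAN criterion (type, value or regexp) in addition to an issuer; a type alone or an unanchored / catch-all regexp matches broadly and does not pin a single identity.` The function's body continues past the end of the hunk.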
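Review bot: The new assertions exercise only the second-argument form of the SAN criteria, while the guard they test also accepts a regexp-only identity; that path should be pinned too, e.g. `_, err = NewShortCertificateIdentity("foobar", "", "", "^https://example\\.com/.*$")` followed by `assert.Nil(t, err)`. The literal "URI" in the second argument reads like a SAN type, whereas main.go passes the SAN value in that same position, so whichever field it is, a case that sets only the other one would document whether a type alone counts as a fully specified identity. The test file continues after the hunk.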