Bundle verification should require specifying expected certificate is…

…suer and SAN (#82) Previously, verifying a bundle just required specifying cert issuer. This change also requires you specify the SAN name or regex. Since many cert issuers are shared platforms, you need to ensure the SAN identity matches the identity on that platform you are expecting. --------- Signed-off-by: Zach Steindler <[email protected]>
sigstore · Jan 26, 2024 · d3d74f1 · d3d74f1
1 parent 2e5477d
commit d3d74f1
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 8 deletions.
diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go
@@ -113,13 +113,11 @@ func run() error {
 		verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 	}
 
-	if *expectedOIDIssuer != "" || *expectedSAN != "" || *expectedSANRegex != "" {
-		certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
-		if err != nil {
-			return err
-		}
-		identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
+	certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
+	if err != nil {
+		return err
 	}
+	identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
 
 	var trustedMaterial = make(root.TrustedMaterialCollection, 0)
 	var trustedrootJSON []byte

diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go
@@ -91,6 +91,10 @@ func (s SubjectAlternativeNameMatcher) Verify(actualCert certificate.Summary) bo
 }
 
 func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions) (CertificateIdentity, error) {
+	if sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
+		return CertificateIdentity{}, errors.New("when verifying a certificate identity, there must be subject alternative name criteria")
+	}
+
 	certID := CertificateIdentity{SubjectAlternativeName: sanMatcher, Extensions: extensions}
 
 	if certID.Issuer == "" {

diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go
@@ -90,11 +90,17 @@ func TestCertificateIdentityVerify(t *testing.T) {
 	assert.Nil(t, ci)
 }
 
-func TestThatCertIDsHaveToHaveAnIssuer(t *testing.T) {
+func TestThatCertIDsAreFullySpecified(t *testing.T) {
 	_, err := NewShortCertificateIdentity("", "", "", "")
-	assert.NotNil(t, err)
+	assert.Error(t, err)
 
 	_, err = NewShortCertificateIdentity("foobar", "", "", "")
+	assert.Error(t, err)
+
+	_, err = NewShortCertificateIdentity("", "", "", SigstoreSanRegex)
+	assert.Error(t, err)
+
+	_, err = NewShortCertificateIdentity("foobar", "", "", SigstoreSanRegex)
 	assert.Nil(t, err)
 }