From d3d74f16306968eb641c5acd850cbd8493306bd6 Mon Sep 17 00:00:00 2001
From: Zach Steindler
Date: Fri, 26 Jan 2024 12:27:29 -0500
Subject: [PATCH] Bundle verification should require specifying expected certificate issuer and SAN (#82)

Previously, verifying a bundle just required specifying cert issuer. This change also requires you specify the SAN name or regex. Since many cert issuers are shared platforms, you need to ensure the SAN identity matches the identity on that platform you are expecting.

---------

Signed-off-by: Zach Steindler
---
 cmd/sigstore-go/main.go | 10 ++++------
 pkg/verify/certificate_identity.go | 4 ++++
 pkg/verify/certificate_identity_test.go | 10 ++++++++--
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/cmd/sigstore-go/main.go b/cmd/sigstore-go/main.go
index e8812129..d143563f 100644
--- a/cmd/sigstore-go/main.go
+++ b/cmd/sigstore-go/main.go
@@ -113,13 +113,11 @@ func run() error {
 verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 }
- if *expectedOIDIssuer != "" || *expectedSAN != "" || *expectedSANRegex != "" {
- certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
- if err != nil {
- return err
- }
- identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
+ certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
+ if err != nil {
+ return err
 }
+ identityPolicies = append(identityPolicies, verify.WithCertificateIdentity(certID))
 var trustedMaterial = make(root.TrustedMaterialCollection, 0)
 var trustedrootJSON []byte
diff --git a/pkg/verify/certificate_identity.go b/pkg/verify/certificate_identity.go
index 8c012211..5776eb1d 100644
--- a/pkg/verify/certificate_identity.go
+++ b/pkg/verify/certificate_identity.go
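Review bot: A CLI invocation that omits the issuer or both SAN options now fails only after every other option has been processed, and with the library's error text rather than a message naming the options, because the unconditional `verify.NewShortCertificateIdentity` call on the first added line is the only validation. Checking the flags before that call, e.g. `if *expectedOIDIssuer == "" || (*expectedSAN == "" && *expectedSANRegex == "") { return errors.New("an expected issuer and an expected SAN value or SAN regex are required") }` (or `fmt.Errorf`, whichever main.go already imports), gives a usage-style error up front, and the flag definitions outside this hunk should state that these options are now required. When both a literal SAN and a SAN regex are supplied, how they combine is decided inside the library and is not visible at this call site, so that is worth a sentence in the flag help as well. run() continues outside the hunk.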
@@ -91,6 +91,10 @@ func (s SubjectAlternativeNameMatcher) Verify(actualCert certificate.Summary) bo
 }
 func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions) (CertificateIdentity, error) {
+ if sanMatcher.SubjectAlternativeName.Value == "" && sanMatcher.Regexp.String() == "" {
+ return CertificateIdentity{}, errors.New("when verifying a certificate identity, there must be subject alternative name criteria")
+ }
+
 certID := CertificateIdentity{SubjectAlternativeName: sanMatcher, Extensions: extensions}
 if certID.Issuer == "" {
diff --git a/pkg/verify/certificate_identity_test.go b/pkg/verify/certificate_identity_test.go
index 08b0899c..b026be16 100644
--- a/pkg/verify/certificate_identity_test.go
+++ b/pkg/verify/certificate_identity_test.go
@@ -90,11 +90,17 @@ func TestCertificateIdentityVerify(t *testing.T) {
 assert.Nil(t, ci)
 }
-func TestThatCertIDsHaveToHaveAnIssuer(t *testing.T) {
+func TestThatCertIDsAreFullySpecified(t *testing.T) {
 _, err := NewShortCertificateIdentity("", "", "", "")
- assert.NotNil(t, err)
+ assert.Error(t, err)
 _, err = NewShortCertificateIdentity("foobar", "", "", "")
+ assert.Error(t, err)
+
+ _, err = NewShortCertificateIdentity("", "", "", SigstoreSanRegex)
+ assert.Error(t, err)
+
+ _, err = NewShortCertificateIdentity("foobar", "", "", SigstoreSanRegex)
 assert.Nil(t, err)
 }
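Review bot: The new guard on the first added line rejects only an absent SAN criterion; a regexp that matches anything (`.*`) or an unanchored one such as `github.com/org/repo` still passes, and because Go regexp matching is unanchored by default the latter would also accept a SAN like `https://github.com/org/repo-fork/...` if Verify (whose body lies above this hunk) matches with `MatchString`. That is exactly the shared-platform risk the commit message describes, so NewCertificateIdentity deserves a doc comment stating the contract: `// NewCertificateIdentity builds a CertificateIdentity policy from a SAN matcher and expected extensions. It requires an issuer and at least one SAN criterion (literal value or regexp) but does not check that a regexp is anchored or selective; pass ^...$ patterns so a longer identity that merely contains the expected string cannot match.` The `sanMatcher.Regexp.String()` call also relies on Regexp being a value field whose zero value reports an empty expression; should it ever become a pointer field, this guard would dereference nil. The function's body continues past the end of the hunk.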
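Review bot: The new cases exercise only the regexp form of the SAN criterion; the literal form that the guard also accepts is never shown to succeed, so add `_, err = NewShortCertificateIdentity("foobar", "user@example.com", "", "")` followed by `assert.NoError(t, err)`. The final `assert.Nil(t, err)` should become `assert.NoError(t, err)` to match the `assert.Error` calls above it and so a failure prints the error rather than just a non-nil value. If NewShortCertificateIdentity compiles the regexp itself, a malformed pattern such as `"("` is worth asserting as an error as well, since a silently ignored compile failure would leave the policy without its SAN constraint.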