Add OtherName checking when verifying cert-identity flag (#2414)

Signed-off-by: Hayden Blauzvern <[email protected]> Signed-off-by: Hayden Blauzvern <[email protected]>
sigstore · Nov 6, 2022 · 40fa54c · 40fa54c
1 parent 03ac564
commit 40fa54c
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -352,6 +352,12 @@ func validateCertIdentity(cert *x509.Certificate, co *CheckOpts) error {
 			return nil
 		}
 	}
+
+	otherName, _ := UnmarshalOtherNameSAN(cert.Extensions)
+	if len(otherName) > 0 && co.CertIdentity == otherName {
+		return nil
+	}
+
 	return &VerificationError{"expected identity not found in certificate"}
 }
 

diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
@@ -658,6 +658,39 @@ func TestValidateAndUnpackCertSuccessWithUriSan(t *testing.T) {
 	}
 }
 
+func TestValidateAndUnpackCertSuccessWithOtherNameSan(t *testing.T) {
+	// generate with OtherName, which will override other SANs
+	subject := "subject-othername"
+	ext, err := MarshalOtherNameSAN(subject, true)
+	if err != nil {
+		t.Fatalf("error marshalling SANs: %v", err)
+	}
+	exts := []pkix.Extension{*ext}
+
+	oidcIssuer := "https://accounts.google.com"
+
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	leafCert, _, _ := test.GenerateLeafCert("unused", oidcIssuer, rootCert, rootKey, exts...)
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	co := &CheckOpts{
+		RootCerts:      rootPool,
+		CertIdentity:   subject,
+		CertOidcIssuer: oidcIssuer,
+	}
+
+	_, err = ValidateAndUnpackCert(leafCert, co)
+	if err != nil {
+		t.Errorf("ValidateAndUnpackCert expected no error, got err = %v", err)
+	}
+	err = CheckCertificatePolicy(leafCert, co)
+	if err != nil {
+		t.Errorf("CheckCertificatePolicy expected no error, got err = %v", err)
+	}
+}
+
 func TestValidateAndUnpackCertInvalidRoot(t *testing.T) {
 	subject := "email@email"
 	oidcIssuer := "https://accounts.google.com"