From 8e55dc2b0514db9ac49333eb5a743ea4a9c479cf Mon Sep 17 00:00:00 2001
From: Hayden Blauzvern
Date: Fri, 11 Aug 2023 22:30:33 +0000
Subject: [PATCH] Switch to cryptoutils function for SANS

It was moved to s/s awhile ago.

Signed-off-by: Hayden Blauzvern
---
 pkg/cosign/verify.go | 25 +-----------------------
 pkg/cosign/verify_test.go | 40 ---------------------------------------
 2 files changed, 1 insertion(+), 64 deletions(-)

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index 5280869be6f..dffd8691e1f 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -296,7 +296,7 @@ func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error {
 		return err
 	}
 	oidcIssuer := ce.GetIssuer()
-	sans := getSubjectAlternateNames(cert)
+	sans := cryptoutils.GetSubjectAlternateNames(cert)
 	// If there are identities given, go through them and if one of them
 	// matches, call that good, otherwise, return an error.
 	if len(co.Identities) > 0 {
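Review bot: The identity check that follows `sans := cryptoutils.GetSubjectAlternateNames(cert)` now depends on the sigstore/sigstore helper returning the same SAN set the deleted local did, in particular the OtherName SAN that the removed test exercised, yet this commit deletes that test instead of re-pointing it at the new function. If the library version ever drops or reorders a SAN type, Fulcio identities carried in OtherName would stop matching `co.Identities` (or, if it returns more than before, could match more widely), and nothing in this repository would catch it. I would keep a test in verify_test.go that builds a leaf with a marshalled OtherName SAN plus DNS/email/IP/URI SANs and asserts the new call returns all of them, and add a short note at the call site such as `// identity matching below relies on every SAN type (including OtherName) being returned here`. The body of CheckCertificatePolicy continues past the end of this hunk, so the actual identity comparison is not visible here.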
@@ -399,29 +399,6 @@ func validateCertExtensions(ce CertExtensions, co *CheckOpts) error {
 	return nil
 }
 
-// getSubjectAlternateNames returns all of the following for a Certificate.
-// DNSNames
-// EmailAddresses
-// IPAddresses
-// URIs
-func getSubjectAlternateNames(cert *x509.Certificate) []string {
-	sans := []string{}
-	sans = append(sans, cert.DNSNames...)
-	sans = append(sans, cert.EmailAddresses...)
-	for _, ip := range cert.IPAddresses {
-		sans = append(sans, ip.String())
-	}
-	for _, uri := range cert.URIs {
-		sans = append(sans, uri.String())
-	}
-	// ignore error if there's no OtherName SAN
-	otherName, _ := cryptoutils.UnmarshalOtherNameSAN(cert.Extensions)
-	if len(otherName) > 0 {
-		sans = append(sans, otherName)
-	}
-	return sans
-}
-
 // ValidateAndUnpackCertWithChain creates a Verifier from a certificate. Verifies that the certificate
 // chains up to the provided root. Chain should start with the parent of the certificate and end with the root.
 // Optionally verifies the subject and issuer of the certificate.
diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
index de05bf94b7e..57fb224985c 100644
--- a/pkg/cosign/verify_test.go
+++ b/pkg/cosign/verify_test.go
@@ -1318,46 +1318,6 @@ func TestTrustedCertSuccessChainFromRoot(t *testing.T) {
 	}
 }
 
-func Test_getSubjectAltnernativeNames(t *testing.T) {
-	rootCert, rootKey, _ := test.GenerateRootCa()
-	subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey)
-
-	// generate with OtherName, which will override other SANs
-	ext, err := cryptoutils.MarshalOtherNameSAN("subject-othername", true)
-	if err != nil {
-		t.Fatalf("error marshalling SANs: %v", err)
-	}
-	exts := []pkix.Extension{*ext}
-	leafCert, _, _ := test.GenerateLeafCert("unused@mail.com", "oidc-issuer", subCert, subKey, exts...)
-
-	sans := getSubjectAlternateNames(leafCert)
-	if len(sans) != 1 {
-		t.Fatalf("expected 1 SAN field, got %d", len(sans))
-	}
-	if sans[0] != "subject-othername" {
-		t.Fatalf("unexpected OtherName SAN value")
-	}
-
-	// generate with all other SANs
-	leafCert, _, _ = test.GenerateLeafCertWithSubjectAlternateNames([]string{"subject-dns"}, []string{"subject-email"}, []net.IP{{1, 2, 3, 4}}, []*url.URL{{Path: "testURL"}}, "oidc-issuer", subCert, subKey)
-	sans = getSubjectAlternateNames(leafCert)
-	if len(sans) != 4 {
-		t.Fatalf("expected 1 SAN field, got %d", len(sans))
-	}
-	if sans[0] != "subject-dns" {
-		t.Fatalf("unexpected DNS SAN value")
-	}
-	if sans[1] != "subject-email" {
-		t.Fatalf("unexpected email SAN value")
-	}
-	if sans[2] != "1.2.3.4" {
-		t.Fatalf("unexpected IP SAN value")
-	}
-	if sans[3] != "testURL" {
-		t.Fatalf("unexpected URL SAN value")
-	}
-}
-
 func TestVerifyRFC3161Timestamp(t *testing.T) {
 	// generate signed artifact
 	rootCert, rootKey, _ := test.GenerateRootCa()