Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch to cryptoutils function for SANS #3185

Merged
merged 1 commit into from
Aug 12, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 1 addition & 24 deletions pkg/cosign/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -296,7 +296,7 @@ func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error {
return err
}
oidcIssuer := ce.GetIssuer()
sans := getSubjectAlternateNames(cert)
sans := cryptoutils.GetSubjectAlternateNames(cert)
// If there are identities given, go through them and if one of them
// matches, call that good, otherwise, return an error.
if len(co.Identities) > 0 {
Expand Down Expand Up @@ -399,29 +399,6 @@ func validateCertExtensions(ce CertExtensions, co *CheckOpts) error {
return nil
}

// getSubjectAlternateNames returns all of the following for a Certificate.
// DNSNames
// EmailAddresses
// IPAddresses
// URIs
func getSubjectAlternateNames(cert *x509.Certificate) []string {
sans := []string{}
sans = append(sans, cert.DNSNames...)
sans = append(sans, cert.EmailAddresses...)
for _, ip := range cert.IPAddresses {
sans = append(sans, ip.String())
}
for _, uri := range cert.URIs {
sans = append(sans, uri.String())
}
// ignore error if there's no OtherName SAN
otherName, _ := cryptoutils.UnmarshalOtherNameSAN(cert.Extensions)
if len(otherName) > 0 {
sans = append(sans, otherName)
}
return sans
}

// ValidateAndUnpackCertWithChain creates a Verifier from a certificate. Verifies that the certificate
// chains up to the provided root. Chain should start with the parent of the certificate and end with the root.
// Optionally verifies the subject and issuer of the certificate.
Expand Down
40 changes: 0 additions & 40 deletions pkg/cosign/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1318,46 +1318,6 @@ func TestTrustedCertSuccessChainFromRoot(t *testing.T) {
}
}

func Test_getSubjectAltnernativeNames(t *testing.T) {
rootCert, rootKey, _ := test.GenerateRootCa()
subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey)

// generate with OtherName, which will override other SANs
ext, err := cryptoutils.MarshalOtherNameSAN("subject-othername", true)
if err != nil {
t.Fatalf("error marshalling SANs: %v", err)
}
exts := []pkix.Extension{*ext}
leafCert, _, _ := test.GenerateLeafCert("[email protected]", "oidc-issuer", subCert, subKey, exts...)

sans := getSubjectAlternateNames(leafCert)
if len(sans) != 1 {
t.Fatalf("expected 1 SAN field, got %d", len(sans))
}
if sans[0] != "subject-othername" {
t.Fatalf("unexpected OtherName SAN value")
}

// generate with all other SANs
leafCert, _, _ = test.GenerateLeafCertWithSubjectAlternateNames([]string{"subject-dns"}, []string{"subject-email"}, []net.IP{{1, 2, 3, 4}}, []*url.URL{{Path: "testURL"}}, "oidc-issuer", subCert, subKey)
sans = getSubjectAlternateNames(leafCert)
if len(sans) != 4 {
t.Fatalf("expected 1 SAN field, got %d", len(sans))
}
if sans[0] != "subject-dns" {
t.Fatalf("unexpected DNS SAN value")
}
if sans[1] != "subject-email" {
t.Fatalf("unexpected email SAN value")
}
if sans[2] != "1.2.3.4" {
t.Fatalf("unexpected IP SAN value")
}
if sans[3] != "testURL" {
t.Fatalf("unexpected URL SAN value")
}
}

func TestVerifyRFC3161Timestamp(t *testing.T) {
// generate signed artifact
rootCert, rootKey, _ := test.GenerateRootCa()
Expand Down
Loading