threaded options into policy validation functionary

Signed-off-by: chaosinthecrd <[email protected]>
ChaosInTheCRD · Jan 29, 2024 · 3e44fe0 · 3e44fe0
1 parent f7947b4
commit 3e44fe0
Showing 1 changed file with 22 additions and 3 deletions.
diff --git a/verify.go b/verify.go
@@ -45,6 +45,11 @@ type verifyOptions struct {
 	policyTimestampAuthorities []timestamp.TimestampVerifier
 	policyCARoots              []*x509.Certificate
 	policyCAIntermediates      []*x509.Certificate
+	policyCommonName           string
+	policyDNSNames             []string
+	policyEmails               []string
+	policyOrganizations        []string
+	policyURIs                 []string
 	policyEnvelope             dsse.Envelope
 	policyVerifiers            []cryptoutil.Verifier
 	collectionSource           source.Sourcer
@@ -87,6 +92,16 @@ func VerifyWithPolicyCAIntermediates(intermediates []*x509.Certificate) VerifyOp
 	}
 }
 
+func VerifyWithPolicyCertConstraints(commonName string, dnsNames []string, emails []string, organizations []string, uris []string) VerifyOption {
+	return func(vo *verifyOptions) {
+		vo.policyCommonName = commonName
+		vo.policyDNSNames = dnsNames
+		vo.policyEmails = emails
+		vo.policyOrganizations = organizations
+		vo.policyURIs = uris
+	}
+}
+
 // Verify verifies a set of attestations against a provided policy. The set of attestations that satisfy the policy will be returned
 // if verifiation is successful.
 func Verify(ctx context.Context, policyEnvelope dsse.Envelope, policyVerifiers []cryptoutil.Verifier, opts ...VerifyOption) (map[string][]source.VerifiedCollection, error) {
@@ -187,8 +202,12 @@ func verifyPolicySignature(ctx context.Context, vo verifyOptions) error {
 			f = policy.Functionary{
 				Type: "root",
 				CertConstraint: policy.CertConstraint{
-					Roots:      rootIDs,
-					CommonName: "*",
+					Roots:         rootIDs,
+					CommonName:    vo.policyCommonName,
+					URIs:          vo.policyURIs,
+					Emails:        vo.policyEmails,
+					Organizations: vo.policyOrganizations,
+					DNSNames:      vo.policyDNSNames,
 				},
 			}
 		} else {
@@ -200,7 +219,7 @@ func verifyPolicySignature(ctx context.Context, vo verifyOptions) error {
 
 		err = f.Validate(verifier.Verifier, trustBundle)
 		if err != nil {
-			log.Debugf("Policy Verifier %s failed failed to match supplied constraints: %w, continuing...", err, kid)
+			log.Debugf("Policy Verifier %s failed failed to match supplied constraints: %w, continuing...", kid, err)
 			continue
 		}
 		passed = true