Allow certificate inspection on policy signature verification (including fulcio extensions) #246

Merged
merged 1 commit into from
May 13, 2024
9 changes: 9 additions & 0 deletions internal/policy/policy.go
Expand Up @@ -25,6 +25,7 @@ import (
"github.com/in-toto/go-witness/log"
"github.com/in-toto/go-witness/policy"
"github.com/in-toto/go-witness/timestamp"
"github.com/sigstore/fulcio/pkg/certificate"
)

type VerifyPolicySignatureOptions struct {
Expand All @@ -37,6 +38,7 @@ type VerifyPolicySignatureOptions struct {
policyEmails []string
policyOrganizations []string
policyURIs []string
fulcioCertExtensions certificate.Extensions
}

type Option func(*VerifyPolicySignatureOptions)
Expand Down Expand Up @@ -81,6 +83,12 @@ func NewVerifyPolicySignatureOptions(opts ...Option) *VerifyPolicySignatureOptio
return vo
}

func VerifyWithPolicyFulcioCertExtensions(extensions certificate.Extensions) Option {
return func(vo *VerifyPolicySignatureOptions) {
vo.fulcioCertExtensions = extensions
}
}

func VerifyWithPolicyCertConstraints(commonName string, dnsNames []string, emails []string, organizations []string, uris []string) Option {
return func(vo *VerifyPolicySignatureOptions) {
vo.policyCommonName = commonName
Expand Down Expand Up @@ -125,6 +133,7 @@ func VerifyPolicySignature(ctx context.Context, envelope dsse.Envelope, vo *Veri
Emails: vo.policyEmails,
Organizations: vo.policyOrganizations,
DNSNames: vo.policyDNSNames,
Extensions: vo.fulcioCertExtensions,
},
}

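Review bot: VerifyWithPolicyFulcioCertExtensions has no doc comment, and the same is true of the five exported constructors added in verify.go; the documentation should spell out what the zero value does, because checkExtensions in policy/constraints.go treats an empty constraint field as "allowing all values", so a partially populated certificate.Extensions enforces only its non-empty fields. Suggest `// VerifyWithPolicyFulcioCertExtensions constrains the Fulcio extensions of the certificate that signed the policy. Only non-empty fields of extensions are enforced; an empty field accepts any value.` above the function. The struct literal that receives vo.fulcioCertExtensions in the last hunk lies inside VerifyPolicySignature, which starts and ends outside the hunk.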
2 changes: 1 addition & 1 deletion policy/constraints.go
Original file line number Diff line number Diff line change
Expand Up @@ -110,7 +110,7 @@ func (cc CertConstraint) checkExtensions(ext []pkix.Extension) error {
for _, field := range fields {
constraintField := reflect.ValueOf(cc.Extensions).FieldByName(field.Name)
if constraintField.String() == "" {
log.Infof("No constraint for field %s, allowing all values", field.Name)
log.Debugf("No constraint for field %s, allowing all values", field.Name)
continue
}
extensionsField := reflect.ValueOf(extensions).FieldByName(field.Name)
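Review bot: Demoting "No constraint for field %s, allowing all values" from Info to Debug removes the only signal at default verbosity that a policy-signature check is running with an unconstrained extension field, which is the permissive case an operator most needs to notice. If per-field noise is the problem, one Info line per checkExtensions call listing the unconstrained fields keeps the signal without a line per field. The `constraintField.String() == ""` test on the context line above only detects emptiness for string-kinded fields (reflect.Value.String returns a "<T Value>" placeholder for other kinds), which is fine if every field of certificate.Extensions is a string but deserves a comment saying so. checkExtensions begins before the hunk.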
5 changes: 4 additions & 1 deletion run.go
Original file line number Diff line number Diff line change
Expand Up @@ -89,9 +89,12 @@ type RunResult struct {
// Deprecated: Use RunWithExports instead
func Run(stepName string, opts ...RunOption) (RunResult, error) {
results, err := run(stepName, opts)
if len(results) > 1 {
if len(results) == 0 {
👍

return RunResult{}, err
} else if len(results) > 1 {
return RunResult{}, errors.New("expected a single result, got multiple")
}

return results[0], err
}

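Review bot: When results is empty and err is nil, the new branch returns a zero RunResult with a nil error, so a caller cannot tell "no step ran" from success; if run can produce that combination (its body is not in the hunk), the branch should synthesise an error, e.g. `if err == nil { err = errors.New("no results returned") }` before the return. Separately, the `else if` after a returning branch is unnecessary in Go: two consecutive `if` statements keep the happy path left-aligned. Run itself is fully inside the hunk.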
27 changes: 27 additions & 0 deletions verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ package witness

import (
"context"
"crypto/x509"
"encoding/json"
"fmt"
"io"
Expand All @@ -28,6 +29,8 @@ import (
"github.com/in-toto/go-witness/policy"
"github.com/in-toto/go-witness/slsa"
"github.com/in-toto/go-witness/source"
"github.com/in-toto/go-witness/timestamp"
"github.com/sigstore/fulcio/pkg/certificate"
)

func VerifySignature(r io.Reader, verifiers ...cryptoutil.Verifier) (dsse.Envelope, error) {
Expand Down Expand Up @@ -88,12 +91,36 @@ func VerifyWithRunOptions(opts ...RunOption) VerifyOption {
}
}

func VerifyWithPolicyFulcioCertExtensions(extensions certificate.Extensions) VerifyOption {
return func(vo *verifyOptions) {
vo.verifyPolicySignatureOptions = append(vo.verifyPolicySignatureOptions, ipolicy.VerifyWithPolicyFulcioCertExtensions(extensions))
}
}

func VerifyWithPolicyCertConstraints(commonName string, dnsNames []string, emails []string, organizations []string, uris []string) VerifyOption {
return func(vo *verifyOptions) {
vo.verifyPolicySignatureOptions = append(vo.verifyPolicySignatureOptions, ipolicy.VerifyWithPolicyCertConstraints(commonName, dnsNames, emails, organizations, uris))
}
}

func VerifyWithPolicyTimestampAuthorities(verifiers []timestamp.TimestampVerifier) VerifyOption {
return func(vo *verifyOptions) {
vo.verifyPolicySignatureOptions = append(vo.verifyPolicySignatureOptions, ipolicy.VerifyWithPolicyTimestampAuthorities(verifiers))
}
}

func VerifyWithPolicyCARoots(certs []*x509.Certificate) VerifyOption {
return func(vo *verifyOptions) {
vo.verifyPolicySignatureOptions = append(vo.verifyPolicySignatureOptions, ipolicy.VerifyWithPolicyCARoots(certs))
}
}

func VerifyWithPolicyCAIntermediates(certs []*x509.Certificate) VerifyOption {
return func(vo *verifyOptions) {
vo.verifyPolicySignatureOptions = append(vo.verifyPolicySignatureOptions, ipolicy.VerifyWithPolicyCAIntermediates(certs))
}
}

type VerifyResult struct {
RunResult
VerificationSummary slsa.VerificationSummary
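Review bot: VerifyWithPolicyCARoots, VerifyWithPolicyCAIntermediates and VerifyWithPolicyTimestampAuthorities hand the caller's slice straight to the ipolicy constructor, so unless those internal functions copy it (they are not in the hunk), a caller that mutates certs or verifiers after building the option changes the trust set used at verification time; cloning at this public boundary, `ipolicy.VerifyWithPolicyCARoots(slices.Clone(certs))`, removes that aliasing. Each of the new options appends to vo.verifyPolicySignatureOptions rather than replacing earlier entries, which is worth a sentence in the doc comments so callers know repeated options accumulate. The verifyOptions struct is outside the hunk.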