Remove support for 1.3.6.1.4.1.57264.1.7

trailofbits · Nov 20, 2024 · e38186c · e38186c
1 parent 90ba826
commit e38186c
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 43 deletions.
diff --git a/src/pypi_attestations/_impl.py b/src/pypi_attestations/_impl.py
@@ -13,7 +13,6 @@
 import sigstore.errors
 from annotated_types import MinLen  # noqa: TCH002
 from cryptography import x509
-from cryptography.hazmat._oid import ExtensionOID
 from cryptography.hazmat.primitives import serialization
 from packaging.utils import parse_sdist_filename, parse_wheel_filename
 from pyasn1.codec.der.decoder import decode as der_decode
@@ -197,9 +196,12 @@ def certificate_claims(self) -> dict[str, str]:
         """Return the claims present in the certificate that match non-deprecated Fulcio OIDs.
 
         The complete list is available on Fulcio documentation, but we only return
-        non deprecated extensions (from 1.3.6.1.4.1.57264.1.7 to .22):
+        the extensions from 1.3.6.1.4.1.57264.1.8 to .22:
         https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
 
+        In particular, `1.3.6.1.4.1.57264.1.7 | OtherName SAN` is not supported because we
+        believe this is not used in-the-wild.
+
         Values are decoded and returned as strings.
         """
         fulcio_oid = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1")
@@ -218,15 +220,6 @@ def certificate_claims(self) -> dict[str, str]:
                     bytes, der_decode(value, UTF8String)[0]
                 ).decode()
 
-            elif extension.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME:
-                # 1.3.6.1.4.1.57264.1.7 | OtherName SAN
-                # This specifies the username identity in the OtherName Subject Alternative Name,
-                # as defined by RFC5280 4.2.1.6.
-                for name in extension.value.get_values_for_type(x509.OtherName):
-                    extension_oid = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1.7")
-                    if name.type_id == extension_oid:
-                        claims[extension_oid.dotted_string] = name.value.decode()
-
         return claims
 
     def verify(

diff --git a/test/test_impl.py b/test/test_impl.py
@@ -4,13 +4,11 @@
 import os
 from hashlib import sha256
 from pathlib import Path
-from typing import Any, cast
+from typing import Any
 
 import pretend
 import pytest
 import sigstore
-from cryptography import x509
-from cryptography.hazmat._oid import ExtensionOID
 from pydantic import BaseModel, TypeAdapter, ValidationError
 from sigstore.dsse import DigestSet, StatementBuilder, Subject
 from sigstore.models import Bundle
@@ -454,35 +452,6 @@ def test_certificate_claims(self) -> None:
 
         assert not results ^ set(attestation.certificate_claims.items())
 
-    def test_certificate_claims_othername(self, monkeypatch: pytest.MonkeyPatch) -> None:
-        attestation = impl.Attestation.model_validate_json(
-            pypi_attestations_attestation.read_text()
-        )
-
-        certificate = x509.load_der_x509_certificate(attestation.verification_material.certificate)
-        FULCIO_OTHER_NAME_SAN = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1.7")
-
-        alternative_name = certificate.extensions.get_extension_for_oid(
-            ExtensionOID.SUBJECT_ALTERNATIVE_NAME
-        )
-
-        cast(
-            x509.SubjectAlternativeName, alternative_name.value
-        )._general_names._general_names.append(
-            x509.OtherName(
-                FULCIO_OTHER_NAME_SAN,
-                value=b"name",
-            )
-        )
-
-        monkeypatch.setattr(
-            "cryptography.x509.load_der_x509_certificate", lambda *args: certificate
-        )
-
-        assert (FULCIO_OTHER_NAME_SAN.dotted_string, "name") in set(
-            attestation.certificate_claims.items()
-        )
-
 
 def test_from_bundle_missing_signatures() -> None:
     bundle = Bundle.from_json(dist_bundle_path.read_bytes())