From e38186c4528d08a9c2ca951f11ca7abda626a28b Mon Sep 17 00:00:00 2001 From: Alexis Date: Wed, 20 Nov 2024 17:31:27 +0100 Subject: [PATCH] Remove support for `1.3.6.1.4.1.57264.1.7` --- src/pypi_attestations/_impl.py | 15 ++++----------- test/test_impl.py | 33 +-------------------------------- 2 files changed, 5 insertions(+), 43 deletions(-) diff --git a/src/pypi_attestations/_impl.py b/src/pypi_attestations/_impl.py index 6740700..b3ec746 100644 --- a/src/pypi_attestations/_impl.py +++ b/src/pypi_attestations/_impl.py @@ -13,7 +13,6 @@ import sigstore.errors from annotated_types import MinLen # noqa: TCH002 from cryptography import x509 -from cryptography.hazmat._oid import ExtensionOID from cryptography.hazmat.primitives import serialization from packaging.utils import parse_sdist_filename, parse_wheel_filename from pyasn1.codec.der.decoder import decode as der_decode @@ -197,9 +196,12 @@ def certificate_claims(self) -> dict[str, str]: """Return the claims present in the certificate that match non-deprecated Fulcio OIDs. The complete list is available on Fulcio documentation, but we only return - non deprecated extensions (from 1.3.6.1.4.1.57264.1.7 to .22): + the extensions from 1.3.6.1.4.1.57264.1.8 to .22: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md + In particular, `1.3.6.1.4.1.57264.1.7 | OtherName SAN` is not supported because we + believe this is not used in-the-wild. + Values are decoded and returned as strings. """ fulcio_oid = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1") 
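Review bot: The rewritten docstring lines `the extensions from 1.3.6.1.4.1.57264.1.8 to .22` and `not supported because we believe this is not used in-the-wild` now contradict the unchanged summary line, which still promises every non-deprecated Fulcio OID: `.7` is not deprecated, and per the comment deleted in the next hunk it is the OtherName SAN that carries the username identity, so a certificate of that kind will yield no identity entry in the returned dict at all. A caller that enforces publisher or signer policy on these claims would then see an absent key rather than an explicit failure, which is the kind of silent gap that is easy to miss in a verification path. I would state this in the docstring, e.g. `A certificate whose identity is carried only in the OtherName SAN (.7) yields no identity claim here; enforce signer identity through the sigstore verification policy, not through this dict.` The loop that consumes `fulcio_oid` continues outside this hunk; if it matches on the `57264.1` prefix alone, it is worth confirming it also skips the deprecated `.1`–`.6` entries rather than relying on `der_decode` to reject them.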
@@ -218,15 +220,6 @@ def certificate_claims(self) -> dict[str, str]: bytes, der_decode(value, UTF8String)[0] ).decode() - elif extension.oid == ExtensionOID.SUBJECT_ALTERNATIVE_NAME: - # 1.3.6.1.4.1.57264.1.7 | OtherName SAN - # This specifies the username identity in the OtherName Subject Alternative Name, - # as defined by RFC5280 4.2.1.6. - for name in extension.value.get_values_for_type(x509.OtherName): - extension_oid = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1.7") - if name.type_id == extension_oid: - claims[extension_oid.dotted_string] = name.value.decode() - return claims def verify( diff --git a/test/test_impl.py b/test/test_impl.py index e9dbccf..ac3c8d7 100644 --- a/test/test_impl.py +++ b/test/test_impl.py @@ -4,13 +4,11 @@ import os from hashlib import sha256 from pathlib import Path -from typing import Any, cast +from typing import Any import pretend import pytest import sigstore -from cryptography import x509 -from cryptography.hazmat._oid import ExtensionOID from pydantic import BaseModel, TypeAdapter, ValidationError from sigstore.dsse import DigestSet, StatementBuilder, Subject from sigstore.models import Bundle 
@@ -454,35 +452,6 @@ def test_certificate_claims(self) -> None: assert not results ^ set(attestation.certificate_claims.items()) - def test_certificate_claims_othername(self, monkeypatch: pytest.MonkeyPatch) -> None: - attestation = impl.Attestation.model_validate_json( - pypi_attestations_attestation.read_text() - ) - - certificate = x509.load_der_x509_certificate(attestation.verification_material.certificate) - FULCIO_OTHER_NAME_SAN = x509.ObjectIdentifier("1.3.6.1.4.1.57264.1.7") - - alternative_name = certificate.extensions.get_extension_for_oid( - ExtensionOID.SUBJECT_ALTERNATIVE_NAME - ) - - cast( - x509.SubjectAlternativeName, alternative_name.value - )._general_names._general_names.append( - x509.OtherName( - FULCIO_OTHER_NAME_SAN, - value=b"name", - ) - ) - - monkeypatch.setattr( - "cryptography.x509.load_der_x509_certificate", lambda *args: certificate - ) - - assert (FULCIO_OTHER_NAME_SAN.dotted_string, "name") in set( - attestation.certificate_claims.items() - ) - def test_from_bundle_missing_signatures() -> None: bundle = Bundle.from_json(dist_bundle_path.read_bytes())