Extract all subjects from SANs for x509 verifier (#1632)

* Extract all subjects from SANs for x509 verifier Validation is also handled during certificate creation, so the contents of the x509 cert should follow rfc5280. Signed-off-by: Hayden Blauzvern <[email protected]> * fix lint Signed-off-by: Hayden Blauzvern <[email protected]> --------- Signed-off-by: Hayden Blauzvern <[email protected]>
sigstore · Aug 14, 2023 · 08ea39a · 08ea39a
1 parent ea666c7
commit 08ea39a
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 20 deletions.
diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go
@@ -195,31 +195,17 @@ func (k PublicKey) EmailAddresses() []string {
 
 // Subjects implements the pki.PublicKey interface
 func (k PublicKey) Subjects() []string {
-	var names []string
+	var subjects []string
 	var cert *x509.Certificate
 	if k.cert != nil {
 		cert = k.cert.c
 	} else if len(k.certs) > 0 {
 		cert = k.certs[0]
 	}
 	if cert != nil {
-		validate := validator.New()
-		for _, name := range cert.EmailAddresses {
-			if errs := validate.Var(name, "required,email"); errs == nil {
-				names = append(names, strings.ToLower(name))
-			}
-		}
-		for _, name := range cert.URIs {
-			if errs := validate.Var(name.String(), "required,uri"); errs == nil {
-				names = append(names, strings.ToLower(name.String()))
-			}
-		}
-		otherName, _ := cryptoutils.UnmarshalOtherNameSAN(cert.Extensions)
-		if len(otherName) > 0 {
-			names = append(names, otherName)
-		}
+		subjects = cryptoutils.GetSubjectAlternateNames(cert)
 	}
-	return names
+	return subjects
 }
 
 // Identities implements the pki.PublicKey interface

diff --git a/pkg/pki/x509/x509_test.go b/pkg/pki/x509/x509_test.go
@@ -22,6 +22,7 @@ import (
 	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/x509"
+	"net"
 	"net/url"
 	"reflect"
 	"strings"
@@ -249,8 +250,9 @@ func TestSignature_VerifyFail(t *testing.T) {
 func TestPublicKeyWithCertChain(t *testing.T) {
 	rootCert, rootKey, _ := testutils.GenerateRootCa()
 	subCert, subKey, _ := testutils.GenerateSubordinateCa(rootCert, rootKey)
-	url, _ := url.Parse("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.1")
-	leafCert, leafKey, _ := testutils.GenerateLeafCert("[email protected]", "oidc-issuer", url, subCert, subKey)
+	subjectURL, _ := url.Parse("https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v1.1.1")
+	leafCert, leafKey, _ := testutils.GenerateLeafCertWithSubjectAlternateNames(
+		[]string{"example.com"}, []string{"[email protected]"}, []net.IP{{1, 1, 1, 1}}, []*url.URL{subjectURL}, "oidc-issuer", subCert, subKey)
 	leafCertPEM, _ := cryptoutils.MarshalCertificateToPEM(leafCert)
 
 	pemCertChain, err := cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, subCert, rootCert})
@@ -274,7 +276,10 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 		t.Fatalf("expected matching subjects, expected %v, got %v", leafCert.EmailAddresses, pub.EmailAddresses())
 	}
 
-	expectedSubjects := leafCert.EmailAddresses
+	var expectedSubjects []string
+	expectedSubjects = append(expectedSubjects, leafCert.DNSNames...)
+	expectedSubjects = append(expectedSubjects, leafCert.EmailAddresses...)
+	expectedSubjects = append(expectedSubjects, leafCert.IPAddresses[0].String())
 	expectedSubjects = append(expectedSubjects, leafCert.URIs[0].String())
 	if !reflect.DeepEqual(pub.Subjects(), expectedSubjects) {
 		t.Fatalf("expected matching subjects, expected %v, got %v", expectedSubjects, pub.Subjects())