Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify "long" chains #923

Closed
woodruffw opened this issue Mar 6, 2024 · 4 comments · Fixed by #924
Closed

Verify "long" chains #923

woodruffw opened this issue Mar 6, 2024 · 4 comments · Fixed by #924
Assignees
@woodruffw
Labels
component:api Public APIs component:verification Core verification functionality

Comments

@woodruffw
Copy link
Member

woodruffw commented Mar 6, 2024
edited
Loading

From #910:

Given the root is present in the trusted root file, I would prefer we still validate it. The intermediate being shipped in the trust root is more of an optimization, letting us avoid distributing a CRL if we need to revoke the intermediate cert. The PKI root of trust is supposed to be the Fulcio root cert.

Makes sense! In that case, we can simulate the "long chain" building by passing only the Fulcio root into the trust store and including the intermediate via the intermediates parameter to X509StoreContext. That will ensure we never terminate before the self-signed TA, regardless of OpenSSL flags like X509_V_FLAG_PARTIAL_CHAIN.

Originally posted by @woodruffw in #910 (comment)
@woodruffw woodruffw self-assigned this Mar 6, 2024
@woodruffw woodruffw added component:verification Core verification functionality component:api Public APIs labels Mar 6, 2024
@haydentherapper
Copy link
Contributor

sigstore/protobuf-specs#245 now clarifies this.

@woodruffw
Copy link
Member Author

Awesome! I'll open a PR for this today.

@woodruffw
Copy link
Member Author

I'm looking into this now, and it's moderately complicated by the fact that we now (as of #910) have multiple chains to consider. Given that, I'm going to go with the ~X509_V_FLAG_PARTIAL_CHAIN approach for now and revisit the more general approach if sigstore/protobuf-specs#249 is accepted 🙂

@woodruffw woodruffw mentioned this issue Mar 6, 2024
Merged
@woodruffw
Copy link
Member Author

Opened #924 with the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@woodruffw woodruffw

Labels
component:api Public APIs component:verification Core verification functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

verifier: set store flags explicitly sigstore/sigstore-python
2 participants
@woodruffw @haydentherapper