From a81cb730fcd987051dbdfe9b2665178bc051f05f Mon Sep 17 00:00:00 2001
From: Meredith Lancaster
Date: Thu, 31 Oct 2024 16:14:28 -0600
Subject: [PATCH] update VerifyCertExtensions args
Signed-off-by: Meredith Lancaster
---
 .../attestation/verification/extensions.go | 32 ++++++++++---------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/pkg/cmd/attestation/verification/extensions.go b/pkg/cmd/attestation/verification/extensions.go
index 67cc48f18..b41d7f559 100644
--- a/pkg/cmd/attestation/verification/extensions.go
+++ b/pkg/cmd/attestation/verification/extensions.go
@@ -4,6 +4,8 @@ import (
 	"errors"
 	"fmt"
 	"strings"
+
+	"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
 )
 var (
@@ -18,7 +20,7 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, ec Enforcement
 	var atLeastOneVerified bool
 	for _, attestation := range results {
-		if err := verifyCertExtensions(attestation, ec); err != nil {
+		if err := verifyCertExtensions(*attestation.VerificationResult.Signature.Certificate, ec); err != nil {
 			return err
 		}
 		atLeastOneVerified = true
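Review bot: The new call dereferences `*attestation.VerificationResult.Signature.Certificate` without checking that `attestation`, `VerificationResult`, `Signature` or `Certificate` is non-nil, so an element of `results` that never reached a verified certificate makes the verification loop panic instead of returning an error. Unless every `*AttestationProcessingResult` handed to this function is guaranteed to carry a verified certificate (not visible from this hunk), guard before the call: `if attestation == nil || attestation.VerificationResult == nil || attestation.VerificationResult.Signature == nil || attestation.VerificationResult.Signature.Certificate == nil {` / `return errors.New("attestation has no verified certificate")` / `}`; `errors` is already imported in this file. VerifyCertExtensions starts before this hunk and its body continues past the last line shown.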
@@ -32,30 +34,30 @@ func VerifyCertExtensions(results []*AttestationProcessingResult, ec Enforcement
 }
 func verifyCertExtensions(verifiedCert certificate.Summary, criteria EnforcementCriteria) error {
-	if c.Extensions.SourceRepositoryOwnerURI != "" {
-		sourceRepositoryOwnerURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryOwnerURI
-		if !strings.EqualFold(c.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
-			return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", c.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
+	if criteria.Extensions.SourceRepositoryOwnerURI != "" {
+		sourceRepositoryOwnerURI := verifiedCert.Extensions.SourceRepositoryOwnerURI
+		if !strings.EqualFold(criteria.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI) {
+			return fmt.Errorf("expected SourceRepositoryOwnerURI to be %s, got %s", criteria.Extensions.SourceRepositoryOwnerURI, sourceRepositoryOwnerURI)
 		}
 	}
 	// if repo is set, check the SourceRepositoryURI field
-	if c.Extensions.SourceRepositoryURI != "" {
-		sourceRepositoryURI := attestation.VerificationResult.Signature.Certificate.Extensions.SourceRepositoryURI
-		if !strings.EqualFold(c.Extensions.SourceRepositoryURI, sourceRepositoryURI) {
-			return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", c.Extensions.SourceRepositoryURI, sourceRepositoryURI)
+	if criteria.Extensions.SourceRepositoryURI != "" {
+		sourceRepositoryURI := verifiedCert.Extensions.SourceRepositoryURI
+		if !strings.EqualFold(criteria.Extensions.SourceRepositoryURI, sourceRepositoryURI) {
+			return fmt.Errorf("expected SourceRepositoryURI to be %s, got %s", criteria.Extensions.SourceRepositoryURI, sourceRepositoryURI)
 		}
 	}
 	// if issuer is anything other than the default, use the user-provided value;
 	// otherwise, select the appropriate default based on the tenant
-	if c.OIDCIssuer != "" {
-		certIssuer := attestation.VerificationResult.Signature.Certificate.Extensions.Issuer
-		if !strings.EqualFold(c.OIDCIssuer, certIssuer) {
-			if strings.Index(certIssuer, c.OIDCIssuer+"/") == 0 {
-				return fmt.Errorf("expected Issuer to be %s, got %s -- if you have a custom OIDC issuer policy for your enterprise, use the --cert-oidc-issuer flag with your expected issuer", c.OIDCIssuer, certIssuer)
+	if criteria.OIDCIssuer != "" {
+		certIssuer := verifiedCert.Extensions.Issuer
+		if !strings.EqualFold(criteria.OIDCIssuer, certIssuer) {
+			if strings.Index(certIssuer, criteria.OIDCIssuer+"/") == 0 {
+				return fmt.Errorf("expected Issuer to be %s, got %s -- if you have a custom OIDC issuer policy for your enterprise, use the --cert-oidc-issuer flag with your expected issuer", criteria.OIDCIssuer, certIssuer)
 			}
-			return fmt.Errorf("expected Issuer to be %s, got %s", c.OIDCIssuer, certIssuer)
+			return fmt.Errorf("expected Issuer to be %s, got %s", criteria.OIDCIssuer, certIssuer)
 		}
 	}