
Commit 8554eb6

authored
Updates for SAN parsing (#229)
* Remove Type for SubjectAlternativeName Simplify certificate identities by removing the Type attribute from the SubjectAlternativeName type. The CA is expected to handle validating that SAN values match their designated types. Signed-off-by: Colleen Murphy <[email protected]> * Support OtherName SAN in Fulcio cert Add support for parsing and verifying a Fulcio certificate with a username identity issued from an OIDC provider. See [1]. [1] https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417--othername-san Signed-off-by: Colleen Murphy <[email protected]> --------- Signed-off-by: Colleen Murphy <[email protected]>
1 parent fef0ebe commit 8554eb6


14 files changed

+244
-89
lines changed


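--- a/cmd/conformance/main.go
+++ b/cmd/conformance/main.go
@@ -284,7 +284,7 @@ func main() {
 
 identityPolicies := []verify.PolicyOption{}
 if *certOIDC != "" || *certSAN != "" {
-certID, err := verify.NewShortCertificateIdentity(*certOIDC, *certSAN, "", "")
+certID, err := verify.NewShortCertificateIdentity(*certOIDC, *certSAN, "")
 if err != nil {
 fmt.Println(err)
 os.Exit(1)
@@ -333,7 +333,7 @@ func main() {
 // Configure verification options
 identityPolicies := []verify.PolicyOption{}
 if *certOIDC != "" || *certSAN != "" {
-certID, err := verify.NewShortCertificateIdentity(*certOIDC, *certSAN, "", "")
+certID, err := verify.NewShortCertificateIdentity(*certOIDC, *certSAN, "")
 if err != nil {
 fmt.Println(err)
 os.Exit(1)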

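--- a/cmd/sigstore-go/main.go
+++ b/cmd/sigstore-go/main.go
@@ -120,7 +120,7 @@ func run() error {
 verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 }
 
-certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
+certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, *expectedSANRegex)
 if err != nil {
 return err
 }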

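--- a/docs/verification.md
+++ b/docs/verification.md
@@ -95,7 +95,7 @@ Then, we need to prepare the expected artifact digest. Note that this option has
 In this case, we also need to prepare the expected certificate identity. Note that this option has an alternative option `WithoutIdentitiesUnsafe`. This is a failsafe to ensure that the caller is aware that simply verifying the bundle is not enough, you must also verify the contents of the bundle against a specific identity. If your bundle was signed with a key, and thus does not have a certificate identity, a better choice is to use the `WithKey` option.
 
 ```go
-certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "", "^https://github.com/sigstore/sigstore-js/")
+certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "^https://github.com/sigstore/sigstore-js/")
 if err != nil {
 panic(err)
 }
@@ -221,7 +221,7 @@ func main() {
 panic(err)
 }
 
-certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "", "^https://github.com/sigstore/sigstore-js/")
+certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "^https://github.com/sigstore/sigstore-js/")
 if err != nil {
 panic(err)
 }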

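--- a/examples/oci-image-verification/main.go
+++ b/examples/oci-image-verification/main.go
@@ -134,7 +134,7 @@ func run() error {
 }
 
 if *expectedOIDIssuer != "" || *expectedSAN != "" || *expectedSANRegex != "" {
-certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, "", *expectedSANRegex)
+certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, *expectedSANRegex)
 if err != nil {
 return err
 }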

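--- a/pkg/fulcio/certificate/summarize.go
+++ b/pkg/fulcio/certificate/summarize.go
@@ -19,29 +19,13 @@ import (
 "errors"
 "fmt"
 "reflect"
-)
-
-// Normally, we would make this an int and use iota to assign values. However,
-// our goal is to allow users to evaluate this data with a policy engine.
-// Defining the types as strings should make it easier for end users to discover
-// and use the NameType field.
-type SubjectAlternativeNameType string
 
-const (
-SubjectAlternativeNameTypeUnspecified SubjectAlternativeNameType = "Unspecified"
-SubjectAlternativeNameTypeEmail SubjectAlternativeNameType = "Email"
-SubjectAlternativeNameTypeURI SubjectAlternativeNameType = "URI"
-SubjectAlternativeNameTypeOther SubjectAlternativeNameType = "Other"
+"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
 
-type SubjectAlternativeName struct {
-Type SubjectAlternativeNameType `json:"type,omitempty"`
-Value string `json:"value,omitempty"`
-}
-
 type Summary struct {
-CertificateIssuer string `json:"certificateIssuer"`
-SubjectAlternativeName SubjectAlternativeName `json:"subjectAlternativeName"`
+CertificateIssuer string `json:"certificateIssuer"`
+SubjectAlternativeName string `json:"subjectAlternativeName"`
 Extensions
 }
 
@@ -62,17 +46,18 @@ func SummarizeCertificate(cert *x509.Certificate) (Summary, error) {
 return Summary{}, err
 }
 
-san := SubjectAlternativeName{}
+var san string
 
 switch {
 case len(cert.URIs) > 0:
-san.Type = SubjectAlternativeNameTypeURI
-san.Value = cert.URIs[0].String()
+san = cert.URIs[0].String()
 case len(cert.EmailAddresses) > 0:
-san.Type = SubjectAlternativeNameTypeEmail
-san.Value = cert.EmailAddresses[0]
-default:
-// TODO: Support OtherName SANs i.e. https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#1361415726417--othername-san
+san = cert.EmailAddresses[0]
+}
+if san == "" {
+san, _ = cryptoutils.UnmarshalOtherNameSAN(cert.Extensions)
+}
+if san == "" {
 return Summary{}, errors.New("No Subject Alternative Name found")
 }
 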
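Review bot: The OtherName fallback at new line 58, `san, _ = cryptoutils.UnmarshalOtherNameSAN(cert.Extensions)`, discards the decoder's error, so a certificate whose SAN extension fails to parse is reported with the same "No Subject Alternative Name found" message as one that carries no SAN at all. Because this string is the identity that verification policies are matched against, I would keep the cause: declare `var sanErr error` beside `var san string`, assign `san, sanErr = cryptoutils.UnmarshalOtherNameSAN(cert.Extensions)`, and when `sanErr` is non-nil return `fmt.Errorf("No Subject Alternative Name found: %w", sanErr)`. With the Type field gone, the `SubjectAlternativeName` field also deserves a doc comment stating the precedence visible here (first URI, then first email address, then OtherName) and that the summary no longer records which kind of SAN the value came from. SummarizeCertificate begins and ends outside this hunk, so the rest of its error handling is not visible.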

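--- a/pkg/fulcio/certificate/summarize_test.go
+++ b/pkg/fulcio/certificate/summarize_test.go
@@ -43,7 +43,7 @@ func TestSummarizeCertificateWithActionsBundle(t *testing.T) {
 
 expected := certificate.Summary{
 CertificateIssuer: "CN=sigstore-intermediate,O=sigstore.dev",
-SubjectAlternativeName: certificate.SubjectAlternativeName{Type: "URI", Value: "https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main"},
+SubjectAlternativeName: "https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main",
 Extensions: certificate.Extensions{
 Issuer: "https://token.actions.githubusercontent.com",
 GithubWorkflowTrigger: "push",
@@ -92,7 +92,7 @@ func TestSummarizeCertificateWithOauthBundle(t *testing.T) {
 
 expected := certificate.Summary{
 CertificateIssuer: "CN=sigstore-intermediate,O=sigstore.dev",
-SubjectAlternativeName: certificate.SubjectAlternativeName{Type: "Email", Value: "[email protected]"},
+SubjectAlternativeName: "[email protected]",
 Extensions: certificate.Extensions{
 Issuer: "https://github.com/login/oauth",
 },
@@ -101,6 +101,30 @@ func TestSummarizeCertificateWithOauthBundle(t *testing.T) {
 assert.Equal(t, expected, cs)
 }
 
+func TestSummarizeCertificateWithOtherNameSAN(t *testing.T) {
+entity := data.OthernameBundle(t)
+vc, err := entity.VerificationContent()
+if err != nil {
+t.Fatalf("failed to get verification content: %v", err)
+}
+
+leaf := vc.GetCertificate()
+
+if leaf == nil {
+t.Fatalf("expected verification content to be a certificate chain")
+}
+cs, err := certificate.SummarizeCertificate(leaf)
+assert.NoError(t, err)
+expected := certificate.Summary{
+CertificateIssuer: "O=Linux Foundation,POSTALCODE=57274,STREET=548 Market St,L=San Francisco,ST=California,C=USA",
+SubjectAlternativeName: "foo!oidc.local",
+Extensions: certificate.Extensions{
+Issuer: "http://oidc.local:8080",
+},
+}
+assert.Equal(t, expected, cs)
+}
+
 func TestCompareExtensions(t *testing.T) {
 // Test that the extensions are equal
 actualExt := certificate.Extensions{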

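--- a/pkg/testing/data/data.go
+++ b/pkg/testing/data/data.go
@@ -46,6 +46,9 @@ var SigstoreBundle2SigRaw []byte
 
 var SigstoreJS200ProvenanceBundleRaw []byte
 
+//go:embed othernameBundle.json
+var OthernameBundleRaw []byte
+
 // TestBundle creates *bundle.ProtobufBundle from a raw byte stream
 // containing a JSON encoded protobuf bundle.
 func TestBundle(t *testing.T, raw []byte) *bundle.ProtobufBundle {
@@ -77,7 +80,13 @@ func SigstoreJS200ProvenanceBundle(t *testing.T) *bundle.ProtobufBundle {
 return TestBundle(t, SigstoreJS200ProvenanceBundleRaw)
 }
 
-// PublicGoodTrustedMaterialRoot retruns a *root.TrustedRoot for PGI.
+// OthernameBundle returns a test *sigstore.Bundle that contains verification
+// content for an artifact signed with an Othername identity.
+func OthernameBundle(t *testing.T) *bundle.ProtobufBundle {
+return TestBundle(t, OthernameBundleRaw)
+}
+
+// PublicGoodTrustedMaterialRoot returns a *root.TrustedRoot for PGI.
 func PublicGoodTrustedMaterialRoot(t *testing.T) *root.TrustedRoot {
 trustedrootJSON, _ := os.ReadFile("../../examples/trusted-root-public-good.json")
 trustedRoot, _ := root.NewTrustedRootFromJSON(trustedrootJSON)
@@ -86,3 +95,14 @@ func PublicGoodTrustedMaterialRoot(t *testing.T) *root.TrustedRoot {
 
 return trustedRoot
 }
+
+// ScaffoldingTrustedMaterialRoot returns a *root.TrustedRoot for a private
+// sigstore deployment.
+func ScaffoldingTrustedMaterialRoot(t *testing.T) *root.TrustedRoot {
+trustedrootJSON, _ := os.ReadFile("../testing/data/trusted-root-scaffolding.json")
+trustedRoot, _ := root.NewTrustedRootFromJSON(trustedrootJSON)
+
+assert.NotNil(t, trustedRoot)
+
+return trustedRoot
+}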
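Review bot: ScaffoldingTrustedMaterialRoot drops both errors (`trustedrootJSON, _ := os.ReadFile(...)` and `trustedRoot, _ := root.NewTrustedRootFromJSON(...)`) and then relies on `assert.NotNil`, which records a failure but still returns a nil root to the caller, so a missing or corrupt trust-root file surfaces later as an unrelated failure. The relative path `../testing/data/trusted-root-scaffolding.json` also appears to resolve only when the calling test's package directory is a sibling of pkg/testing, whereas the bundle added in this same file is embedded. I would embed the JSON the same way (`//go:embed trusted-root-scaffolding.json` above a `[]byte` variable) and stop on the parse error with `t.Fatalf("parsing scaffolding trusted root: %v", err)`. PublicGoodTrustedMaterialRoot in the context lines follows the same pattern and could be tightened in the same way.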

pkg/testing/data/othernameBundle.json

+44
@@ -0,0 +1,44 @@
1+
{
2+
"mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
3+
"verificationMaterial": {
4+
"certificate": {
5+
"rawBytes": "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"
6+
},
7+
"tlogEntries": [
8+
{
9+
"logIndex": "3",
10+
"logId": {
11+
"keyId": "9vs1fkgdlblPyMuWiLRAQbEg0hmDHE6UwC92VxyLS8g="
12+
},
13+
"kindVersion": {
14+
"kind": "hashedrekord",
15+
"version": "0.0.1"
16+
},
17+
"integratedTime": "1720811189",
18+
"inclusionPromise": {
19+
"signedEntryTimestamp": "MEUCIQDlRe4vCqGTap9Bko4TN9scDU7E7ideUfC51cEwxJJVJwIgBhimuSEUEUTuJ8rISl9UyMZvZp2hi1m7SSDIZM/ZkAA="
20+
},
21+
"inclusionProof": {
22+
"logIndex": "3",
23+
"rootHash": "uZYUY33ENx3NVSOphL2yVZLM+fjGXvOvRoQ15T82jp8=",
24+
"treeSize": "4",
25+
"hashes": [
26+
"7KJPHdqkyM0JutlXYl4X0P0KU4VrWQKzjU6khYDdypw=",
27+
"t2F/5pUpEDAGCLrNbBywFrpk6eTM03yRmqxCkwO8nd0="
28+
],
29+
"checkpoint": {
30+
"envelope": "rekor-00001-deployment-56bf7777c9-jds5x - 6364419738405537866\n4\nuZYUY33ENx3NVSOphL2yVZLM+fjGXvOvRoQ15T82jp8=\n\n— rekor-00001-deployment-56bf7777c9-jds5x 9vs1fjBFAiBU8kwsoJjjEntsK485B35Sa4xhVryfMnnsv+V3fjujFgIhAOe8Okg1uwIH0no5NG3YvR57Fq0rwdxTxLqrsj2Ox1aj\n"
31+
}
32+
},
33+
"canonicalizedBody": "eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiJiYzEwM2I0YTg0OTcxZWY2NDU5YjI5NGEyYjk4NTY4YTJiZmI3MmNkZWQwOWQ0YWNkMWUxNjM2NmE0MDFmOTViIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJQ2pKYmY1ZXZRRzBjZUN1SHEvZ1VWeWI4dFU5OHBaaVFudTcxYkRuT2drbUFpRUF0bzZLeTJYQjhPeitab1NQRzRQSjg3cnNUejFkR1h0V3V5LzU4OXZXZlB3PSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVVjBWRU5EUVhBeVowRjNTVUpCWjBsVlVXOHdNRGQ2Y3pCUGFFZFBTemd2UVdOcGF5dGhlR0UzZG1Vd2QwUlJXVXBMYjFwSmFIWmpUa0ZSUlV3S1FsRkJkMlpxUlUxTlFXOUhRVEZWUlVKb1RVUldWazVDVFZKTmQwVlJXVVJXVVZGSlJYZHdSRmxYZUhCYWJUbDVZbTFzYUUxU1dYZEdRVmxFVmxGUlNBcEZkekZVV1ZjMFoxSnVTbWhpYlU1d1l6Sk9kazFTV1hkR1FWbEVWbEZSU2tWM01ERk9SR2RuVkZkR2VXRXlWakJKUms0d1RWRTBkMFJCV1VSV1VWRlNDa1YzVlRGT2Vra3pUa1JGV2sxQ1kwZEJNVlZGUTJoTlVWUkhiSFZrV0dkblVtMDVNV0p0VW1oa1IyeDJZbXBCWlVaM01IbE9SRUV6VFZSSmVFOVVRVElLVFdwb1lVWjNNSGxPUkVFelRWUkplRTlVUlRKTmFtaGhUVUZCZDFkVVFWUkNaMk54YUd0cVQxQlJTVUpDWjJkeGFHdHFUMUJSVFVKQ2QwNURRVUZSTWdwbVlYTmhUSHBCVVRaT1Z6RkVaVTQwTjJGb1RGRXJORUl2ZVhsclZFNXliRkJPTVV3MEwwWmtNbTQzSzB0b2F6Sk9jREJ6UTA5NmJqRnhNVW96UVRsakNuUlVZVXgzYUcxaFYzZzVPRlpZVm1GNE9YVk9ielJKUW1OcVEwTkJWelIzUkdkWlJGWlNNRkJCVVVndlFrRlJSRUZuWlVGTlFrMUhRVEZWWkVwUlVVMEtUVUZ2UjBORGMwZEJVVlZHUW5kTlJFMUNNRWRCTVZWa1JHZFJWMEpDVVdGMk4zcHBiV28yU1doU1NTOWlSWEoxTjFWT2IxVmtNazFOUkVGbVFtZE9WZ3BJVTAxRlIwUkJWMmRDVTFCRU5YWnNTR0ZZVmsxU1JEUlZiREJZSzNrdlQwRktSV3czVkVGelFtZE9Wa2hTUlVKQlpqaEZTV3BCWjI5Q05FZERhWE5IQ2tGUlVVSm5OemgzUVZGbFowVkJkMDlhYlRsMlNWYzVjRnBIVFhWaVJ6bHFXVmQzZDBwQldVdExkMWxDUWtGSFJIWjZRVUpCVVZGWFlVaFNNR05FYjNZS1RESTVjRnBIVFhWaVJ6bHFXVmQzTms5RVFUUk5SRUZ0UW1kdmNrSm5SVVZCV1U4dlRVRkZTVUpDWjAxR2JXZ3daRWhCTmt4NU9YWmhWMUpxVEcxNGRncFpNa1p6VDJwbmQwOUVRWGRuV1c5SFEybHpSMEZSVVVJeGJtdERRa0ZKUldaQlVqWkJTR2RCWkdkRVpYTklSRmxJZW10NVVGTkhUVFI2WlVkd2MxQnFDbWt3SzBacmRXODFTell3TVVSM1VrcFZWMUZFV0VGQlFVRmFRMjlXZGtkNFFVRkJSVUYzUWtoTlJWVkRTVVk0UzBGVWJrZFNMMEV3VFRBd2QyVkhXVWtLVTI1TGJFMU
lkU3N2VUZGUVRGaDFOM2xQTUVjeWFYUm1RV2xGUVRKck1rSkhPVWg2WkhBeVFXTm5kbVZ5YUc1elpXZHVXSGhxUzA1UE5VWk9kRzUzVndvdmFtNVBTVzgwZDBSUldVcExiMXBKYUhaalRrRlJSVXhDVVVGRVoyZEpRa0ZIVDBSbEwzWlFVSHBFZUdGeWIwaHNTVzB2TW5WSGIwRnNOMkV2WVZkS0NscDJhbTlpWnpkaE9WRnhVMDAwTTI1R2FIQnlVa1l6UXpVeE9HcEJWRkI0YlhweU1IaDZiVVJOVDJOSk5pdGhWREZsZWtzMmNFSlNTelZWTDNaWksyMEtUSHBaU0hoQ1p6bERZMEpFWkRaQk9HMVBiRGc1VVc0eGVEWmhkMU5ZYjNFck0wUTVOVEJGZDNjemRraG1SVXBWVXpWblFVWm1SREJUUlRreFdUbE1OZ3BtVGpGMU9WWjZabU5DTWpkelZFaG1ibVpEYXpjNGFWRm1LM05CTUV0WFlWUkdaMlZyUTFSclYyVjBVRGs0TXpsbFptTlJielY0V1RWS2EzaElla05YQ25oTFJITmFjbHB4U0RObmIwZElRM0ZrU1V3NU0yY3dObEZNU2tsSWNVOUlNM3AwVFhabWExbGlURzFXZFZSV01sSnBlWE5rV1Zab1JEWnpTbEpzUlVzS2VXbFlkR0ZZZDNSb2NXUmljMmRpYVV0RU9HZFNiVkZTU21seU9UWXhVRzk0VkV0clUzWklhR1JoWmxadFZsVlpkR3RYVHpaM1VUazRVSGR0VDFrd1VBcHZhaXN6ZWxkdlQwRnpibnB4Y2pCcWQwWnVPRkZXVG1SbFYwdHNSRzE2V0hGa1dHNDFZVUp2V0VKd2FHeFJlUzlxTW5VeFZGZHpiRGhJWXpkS1RDdElDbWh0VmpOSGFIRlNZbWhFTXpGWGVGWkJVWEZwTUhCdlN6ZHBaek5hUWl0eE16WlVXSFpsYzIxTVJWZGxia2xEY0d4WWMyTlZlVEpNY2pNNVF6VnpRbVVLYVV4M1RITmxNMkZoV0hObE9UVlpTSEZLYTFsblVEUTBZMU16TXk5dGJWUnRlVEpETVVaak5GQjFNREZoYTFWb1RIZzJPUzl6WjB4SVV5OHpSeklyVlFweFowYzRibk5zZWpKT04ydzNVMVZZWVhRMFJHcHhaV014V0ZGMmIxZEhMMlkzYTFWaWJqTXJaSFF3VGpoMmRqUlpTRlp4Vm5saFZ6ZFJhMWhqVURab0NubHFibFE0WTJodGFuTnhRMU5EZVRoTFYzTm5lSEl3Y0hGd1RFTnljblZ0YkZOclpURkNTa2RNTkVWYWJUQm9VMFIyY21nd1pHaHhWR2R5YjNNNFIxb0tjMWx4T0VGS1FrRkJiWEZxQ2kwdExTMHRSVTVFSUVORlVsUkpSa2xEUVZSRkxTMHRMUzBLIn19fX0="
34+
}
35+
]
36+
},
37+
"messageSignature": {
38+
"messageDigest": {
39+
"algorithm": "SHA2_256",
40+
"digest": "vBA7SoSXHvZFmylKK5hWiiv7cs3tCdSs0eFjZqQB+Vs="
41+
},
42+
"signature": "MEUCICjJbf5evQG0ceCuHq/gUVyb8tU98pZiQnu71bDnOgkmAiEAto6Ky2XB8Oz+ZoSPG4PJ87rsTz1dGXtWuy/589vWfPw="
43+
}
44+
}
@@ -0,0 +1,53 @@
1+
{
2+
"mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
3+
"tlogs": [
4+
{
5+
"baseUrl": "http://rekor.rekor-system.172.18.255.1.sslip.io",
6+
"hashAlgorithm": "SHA2_256",
7+
"publicKey": {
8+
"rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnPyeVMLRWPJQpCHcUdG41k+oJiQEjX4uGSX7ujPH7Iv5zQD3VYiHhyQ/oMJvc1vx+2Zk2DBcBhN9IT0eZjB2RQ==",
9+
"keyDetails": "PKIX_ECDSA_P256_SHA_256",
10+
"validFor": {
11+
"start": "2024-07-12T18:35:53Z"
12+
}
13+
},
14+
"logId": {
15+
"keyId": "9vs1fkgdlblPyMuWiLRAQbEg0hmDHE6UwC92VxyLS8g="
16+
}
17+
}
18+
],
19+
"certificateAuthorities": [
20+
{
21+
"subject": {
22+
"organization": "Linux Foundation"
23+
},
24+
"uri": "http://fulcio.fulcio-system.172.18.255.1.sslip.io",
25+
"certChain": {
26+
"certificates": [
27+
{
28+
"rawBytes": "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"
29+
}
30+
]
31+
},
32+
"validFor": {
33+
"start": "2024-07-12T18:35:53Z"
34+
}
35+
}
36+
],
37+
"ctlogs": [
38+
{
39+
"baseUrl": "http://ctlog.ctlog-system.172.18.255.1.sslip.io",
40+
"hashAlgorithm": "SHA2_256",
41+
"publicKey": {
42+
"rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ7v1OnMWwYi4O5oaycBsWKom3McZBDzNqXsIOq9AXc3z2HOeWVbaDd1V/9c91WRFyAv77Ao9hS9D9MEboT7lZg==",
43+
"keyDetails": "PKIX_ECDSA_P256_SHA_256",
44+
"validFor": {
45+
"start": "2024-07-12T18:35:53Z"
46+
}
47+
},
48+
"logId": {
49+
"keyId": "3rBw2B85Mj0hjOM3hqbD44tPhZLqOSutNQ8ESVFkA1w="
50+
}
51+
}
52+
]
53+
}
