fix: fix method for getting leaf certs in Bundle v0.3 (#813)

ramonpetgrave64 · web-flow · commit 17f79583c583 · 2024-10-29T16:43:56.000-04:00
Followup to slsa-framework/slsa-github-generator#3777 This PR adds a missing modification for getting the leaf certificate in the new Bundle format v0.3. In my original experiments, I did have this method in a dev branch, but neglected to include it in the final PR. - main...verify-sigstore-go-Bundlev3#diff-a9bfffae1bd0d145e950805e7a35b8e65adc7a68affa605b484f4831097b989cR98-R107 - https://github.com/slsa-framework/slsa-verifier/pull/799/files ## Testing - I re-used the same attestation file from a failing workflow for unit tests and manual invocation. - https://github.com/slsa-framework/example-package/actions/runs/11511156484 ## Followup - Finish finding a way to test changes within PRs. - slsa-framework/slsa-github-generator#3777 (comment) - #797 --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
diff --git a/verifiers/internal/gha/bundle.go b/verifiers/internal/gha/bundle.go
@@ -99,11 +99,23 @@ func getEnvelopeFromBundleBytes(content []byte) (*dsselib.Envelope, error) {
 
 // getLeafCertFromBundle extracts the signing cert from the Sigstore bundle.
 func getLeafCertFromBundle(bundle *bundle_v1.Bundle) (*x509.Certificate, error) {
+	// Originally, there could be multiple certificates, accessed by `.GetX509CertificateChain().GetCertificates()`.
+	// As of v0.3 of the protos, only a single certificate is in the Bundle's VerificationMaterial,
+	// and it's access by the auto-generated `GetCertificate()`
+	// We keep both methods for backwards compatibility with older bundles.
+	// See: https://github.com/sigstore/protobuf-specs/pull/191.
+
+	// First try the newer method.
+	if bundleCert := bundle.GetVerificationMaterial().GetCertificate(); bundleCert != nil {
+		certBytes := bundleCert.GetRawBytes()
+		return x509.ParseCertificate(certBytes)
+	}
+
+	// Otherwise, try the original method.
 	certChain := bundle.GetVerificationMaterial().GetX509CertificateChain().GetCertificates()
 	if len(certChain) == 0 {
 		return nil, ErrorMissingCertInBundle
 	}
-
 	// The first certificate is the leaf cert: see
 	// https://github.com/sigstore/protobuf-specs/blob/16541696de137c6281d66d075a4924d9bbd181ff/protos/sigstore_common.proto#L170
 	certBytes := certChain[0].GetRawBytes()
diff --git a/verifiers/internal/gha/bundle_test.go b/verifiers/internal/gha/bundle_test.go
@@ -30,9 +30,13 @@ func Test_verifyBundle(t *testing.T) {
 		expected error
 	}{
 		{
-			name: "valid bundle",
+			name: "valid bundle: v0.1",
 			path: "./testdata/bundle/valid.intoto.sigstore",
 		},
+		{
+			name: "valid bundle: v0.3",
+			path: "./testdata/bundle/valid-v0.3.intoto.sigstore",
+		},
 		{
 			name:     "mismatch rekor entry",
 			path:     "./testdata/bundle/mismatch-tlog.intoto.sigstore",
diff --git a/verifiers/internal/gha/testdata/bundle/valid-v0.3.intoto.sigstore b/verifiers/internal/gha/testdata/bundle/valid-v0.3.intoto.sigstore
