Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client Spec: How to check fulcio-returned SAN against ID Token #21

Open
segiddins opened this issue Sep 17, 2024 · 0 comments
Open

Client Spec: How to check fulcio-returned SAN against ID Token #21

segiddins opened this issue Sep 17, 2024 · 0 comments
Labels
question Further information is requested

Comments

@segiddins
Copy link
Member

Question
The spec says

Check that the leaf certificate contains a subject (as SubjectAlternativeName) that matches the subject in the OIDC credential presented with the certificate signing request, and encodes the appropriate OIDC issuer in an extension with OID 1.3.6.1.4.1.57264.1.8.

But the SAN values are constructed by fulcio in a way that does not show up in any of the protos:

The type of the SAN is from https://github.com/sigstore/fulcio/blob/b2186c01da1ddf807bde3ea8c450226d8e001d88/pkg/config/config.go#L182-L201

https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md otherwise describes the extensions, but doesn't include the SAN

And ultimately the principal comes from https://github.com/sigstore/fulcio/blob/e86540d3be25166b75abff38aa81fcb003f924b6/pkg/challenges/challenges.go#L55-L89, and is dependent on the token issuer!

If we want clients to validate the returned cert, this needs to either go into the sigstore protos for fulcio, or else be clearly documented so clients can mirror the fulcio behavior
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@segiddins