Skip to content
This repository was archived by the owner on Feb 26, 2024. It is now read-only.

Retrieve root certificate using signing certificate's AIA extension#18

Merged
rochlefebvre merged 5 commits into
mainfrom
root_cert_from_aia
Nov 1, 2021
Merged

Retrieve root certificate using signing certificate's AIA extension#18
rochlefebvre merged 5 commits into
mainfrom
root_cert_from_aia

Conversation

@rochlefebvre
Copy link
Copy Markdown

@rochlefebvre rochlefebvre commented Nov 1, 2021
edited
Loading

Closes #15

The rekord's public key only contains the PEM for the signing certificate. In order to validate the full chain, we must retrieve the issuer's certificate as well, using the coordinates in the authorityInfoAccess extension.

Issued By: sigstore.dev
Issuing Certificate: sigstore
Serial Number: FD4708B0738239116E3C28D60BC1ED4C2176C1
Signature: ecdsa-with-SHA384
Valid From: 19:57:13 29 Oct 2021
Valid To: 20:17:12 29 Oct 2021
Key Usage: Digital Signature
Extended Key Usage: Code Signing
Basic Constraints: CA:FALSE
Subject Key Identifier: 21:8C:20:47:DF:43:6C:AA:36:31:84:BE:75:C9:B0:01:B2:20:8C:B5
Authority Key Identifier: keyid:C8:C5:1D:00:41:9A:24:29:32:51:24:EB:0D:AE:4A:ED:4A:06:D3:EC
Authority Info Access: CA Issuers - URI:http://privateca-content-603fe7e7-0000-2227-bf75-f4f5e80d2954.storage.googleapis.com/ca36a1e96242b9fcb146/ca.crt
Subject Alternative Names: email:roch.lefebvre@shopify.com

I'm also moving much of the certificate deserialization & extension navigation out of the RekordEntry type.

Actuall cert chain validation will come in a future PR.

@rochlefebvre rochlefebvre changed the base branch from main to refactor November 1, 2021 13:09
rochlefebvre
rochlefebvre commented Nov 1, 2021
View reviewed changes
Comment thread lib/rubygems/sigstore/cert_chain.rb

private

def build_chain
Copy link
Copy Markdown
Author

@rochlefebvre rochlefebvre Nov 1, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deserialize the current cert chain, and then iteratively:

  • retrieve the leftmost certificate's parent via AIA coordinates
  • deserialize the file into a Certificate instance
  • prepend it into the chain

The looping stops once we see a cert having in AIA. Checking whether it's actually a CA will be done during chain verification.

rochlefebvre
rochlefebvre commented Nov 1, 2021
View reviewed changes
Comment thread lib/rubygems/sigstore/cert_extensions.rb Outdated
@@ -0,0 +1,25 @@
module Gem::Sigstore::CertExtensions
def method_missing(method, *args, &block)
Copy link
Copy Markdown
Author

@rochlefebvre rochlefebvre Nov 1, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is syntactic sugar that I'm trying out. We're exposing a certificate instance's extensions as attributes. If someone calls cert#some_unknown_extension, then NoMethodError will be raised as usual. We see an example of this in CertChain#retrieve_issuer_cert, above.

I'm on the fence about this, tbh. We could very well do with the #extension("extension name") method bellow, sticking to a more explicit pattern. If we do this, then there is no need to maintain our @extension_hash's keys in snake case.

@rochlefebvre rochlefebvre requested a review from doodzik November 1, 2021 13:22
@rochlefebvre rochlefebvre changed the base branch from refactor to main November 1, 2021 17:25
@rochlefebvre rochlefebvre merged commit a37e8f1 into main Nov 1, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@doodzik doodzik doodzik approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Retrieve root certificate using signing certificate's AIA extension

2 participants

@rochlefebvre @doodzik