Switch to cryptoutils function for SANS (#3185)

It was moved to s/s awhile ago. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Aug 12, 2023 · 667e328 · 667e328
1 parent 9c9a33f
commit 667e328
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 64 deletions.
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -296,7 +296,7 @@ func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error {
 		return err
 	}
 	oidcIssuer := ce.GetIssuer()
-	sans := getSubjectAlternateNames(cert)
+	sans := cryptoutils.GetSubjectAlternateNames(cert)
 	// If there are identities given, go through them and if one of them
 	// matches, call that good, otherwise, return an error.
 	if len(co.Identities) > 0 {
@@ -399,29 +399,6 @@ func validateCertExtensions(ce CertExtensions, co *CheckOpts) error {
 	return nil
 }
 
-// getSubjectAlternateNames returns all of the following for a Certificate.
-// DNSNames
-// EmailAddresses
-// IPAddresses
-// URIs
-func getSubjectAlternateNames(cert *x509.Certificate) []string {
-	sans := []string{}
-	sans = append(sans, cert.DNSNames...)
-	sans = append(sans, cert.EmailAddresses...)
-	for _, ip := range cert.IPAddresses {
-		sans = append(sans, ip.String())
-	}
-	for _, uri := range cert.URIs {
-		sans = append(sans, uri.String())
-	}
-	// ignore error if there's no OtherName SAN
-	otherName, _ := cryptoutils.UnmarshalOtherNameSAN(cert.Extensions)
-	if len(otherName) > 0 {
-		sans = append(sans, otherName)
-	}
-	return sans
-}
-
 // ValidateAndUnpackCertWithChain creates a Verifier from a certificate. Verifies that the certificate
 // chains up to the provided root. Chain should start with the parent of the certificate and end with the root.
 // Optionally verifies the subject and issuer of the certificate.

diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
@@ -1318,46 +1318,6 @@ func TestTrustedCertSuccessChainFromRoot(t *testing.T) {
 	}
 }
 
-func Test_getSubjectAltnernativeNames(t *testing.T) {
-	rootCert, rootKey, _ := test.GenerateRootCa()
-	subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey)
-
-	// generate with OtherName, which will override other SANs
-	ext, err := cryptoutils.MarshalOtherNameSAN("subject-othername", true)
-	if err != nil {
-		t.Fatalf("error marshalling SANs: %v", err)
-	}
-	exts := []pkix.Extension{*ext}
-	leafCert, _, _ := test.GenerateLeafCert("unused@mail.com", "oidc-issuer", subCert, subKey, exts...)
-
-	sans := getSubjectAlternateNames(leafCert)
-	if len(sans) != 1 {
-		t.Fatalf("expected 1 SAN field, got %d", len(sans))
-	}
-	if sans[0] != "subject-othername" {
-		t.Fatalf("unexpected OtherName SAN value")
-	}
-
-	// generate with all other SANs
-	leafCert, _, _ = test.GenerateLeafCertWithSubjectAlternateNames([]string{"subject-dns"}, []string{"subject-email"}, []net.IP{{1, 2, 3, 4}}, []*url.URL{{Path: "testURL"}}, "oidc-issuer", subCert, subKey)
-	sans = getSubjectAlternateNames(leafCert)
-	if len(sans) != 4 {
-		t.Fatalf("expected 1 SAN field, got %d", len(sans))
-	}
-	if sans[0] != "subject-dns" {
-		t.Fatalf("unexpected DNS SAN value")
-	}
-	if sans[1] != "subject-email" {
-		t.Fatalf("unexpected email SAN value")
-	}
-	if sans[2] != "1.2.3.4" {
-		t.Fatalf("unexpected IP SAN value")
-	}
-	if sans[3] != "testURL" {
-		t.Fatalf("unexpected URL SAN value")
-	}
-}
-
 func TestVerifyRFC3161Timestamp(t *testing.T) {
 	// generate signed artifact
 	rootCert, rootKey, _ := test.GenerateRootCa()