Consolidate certificate expiry logic #2504
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report
@@ Coverage Diff @@
## main #2504 +/- ##
==========================================
- Coverage 30.16% 30.14% -0.02%
==========================================
Files 139 139
Lines 8583 8595 +12
==========================================
+ Hits 2589 2591 +2
- Misses 5621 5629 +8
- Partials 373 375 +2
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
asraa
reviewed
Dec 2, 2022
haydentherapper
force-pushed
the
processing-order-1
branch
from
229b5b2
to
c9af038
Compare
asraa
reviewed
Dec 2, 2022
asraa
previously approved these changes
Dec 2, 2022
|
@cpanato Any idea about why the windows test is failing? Not sure how best to debug this. |
haydentherapper
force-pushed
the
processing-order-1
branch
from
1bd5cda
to
23cf1cb
Compare
asraa
reviewed
Dec 6, 2022
asraa
reviewed
Dec 6, 2022
Should not change behavior now, but this should make it easier to move code around. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Let's decrease the risk of a caller not noticing an error, and make it a bit shorter to read and more clear that they are all, in fact, error paths. This may change the return value in some cases. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This will allow us to move the certificate expiry responsibility to the caller. Should not change behavior, assuming timestamp.ParseResponse can't fail for an alraedy verified response. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... from VerifyRFC3161Timestamp, which has no reason to care, to verifyInternal. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Don't repeat the conditions, and make the flow a bit clearer. Should not change behavior, unless there are multiple reasons to reject the signature. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We will use them to decouple the bundle handling from certificate expiry verification. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Should not change behavior, just to prepare a further move Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Another small step. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Now, we always validate certificate expiration against _some_ time. Even if we don't interact with Rekor bundles at all, we validate it against the current time. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Consolidate all the expiry checks into one place. Should not change behavior, unless there are multiple reasons to reject the signature. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Do them before looking at the certificate at all; we need to do this first to obtain signature creation times. This may affect user-visible error messages; adjust a test. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Hayden B <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
haydentherapper
force-pushed
the
processing-order-1
branch
from
7349b6c
to
844de7c
Compare
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
mtrmac
commented
Dec 7, 2022
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
asraa
reviewed
Dec 7, 2022
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
asraa
reviewed
Dec 7, 2022
asraa
approved these changes
Dec 7, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This is a subset of #2482 as requested in #2482 (comment) (a bit larger than that):
verifyInternalnow has one place (although not yet the correct place) to do certificate expiry checks, instead of that happening inVerifyRFC3161TimestampSee #2482 for previous discussion, and the general rationale of only using data after it is verified (which is not what this PR really does, but it’s a prerequisite).
Release Note
cosign verify-blob --cert-chain … --certificate … --skip-tlog-verifynow requires the leaf certificate to not be expired.Documentation