Mark OIDs as deprecated, use URL concatentation

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Mar 24, 2023 · 00f2715 · 00f2715
1 parent efc080b
commit 00f2715
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 15 deletions.
diff --git a/pkg/certificate/extensions.go b/pkg/certificate/extensions.go
@@ -22,14 +22,18 @@ import (
 )
 
 var (
-	// BEGIN: Deprecated
-	OIDIssuer                   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
-	OIDGitHubWorkflowTrigger    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
-	OIDGitHubWorkflowSHA        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
-	OIDGitHubWorkflowName       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
+	// Deprecated: Use OIDIssuerV2
+	OIDIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
+	// Deprecated: Use OIDBuildTrigger
+	OIDGitHubWorkflowTrigger = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
+	// Deprecated: Use OIDSourceRepositoryDigest
+	OIDGitHubWorkflowSHA = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
+	// Deprecated: Use OIDBuildConfigURI or OIDBuildConfigDigest
+	OIDGitHubWorkflowName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
+	// Deprecated: Use SourceRepositoryURI
 	OIDGitHubWorkflowRepository = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
-	OIDGitHubWorkflowRef        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
-	// END: Deprecated
+	// Deprecated: Use OIDSourceRepositoryRef
+	OIDGitHubWorkflowRef = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
 
 	OIDOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
 	OIDIssuerV2  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}

diff --git a/pkg/identity/github/principal.go b/pkg/identity/github/principal.go
@@ -179,12 +179,13 @@ func (w workflowPrincipal) Name(ctx context.Context) string {
 }
 
 func (w workflowPrincipal) Embed(ctx context.Context, cert *x509.Certificate) error {
-	// Set workflow URL to SubjectAlternativeName on certificate
-	parsed, err := url.Parse(w.url + w.jobWorkflowRef)
+	baseURL, err := url.Parse(w.url)
 	if err != nil {
 		return err
 	}
-	cert.URIs = []*url.URL{parsed}
+
+	// Set workflow ref URL to SubjectAlternativeName on certificate
+	cert.URIs = []*url.URL{baseURL.JoinPath(w.jobWorkflowRef)}
 
 	// Embed additional information into custom extensions
 	cert.ExtraExtensions, err = certificate.Extensions{
@@ -197,19 +198,19 @@ func (w workflowPrincipal) Embed(ctx context.Context, cert *x509.Certificate) er
 		GithubWorkflowRef:        w.ref,
 		// END: Deprecated
 
-		BuildSignerURI:                  w.url + w.jobWorkflowRef,
+		BuildSignerURI:                  baseURL.JoinPath(w.jobWorkflowRef).String(),
 		BuildSignerDigest:               w.jobWorkflowSha,
 		RunnerEnvironment:               w.runnerEnvironment,
-		SourceRepositoryURI:             w.url + w.repository,
+		SourceRepositoryURI:             baseURL.JoinPath(w.repository).String(),
 		SourceRepositoryDigest:          w.sha,
 		SourceRepositoryRef:             w.ref,
 		SourceRepositoryIdentifier:      w.repositoryID,
-		SourceRepositoryOwnerURI:        w.url + w.repositoryOwner,
+		SourceRepositoryOwnerURI:        baseURL.JoinPath(w.repositoryOwner).String(),
 		SourceRepositoryOwnerIdentifier: w.repositoryOwnerID,
-		BuildConfigURI:                  w.url + w.workflowRef,
+		BuildConfigURI:                  baseURL.JoinPath(w.workflowRef).String(),
 		BuildConfigDigest:               w.workflowSha,
 		BuildTrigger:                    w.eventName,
-		RunInvocationURI:                w.url + w.repository + "/actions/runs/" + w.runID + "/attempts/" + w.runAttempt,
+		RunInvocationURI:                baseURL.JoinPath(w.repository, "actions/runs", w.runID, "attempts", w.runAttempt).String(),
 	}.Render()
 	if err != nil {
 		return err