
Refactor challenge verification #580

Merged
merged 2 commits into from May 17, 2022

Conversation

nsmith5
Contributor

@nsmith5 nsmith5 commented May 12, 2022

Summary

The challenge verification logic is sort of mixed up with the OIDC token parsing at the moment. This work makes two changes to this logic to make it a little easier to understand (there is one commit per change so you can read one at a time if desired).

  • Break up the OIDC parsing logic and proof of possession verification in ExtractSubject into two separate things
  • Group all the logic for verifying a CSR together and all the logic for verifying a signed subject proof of possession together. Make a really clear branch in logic between these two completely different challenges.

@haydentherapper
Contributor

I’ve got to prep for a presentation, so I’ll take a look at this first thing Monday.

@nsmith5 nsmith5 force-pushed the refactor-challenge-verification branch from 46fab85 to 3fde015 Compare May 16, 2022 15:33
@nsmith5 nsmith5 force-pushed the refactor-challenge-verification branch from 3fde015 to 62efc87 Compare May 16, 2022 16:17
Nathan Smith added 2 commits May 16, 2022 09:26
Signed-off-by: Nathan Smith <nathan@chainguard.dev>
There are two challenges a caller can use to prove they possess their
private key:
- Submit a CSR
- Sign the subject or email from their ID token
Previously the logic to verify these two types of challenges was
interwoven. This work splits the verification into two different
branches and groups the logic of each type of verification together.

Signed-off-by: Nathan Smith <nathan@chainguard.dev>
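The two proof-of-possession branches named in the PR description and in the commit message above (verify a CSR, or verify a signature over the subject taken from the ID token), written out as an added Go example. This is not code from this PR or from fulcio: the `Challenge` struct, the helper names, the SHA-256-over-subject signing convention and the ECDSA-only restriction are assumptions made for illustration, and the subject strings are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// ChallengeType selects which proof-of-possession challenge a caller submitted.
type ChallengeType int

const (
	ChallengeCSR           ChallengeType = iota // caller sent a PKCS#10 CSR
	ChallengeSignedSubject                      // caller signed the OIDC subject
)

// Challenge is a constructed request shape for this example (an assumption,
// not fulcio's own API). Only one group of fields is used per challenge type.
type Challenge struct {
	Type      ChallengeType
	CSR       []byte           // DER-encoded CSR (ChallengeCSR only)
	PublicKey crypto.PublicKey // key the caller claims (ChallengeSignedSubject only)
	Signature []byte           // ASN.1 ECDSA signature over subject (ChallengeSignedSubject only)
}

// VerifyChallenge is the single branch point: each challenge type has its own
// verifier, and the caller gets back the public key whose possession was proven.
func VerifyChallenge(ch Challenge, subject string) (crypto.PublicKey, error) {
	switch ch.Type {
	case ChallengeCSR:
		return verifyCSR(ch.CSR)
	case ChallengeSignedSubject:
		return verifySignedSubject(ch.PublicKey, ch.Signature, subject)
	default:
		return nil, errors.New("unknown challenge type")
	}
}

// verifyCSR proves possession through the CSR's self-signature: the request
// must be signed by the private key matching the public key embedded in it.
func verifyCSR(der []byte) (crypto.PublicKey, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("parsing CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return csr.PublicKey, nil
}

// verifySignedSubject proves possession by checking the caller's signature over
// the subject from the already-verified ID token. Binding to the token's subject
// (not a caller-chosen string) keeps a signature tied to one identity.
func verifySignedSubject(pub crypto.PublicKey, sig []byte, subject string) (crypto.PublicKey, error) {
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("example handles ECDSA keys only")
	}
	digest := sha256.Sum256([]byte(subject)) // assumed encoding for this example
	if !ecdsa.VerifyASN1(ecPub, digest[:], sig) {
		return nil, errors.New("subject signature invalid")
	}
	return pub, nil
}

// NewCSRChallenge builds the caller side of the CSR challenge.
func NewCSRChallenge(priv *ecdsa.PrivateKey) (Challenge, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return Challenge{}, err
	}
	return Challenge{Type: ChallengeCSR, CSR: der}, nil
}

// NewSignedSubjectChallenge builds the caller side of the signed-subject challenge.
func NewSignedSubjectChallenge(priv *ecdsa.PrivateKey, subject string) (Challenge, error) {
	digest := sha256.Sum256([]byte(subject))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Challenge{}, err
	}
	return Challenge{Type: ChallengeSignedSubject, PublicKey: &priv.PublicKey, Signature: sig}, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ch, _ := NewSignedSubjectChallenge(priv, "alice@example.com") // constructed subject
	_, err := VerifyChallenge(ch, "alice@example.com")
	fmt.Println("signed-subject challenge accepted:", err == nil)
	_, err = VerifyChallenge(ch, "mallory@example.com")
	fmt.Println("same signature under another subject rejected:", err != nil)
}
```

The point of the split is that each verifier only needs the inputs of its own challenge: the CSR branch never sees the OIDC subject, and the signed-subject branch never parses PKCS#10, so a defect in one cannot silently weaken the other.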
@nsmith5 nsmith5 force-pushed the refactor-challenge-verification branch from 62efc87 to 57dbda7 Compare May 16, 2022 16:26
@dlorenc dlorenc merged commit c041c98 into sigstore:main May 17, 2022