-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
_verify: Create a new X509Store
for each verify
call
#174
Conversation
Signed-off-by: Alex Cameron <alex.cameron@trailofbits.com>
bfa7e06
to
0e41a92
Compare
Signed-off-by: Alex Cameron <alex.cameron@trailofbits.com>
I think there might be an underlying issue to report to either In the meantime, let's just get it working again with this patch. |
Yeah, that smells like a PyOpenSSL (or underlying OpenSSL) bug to me, or at least a documentation error. I'd suggest filing it here: https://github.com/pyca/pyopenssl |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
sigstore/_verify.py
Outdated
store = X509Store() | ||
for parent_cert_pem in self._fulcio_certificate_chain: | ||
parent_cert = load_pem_x509_certificate(parent_cert_pem) | ||
parent_cert_ossl = X509.from_cryptography(parent_cert) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually it'd probably be better to do this in the constructor and just store the parent_cert_ossl
s for each chain member.
Signed-off-by: Alex Cameron <alex.cameron@trailofbits.com>
4e1c030
to
95f7348
Compare
Ok, I've removed the duplicate work. I'll let you take another look and pull the trigger on it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM structurally. We should probably get some tests in the CI that exercise this code path, so that we don't regress here in the future.
Closes #173