package signature

import (
	"crypto"
	"crypto/x509"
	"errors"
	"fmt"
	"slices"

	"github.com/containers/image/v5/signature/internal"
	"github.com/sigstore/sigstore/pkg/cryptoutils"
)

// pkiTrustRoot holds the trust configuration verifyPKI checks a signing certificate against:
// the CA roots the leaf must chain to, optional additional intermediates, and the subject
// identity (e-mail and/or hostname) the leaf must carry. validate checks the struct's consistency.
type pkiTrustRoot struct {
	caRootsCertificates        *x509.CertPool // trusted roots; passed as x509.VerifyOptions.Roots by verifyPKI
	caIntermediateCertificates *x509.CertPool // optional; may be nil. Cloned by verifyPKI before untrusted intermediates are added
	subjectEmail               string         // if non-empty, must appear in the leaf's EmailAddresses
	subjectHostname            string         // if non-empty, the leaf must pass VerifyHostname for it
}

// validate reports an internal-inconsistency error when the trust root names no subject identity
// at all: at least one of subjectEmail and subjectHostname must be set, otherwise verifyPKI would
// have nothing to match the leaf certificate against beyond chain validity.
func (p *pkiTrustRoot) validate() error {
	hasSubject := p.subjectEmail != "" || p.subjectHostname != ""
	if hasSubject {
		return nil
	}
	return errors.New("Internal inconsistency: PKI use set up without subject email or subject hostname")
}

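// verifyPKI verifies the PEM-encoded leaf certificate in untrustedCertificateBytes against
// pkiTrustRoot and, on success, returns the leaf certificate's public key.
//
// untrustedIntermediateChainBytes may be empty; otherwise it is a PEM bundle whose certificates,
// except the last one, are offered to the chain builder as additional (untrusted) intermediates.
// The leaf must chain to pkiTrustRoot.caRootsCertificates, be valid for code signing, and carry
// pkiTrustRoot.subjectEmail and/or match pkiTrustRoot.subjectHostname, for whichever of the two is set.
//
// A missing root pool is reported as an internal inconsistency; every failure attributable to the
// untrusted input is returned as an internal.InvalidSignatureError.
func verifyPKI(pkiTrustRoot *pkiTrustRoot, untrustedCertificateBytes []byte, untrustedIntermediateChainBytes []byte) (crypto.PublicKey, error) {
	// x509.VerifyOptions.Roots == nil makes Certificate.Verify fall back to the system root store;
	// a policy-supplied PKI must never be silently widened like that, so refuse before looking at
	// any untrusted input.
	if pkiTrustRoot.caRootsCertificates == nil {
		return nil, errors.New("Internal inconsistency: PKI use set up without CA root certificates")
	}

	// Work on a copy of the configured intermediates so that certificates taken from the
	// untrusted chain are never added to the policy's own pool.
	var untrustedIntermediatePool *x509.CertPool
	if pkiTrustRoot.caIntermediateCertificates != nil {
		untrustedIntermediatePool = pkiTrustRoot.caIntermediateCertificates.Clone()
	} else {
		untrustedIntermediatePool = x509.NewCertPool()
	}
	if len(untrustedIntermediateChainBytes) > 0 {
		untrustedIntermediateChain, err := cryptoutils.UnmarshalCertificatesFromPEM(untrustedIntermediateChainBytes)
		if err != nil {
			return nil, internal.NewInvalidSignatureError(fmt.Sprintf("loading certificate chain: %v", err))
		}
		// The last certificate of the supplied chain is deliberately not added (presumably the chain's
		// own root, which must come from the policy and never from the signature — confirm against
		// callers); a single-certificate chain therefore contributes nothing.
		if len(untrustedIntermediateChain) > 1 {
			for _, untrustedIntermediateCert := range untrustedIntermediateChain[:len(untrustedIntermediateChain)-1] {
				untrustedIntermediatePool.AddCert(untrustedIntermediateCert)
			}
		}
	}

	untrustedCertificate, err := parseLeafCertFromPEM(untrustedCertificateBytes)
	if err != nil {
		return nil, err
	}

	// Only intermediates come from untrusted data; Roots is always the policy's pool, and the
	// leaf must be usable for code signing.
	if _, err := untrustedCertificate.Verify(x509.VerifyOptions{
		Intermediates: untrustedIntermediatePool,
		Roots:         pkiTrustRoot.caRootsCertificates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return nil, internal.NewInvalidSignatureError(fmt.Sprintf("verifying leaf certificate failed: %v", err))
	}

	// Identity checks run only after the chain is trusted, and only for the fields the policy set
	// (validate is meant to ensure at least one of them is).
	if pkiTrustRoot.subjectEmail != "" && !slices.Contains(untrustedCertificate.EmailAddresses, pkiTrustRoot.subjectEmail) {
		return nil, internal.NewInvalidSignatureError(fmt.Sprintf("Required email %q not found (got %q)",
			pkiTrustRoot.subjectEmail,
			untrustedCertificate.EmailAddresses))
	}
	if pkiTrustRoot.subjectHostname != "" {
		// VerifyHostname matches against the certificate's SANs; a mismatch is an invalid signature.
		if err := untrustedCertificate.VerifyHostname(pkiTrustRoot.subjectHostname); err != nil {
			return nil, internal.NewInvalidSignatureError(fmt.Sprintf("Unexpected subject hostname: %v", err))
		}
	}

	return untrustedCertificate.PublicKey, nil
}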