Change username format, enforce identity format

docs/oid-info.md

@@ -52,6 +52,11 @@ This contains the `ref` claim from the GitHub OIDC Identity token that contains
 the git ref that the workflow run was based upon.
 [(docs)][github-oidc-doc]
 
+### 1.3.6.1.4.1.57264.1.7 | OtherName SAN
+
+This specifies the username identity in the OtherName Subject Alternative Name, as
+defined by [RFC5280 4.2.1.6](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6).
+
 <!-- References -->
 [github-oidc-doc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
 [oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264

docs/oidc.md

@@ -163,4 +163,4 @@ Additionally, the configuration must include `SubjectDomain`, for example `examp
 
 * The issuer in the configuration must partially match the domain in the configuration. The top level domain and second level domain must match. The user who updates the Fulcio configuration must also have control over both the issuer and domain configuration fields (Verified either manually or through an ACME-style challenge).
 
-`SubjectDomain` is appended to `sub` to form an email, `sub@SubjectDomain`, and included as a SAN email address.
+`SubjectDomain` is appended to `sub` to form an identity, `sub!SubjectDomain`, and included as an OtherName SAN.

pkg/certificate/extensions.go

@@ -27,6 +27,7 @@ var (
 	OIDGitHubWorkflowName       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
 	OIDGitHubWorkflowRepository = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
 	OIDGitHubWorkflowRef        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
+	OIDOtherName                = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
 )
 
 // Extensions contains all custom x509 extensions defined by Fulcio

pkg/identity/email/principal.go

@@ -18,6 +18,8 @@ import (
 	"context"
 	"crypto/x509"
 	"errors"
+	"fmt"
+	"regexp"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/sigstore/fulcio/pkg/certificate"
@@ -40,6 +42,11 @@ func PrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Pr
 		return nil, errors.New("email_verified claim was false")
 	}
 
+	emailRegex := regexp.MustCompile(`^.+@.+\..+$`)
+	if !emailRegex.MatchString(emailAddress) {
+		return nil, fmt.Errorf("email address is not valid")
+	}
+
 	cfg, ok := config.FromContext(ctx).GetIssuer(token.Issuer)
 	if !ok {
 		return nil, errors.New("invalid configuration for OIDC ID Token issuer")

pkg/identity/email/principal_test.go

@@ -144,6 +144,25 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			},
 			WantErr: true,
 		},
+		`Invalid email address should error`: {
+			Claims: map[string]interface{}{
+				"aud":            "sigstore",
+				"iss":            "https://iss.example.com",
+				"sub":            "doesntmatter",
+				"email":          "foo.com",
+				"email_verified": true,
+			},
+			Config: config.FulcioConfig{
+				OIDCIssuers: map[string]config.OIDCIssuer{
+					"https://iss.example.com": {
+						IssuerURL: "https://iss.example.com",
+						Type:      config.IssuerTypeEmail,
+						ClientID:  "sigstore",
+					},
+				},
+			},
+			WantErr: true,
+		},
 		`No issuer configured for token`: {
 			Claims: map[string]interface{}{
 				"aud":            "sigstore",

pkg/identity/uri/principal.go

@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"net/url"
+	"regexp"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/sigstore/fulcio/pkg/certificate"
@@ -40,6 +41,11 @@ func PrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Pr
 		return nil, errors.New("invalid configuration for OIDC ID Token issuer")
 	}
 
+	emailRegex := regexp.MustCompile(`^.+@.+\..+$`)
+	if emailRegex.MatchString(uriWithSubject) {
+		return nil, fmt.Errorf("uri subject should not be an email address")
+	}
+
 	// The subject hostname must exactly match the subject domain from the configuration
 	uSubject, err := url.Parse(uriWithSubject)
 	if err != nil {

pkg/identity/uri/principal_test.go

@@ -47,6 +47,10 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			Token:   &oidc.IDToken{Issuer: "https://notaccounts.example.com", Subject: "https://example.com/users/1"},
 			WantErr: true,
 		},
+		`Subject as an email address should error`: {
+			Token:   &oidc.IDToken{Issuer: "https://accounts.example.com", Subject: "user@example.com"},
+			WantErr: true,
+		},
 		`Incorrect subject domain hostname should error`: {
 			Token:   &oidc.IDToken{Issuer: "https://accounts.example.com", Subject: "https://notexample.com/users/1"},
 			WantErr: true,

pkg/identity/username/othername.go

@@ -0,0 +1,125 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package username
+
+import (
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+
+	"github.com/sigstore/fulcio/pkg/certificate"
+)
+
+// OtherName describes a name related to a certificate which is not in one
+// of the standard name formats. RFC 5280, 4.2.1.6:
+//
+//	OtherName ::= SEQUENCE {
+//	     type-id    OBJECT IDENTIFIER,
+//	     value      [0] EXPLICIT ANY DEFINED BY type-id }
+//
+// OtherName for Fulcio-issued certificates only supports UTF-8 strings as values.
+type OtherName struct {
+	ID    asn1.ObjectIdentifier
+	Value string `asn1:"utf8,explicit,tag:0"`
+}
+
+// MarshalSANS creates a Subject Alternative Name extension
+// with an OtherName sequence. RFC 5280, 4.2.1.6:
+//
+// SubjectAltName ::= GeneralNames
+// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+// GeneralName ::= CHOICE {
+//
+//	otherName                       [0]     OtherName,
+//	... }
+func MarshalSANS(name string, critical bool) (*pkix.Extension, error) {
+	var rawValues []asn1.RawValue
+	o := OtherName{
+		ID:    certificate.OIDOtherName,
+		Value: name,
+	}
+	bytes, err := asn1.MarshalWithParams(o, "tag:0")
+	if err != nil {
+		return nil, err
+	}
+	rawValues = append(rawValues, asn1.RawValue{FullBytes: bytes})
+
+	sans, err := asn1.Marshal(rawValues)
+	if err != nil {
+		return nil, err
+	}
+	return &pkix.Extension{
+		Id:       asn1.ObjectIdentifier{2, 5, 29, 17},
+		Critical: critical,
+		Value:    sans,
+	}, nil
+}
+
+// UnmarshalSANs extracts a UTF-8 string from the OtherName
+// field in the Subject Alternative Name extension.
+func UnmarshalSANS(exts []pkix.Extension) (string, error) {
+	var otherNames []string
+
+	for _, e := range exts {
+		if !e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) {
+			continue
+		}
+
+		var seq asn1.RawValue
+		rest, err := asn1.Unmarshal(e.Value, &seq)
+		if err != nil {
+			return "", err
+		} else if len(rest) != 0 {
+			return "", fmt.Errorf("trailing data after X.509 extension")
+		}
+		if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
+			return "", asn1.StructuralError{Msg: "bad SAN sequence"}
+		}
+
+		rest = seq.Bytes
+		for len(rest) > 0 {
+			var v asn1.RawValue
+			rest, err = asn1.Unmarshal(rest, &v)
+			if err != nil {
+				return "", err
+			}
+
+			// skip all GeneralName fields except OtherName
+			if v.Tag != 0 {
+				continue
+			}
+
+			var other OtherName
+			_, err := asn1.UnmarshalWithParams(v.FullBytes, &other, "tag:0")
+			if err != nil {
+				return "", fmt.Errorf("could not parse requested OtherName SAN: %v", err)
+			}
+			if !other.ID.Equal(certificate.OIDOtherName) {
+				return "", fmt.Errorf("unexpected OID for OtherName, expected %v, got %v", certificate.OIDOtherName, other.ID)
+			}
+			otherNames = append(otherNames, other.Value)
+		}
+	}
+
+	if len(otherNames) == 0 {
+		return "", errors.New("no OtherName found")
+	}
+	if len(otherNames) != 1 {
+		return "", errors.New("expected only one OtherName")
+	}
+
+	return otherNames[0], nil
+}