Fix a bug in x509 certificate handling. (#461)

The CryptoPubKey function only returned the key value, but we should retrieve it from the cert if set. This fixes the rest of #918. Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>
sigstore · Oct 19, 2021 · 66e0ab1 · 66e0ab1
1 parent 5653100
commit 66e0ab1
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go
@@ -139,6 +139,9 @@ func (k PublicKey) CanonicalValue() (encoded []byte, err error) {
 }
 
 func (k PublicKey) CryptoPubKey() crypto.PublicKey {
+	if k.cert != nil {
+		return k.cert.c.PublicKey
+	}
 	return k.key
 }
 

diff --git a/pkg/types/intoto/v0.0.1/entry_test.go b/pkg/types/intoto/v0.0.1/entry_test.go
@@ -27,6 +27,7 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"math/big"
 	"reflect"
 	"testing"
 
@@ -90,6 +91,23 @@ func TestV001Entry_Unmarshal(t *testing.T) {
 		Type:  "PUBLIC KEY",
 	})
 
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+	}
+	caBytes, err := x509.CreateCertificate(rand.Reader, ca, ca, &priv.PublicKey, priv)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pemBytes := pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: caBytes,
+	})
+
 	invalid, err := json.Marshal(dsse.Envelope{
 		Payload: "hello",
 		Signatures: []dsse.Signature{
@@ -139,6 +157,16 @@ func TestV001Entry_Unmarshal(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "cert",
+			it: &models.IntotoV001Schema{
+				PublicKey: p([]byte(pemBytes)),
+				Content: &models.IntotoV001SchemaContent{
+					Envelope: envelope(t, priv, validPayload, "text"),
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "invalid",
 			it: &models.IntotoV001Schema{