sigstore · steiza · Jul 24, 2024 · Jul 18, 2024 · Jul 23, 2024
@@ -284,7 +284,7 @@ func main() {
 
 		identityPolicies := []verify.PolicyOption{}
 		if *certOIDC != "" || *certSAN != "" {
-			certID, err := verify.NewShortCertificateIdentity(*certOIDC, *certSAN, "")
+			certID, err := verify.NewShortCertificateIdentity(*certOIDC, "", *certSAN, "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)
@@ -333,7 +333,7 @@ func main() {
 		// Configure verification options
 		identityPolicies := []verify.PolicyOption{}
 		if *certOIDC != "" || *certSAN != "" {
-			certID, err := verify.NewShortCertificateIdentity(*certOIDC, *certSAN, "")
+			certID, err := verify.NewShortCertificateIdentity(*certOIDC, "", *certSAN, "")
 			if err != nil {
 				fmt.Println(err)
 				os.Exit(1)

@@ -120,7 +120,7 @@ func run() error {
 		verifierConfig = append(verifierConfig, verify.WithOnlineVerification())
 	}
 
-	certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, *expectedSANRegex)
+	certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, "", *expectedSAN, *expectedSANRegex)
 	if err != nil {
 		return err
 	}

@@ -95,7 +95,7 @@ Then, we need to prepare the expected artifact digest. Note that this option has
 In this case, we also need to prepare the expected certificate identity. Note that this option has an alternative option `WithoutIdentitiesUnsafe`. This is a failsafe to ensure that the caller is aware that simply verifying the bundle is not enough, you must also verify the contents of the bundle against a specific identity. If your bundle was signed with a key, and thus does not have a certificate identity, a better choice is to use the `WithKey` option.
 
 ```go
-	certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "^https://github.com/sigstore/sigstore-js/")
+	certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "", "^https://github.com/sigstore/sigstore-js/")
 	if err != nil {
 		panic(err)
 	}
@@ -221,7 +221,7 @@ func main() {
 		panic(err)
 	}
 
-	certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "^https://github.com/sigstore/sigstore-js/")
+	certID, err := verify.NewShortCertificateIdentity("https://token.actions.githubusercontent.com", "", "", "^https://github.com/sigstore/sigstore-js/")
 	if err != nil {
 		panic(err)
 	}

@@ -134,7 +134,7 @@ func run() error {
 	}
 
 	if *expectedOIDIssuer != "" || *expectedSAN != "" || *expectedSANRegex != "" {
-		certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, *expectedSAN, *expectedSANRegex)
+		certID, err := verify.NewShortCertificateIdentity(*expectedOIDIssuer, "", *expectedSAN, *expectedSANRegex)
 		if err != nil {
 			return err
 		}

@@ -30,6 +30,7 @@ type SubjectAlternativeNameMatcher struct {
 
 type CertificateIdentity struct {
 	SubjectAlternativeName SubjectAlternativeNameMatcher `json:"subjectAlternativeName"`
+	IssuerRegexp           *regexp.Regexp
 	certificate.Extensions
 }
 
@@ -116,15 +117,19 @@ func (s SubjectAlternativeNameMatcher) Verify(actualCert certificate.Summary) er
 	return nil
 }
 
-func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions certificate.Extensions) (CertificateIdentity, error) {
+func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, issuerRegexp *regexp.Regexp, extensions certificate.Extensions) (CertificateIdentity, error) {
 	if sanMatcher.SubjectAlternativeName == "" && sanMatcher.Regexp.String() == "" {
 		return CertificateIdentity{}, errors.New("when verifying a certificate identity, there must be subject alternative name criteria")
 	}
 
-	certID := CertificateIdentity{SubjectAlternativeName: sanMatcher, Extensions: extensions}
+	certID := CertificateIdentity{
+		SubjectAlternativeName: sanMatcher,
+		IssuerRegexp:           issuerRegexp,
+		Extensions:             extensions,
+	}
 
-	if certID.Issuer == "" {
-		return CertificateIdentity{}, errors.New("when verifying a certificate identity, the Issuer field can't be empty")
+	if certID.Issuer == "" && issuerRegexp == nil {
+		return CertificateIdentity{}, errors.New("when verifying a certificate identity, must specify Issuer criteria")
 	}
 
 	return certID, nil
@@ -133,13 +138,23 @@ func NewCertificateIdentity(sanMatcher SubjectAlternativeNameMatcher, extensions
 // NewShortCertificateIdentity provides a more convenient way of initializing
 // a CertificiateIdentity with a SAN and the Issuer OID extension. If you need
 // to check more OID extensions, use NewCertificateIdentity instead.
-func NewShortCertificateIdentity(issuer, sanValue, sanRegex string) (CertificateIdentity, error) {
+func NewShortCertificateIdentity(issuer, issuerRegex, sanValue, sanRegex string) (CertificateIdentity, error) {
+	var r *regexp.Regexp
+	var err error
+
+	if issuerRegex != "" {
+		r, err = regexp.Compile(issuerRegex)
+		if err != nil {
+			return CertificateIdentity{}, err
+		}
+	}
+
 	sanMatcher, err := NewSANMatcher(sanValue, sanRegex)
 	if err != nil {
 		return CertificateIdentity{}, err
 	}
 
-	return NewCertificateIdentity(sanMatcher, certificate.Extensions{Issuer: issuer})
+	return NewCertificateIdentity(sanMatcher, r, certificate.Extensions{Issuer: issuer})
 }
 
 // Verify verifies the CertificateIdentities, and if ANY of them match the cert,
@@ -164,5 +179,10 @@ func (c CertificateIdentity) Verify(actualCert certificate.Summary) error {
 	if err = c.SubjectAlternativeName.Verify(actualCert); err != nil {
 		return err
 	}
+	if c.IssuerRegexp != nil {
+		if !c.IssuerRegexp.MatchString(actualCert.Extensions.Issuer) {
+			return fmt.Errorf("expected issuer value to match regex \"%s\", got \"%s\"", c.IssuerRegexp.String(), actualCert.Extensions.Issuer)
+		}
+	}
 	return certificate.CompareExtensions(c.Extensions, actualCert.Extensions)
 }
@@ -15,6 +15,7 @@
 package verify
 
 import (
+	"regexp"
 	"testing"
 
 	"github.com/sigstore/sigstore-go/pkg/fulcio/certificate"
@@ -23,6 +24,7 @@ import (
 
 const (
 	ActionsIssuerValue = "https://token.actions.githubusercontent.com"
+	ActionsIssuerRegex = "githubusercontent.com$"
 	SigstoreSanValue   = "https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main"
 	SigstoreSanRegex   = "^https://github.com/sigstore/sigstore-js/"
 )
@@ -57,32 +59,39 @@ func TestCertificateIdentityVerify(t *testing.T) {
 	}
 
 	// First, let's test happy paths:
-	issuerOnlyID, _ := certIDForTesting("", "", ActionsIssuerValue, "")
+	issuerOnlyID, _ := certIDForTesting("", "", ActionsIssuerValue, "", "")
 	assert.NoError(t, issuerOnlyID.Verify(actualCert))
 
-	sanValueOnly, _ := certIDForTesting(SigstoreSanValue, "", "", "")
+	issuerOnlyRegex, _ := certIDForTesting("", "", "", ActionsIssuerRegex, "")
+	assert.NoError(t, issuerOnlyRegex.Verify(actualCert))
+
+	sanValueOnly, _ := certIDForTesting(SigstoreSanValue, "", "", "", "")
 	assert.NoError(t, sanValueOnly.Verify(actualCert))
 
-	sanRegexOnly, _ := certIDForTesting("", SigstoreSanRegex, "", "")
+	sanRegexOnly, _ := certIDForTesting("", SigstoreSanRegex, "", "", "")
 	assert.NoError(t, sanRegexOnly.Verify(actualCert))
 
 	// multiple values can be specified
-	sanRegexAndIssuer, _ := certIDForTesting("", SigstoreSanRegex, ActionsIssuerValue, "github-hosted")
+	sanRegexAndIssuer, _ := certIDForTesting("", SigstoreSanRegex, ActionsIssuerValue, "", "github-hosted")
 	assert.NoError(t, sanRegexAndIssuer.Verify(actualCert))
 
 	// unhappy paths:
 	// wrong issuer
-	sanRegexAndWrongIssuer, _ := certIDForTesting("", SigstoreSanRegex, "https://token.actions.example.com", "")
+	sanRegexAndWrongIssuer, _ := certIDForTesting("", SigstoreSanRegex, "https://token.actions.example.com", "", "")
 	errCompareExtensions := &certificate.ErrCompareExtensions{}
 	assert.ErrorAs(t, sanRegexAndWrongIssuer.Verify(actualCert), &errCompareExtensions)
 	assert.Equal(t, "expected Issuer to be \"https://token.actions.example.com\", got \"https://token.actions.githubusercontent.com\"", errCompareExtensions.Error())
 
 	// bad san regex
-	badRegex, _ := certIDForTesting("", "^badregex.*", "", "")
+	badRegex, _ := certIDForTesting("", "^badregex.*", "", "", "")
 	errSANValueRegexMismatch := &ErrSANValueRegexMismatch{}
 	assert.ErrorAs(t, badRegex.Verify(actualCert), &errSANValueRegexMismatch)
 	assert.Equal(t, "expected SAN value to match regex \"^badregex.*\", got \"https://github.com/sigstore/sigstore-js/.github/workflows/release.yml@refs/heads/main\"", errSANValueRegexMismatch.Error())
 
+	// bad issuer regex
+	badIssuerRegex, _ := certIDForTesting("", "", "", "^badregex$", "")
+	assert.Error(t, badIssuerRegex.Verify(actualCert))
+
 	// if we have an array of certIDs, only one needs to match
 	ci, err := CertificateIdentities{sanRegexAndWrongIssuer, sanRegexAndIssuer}.Verify(actualCert)
 	assert.NoError(t, err)
@@ -105,24 +114,38 @@ func TestCertificateIdentityVerify(t *testing.T) {
 }
 
 func TestThatCertIDsAreFullySpecified(t *testing.T) {
-	_, err := NewShortCertificateIdentity("", "", "")
+	_, err := NewShortCertificateIdentity("", "", "", "")
+	assert.Error(t, err)
+
+	_, err = NewShortCertificateIdentity("foobar", "", "", "")
 	assert.Error(t, err)
 
-	_, err = NewShortCertificateIdentity("foobar", "", "")
+	_, err = NewShortCertificateIdentity("", ActionsIssuerRegex, "", "")
 	assert.Error(t, err)
 
-	_, err = NewShortCertificateIdentity("", "", SigstoreSanRegex)
+	_, err = NewShortCertificateIdentity("", "", "", SigstoreSanRegex)
 	assert.Error(t, err)
 
-	_, err = NewShortCertificateIdentity("foobar", "", SigstoreSanRegex)
+	_, err = NewShortCertificateIdentity("foobar", "", "", SigstoreSanRegex)
+	assert.Nil(t, err)
+
+	_, err = NewShortCertificateIdentity("", ActionsIssuerRegex, "", SigstoreSanRegex)
 	assert.Nil(t, err)
 }
 
-func certIDForTesting(sanValue, sanRegex, issuer, runnerEnv string) (CertificateIdentity, error) {
+func certIDForTesting(sanValue, sanRegex, issuer, issuerRegex, runnerEnv string) (CertificateIdentity, error) {
 	san, err := NewSANMatcher(sanValue, sanRegex)
 	if err != nil {
 		return CertificateIdentity{}, err
 	}
 
-	return CertificateIdentity{SubjectAlternativeName: san, Extensions: certificate.Extensions{Issuer: issuer, RunnerEnvironment: runnerEnv}}, nil
+	var r *regexp.Regexp
+	if issuerRegex != "" {
+		r, err = regexp.Compile(issuerRegex)
+		if err != nil {
+			return CertificateIdentity{}, err
+		}
+	}
+
+	return CertificateIdentity{SubjectAlternativeName: san, IssuerRegexp: r, Extensions: certificate.Extensions{Issuer: issuer, RunnerEnvironment: runnerEnv}}, nil
 }
@@ -210,7 +210,7 @@ func TestEntityWithOthernameSan(t *testing.T) {
 	digest, err := hex.DecodeString("bc103b4a84971ef6459b294a2b98568a2bfb72cded09d4acd1e16366a401f95b")
 	assert.NoError(t, err)
 
-	certID, err := verify.NewShortCertificateIdentity("http://oidc.local:8080", "foo!oidc.local", "")
+	certID, err := verify.NewShortCertificateIdentity("http://oidc.local:8080", "", "foo!oidc.local", "")
 	assert.NoError(t, err)
 	res, err := v.Verify(entity, verify.NewPolicy(verify.WithArtifactDigest("sha256", digest), verify.WithCertificateIdentity(certID)))
 	assert.NoError(t, err)
@@ -220,7 +220,7 @@ func TestEntityWithOthernameSan(t *testing.T) {
 	assert.Equal(t, res.VerifiedIdentity.SubjectAlternativeName.SubjectAlternativeName, "foo!oidc.local")
 
 	// an email address doesn't verify
-	certID, err = verify.NewShortCertificateIdentity("http://oidc.local:8080", "foo@oidc.local", "")
+	certID, err = verify.NewShortCertificateIdentity("http://oidc.local:8080", "", "foo@oidc.local", "")
 	assert.NoError(t, err)
 	_, err = v.Verify(entity, verify.NewPolicy(verify.WithArtifactDigest("sha256", digest), verify.WithCertificateIdentity(certID)))
 	assert.Error(t, err)
@@ -235,7 +235,7 @@ func TestVerifyPolicyOptionErors(t *testing.T) {
 	verifier, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))
 	assert.Nil(t, err)
 
-	goodCertID, err := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", verify.SigstoreSanRegex)
+	goodCertID, err := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", "", verify.SigstoreSanRegex)
 	assert.Nil(t, err)
 
 	digest, _ := hex.DecodeString("46d4e2f74c4877316640000a6fdf8a8b59f1e0847667973e9859f774dd31b8f1e0937813b777fb66a2ac67d50540fe34640966eee9fc2ccca387082b4c85cd3c")
@@ -326,8 +326,8 @@ func TestEntitySignedByPublicGoodWithCertificateIdentityVerifiesSuccessfully(t *
 	tr := data.PublicGoodTrustedMaterialRoot(t)
 	entity := data.SigstoreJS200ProvenanceBundle(t)
 
-	goodCI, _ := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", verify.SigstoreSanRegex)
-	badCI, _ := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "BadSANValue", "")
+	goodCI, _ := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", "", verify.SigstoreSanRegex)
+	badCI, _ := verify.NewShortCertificateIdentity(verify.ActionsIssuerValue, "", "BadSANValue", "")
 
 	verifier, err := verify.NewSignedEntityVerifier(tr, verify.WithTransparencyLog(1), verify.WithObserverTimestamps(1))