Add Sigstore OIDs

README.md

@@ -1,25 +1,30 @@
 # Certificate Information for Go
 
-A golang tool for printing x509 TLS certificates in a format similar to OpenSSL.
+A Golang tool for printing x509 TLS certificates in a format similar to OpenSSL.
+
+This is a (maintained) fork of [grantae/certinfo](https://github.com/grantae/certinfo).
+
+In addition to being able to extract and print standard information from any x509 certificate (request), it also includes capabilities to extract and print properties specific to the [Smallstep toolchain](https://github.com/smallstep) and other, selected OIDs.
 
 ## Installation
 
-``` bash
-go get github.com/grantae/certinfo
+```console
+go get github.com/smallstep/certinfo
 ```
 
 ## Usage
 
 ### Print a certificate from a website
 
-``` go
+```go
 package main
 
 import (
   "crypto/tls"
   "fmt"
-  "github.com/grantae/certinfo"
   "log"
+
+  "github.com/smallstep/certinfo"
 )
 
 func main() {
@@ -44,16 +49,17 @@ func main() {
 
 ### Print a PEM-encoded certificate from a file
 
-``` go
+```go
 package main
 
 import (
   "crypto/x509"
   "encoding/pem"
   "fmt"
-  "github.com/grantae/certinfo"
   "io/ioutil"
   "log"
+
+  "github.com/smallstep/certinfo"
 )
 
 func main() {
@@ -82,13 +88,12 @@ func main() {
 
 ## Testing
 
-``` bash
-go test github.com/grantae/certinfo
+```console
+go test github.com/smallstep/certinfo
 ```
 
 This compares several PEM-encoded certificates with their expected outputs.
 
 ## License
 
 MIT -- see `LICENSE` for more information.
-

certinfo.go

@@ -47,6 +47,17 @@ var (
 	oidUserPrincipalName              = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
 )
 
+// Sigstore (Fulcio) OIDs as documented here: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
+var (
+	oidSigstoreOIDCIssuer               = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
+	oidSigstoreGithubWorkflowTrigger    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
+	oidSigstoreGithubWorkflowSha        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
+	oidSigstoreGithubWorkflowName       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
+	oidSigstoreGithubWorkflowRepository = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
+	oidSigstoreGithubWorkflowRef        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
+	oidSigstoreOtherName                = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
+)
+
 // stepProvisionerType are string representation of the provisioner type (int)
 // in the step provisioner extension.
 var stepProvisionerType = [...]string{
@@ -445,7 +456,15 @@ func printSubjAltNames(ext pkix.Extension, dnsNames, emailAddresses []string, ip
 					printOtherName(on, buf)
 					return nil //nolint:nilerr // ignore errors as instructed above
 				}
-				buf.WriteString(fmt.Sprintf("%16sUPN:%s", "", upn.UPN))
+				buf.WriteString(fmt.Sprintf("%16sUPN: %s", "", upn.UPN))
+				buf.WriteString("\n")
+			case on.TypeID.Equal(oidSigstoreOtherName):
+				var son string
+				if _, err := asn1.Unmarshal(on.Value.Bytes, &son); err != nil {
+					printOtherName(on, buf)
+					return nil //nolint:nilerr // ignore errors as instructed above
+				}
+				buf.WriteString(fmt.Sprintf("%16sSigstore Identity: %s", "", son))
 				buf.WriteString("\n")
 			default:
 				printOtherName(on, buf)
@@ -961,6 +980,24 @@ func CertificateText(cert *x509.Certificate) (string, error) {
 			case ext.Id.Equal(oidYubicoCspnCertified):
 				printExtensionHeader("X509v3 YubiKey Certification", ext, &buf)
 				buf.WriteString(fmt.Sprintf("%16sCSPN Certified\n", ""))
+			case ext.Id.Equal(oidSigstoreOIDCIssuer):
+				printExtensionHeader("Sigstore OIDC Issuer", ext, &buf)
+				buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value)))
+			case ext.Id.Equal(oidSigstoreGithubWorkflowTrigger):
+				printExtensionHeader("Sigstore GitHub Workflow Trigger", ext, &buf)
+				buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value)))
+			case ext.Id.Equal(oidSigstoreGithubWorkflowSha):
+				printExtensionHeader("Sigstore GitHub Workflow SHA Hash", ext, &buf)
+				buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value)))
+			case ext.Id.Equal(oidSigstoreGithubWorkflowName):
+				printExtensionHeader("Sigstore GitHub Workflow Name", ext, &buf)
+				buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value)))
+			case ext.Id.Equal(oidSigstoreGithubWorkflowRepository):
+				printExtensionHeader("Sigstore GitHub Workflow Repository", ext, &buf)
+				buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value)))
+			case ext.Id.Equal(oidSigstoreGithubWorkflowRef):
+				printExtensionHeader("Sigstore GitHub Workflow Ref", ext, &buf)
+				buf.WriteString(fmt.Sprintf("%16s%s\n", "", string(ext.Value)))
 			default:
 				buf.WriteString(fmt.Sprintf("%12s%s:", "", ext.Id.String()))
 				if ext.Critical {

certinfo_test.go

@@ -6,6 +6,8 @@ import (
 	"encoding/pem"
 	"os"
 	"testing"
+
+	"github.com/google/go-cmp/cmp"
 )
 
 type InputType int
@@ -54,9 +56,11 @@ func testPair(t *testing.T, certFile, refFile string, inputType InputType) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	if !bytes.Equal(resultData, refData) {
+
+	// Generate a diff and check if it's empty; if not, report error
+	if diff := cmp.Diff(refData, resultData); diff != "" {
 		t.Logf("'%s' did not match reference '%s'\n", certFile, refFile)
-		t.Errorf("Dump follows:\n%s\n", result)
+		t.Errorf("Diff follows:\n%s\n", diff)
 	}
 }
 
@@ -160,3 +164,8 @@ func TestNoCN(t *testing.T) {
 	testPair(t, "test_certs/noCN.csr", "test_certs/noCN.csr.text", tCertificateRequest)
 	testPairShort(t, "test_certs/noCN.csr", "test_certs/noCN.csr.text.short", tCertificateRequest)
 }
+
+func TestSigstoreCertInfo(t *testing.T) {
+	testPair(t, "test_certs/sigstore1.cert.pem", "test_certs/sigstore1.cert.text", tCertificate)
+	testPair(t, "test_certs/sigstore2.cert.pem", "test_certs/sigstore2.cert.text", tCertificate)
+}

go.mod

@@ -4,6 +4,7 @@ go 1.18
 
 require (
 	github.com/google/certificate-transparency-go v1.1.2
+	github.com/google/go-cmp v0.5.9
 	github.com/pkg/errors v0.9.1
 	golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d
 )

go.sum

@@ -329,8 +329,9 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v28 v28.1.1/go.mod h1:bsqJWQX05omyWVmc00nEUql9mhQyv38lDZ8kPZcQVoM=
 github.com/google/go-licenses v0.0.0-20210329231322-ce1d9163b77d/go.mod h1:+TYOmkVoJOpwnS0wfdsJCV9CoD5nJYsHoFk/0CrTK4M=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=

test_certs/sigstore1.cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNDCCArmgAwIBAgITaA70IVf4zSFlWFf54agVWKKmujAKBggqhkjOPQQDAzAq
+MRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIy
+MDIwMTIzMDcyOVoXDTIyMDIwMTIzMTcyOFowEzERMA8GA1UEChMIc2lnc3RvcmUw
+WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQI5IKBPp/19ul6bcP9UMy2WNELVh2n
+IJfasCpb7aDtrDPgv6/VpU+lbcgTqexT/31B29uCO5+lgxnqMb4dMbzno4IB0zCC
+Ac8wDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFF0R6JsMgKJ39fOXGCfMKRfSY1cuMB8GA1UdIwQYMBaA
+FFjAHl+RRaVmqXrMkKGTItAqxcX6MG0GA1UdEQRmMGSGYmh0dHBzOi8vZ2l0aHVi
+LmNvbS9oc2xhdG1hbi9zeW1mb255LWNsaS8uZ2l0aHViL3dvcmtmbG93cy9yZWxl
+YXNlci55bWxAcmVmcy90YWdzL3Y1LjMuMC1leHAtc2lnbi00MCIGCisGAQQBg78w
+AQUEFGhzbGF0bWFuL3N5bWZvbnktY2xpMCkGCisGAQQBg78wAQYEG3JlZnMvdGFn
+cy92NS4zLjAtZXhwLXNpZ24tNDASBgorBgEEAYO/MAECBARwdXNoMDkGCisGAQQB
+g78wAQEEK2h0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5j
+b20wFQYKKwYBBAGDvzABBAQHUmVsZWFzZTA2BgorBgEEAYO/MAEDBCg3OTE2Zjdh
+NWVmZTRkNDk1ZDcwYTk0ZTRlNDQ3NmVhY2ExMjBhMzFmMAoGCCqGSM49BAMDA2kA
+MGYCMQC+N7bGdPFax1M0aXh5iLrRYsrQJ6LS5yEX7/0/QrugF5Pb+zlIhWJavHnE
+H9AOnfsCMQD6fgSUbwZgoo/8vL2J19FvwWTz4k+prPYY0qackOzpUyt/P0vg2CO9
+UrxPCNx+cUw=
+-----END CERTIFICATE-----

test_certs/sigstore1.cert.text

@@ -0,0 +1,54 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2320580145869058136443151369323359520969369274 (0x680ef42157f8cd21655857f9e1a81558a2a6ba)
+    Signature Algorithm: ECDSA-SHA384
+        Issuer: O=sigstore.dev,CN=sigstore
+        Validity
+            Not Before: Feb 1 23:07:29 2022 UTC
+            Not After : Feb 1 23:17:28 2022 UTC
+        Subject: O=sigstore
+        Subject Public Key Info:
+            Public Key Algorithm: ECDSA
+                Public-Key: (256 bit)
+                X:
+                    08:e4:82:81:3e:9f:f5:f6:e9:7a:6d:c3:fd:50:cc:
+                    b6:58:d1:0b:56:1d:a7:20:97:da:b0:2a:5b:ed:a0:
+                    ed:ac
+                Y:
+                    33:e0:bf:af:d5:a5:4f:a5:6d:c8:13:a9:ec:53:ff:
+                    7d:41:db:db:82:3b:9f:a5:83:19:ea:31:be:1d:31:
+                    bc:e7
+                Curve: P-256
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage:
+                Code Signing
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Subject Key Identifier:
+                5D:11:E8:9B:0C:80:A2:77:F5:F3:97:18:27:CC:29:17:D2:63:57:2E
+            X509v3 Authority Key Identifier:
+                keyid:58:C0:1E:5F:91:45:A5:66:A9:7A:CC:90:A1:93:22:D0:2A:C5:C5:FA
+            X509v3 Subject Alternative Name:
+                URI:https://github.com/hslatman/symfony-cli/.github/workflows/releaser.yml@refs/tags/v5.3.0-exp-sign-4
+            Sigstore GitHub Workflow Repository:
+                hslatman/symfony-cli
+            Sigstore GitHub Workflow Ref:
+                refs/tags/v5.3.0-exp-sign-4
+            Sigstore GitHub Workflow Trigger:
+                push
+            Sigstore OIDC Issuer:
+                https://token.actions.githubusercontent.com
+            Sigstore GitHub Workflow Name:
+                Release
+            Sigstore GitHub Workflow SHA Hash:
+                7916f7a5efe4d495d70a94e4e4476eaca120a31f
+    Signature Algorithm: ECDSA-SHA384
+         30:66:02:31:00:be:37:b6:c6:74:f1:5a:c7:53:34:69:78:79:
+         88:ba:d1:62:ca:d0:27:a2:d2:e7:21:17:ef:fd:3f:42:bb:a0:
+         17:93:db:fb:39:48:85:62:5a:bc:79:c4:1f:d0:0e:9d:fb:02:
+         31:00:fa:7e:04:94:6f:06:60:a2:8f:fc:bc:bd:89:d7:d1:6f:
+         c1:64:f3:e2:4f:a9:ac:f6:18:d2:a6:9c:90:ec:e9:53:2b:7f:
+         3f:4b:e0:d8:23:bd:52:bc:4f:08:dc:7e:71:4c

test_certs/sigstore2.cert.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICtDCCAlqgAwIBAgIUT3Bh3mWmJp+2wTQUxj19R1vYVKcwCgYIKoZIzj0EAwIw
+aDEMMAoGA1UEBhMDVVNBMQswCQYDVQQIEwJXQTERMA8GA1UEBxMIS2lya2xhbmQx
+FTATBgNVBAkTDDc2NyA2dGggU3QgUzEOMAwGA1UEERMFOTgwMzMxETAPBgNVBAoT
+CHNpZ3N0b3JlMB4XDTIyMDkyOTE4MzcyMVoXDTIyMDkyOTE4NDcyMVowADBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABJUlrKgma8vvHGsin0Lns8ilkZIGfbFoNhp/
+e2HPdLPwmy1IfigG2FRmMjw7DymnC3ce9o1k0zkcCuhc0Pn6PnOjggFIMIIBRDAO
+BgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFDst
+jNbwcRDr33q5Tt0kUjPLrG0sMB8GA1UdIwQYMBaAFN8zJRpf/idR3ooX82oyJ5BC
+UFGjMCsGA1UdEQEB/wQhMB+gHQYKKwYBBAGDvzABB6APDA1mb28hMTI3LjAuMC4x
+MCQGCisGAQQBg78wAQEEFmh0dHA6Ly8xMjcuMC4wLjE6NDU2NjEwgYkGCisGAQQB
+1nkCBAIEewR5AHcAdQAodhoYkCf77zzQ1hoBjXawUFcpx6dBG8y99gT0XUJhUwAA
+AAAAAAU5AAAEAwBGMEQCIAhzbUnllt0pkfDnAvEI/4yEESxXn6d+8bJqQ4i/oU68
+AiBZgxlvo/D//+6I0ztBODY5/U6qYrUZt4a4SX1Uk3y/xzAKBggqhkjOPQQDAgNI
+ADBFAiEAogo/upgvfrjroS72BcIrPznne7NC6mOt0jDVFDfFgswCIArUlhr07ftG
+KCl3yVaw8c5Ck5p5eRSNY/RqZ0YRC7Ir
+-----END CERTIFICATE-----

test_certs/sigstore2.cert.text

@@ -0,0 +1,50 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 453516479926854321636729881678065165927286592679 (0x4f7061de65a6269fb6c13414c63d7d475bd854a7)
+    Signature Algorithm: ECDSA-SHA256
+        Issuer: C=USA,ST=WA,L=Kirkland,STREET=767 6th St S,POSTALCODE=98033,O=sigstore
+        Validity
+            Not Before: Sep 29 18:37:21 2022 UTC
+            Not After : Sep 29 18:47:21 2022 UTC
+        Subject:
+        Subject Public Key Info:
+            Public Key Algorithm: ECDSA
+                Public-Key: (256 bit)
+                X:
+                    95:25:ac:a8:26:6b:cb:ef:1c:6b:22:9f:42:e7:b3:
+                    c8:a5:91:92:06:7d:b1:68:36:1a:7f:7b:61:cf:74:
+                    b3:f0
+                Y:
+                    9b:2d:48:7e:28:06:d8:54:66:32:3c:3b:0f:29:a7:
+                    0b:77:1e:f6:8d:64:d3:39:1c:0a:e8:5c:d0:f9:fa:
+                    3e:73
+                Curve: P-256
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage:
+                Code Signing
+            X509v3 Subject Key Identifier:
+                3B:2D:8C:D6:F0:71:10:EB:DF:7A:B9:4E:DD:24:52:33:CB:AC:6D:2C
+            X509v3 Authority Key Identifier:
+                keyid:DF:33:25:1A:5F:FE:27:51:DE:8A:17:F3:6A:32:27:90:42:50:51:A3
+            X509v3 Subject Alternative Name: critical
+                Sigstore Identity: foo!127.0.0.1
+            Sigstore OIDC Issuer:
+                http://127.0.0.1:45661
+            RFC6962 Certificate Transparency SCT:
+                SCT [0]:
+                    Version: V1 (0x0)
+                    LogID: KHYaGJAn++880NYaAY12sFBXKcenQRvMvfYE9F1CYVM=
+                    Timestamp: Jan 1 00:00:01.337 1970 UTC
+                    Signature Algorithm: SHA256-ECDSA
+                      30:44:02:20:08:73:6d:49:e5:96:dd:29:91:f0:e7:02:f1:08:
+                      ff:8c:84:11:2c:57:9f:a7:7e:f1:b2:6a:43:88:bf:a1:4e:bc:
+                      02:20:59:83:19:6f:a3:f0:ff:ff:ee:88:d3:3b:41:38:36:39:
+                      fd:4e:aa:62:b5:19:b7:86:b8:49:7d:54:93:7c:bf:c7
+    Signature Algorithm: ECDSA-SHA256
+         30:45:02:21:00:a2:0a:3f:ba:98:2f:7e:b8:eb:a1:2e:f6:05:
+         c2:2b:3f:39:e7:7b:b3:42:ea:63:ad:d2:30:d5:14:37:c5:82:
+         cc:02:20:0a:d4:96:1a:f4:ed:fb:46:28:29:77:c9:56:b0:f1:
+         ce:42:93:9a:79:79:14:8d:63:f4:6a:67:46:11:0b:b2:2b