Shopify / ruby-sigstore

Rubygems sigstore signing plugin
Apache License 2.0

Retrieve root certificate using signing certificate's AIA extension #18

Closed rochlefebvre closed 3 years ago

rochlefebvre commented 3 years ago

Closes #15

The rekord's public key only contains the PEM for the signing certificate. In order to validate the full chain, we must retrieve the issuer's certificate as well, using the coordinates in the authorityInfoAccess extension.

Issued By: sigstore.dev
Issuing Certificate: sigstore
Serial Number: FD4708B0738239116E3C28D60BC1ED4C2176C1
Signature: ecdsa-with-SHA384
Valid From: 19:57:13 29 Oct 2021
Valid To: 20:17:12 29 Oct 2021
Key Usage: Digital Signature
Extended Key Usage: Code Signing
Basic Constraints: CA:FALSE
Subject Key Identifier: 21:8C:20:47:DF:43:6C:AA:36:31:84:BE:75:C9:B0:01:B2:20:8C:B5
Authority Key Identifier: keyid:C8:C5:1D:00:41:9A:24:29:32:51:24:EB:0D:AE:4A:ED:4A:06:D3:EC
Authority Info Access: CA Issuers - URI:http://privateca-content-603fe7e7-0000-2227-bf75-f4f5e80d2954.storage.googleapis.com/ca36a1e96242b9fcb146/ca.crt
Subject Alternative Names: email:roch.lefebvre@shopify.com

I'm also moving much of the certificate deserialization & extension navigation out of the RekordEntry type.

Actual cert chain validation will come in a future PR.
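The AIA lookup described in this PR, as an added example that is not the project's code: it reads the CA Issuers URI out of the authorityInfoAccess extension by decoding the DER (rather than scraping OpenSSL's printable output), fetches the issuer certificate from it, and checks that the candidate really issued the leaf. The sample certificate, its URIs and the `build_sample_cert`/`issuer_of?` names are constructed for the example.

```ruby
require "openssl"
require "net/http"
require "uri"

# id-ad-caIssuers (RFC 5280 section 4.2.2.1): the AIA access method whose
# location points at the issuer's certificate.
CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2"

# Return the CA Issuers URIs carried in the certificate's authorityInfoAccess
# extension, parsed from DER rather than from OpenSSL's printable rendering.
def ca_issuer_uris(cert)
  ext = cert.extensions.find { |e| e.oid == "authorityInfoAccess" }
  return [] unless ext
  # Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue OCTET STRING }
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription { method OID, location GeneralName }
  OpenSSL::ASN1.decode(extn_value).value.filter_map do |access|
    access_method, location = access.value
    next unless access_method.oid == CA_ISSUERS_OID
    # uniformResourceIdentifier is the GeneralName choice [6] IMPLICIT IA5String
    next unless location.tag == 6 && location.tag_class == :CONTEXT_SPECIFIC
    location.value
  end
end

# Fetch the issuer certificate from the first CA Issuers URI (PEM or DER body).
def fetch_issuer_certificate(cert)
  uri = ca_issuer_uris(cert).first or raise "no CA Issuers URI in AIA"
  OpenSSL::X509::Certificate.new(Net::HTTP.get(URI(uri)))
end

# A fetched certificate is only accepted as the issuer if the names chain and
# the leaf's signature actually verifies under the candidate's public key.
def issuer_of?(candidate, cert)
  cert.issuer == candidate.subject && cert.verify(candidate.public_key)
end

# Constructed self-signed sample certificate (not a real sigstore cert) so the
# parsing above runs offline; the URIs are placeholders. Validity is 20 minutes,
# like the short-lived signing certificate shown in the PR description.
def build_sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=sample")
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 1200
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("authorityInfoAccess",
    "OCSP;URI:http://ocsp.example.test,caIssuers;URI:http://ca.example.test/ca.crt"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end
```

The OCSP entry in the sample is there to show that only the caIssuers access method is returned; `fetch_issuer_certificate` needs network access and is not exercised offline.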