sigstore / sigstore-python

A Sigstore client written in Python
https://pypi.org/p/sigstore

Verify "long" chains #923

Closed woodruffw closed 8 months ago

woodruffw commented 8 months ago

From #910:

> Given the root is present in the trusted root file, I would prefer we still validate it. The intermediate being shipped in the trust root is more of an optimization, letting us avoid distributing a CRL if we need to revoke the intermediate cert. The PKI root of trust is supposed to be the Fulcio root cert.

Makes sense! In that case, we can simulate the "long chain" building by passing only the Fulcio root into the trust store and including the intermediate via the intermediates parameter to X509StoreContext. That will ensure we never terminate before the self-signed TA, regardless of OpenSSL flags like X509_V_FLAG_PARTIAL_CHAIN.

_Originally posted by @woodruffw in https://github.com/sigstore/sigstore-python/pull/910#discussion_r1511920994_
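An added example (not sigstore-python's or pyOpenSSL's code) of the chain-building rule described above, written against the `cryptography` package: the trust store holds only the self-signed root, the intermediate is handed in separately, and the walk refuses to terminate at anything but a self-signed anchor, with a `partial_chain` switch standing in for X509_V_FLAG_PARTIAL_CHAIN. The three-tier PKI, the depth cap and the function names are constructed for this illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _issue(cn, issuer, issuer_key, key, ca):
    """Constructed test PKI: issue a cert for `cn`; issuer=None means self-signed."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(minutes=1))
            .not_valid_after(now + dt.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def _signed_by(cert, issuer):
    """True iff `issuer` names cert's issuer and its key verifies cert's signature."""
    if issuer.subject != cert.issuer:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def build_chain(leaf, trusted, intermediates, partial_chain=False):
    """Walk from `leaf` to a trust anchor; return the verified chain, leaf first.
    By default the walk may only stop at a self-signed trusted cert, so a trusted
    intermediate cannot cut verification short (what the issue asks for);
    partial_chain=True stops at any trusted cert, like X509_V_FLAG_PARTIAL_CHAIN."""
    chain = [leaf]
    while len(chain) <= 8:  # hypothetical depth cap against issuer loops
        cur = chain[-1]
        if cur in trusted and (partial_chain or _signed_by(cur, cur)):
            return chain
        nxt = next((c for c in [*trusted, *intermediates] if c is not cur and _signed_by(cur, c)), None)
        if nxt is None:  # untrusted root, or an issuer we were never given
            raise ValueError(f"no trusted issuer for {cur.subject.rfc4514_string()}")
        chain.append(nxt)
    raise ValueError("chain too long")

# Constructed three-tier PKI standing in for Fulcio's root -> intermediate -> signing cert.
_root_key, _int_key, _leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
ROOT = _issue("root (constructed)", None, _root_key, _root_key, ca=True)
INTERMEDIATE = _issue("intermediate (constructed)", ROOT, _root_key, _int_key, ca=True)
LEAF = _issue("signing cert (constructed)", INTERMEDIATE, _int_key, _leaf_key, ca=False)
```

With only INTERMEDIATE in `trusted` and no partial-chain switch, `build_chain` raises rather than accepting the leaf, which is the behaviour the discussion wants regardless of OpenSSL flags.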

haydentherapper commented 8 months ago

https://github.com/sigstore/protobuf-specs/pull/245 now clarifies this.

woodruffw commented 8 months ago

Awesome! I'll open a PR for this today.

woodruffw commented 8 months ago

I'm looking into this now, and it's moderately complicated by the fact that we now (as of #910) have multiple chains to consider. Given that, I'm going to go with the ~X509_V_FLAG_PARTIAL_CHAIN approach for now and revisit the more general approach if https://github.com/sigstore/protobuf-specs/issues/249 is accepted 🙂

woodruffw commented 8 months ago

Opened #924 with the fix.