From 6e5cb0963cf767f523efde984fedbb5d4b485199 Mon Sep 17 00:00:00 2001
From: Aditya Sirish A Yelgundhalli
Date: Sun, 13 Oct 2024 15:30:20 -0400
Subject: [PATCH] Handle GeneralName as SAN

Signed-off-by: Aditya Sirish A Yelgundhalli
---
 internal/fork/ietf-cms/verify.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/internal/fork/ietf-cms/verify.go b/internal/fork/ietf-cms/verify.go
index 3b16782c..fb5fb7e0 100644
--- a/internal/fork/ietf-cms/verify.go
+++ b/internal/fork/ietf-cms/verify.go
@@ -3,9 +3,11 @@ package cms
 import (
 	"bytes"
 	"crypto/x509"
+	"encoding/asn1"
 	"errors"
 
 	"github.com/github/smimesign/ietf-cms/protocol"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
 )
 
 // Verify verifies the SingerInfos' signatures. Each signature's associated
@@ -120,6 +122,23 @@ func (sd *SignedData) verify(econtent []byte, opts x509.VerifyOptions, tsOpts x5
 		return nil, err
 	}
 
+	// Handle certificates where the Subject Alternative Name is not set to
+	// a supported GeneralName (RFC 5280 4.2.1.6). Go only supports DNS, IP
+	// addresses, email addresses, or URIs as SANs. Fulcio can issue a
+	// certificate with an OtherName GeneralName, so remove the unhandled
+	// critical SAN extension before verifying.
+	// This matches https://github.com/sigstore/cosign/blob/a0752eb40b500316ac417baf4926a2c2d99b39b8/pkg/cosign/verify.go#L236-L248
+	if len(cert.UnhandledCriticalExtensions) > 0 {
+		var unhandledExts []asn1.ObjectIdentifier
+		for _, oid := range cert.UnhandledCriticalExtensions {
+			if !oid.Equal(cryptoutils.SANOID) {
+				unhandledExts = append(unhandledExts, oid)
+			}
+		}
+
+		cert.UnhandledCriticalExtensions = unhandledExts
+	}
+
 	algo := si.X509SignatureAlgorithm()
 	if algo == x509.UnknownSignatureAlgorithm {
 		return nil, protocol.ErrUnsupported
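Review bot: Dropping the SAN OID from `cert.UnhandledCriticalExtensions` is applied to every signer certificate, not only Fulcio-issued ones, and it means the later chain verification will silently accept a certificate whose only identity is a GeneralName Go could not parse (`cert.DNSNames`/`EmailAddresses`/`URIs` stay empty), which is the situation RFC 5280 §4.2 says a verifier must reject unless it understands the extension itself. That is only safe if the caller goes on to read the identity from the raw extension (e.g. `cryptoutils.GetSubjectAlternateNames(cert)`, which parses `cert.Extensions` directly) and binds it to the expected signer; nothing in this hunk does that, and `verify` both starts and ends outside it, so I cannot confirm whether the caller does. Please state that contract next to the strip, e.g. `// NOTE: after this, cert.Verify no longer rejects an unparsed critical SAN; callers MUST derive the signer identity from cert.Extensions (cryptoutils.GetSubjectAlternateNames), never from cert.DNSNames/EmailAddresses/URIs, which are empty for OtherName-only SANs.` As a minor style point, the `if len(cert.UnhandledCriticalExtensions) > 0` guard is redundant since ranging over an empty slice is a no-op, though keeping it preserves a nil slice in that case.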