Add support for certificate chain to verify certificate #1659
Conversation
Codecov Report

@@ Coverage Diff @@
             main     #1659    +/-
  Coverage   28.18%   28.73%   +0.54%
  Files      139      139
  Lines      7997     8214     +217
  Hits       2254     2360     +106
  Misses     5495     5602     +107
  Partials   248      252      +4

Continue to review full report at Codecov.
This adds a flag to provide a chain of CA certificates to verify a certificate provided by flag. Callers should include a chain from the parent of the certificate to the root. While it'd be ideal to force the root to be specified out of band, by TUF, that code is currently intertwined with expectations around Fulcio and Rekor usage. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
This also checks if the certificate matches a subject provided via flag. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
I'm putting my verification notes and comments here, let me know if you'd rather all the comments in one place. Is the following expected to work? Sign with a full chain, and verify with only the root? I was unable to get this to work. I verified the chain using
Some follow up operations could make sense to add longer term:
I'm actually not sure if A user may want to provide a root bundle, not a specific chain for verification. This isn't possible with a
No, it would not work without the intermediate. The verification library needs the intermediate CA in order to build a chain from leaf to root. For OpenSSL,
See the last part of this comment.
This actually should work! It would require the
Good find, will update this!
This gets back to an initial remark I made about not supporting roots specified from the command line. I agree that it'd be reasonable to support a root bundle (and a bundle of intermediates for path finding too). I'd prefer to encourage users to use TUF for this however. This provides an out-of-band mechanism for forming the trust bundle, and that trust bundle can be verified by the TUF framework (Users can provide their own TUF metadata via My concern with providing a certificate chain without pinning the certificate means a client could be coerced into using a chain that issued a certificate from an untrusted identity. The same issue arises with a trust bundle. By pinning the certificate and/or the identity of the certificate, this risk is reduced (the assumption being it should be easier to confirm a trusted identity rather than a trusted chain).
Ok thanks, it sounds like validation is working as intended then. This does support verifying "is this image signed by this specific cert with this specific full chain". I look forward to seeing how other tooling can take advantage of these signatures and provide flexible verification policy.
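The two points made in the replies above, that path building needs the intermediate (root alone is not enough) and that the chain should be paired with a pinned identity, as an added Go example that is not cosign's own code. It builds a constructed in-memory PKI (root, intermediate, leaf with an e-mail SAN); `issue` and `VerifyWithChain` are hypothetical helper names, and the chain is ordered parent-first with the root last, as the flag description specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a cert for a constructed in-memory PKI: parent == nil self-signs, a nil SAN list marks a CA.
func issue(serial int64, cn string, sans []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, EmailAddresses: sans,
		IsCA: sans == nil, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails on a broken RNG
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER that Go itself just produced always parses
	return cert, key
}

// VerifyWithChain mirrors the flag: chain runs from the leaf's parent up to the root (root last), so only
// the last entry is a trust anchor; the leaf must also carry the expected identity, not merely chain to it.
func VerifyWithChain(leaf *x509.Certificate, chain []*x509.Certificate, email string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for i, c := range chain {
		if i < len(chain)-1 {
			inters.AddCert(c) // intermediates only take part in path building
		} else {
			roots.AddCert(c) // an empty chain leaves roots empty, so Verify fails closed
		}
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters}); err != nil {
		return err
	}
	for _, e := range leaf.EmailAddresses {
		if e == email {
			return nil
		}
	}
	return fmt.Errorf("certificate SAN does not contain %q", email)
}
```

Passing only the root in the chain makes `Verify` return an unknown-authority error, which is the behaviour described in the thread; passing the full chain but a different expected e-mail fails on the identity check instead.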
* Add support for certificate chain to verify certificate

This adds a flag to provide a chain of CA certificates to verify a certificate provided by flag. Callers should include a chain from the parent of the certificate to the root. While it'd be ideal to force the root to be specified out of band, by TUF, that code is currently intertwined with expectations around Fulcio and Rekor usage.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* Fix test

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* Use function to validate certificate chain

This also checks if the certificate matches a subject provided via flag.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
This adds a flag to provide a chain of CA certificates to verify a
certificate provided by flag. Callers should include a chain from the
parent of the certificate to the root.
While it'd be ideal to force the root to be specified out of band, by
TUF, that code is currently intertwined with expectations around Fulcio
and Rekor usage.
Signed-off-by: Hayden Blauzvern hblauzvern@google.com
Summary
Ticket Link
Ref #1554
Release Note