From 70e1ac458652dc477501b7723de61bd21e6af24a Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 7 May 2024 17:35:55 +0200 Subject: [PATCH 1/3] sigstore: add new verification policies for missing extensions Signed-off-by: Facundo Tuesca --- pyproject.toml | 1 + sigstore/verify/policy.py | 193 ++++++++++++++++++ test/unit/assets/bundle_v3_github.whl | Bin 0 -> 9172 bytes .../unit/assets/bundle_v3_github.whl.sigstore | 1 + test/unit/verify/test_policy.py | 40 ++++ 5 files changed, 235 insertions(+) create mode 100644 test/unit/assets/bundle_v3_github.whl create mode 100644 test/unit/assets/bundle_v3_github.whl.sigstore diff --git a/pyproject.toml b/pyproject.toml index 821b51f6..f28a267d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -28,6 +28,7 @@ dependencies = [ "cryptography >= 42", "id >= 1.1.0", "importlib_resources ~= 5.7; python_version < '3.11'", + "pyasn1", "pydantic >= 2,< 3", "pyjwt >= 2.1", "pyOpenSSL >= 23.0.0", diff --git a/sigstore/verify/policy.py b/sigstore/verify/policy.py index 24bab4be..4e931918 100644 --- a/sigstore/verify/policy.py +++ b/sigstore/verify/policy.py @@ -32,6 +32,8 @@ SubjectAlternativeName, UniformResourceIdentifier, ) +from pyasn1.codec.der.decoder import decode as der_decode +from pyasn1.type.char import UTF8String from sigstore.errors import VerificationError 
@@ -45,6 +47,23 @@ _OIDC_GITHUB_WORKFLOW_REPOSITORY_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.5") _OIDC_GITHUB_WORKFLOW_REF_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.6") _OTHERNAME_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.7") +_OIDC_ISSUER_V2_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.8") +_OIDC_BUILD_SIGNER_URI_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.9") +_OIDC_BUILD_SIGNER_DIGEST_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.10") +_OIDC_RUNNER_ENVIRONMENT_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.11") +_OIDC_SOURCE_REPOSITORY_URI_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.12") +_OIDC_SOURCE_REPOSITORY_DIGEST_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.13") +_OIDC_SOURCE_REPOSITORY_REF_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.14") +_OIDC_SOURCE_REPOSITORY_IDENTIFIER_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.15") +_OIDC_SOURCE_REPOSITORY_OWNER_URI_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.16") +_OIDC_SOURCE_REPOSITORY_OWNER_IDENTIFIER_OID = ObjectIdentifier( + "1.3.6.1.4.1.57264.1.17" +) +_OIDC_BUILD_CONFIG_URI_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.18") +_OIDC_BUILD_CONFIG_DIGEST_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.19") +_OIDC_BUILD_TRIGGER_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.20") +_OIDC_RUN_INVOCATION_URI_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.21") +_OIDC_SOURCE_REPOSITORY_VISIBILITY_OID = ObjectIdentifier("1.3.6.1.4.1.57264.1.22") class _SingleX509ExtPolicy(ABC): 
@@ -93,6 +112,41 @@ def verify(self, cert: Certificate) -> None: ) +class _SingleX509ExtPolicyDer(_SingleX509ExtPolicy): + """ + An base class for verification policies that boil down to checking a single + X.509 extension's value, where the value is formatted as a DER-encoded string, + the ASN.1 tag is UTF8String (0x0C) and the tag class is universal. + """ + + def verify(self, cert: Certificate) -> None: + """ + Verify this policy against `cert`. + + Raises `VerificationError` on failure. + """ + try: + ext = cert.extensions.get_extension_for_oid(self.oid).value + except ExtensionNotFound: + raise VerificationError( + ( + f"Certificate does not contain {self.__class__.__name__} " + f"({self.oid.dotted_string}) extension" + ) + ) + + # NOTE(ww): mypy is confused by the `Extension[ExtensionType]` returned + # by `get_extension_for_oid` above. + ext_value = der_decode(ext.value, UTF8String)[0].decode() # type: ignore[attr-defined] + if ext_value != self._value: + raise VerificationError( + ( + f"Certificate's {self.__class__.__name__} does not match " + f"(got {ext_value}, expected {self._value})" + ) + ) + + class OIDCIssuer(_SingleX509ExtPolicy): """ Verifies the certificate's OIDC issuer, identified by 
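Review bot: In `_SingleX509ExtPolicyDer.verify` the `der_decode` call is outside the `try`, so an extension whose payload is not a well-formed DER UTF8String (wrong tag, truncated length, invalid UTF-8) escapes as `pyasn1.error.PyAsn1Error` instead of the `VerificationError` the policy API raises for every other failure; a malformed certificate should fail verification, not crash it. The decoder also returns `(value, rest)` and the hunk discards `rest`, so trailing bytes after the encoded string are accepted silently, which a strict reading of the extension's DER content should reject. Wrapping the decode and requiring `rest` to be empty keeps both failures inside the policy error type; this needs `from pyasn1.error import PyAsn1Error` next to the existing pyasn1 imports. Separately, the class docstring's `An base class` should read `A base class`.
```python
        # NOTE(ww): mypy is confused by the `Extension[ExtensionType]` returned
        # by `get_extension_for_oid` above.
        try:
            decoded, rest = der_decode(ext.value, UTF8String)  # type: ignore[attr-defined]
        except PyAsn1Error as e:
            raise VerificationError(
                f"Certificate's {self.__class__.__name__} extension is not a "
                f"valid DER-encoded UTF8String: {e}"
            )
        if rest:
            raise VerificationError(
                f"Certificate's {self.__class__.__name__} extension has "
                f"{len(rest)} trailing bytes after the DER-encoded value"
            )
        ext_value = decoded.decode()
        # … unchanged: comparison against self._value …
```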
@@ -147,6 +201,145 @@ class GitHubWorkflowRef(_SingleX509ExtPolicy): oid = _OIDC_GITHUB_WORKFLOW_REF_OID +class OIDCIssuerV2(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC issuer, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.8`. + The difference with `OIDCIssuer` is that the value for + this extension is formatted to the RFC 5280 specification + as a DER-encoded string. + """ + + oid = _OIDC_ISSUER_V2_OID + + +class OIDCBuildSignerURI(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Build Signer URI, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.9`. + """ + + oid = _OIDC_BUILD_SIGNER_URI_OID + + +class OIDCBuildSignerDigest(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Build Signer Digest, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.10`. + """ + + oid = _OIDC_BUILD_SIGNER_DIGEST_OID + + +class OIDCRunnerEnvironment(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Runner Environment, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.11`. + """ + + oid = _OIDC_RUNNER_ENVIRONMENT_OID + + +class OIDCSourceRepositoryURI(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Source Repository URI, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.12`. + """ + + oid = _OIDC_SOURCE_REPOSITORY_URI_OID + + +class OIDCSourceRepositoryDigest(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Source Repository Digest, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.13`. + """ + + oid = _OIDC_SOURCE_REPOSITORY_DIGEST_OID + + +class OIDCSourceRepositoryRef(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Source Repository Ref, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.14`. 
+ """ + + oid = _OIDC_SOURCE_REPOSITORY_REF_OID + + +class OIDCSourceRepositoryIdentifier(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Source Repository Identifier, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.15`. + """ + + oid = _OIDC_SOURCE_REPOSITORY_IDENTIFIER_OID + + +class OIDCSourceRepositoryOwnerURI(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Source Repository Owner URI, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.16`. + """ + + oid = _OIDC_SOURCE_REPOSITORY_OWNER_URI_OID + + +class OIDCSourceRepositoryOwnerIdentifier(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Source Repository Owner Identifier, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.17`. + """ + + oid = _OIDC_SOURCE_REPOSITORY_OWNER_IDENTIFIER_OID + + +class OIDCBuildConfigURI(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Build Config URI, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.18`. + """ + + oid = _OIDC_BUILD_CONFIG_URI_OID + + +class OIDCBuildConfigDigest(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Build Config Digest, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.19`. + """ + + oid = _OIDC_BUILD_CONFIG_DIGEST_OID + + +class OIDCBuildTrigger(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Build Trigger, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.20`. + """ + + oid = _OIDC_BUILD_TRIGGER_OID + + +class OIDCRunInvocationURI(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Run Invocation URI, identified by + an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.21`. 
+ """ + + oid = _OIDC_RUN_INVOCATION_URI_OID + + +class OIDCSourceRepositoryVisibility(_SingleX509ExtPolicyDer): + """ + Verifies the certificate's OIDC Source Repository Visibility + At Signing, identified by an X.509v3 extension tagged with + `1.3.6.1.4.1.57264.1.22`. + """ + + oid = _OIDC_SOURCE_REPOSITORY_VISIBILITY_OID + + class VerificationPolicy(Protocol): """ A protocol type describing the interface that all verification policies 
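Review bot: The three digest policies in this hunk (`OIDCBuildSignerDigest`, `OIDCSourceRepositoryDigest`, `OIDCBuildConfigDigest`) do not document what form the expected value takes, and the base class compares it by plain string equality, so a caller supplying an abbreviated or upper-case commit SHA gets a mismatch `VerificationError` with no hint why. The test in this series passes full 40-hex-character git SHAs for all three; I would state that in each docstring, e.g. `The expected value is the full 40-character lower-case hex commit SHA, compared exactly.` The same applies to `OIDCSourceRepositoryIdentifier` and `OIDCSourceRepositoryOwnerIdentifier`, whose values the test passes as numeric strings (`"768213997"`, `"2314423"`), not integers. Finally, the `OIDCSourceRepositoryVisibility` docstring says "Visibility At Signing" while the class name drops "At Signing"; one or the other should be aligned.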
diff --git a/test/unit/assets/bundle_v3_github.whl b/test/unit/assets/bundle_v3_github.whl new file mode 100644 index 0000000000000000000000000000000000000000..00225acb8a344bb16015f9c172c21f3faa557f19 GIT binary patch literal 9172 zcmaKS1yCK`vh~5;-QC^Y9S-gi9D)RQcXtc!?h=B#yZgc2odg1bKlj;p@Atp^_SBxK znd-Hwt9R|$tGil70Rj>e006)O@V>j~__%u#(SQK}w|^$apRdlAX1qMSTr5UL*7nw} zMn=qzUUrGf3J`3l!#6LO65iH@msO-+gJCMM&-()|YE!q`1kOe*Q!LoAG~TW)K}=R$ z5v&h}p1m?9sr&8Hw6f_bG2>of+9)xJut{VC_twH8N}rHykGX-1&1y9n8tr28h)qg@ zwTlz!*3)r{uZd_@$_1hhwOCj-2Z#hWeYU$}9n;r0#$`DkWg08K6}g#dT->P6E-56!oLTrziWWUHNTNDYx^VQm)XWHCKXv5X`JjFbb*aS&4k;Bq* zf@_jg{Np;z$qry51p_4D8>R9Fsm4+cIr(CmsCPt@Wop9m{0v^h#};vqR~UMJ#IeIz z?BTA;_BPj@ydx8->vkS6K@CxS#C<*Je&M;^B`ikqj(FjVXsa3GQTdm+I*Nk%oWlVC z90ULW>OaTT+RpLIpP+W@+BtxD(ciC)#M(&69qiVfenHzMOEA0P=zd8l8YjkfM9fa6 z&5i?BQeuq~9QN)Y(v2tAxPllQ>Ch)BoGqWH1VC5r0yyFvbXLG;{ZgbpW-=5{re@2G6qq* zXDKRERFx!H;<=0uyF=vPymt}8ey{YtPtj2G7bYFc4R2Nz=B&U&=Qb06@6qY&y%&2P zm&L2I59NCjoRgHvi*f7E!tKH$ubf~6vf<8Z#2hljKnD`(;{K~a6IUNl_me}hz7vDP z(`AA7Wk#<^Z_uZN5r~e4iNW4mYrp*hpWP&gXYaXL?PvF}9VXZ$DoH9aonTtH1$1+{ zxvvF5w@dwzN4wjSYK`VIrzV2uUX~_OQrc`pO_7$3?!jrUp7qM)#z{iX4v*)1m7oh( zelcJg`3aIFjT-d=oBbDJmt)-ZXEe_JegH=bjdsNG{)VL*%a8O#C3nROyC%3 zwO%$u)Y&X#3qPCM-K1GpRnfnV_aSf{ zPLhRh8#GIr43LDXgjGWx`~CZ^!@-&IHm0?Kv;aW5_e=B$j(>nd6uYA&-7nZbw51E? 
zY%g9r`?Wcc*h?#yB%~Wo6ynjLh*${A!m+$ML25B)v*63422d}`g%&mb9wp~C4s=fa6Z!ILf#5I9AV!gbU{2VL>uAiveHf`1U=LPON8*nF;w zMsFXeoA52?Wddxw;L-Qz*q0UeciPX=M<=D&fHOh%aC&bvN1$qV$*LjGfbtkR4N5Yt zBRD;iH|XRN^|M4p#n;yLW;WPBF4zatN_#6Jd#sis;tr3bcv2kZ_qM!V3;faNI@ z=EHskVeU8yK=o5+stU&T zm~KM6Y3O1#Ur8mUu`$~Rre1;bANXi$c}YPaaZ?TR@xBBE4BS9cv68^AQGl`hXqG~- z^80u>iY}d4#d?eI>IF$BbF028E04Dt=a6V;pB~Q08XTc=5o-5wROw6XLNyygD13DY zm8x3no~Ks=jaEs9b-_a0a$%c8k$|AOF5JxXKk1e1FWW%!Xjg6nwhJNC6Utr0FJ$KiDlkx;Z4 zw6^JM1s)L{(A@P$PLn2%;NRTSG|u4yK|^Ra6mFaGOLTZ$wd8KyBf4YWo)C3Oldi^S zW+6PXQ7K46VpFTWD0u_AHgj0adZ+8xVx1W!Dir%J~TB&qK|A>*fB#J(>17@o`*bB2oL7{bCHaTwWLvq=I zA!7gTYQj2d$&tReK;mf_9Dvnrmg4Gz(+F68jkCbG8wn**NuCK1Z{6DL0Vt%Huq^-r5(wc1QnUBVN%B}vF1 zMssZ9imfL@)h+TIEeBo@-#oUWYmTVDwRZG~R6ReKxExpNj^uD_(Ap@WU&2D`D)I zscn-4>&fy_4Re_hNrQ-5H|ubFn2gO7!fx{LQaAb{n6PdMzS&dY>*1{xcBh41>GeiL zVMrM5(BQLJ`?#eK)sckM%*!6B+Cf0G$gc4(>j(SNOC05KD1F8n<-*nGKmEO&HhjFm z?0Y&0wubLR0b%5?L=p7H%>7$j@ z*Y_6;tkF{WIE8G#@HXP%5oglI$So1*Jvx9MuLK)eY0TIA4RE7~$X>&bDq38s*M+3AEmc zSL+tqnOuIs!>OsYq6DMpxQ_J^?BeF>*})nbPDyJbfzBwZxAOi=2xpUaTdswT-(YHZ*_Js+#7fW zJ>3vA>TE@NcvNQ}{l2&Vj&^givTx#|ANh1O`m{AYDBx=_r_VDv{oDKH0YaDzY-egX zuF9<(MrCH&$ji?1U6Nz(N0YT=wK)wm?^(f@i_lAY)vUUG%_45CSS751s_iTr#yh7y zslCoL_mE`}T0X*=WSD-H{FemNVtMR)q_I}Z&8uOQfu&oqL7y^0{bi(bZ#C6eby#c7=efiMs66QW_)k!i@{28H56N#a z`vnm~lY2-f``wKtG9nw>qC=F`(h)Eu(_N`}M8i=Ge$xumV(Z|WpZgUmLa(2HiX%#= zqUXflc+tJlGzDVSULGnHJ~$fjeD$f`691`O0S%OP%OkDu&^l0Jaw=o`Ys>P1w=nY8K-=UaOU2>7G?`6FskvhXqG69VwjDXXyD;t%K`bna}5YfqO?* z5{~jvD=6(U!Ckoig|IJ17h6_mH@jb@EpDA!fAfS6w4XN#+;cdNuBrGhtu)_`ILf0^v7Z%jwI6=XvC^uc1eAa=TLpGT~ zxSN*RVOV>CORi*#xG)bRuy~@-xl@JXjLgoJ23$L>L%%;7qJv0jd(x0|S5@h?+F+zb zBvH(;?4_;;40tcy+GqO!Ib5Phfm6-rswoU?(fypl%Aw#01O&oCus6qo*+CLO#v-`Nxlfm7mM~!r5Q)-S)zqmo2@Qdp`y;~%V zq|3g-K{~}?URtPtfzN&pHEp{GQp&P_A<%;g2vB+Xf_m`TJy>{*ot6?@W>_EIzvA_%qle*RmMJ>M8JNmf+3q(DNNv199iz$T*<|2cglb zRzD5W(Di&O?BVC-&7T2nCZ{dNP=`7RPQKx;a5Jw?2)6yvs1<$`WOD}?bD0XY#WZ<3 zhkp7>4;0uKy27A4aXy+aCNRIbT;^n=3SI+ta~X8Xet}^i>cx|(P^!#1Nw_k33)>zG 
z6?%NgnlGzMIuS!tLF!}qz(E~e3nIdB>cg;@g@>~o7@vc@EN-a2e1!%n zE(R@*Pegt){N9v=e>r_)83DnNoVeM6#v?Fhcv7;Qn)@B<5soNsq4391RKQVPArg1) zJr>$73a*^_Q}d;(7%!?vThB)DFW`OI#0wMhX|&44v8itHhZ)Nuppvz$SRK0C4C_#7 zKOgSU_rO05Uh8mWh4*I`V)!WSbmUuF<3;;w2Cyma*Y!m!UBG}Vm5Wos)X=?ilu?R4mqRfv>TOS0ct?2 ze-PDozJnC$btt-Ux3gWR+LxWPyjI@}IOZNL9vH&!m<>nV-FH7mB}-uP4NWwD9~KYk zZD%N2&@Q_@R3yY)$|h`#l&)E?bZzpxbpg%(FXD!aQI*g2hg|utp|YUDo(kfh1iM;D zGLmx>l@6E4cPEzx$>)RCGmyEsn5a;eI#uyu3D@8zjcQ}r z(Xl|4NMyRLw{=fQC$W5W+2Q=5OV%W>N>RM zq7T1=h`PMm>+AFz`_GBK$`I=Wi!(PtsRAIH**ZjUX7htYbVnb~yutAU zXVWX%+I*LF2*6_Aw;3m8Kb{DN~2GY=C#;>D+eq!0=rHYEv`*)dIl=(Bm8suJWZrsxf@HtyridBy0 zTf7R?^l?s{c#}g)MC~M@^M!za#PH*`@RRB z6Xf4aw75sS-Cff%gs(mM$4shPr^{zQ6l{;Ju`4s75Mzwb^};|hhP~_%%+akp8b&SQ z+3Y|N(RU9WX<05FaX!Z?HD9z)>%{gUhoQ@0m=fdRHT0{3^5Q;`UxzlnB@ONkxT-ZnnoheUO3s^pwvd#54RQzqD3N}BuRotfGc3pE$-Y2ym zXrF(*Q=A@}Wf&og5pW_WC2wd{zY~7%6&eV>?xWFJ7%x?MR*YF)tU%Ji^OS*ud8~_6 zgi*4YJ^n_P9lYbq)usZzrWTMNLvU5$HlP5~^96s0bLShOjI6Rx*z8j~iDS|V2D>Nc zVzGwTqKtUi^pIO-Si*{cE@!fN=Z?%m4bbcUx#P zMmgrmyRpM)+kR+^zxQje4-0m+$dE{SH9>(umP25^Bmen=9Os^VTAZ9Z^n8v6bPm6G zib7dY_*k9m#lizptE|be&9S{h*bOFD8)-)DtA-1L*wRw?nZgaT0 zmt|+q`nV)NQHesj*%1Ra7#rbk$!0Ube)#(1|Cg(ftou(|HsHgG(;sG<_W?59h0^L;(?Zl8ug z*QV?faVhyMBd=H(P&sEj-U^}dsh~YU@@@T4CYU$q;9}6-v@8@_; z!4;b>E@3;@@hr2UjHLY283B&LWnWXrr~O>dIrxMvT;#P}wq-G%m&;oYOpC>z=;fhf zaMBuGUpw%av?%^m=(gZ`WTY(DU9w^P3en0wCD)6tLfwqMcO6U(bIuNk%3{_F zeC=P#GZ}7M^w9DEOG)8P3|J&ZCu|imy%fW_HUe)pa`=&ry4eMtte_F)!pPPxu{E*d zNo^)a;whXRqqD$*#{TDJ!Ul|eEq46a%SlVXQvS4DRMbiUSJ>_W1-fLPHiR6$aI=p8VdmTPVzzie1{HNCOtpEnJc$<4Z1Wq<(^asx}?0$z@~XqEgQ6wfmmhlk zz?zj-p>HJoSc77b5~o&13E=k~x6jX$@tGGUSh5&bOi{^qwUhK*Z_BKb{n~+AT0!Vx zOr5s4yw2tY)%;+8yB8eqRZ5?EFaEyRh`4|U>8{%w4vrC>JV{K>^RJz#YKwlg$wF1tA7G%*)88^5wU?p8+=Ib*=2crOVf-vIHJ zCsR-3vTb)|!T>&HE-E8N+&Up2+Oe=DmGUuI+&c!=uAwLWPYU(%ZsMrqR~wfVGxf2v zN+>)pdSu@pr_*R3X@t+k)x~JRRr<3lYsGitTrV6gADR0(LVj{7W!9YR6quRZiJgOT zK9~cMv?ARx5+KYS=e}K($8`~yD|=y&AvmFd&uj8YWo+Wp;%q1@o|25r(&SKAD-(C6 zMUv1&X`x$+TaJ9;I8h+((PQDt+FU3Q@5jCJd$ 
zI{rd^SUMRRL9npD7iao%d9_|a7vnkbtupe`x8qgBdh_X-IeXG2%j3blw)I=uYS|qZ zfQun6`?&Y(of3z#!}Agf5h%X(dj^^wmd!?UQElbgcom$`mbkTm9!X0ZSw~X`9U4n_ zW2b%;UpMdB!T|RVSk3eF-AP&aVQZH>JVP|SJksS-g zcaC{CL6cTfV-H^Cq#t+F!DgRA>-p7}0mTmVV(V0nqyJ@)ceHy6p+b_6=m|Szo7u@V zN`8ZNd%5@9OrUb0LD*%B`205yHanCo^-Vl0+2_%Dk(8x;^TW@R;n{rH;3GL#@~xeS z^RldqL~)b)Yz0T{aT0HQo*$1`r!c`|bD^8hT4SBpTUmtfyF*O%{c`Q9RKIuEvc_Fk zxau_5T9~q8Ng043@|}_PyovEEs@+~4C5-KziT9RT}N)Fl2t ze)eio63S|lZd0A^!K?tlT=x!oMPlga9GD!vPBVH%Gh+^>*dLv*vQ&Q~sf=?2vni~M zwAD8&r^bDhNZHgDq|mQf(~aBXatW(nU0k~qW;S0vpy>RebVIk=-Fn8myD99!xFKhU)aNoH^aWGhTh>ux%WLc&VQr|-+{-JXqZ6<^56nSXDX&S5lc4><;Ws&g4!Wp zXtfL!I77GoO5v1%xmU+lz>P-CWhCX;*0Oz~%KGD&lslZJ-;{(FK}rVYV61Q{TOU85 zzDnGKquKT#=Ow%|ax}NSeg;JOCTA80i5YN9yoJV^8gUXHj@>A3YY)Qe%AC=JW7u}W z-W+xtEH503fb7&Ve6X?ZS6pd7f(L_jduFv<^8XAOSpKKH3sC|;Q&BMkj|fV{vU$>>SOpj`XAQ+T;Ki+?TGLf`oF8)e@Fkl+Wi;0 z;4k#Qt9}17+5aYr{vsQ}`yW^SKeGRjNPnmLyQKMxN*({-Q~kHV`8(U+_sm~xqNM+x a?LT*riUJh$KkQ-tTsME#W0ve6Z~qSo5WoQd literal 0 HcmV?d00001 diff --git a/test/unit/assets/bundle_v3_github.whl.sigstore b/test/unit/assets/bundle_v3_github.whl.sigstore new file mode 100644 index 00000000..f00a4a78 --- /dev/null +++ b/test/unit/assets/bundle_v3_github.whl.sigstore 
@@ -0,0 +1 @@ +{"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2", "verificationMaterial": {"x509CertificateChain": {"certificates": [{"rawBytes": "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"}]}, "tlogEntries": [{"logIndex": "79605083", "logId": {"keyId": "wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="}, "kindVersion": {"kind": "hashedrekord", "version": "0.0.1"}, "integratedTime": "1710888076", "inclusionPromise": {"signedEntryTimestamp": "MEYCIQD8ohK48/Ls8D4Qd3dQZl6geplAt0p5Sgpa1wabniB/ZgIhALsVfKCe1m2KKtaEImxijm5bO2K49NltHWafJE2a1hnr"}, "inclusionProof": {"logIndex": "75441652", "rootHash": "uAqI3id6JHPMMNUltHIKHuX1kVHpm5y7jSfnbaRO+E4=", "treeSize": "75441653", "hashes": ["XoeIGlDW7f2lVjTlQEXPaV7szUXY2BECAEKtNA/lgfk=", "Pz5CyFQH78eikJoZuJ44Ls4R5najWJ1nKWunxb/vxeM=", "COo4wZnRb/d6zZOa7RP1euSRFb7H5EX5bYXs4HEQ0uU=", "1A4EnFDN5UCHjrJDWPuYDmY+ZLb4B+Jvis+k3ti+wjs=", "bBpWKtQryG7/tMDt9HDvKk/Fp3S+q7gTnYF56qGKMiI=", "ZR8qbYzXTNaK4SaofTZtbR0srNmOJ0Yx891OF5/G2gQ=", "7MueyMCRkh/GaluPkJl3xQFyXFq/SS9xykP299KtvS0=", "kFt/VRwfXksHcnd9vpdeifz3N16KyWQoDxAPfLlRwTA=", "gtt9e0foHZTCS9w+epNsmDWbwvX4FNV1EAg0rhxLfjg=", "BGqH+LzVuhuqCLiUvBJaB2hlsvtu2a15qq1WGw6mG44=", "OeS7D4kPES7ChE7kWSEmhbAMqBcKVj/z8/afMK4Y3pI=", "JtjqvAqFyXXYjWlZfDzElHpEzdBjsz1LmGFJuYx0kTU=", "s/ZIVcfcD4/nuZwUtQf4ydGsIAkGTPTzk3b0zhUC95k=", "YU1jZY/fp5tJdGF/i+/7ez8107O4/lOUp7acMPFEaOA=", "7Z18YLBAvejEV4nJHIKoks/xlijnhR005qTW2w4QtHg=", "98enzMaC+x5oCMvIZQA5z8vu2apDMCFvE/935NfuPw8="], "checkpoint": {"envelope": "rekor.sigstore.dev - 2605736670972794746\n75441653\nuAqI3id6JHPMMNUltHIKHuX1kVHpm5y7jSfnbaRO+E4=\n\n\u2014 rekor.sigstore.dev wNI9ajBGAiEA5perJLLm94gCQOQT5/vO29OXWNZ1SoengZDZ/U6vsOUCIQDBL0BIkCjWGR6V622znnVpXF5D1g0jPgajBlHh8uSc8g==\n"}}, "canonicalizedBody": "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"}]}, "messageSignature": {"messageDigest": {"algorithm": "SHA2_256", "digest": "xOkunsyCi+8qp9uh3orJg1EfdTKg3xHHcNOQmaJc8gE="}, "signature": 
"MEYCIQCeH6E3MpZngWA6RPg8HAl/Z764hTFYycNyF3R+mPTSbAIhAPgMS8qBM8lCEU2XW765myMMz2zuyu9iTF40PH+XZlJQ"}} diff --git a/test/unit/verify/test_policy.py b/test/unit/verify/test_policy.py index fcdabc52..40ab44d5 100644 --- a/test/unit/verify/test_policy.py +++ b/test/unit/verify/test_policy.py 
@@ -151,3 +151,43 @@ def test_fails_no_san_match(self, signing_bundle): match="Certificate's SANs do not match", ): policy_.verify(bundle.signing_certificate) + + +class TestSingleExtPolicy: + def test_succeeds(self, signing_bundle): + _, bundle = signing_bundle("bundle_v3_github.whl") + + verification_policy_extensions = [ + policy.OIDCIssuer("https://token.actions.githubusercontent.com"), + policy.GitHubWorkflowTrigger("release"), + policy.GitHubWorkflowSHA("d8b4a6445f38c48b9137a8099706d9b8073146e4"), + policy.GitHubWorkflowName("release"), + policy.GitHubWorkflowRepository("trailofbits/rfc8785.py"), + policy.GitHubWorkflowRef("refs/tags/v0.1.2"), + policy.OIDCIssuerV2("https://token.actions.githubusercontent.com"), + policy.OIDCBuildSignerURI( + "https://github.com/trailofbits/rfc8785.py/.github/workflows/release.yml@refs/tags/v0.1.2" + ), + policy.OIDCBuildSignerDigest("d8b4a6445f38c48b9137a8099706d9b8073146e4"), + policy.OIDCRunnerEnvironment("github-hosted"), + policy.OIDCSourceRepositoryURI("https://github.com/trailofbits/rfc8785.py"), + policy.OIDCSourceRepositoryDigest( + "d8b4a6445f38c48b9137a8099706d9b8073146e4" + ), + policy.OIDCSourceRepositoryRef("refs/tags/v0.1.2"), + policy.OIDCSourceRepositoryIdentifier("768213997"), + policy.OIDCSourceRepositoryOwnerURI("https://github.com/trailofbits"), + policy.OIDCSourceRepositoryOwnerIdentifier("2314423"), + policy.OIDCBuildConfigURI( + "https://github.com/trailofbits/rfc8785.py/.github/workflows/release.yml@refs/tags/v0.1.2" + ), + policy.OIDCBuildConfigDigest("d8b4a6445f38c48b9137a8099706d9b8073146e4"), + policy.OIDCBuildTrigger("release"), + policy.OIDCRunInvocationURI( + "https://github.com/trailofbits/rfc8785.py/actions/runs/8351058501/attempts/1" + ), + policy.OIDCSourceRepositoryVisibility("public"), + ] + + policy_ = policy.AllOf(verification_policy_extensions) + policy_.verify(bundle.signing_certificate) From 47f73f22d98ff33127b661e6f5bc147d2595b0ab Mon Sep 17 00:00:00 2001 
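Review bot: `TestSingleExtPolicy.test_succeeds` exercises only the matching path, so neither raising branch of the new `_SingleX509ExtPolicyDer.verify` is covered: the missing-extension branch ("Certificate does not contain …") and the mismatch branch ("… does not match"). A negative case next to this one would pin the mismatch message, e.g. `with pytest.raises(VerificationError, match="does not match"): policy.OIDCBuildTrigger("push").verify(bundle.signing_certificate)` (any value other than the bundle's `release` works). A second case against a certificate that lacks the v2 extensions, such as the existing pre-v3 bundles the file's other tests load, would hit the `ExtensionNotFound` branch rather than only the decode path. The class name suggests it covers both the raw-string and DER policy families, which the list does, so a one-line class docstring saying so would help the next reader.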
From: Facundo Tuesca Date: Tue, 7 May 2024 17:55:39 +0200 Subject: [PATCH 2/3] Rename policy class Signed-off-by: Facundo Tuesca --- sigstore/verify/policy.py | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/sigstore/verify/policy.py b/sigstore/verify/policy.py index 4e931918..e83483a3 100644 --- a/sigstore/verify/policy.py +++ b/sigstore/verify/policy.py @@ -112,7 +112,7 @@ def verify(self, cert: Certificate) -> None: ) -class _SingleX509ExtPolicyDer(_SingleX509ExtPolicy): +class _SingleX509ExtPolicyV2(_SingleX509ExtPolicy): """ An base class for verification policies that boil down to checking a single X.509 extension's value, where the value is formatted as a DER-encoded string, @@ -201,7 +201,7 @@ class GitHubWorkflowRef(_SingleX509ExtPolicy): oid = _OIDC_GITHUB_WORKFLOW_REF_OID -class OIDCIssuerV2(_SingleX509ExtPolicyDer): +class OIDCIssuerV2(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC issuer, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.8`. @@ -213,7 +213,7 @@ class OIDCIssuerV2(_SingleX509ExtPolicyDer): oid = _OIDC_ISSUER_V2_OID -class OIDCBuildSignerURI(_SingleX509ExtPolicyDer): +class OIDCBuildSignerURI(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Build Signer URI, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.9`. @@ -222,7 +222,7 @@ class OIDCBuildSignerURI(_SingleX509ExtPolicyDer): oid = _OIDC_BUILD_SIGNER_URI_OID -class OIDCBuildSignerDigest(_SingleX509ExtPolicyDer): +class OIDCBuildSignerDigest(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Build Signer Digest, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.10`. 
@@ -231,7 +231,7 @@ class OIDCBuildSignerDigest(_SingleX509ExtPolicyDer): oid = _OIDC_BUILD_SIGNER_DIGEST_OID -class OIDCRunnerEnvironment(_SingleX509ExtPolicyDer): +class OIDCRunnerEnvironment(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Runner Environment, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.11`. @@ -240,7 +240,7 @@ class OIDCRunnerEnvironment(_SingleX509ExtPolicyDer): oid = _OIDC_RUNNER_ENVIRONMENT_OID -class OIDCSourceRepositoryURI(_SingleX509ExtPolicyDer): +class OIDCSourceRepositoryURI(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Source Repository URI, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.12`. @@ -249,7 +249,7 @@ class OIDCSourceRepositoryURI(_SingleX509ExtPolicyDer): oid = _OIDC_SOURCE_REPOSITORY_URI_OID -class OIDCSourceRepositoryDigest(_SingleX509ExtPolicyDer): +class OIDCSourceRepositoryDigest(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Source Repository Digest, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.13`. @@ -258,7 +258,7 @@ class OIDCSourceRepositoryDigest(_SingleX509ExtPolicyDer): oid = _OIDC_SOURCE_REPOSITORY_DIGEST_OID -class OIDCSourceRepositoryRef(_SingleX509ExtPolicyDer): +class OIDCSourceRepositoryRef(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Source Repository Ref, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.14`. @@ -267,7 +267,7 @@ class OIDCSourceRepositoryRef(_SingleX509ExtPolicyDer): oid = _OIDC_SOURCE_REPOSITORY_REF_OID -class OIDCSourceRepositoryIdentifier(_SingleX509ExtPolicyDer): +class OIDCSourceRepositoryIdentifier(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Source Repository Identifier, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.15`. 
@@ -276,7 +276,7 @@ class OIDCSourceRepositoryIdentifier(_SingleX509ExtPolicyDer): oid = _OIDC_SOURCE_REPOSITORY_IDENTIFIER_OID -class OIDCSourceRepositoryOwnerURI(_SingleX509ExtPolicyDer): +class OIDCSourceRepositoryOwnerURI(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Source Repository Owner URI, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.16`. @@ -285,7 +285,7 @@ class OIDCSourceRepositoryOwnerURI(_SingleX509ExtPolicyDer): oid = _OIDC_SOURCE_REPOSITORY_OWNER_URI_OID -class OIDCSourceRepositoryOwnerIdentifier(_SingleX509ExtPolicyDer): +class OIDCSourceRepositoryOwnerIdentifier(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Source Repository Owner Identifier, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.17`. @@ -294,7 +294,7 @@ class OIDCSourceRepositoryOwnerIdentifier(_SingleX509ExtPolicyDer): oid = _OIDC_SOURCE_REPOSITORY_OWNER_IDENTIFIER_OID -class OIDCBuildConfigURI(_SingleX509ExtPolicyDer): +class OIDCBuildConfigURI(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Build Config URI, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.18`. @@ -303,7 +303,7 @@ class OIDCBuildConfigURI(_SingleX509ExtPolicyDer): oid = _OIDC_BUILD_CONFIG_URI_OID -class OIDCBuildConfigDigest(_SingleX509ExtPolicyDer): +class OIDCBuildConfigDigest(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Build Config Digest, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.19`. @@ -312,7 +312,7 @@ class OIDCBuildConfigDigest(_SingleX509ExtPolicyDer): oid = _OIDC_BUILD_CONFIG_DIGEST_OID -class OIDCBuildTrigger(_SingleX509ExtPolicyDer): +class OIDCBuildTrigger(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Build Trigger, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.20`. 
@@ -321,7 +321,7 @@ class OIDCBuildTrigger(_SingleX509ExtPolicyDer): oid = _OIDC_BUILD_TRIGGER_OID -class OIDCRunInvocationURI(_SingleX509ExtPolicyDer): +class OIDCRunInvocationURI(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Run Invocation URI, identified by an X.509v3 extension tagged with `1.3.6.1.4.1.57264.1.21`. @@ -330,7 +330,7 @@ class OIDCRunInvocationURI(_SingleX509ExtPolicyDer): oid = _OIDC_RUN_INVOCATION_URI_OID -class OIDCSourceRepositoryVisibility(_SingleX509ExtPolicyDer): +class OIDCSourceRepositoryVisibility(_SingleX509ExtPolicyV2): """ Verifies the certificate's OIDC Source Repository Visibility At Signing, identified by an X.509v3 extension tagged with From 936be652d33e4da8caa47940b1cc75c322adb377 Mon Sep 17 00:00:00 2001 From: Facundo Tuesca Date: Tue, 7 May 2024 17:59:49 +0200 Subject: [PATCH 3/3] Update pyproject.toml Co-authored-by: William Woodruff Signed-off-by: Facundo Tuesca --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index f28a267d..c92334a1 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -28,7 +28,7 @@ dependencies = [ "cryptography >= 42", "id >= 1.1.0", "importlib_resources ~= 5.7; python_version < '3.11'", - "pyasn1", + "pyasn1 ~= 0.6", "pydantic >= 2,< 3", "pyjwt >= 2.1", "pyOpenSSL >= 23.0.0",