Change username format, enforce identity format #802
Conversation
This updates the username type to avoid the username subject format looking like an email. Fulcio will now specify the subject in the OtherName SAN, and the format will use a ! instead of @. This required some custom ASN.1 marshalling and unmarshalling, since crypto/x509 does not support the OtherName SAN. This also adds enforcement that email subjects match a basic email regex format, and that other types do not look like emails.
Fixes sigstore#716
Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
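The enforcement half of the change, as an added example rather than Fulcio's own code: each issuer kind claims one subject shape, email subjects must match an email pattern, and every other kind is rejected if it could pass for an email, so a verifier can never confuse a username identity with an email identity. The regex, the SubjectKind type and the function names are assumptions for this example; Fulcio's actual pattern is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Basic email shape check. This pattern is an assumption for the example, not the
// regex Fulcio adopted; it only needs to be strict enough that no "user!domain"
// subject can satisfy it.
var emailRe = regexp.MustCompile(`^[^@\s]+@[^@\s]+\.[^@\s]+$`)

// SubjectKind names the identity type an issuer is configured to assert.
type SubjectKind string

const (
	KindEmail    SubjectKind = "email"
	KindUsername SubjectKind = "username"
)

// ValidateSubject enforces the rule from the PR: email subjects must look like
// emails, and other kinds must not, so the two can never be mistaken for each other.
func ValidateSubject(kind SubjectKind, subject string) error {
	looksLikeEmail := emailRe.MatchString(subject)
	switch kind {
	case KindEmail:
		if !looksLikeEmail {
			return fmt.Errorf("email subject %q is not a valid email address", subject)
		}
	case KindUsername:
		if looksLikeEmail || strings.Contains(subject, "@") {
			return fmt.Errorf("username subject %q must not resemble an email address", subject)
		}
		if _, _, err := SplitUsername(subject); err != nil {
			return err
		}
	default:
		return fmt.Errorf("unknown subject kind %q", kind)
	}
	return nil
}

// FormatUsername produces the user!domain form; neither part may contain the
// separator or an '@', which is what keeps the result from looking like an email.
func FormatUsername(user, domain string) (string, error) {
	if user == "" || domain == "" || strings.ContainsAny(user+domain, "!@") {
		return "", errors.New("username and domain must be non-empty and free of '!' and '@'")
	}
	return user + "!" + domain, nil
}

// SplitUsername is the inverse, accepting exactly one '!' with non-empty halves.
func SplitUsername(subject string) (user, domain string, err error) {
	parts := strings.Split(subject, "!")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("username subject %q is not in user!domain form", subject)
	}
	return parts[0], parts[1], nil
}

func main() {
	// Constructed sample subjects: two valid, two that the rules must reject.
	for _, c := range []struct {
		kind SubjectKind
		s    string
	}{
		{KindEmail, "alice@example.com"},
		{KindEmail, "alice"},
		{KindUsername, "alice!example.com"},
		{KindUsername, "alice@example.com"},
	} {
		fmt.Printf("%-8s %-22q -> %v\n", c.kind, c.s, ValidateSubject(c.kind, c.s))
	}
}
```

The interesting rejection is the last one: an issuer configured for usernames that emits `alice@example.com` would otherwise mint a certificate indistinguishable from an email identity, which is exactly the ambiguity the `!` separator and the cross-check remove.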
cc @woodruffw - Thanks for the suggestion to use OtherName! You also gave me an excuse to dig a bit more into ASN.1 encoding, which may or may not have been productive. :)
Codecov Report
@@ Coverage Diff @@
## main #802 +/- ##
==========================================
+ Coverage 54.54% 55.56% +1.01%
==========================================
Files 36 37 +1
Lines 2275 2354 +79
==========================================
+ Hits 1241 1308 +67
- Misses 942 950 +8
- Partials 92 96 +4
Exciting! I'll update the relevant bits on
Found issue, crypto/x509 doesn't handle a critical SAN extension with a GeneralName like OtherName (not DNS/IP/email/URI). Either needs to be non-critical or figure out if we can fix this in the library
AI: Look at certificate-transparency-go |
Found a way to handle this! You can remove unhandled critical extensions before verifying, there's a I've filed a proposal in Go to add support for OtherName too.
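Both points from the thread in one runnable piece, added here as an example and not code from Fulcio or from Go: the custom ASN.1 marshalling and unmarshalling the PR description mentions (an `otherName` GeneralName is `[0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ... }`, which an `x509.Certificate` template cannot express), followed by the behaviour found above: `crypto/x509` parses a critical SAN containing only an `otherName`, recognises none of it, lists the extension under `UnhandledCriticalExtensions`, and `Verify` rejects the chain until a verifier that has parsed the name itself clears that list. The OID `1.3.6.1.4.1.99999.1` is a placeholder, not Fulcio's; `MarshalOtherNameSAN`, `ParseOtherNameSAN`, `BuildChain` and `VerifyLeaf` are names chosen for this example, and the throwaway root and leaf are generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var (
	ExampleOtherNameOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // placeholder arc, example only
	OIDSubjectAltName   = asn1.ObjectIdentifier{2, 5, 29, 17}
)

// otherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }; inside a
// GeneralName the SEQUENCE is re-tagged [0] IMPLICIT, which the "tag:0" params below do.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"utf8,explicit,tag:0"`
}

// MarshalOtherNameSAN builds a SubjectAltName value holding a single otherName GeneralName.
func MarshalOtherNameSAN(oid asn1.ObjectIdentifier, identity string) ([]byte, error) {
	gn, err := asn1.MarshalWithParams(otherName{TypeID: oid, Value: identity}, "tag:0")
	if err != nil {
		return nil, err
	}
	return asn1.Marshal([]asn1.RawValue{{FullBytes: gn}}) // GeneralNames ::= SEQUENCE OF GeneralName
}

// ParseOtherNameSAN does the unmarshalling crypto/x509 skips: it returns the value of the
// first otherName in the SAN extension whose type-id matches oid.
func ParseOtherNameSAN(exts []pkix.Extension, oid asn1.ObjectIdentifier) (string, error) {
	for _, ext := range exts {
		if !ext.Id.Equal(OIDSubjectAltName) {
			continue
		}
		var names []asn1.RawValue
		if rest, err := asn1.Unmarshal(ext.Value, &names); err != nil || len(rest) != 0 {
			return "", errors.New("malformed SAN extension")
		}
		for _, gn := range names {
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != 0 {
				continue // dNSName, rfc822Name, iPAddress, URI: crypto/x509 already handles these
			}
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err != nil {
				return "", err
			}
			if on.TypeID.Equal(oid) {
				return on.Value, nil
			}
		}
	}
	return "", errors.New("no otherName with the expected type-id")
}

func check(err error) {
	if err != nil {
		panic(err) // demo issuer; real code returns these errors
	}
}

// BuildChain issues a leaf under a throwaway root. Like a Fulcio certificate, the leaf has
// an empty Subject and a critical SAN, here holding nothing but the otherName identity.
func BuildChain(identity string) (*x509.CertPool, *x509.Certificate) {
	san, err := MarshalOtherNameSAN(ExampleOtherNameOID, identity)
	check(err)
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: OIDSubjectAltName, Critical: true, Value: san}},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	check(err)
	leaf, err := x509.ParseCertificate(leafDER)
	check(err)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, leaf
}

// VerifyLeaf shows the workaround from the thread: Verify refuses a certificate whose
// critical SAN it could not interpret; a verifier that parsed the otherName itself may
// clear UnhandledCriticalExtensions first.
func VerifyLeaf(pool *x509.CertPool, leaf *x509.Certificate, clearUnhandled bool) error {
	if clearUnhandled {
		leaf.UnhandledCriticalExtensions = nil
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	pool, leaf := BuildChain("foo!127.0.0.1")
	id, err := ParseOtherNameSAN(leaf.Extensions, ExampleOtherNameOID)
	fmt.Println("identity:", id, err, "| unhandled critical:", leaf.UnhandledCriticalExtensions)
	fmt.Println("verify as parsed:", VerifyLeaf(pool, leaf, false))
	fmt.Println("verify after clearing:", VerifyLeaf(pool, leaf, true))
}
```

Clearing the list is safe only after the verifier has actually parsed and understood every extension it is discarding; dropping it unconditionally would turn any unknown critical extension into a silent pass.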
@haydentherapper just one comment: a "username" would cause an existing Cosign client to choke, but you found an easy fix and we can roll that out to clients soon. In the meantime, we don't actually have username issuers configured in the public instance so it's not a problem in practice, and we just need to wait. Is that right? The other fixes (e.g., verifying email format) won't break anybody because we haven't seen any SANs that don't match so we don't need to worry there.
Yes, correct. No impact to production because we don't have any username issuers currently. This could impact someone who's deployed their own instance of Fulcio, but I am doubtful anyone is using the username identity right now, since it's not thoroughly documented. Also it would only impact them once they've updated to the latest Fulcio, so I'll make a note in the release notes to update to the latest Cosign, and we'll not cut a new release until the Cosign fix is out.
@haydentherapper do you have an example certificate that includes the
Sweet, awesome to see this being added! This cert was generated from the tests:
It works, @haydentherapper! ...
    X509v3 Authority Key Identifier:
        keyid:DF:33:25:1A:5F:FE:27:51:DE:8A:17:F3:6A:32:27:90:42:50:51:A3
    X509v3 Subject Alternative Name: critical
        Fulcio Identity: foo!127.0.0.1
    Fulcio OIDC Issuer:
        http://127.0.0.1:45661
    RFC6962 Certificate Transparency SCT:
... What do you think would be the best name for these? I've used
I think
Summary
This updates the username type to avoid the username subject format
looking like an email. Fulcio will now specify the subject in the
OtherName SAN, and the format will use a ! instead of @.
This required some custom ASN.1 marshalling and unmarshalling, since
crypto/x509 does not support the OtherName SAN.
This also adds enforcement that email subjects match a basic email
regex format, and that other types do not look like emails.
Fixes #716
Release Note
Changed username identity format to username!Domain, username now specified in the OtherName SAN. If you have deployed your own instance of Fulcio and are using username issuers, you must update to the latest Cosign release.
Documentation