Merge remote-tracking branch 'upstream/main' into issue872

sigstore · Jun 20, 2022 · 0d8f60a · 0d8f60a
2 parents 8212c78 + 85e60c5
commit 0d8f60a
Show file tree

Hide file tree

Showing 7 changed files with 238 additions and 160 deletions.
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -25,4 +25,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@97790d29c7fb370b5e1edbec513501e78789337d # v1
+        uses: actions/dependency-review-action@1c59cdf2a9c7f29c90e8da32237eb04b81bad9f0 # v2
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -86,7 +86,7 @@ jobs:
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3
         if: failure()
         with:
-          name: Docker Compose logs
+          name: E2E Docker Compose logs
           path: /tmp/docker-compose.log
 
   sharding-e2e:
@@ -110,7 +110,7 @@ jobs:
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3
         if: failure()
         with:
-          name: Docker Compose logs
+          name: Sharding E2E Docker Compose logs
           path: /tmp/docker-compose.log
 
   issue-872-e2e:

diff --git a/CHANGELOG.md b/CHANGELOG.md
diff --git a/pkg/pki/x509/testutils/cert_test_utils.go b/pkg/pki/x509/testutils/cert_test_utils.go
@@ -67,7 +67,7 @@ func GenerateRootCa() (*x509.Certificate, *ecdsa.PrivateKey, error) {
 			CommonName:   "sigstore",
 			Organization: []string{"sigstore.dev"},
 		},
-		NotBefore:             time.Now().Add(-5 * time.Minute),
+		NotBefore:             time.Now().Add(-10 * time.Minute),
 		NotAfter:              time.Now().Add(5 * time.Hour),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
@@ -94,7 +94,7 @@ func GenerateSubordinateCa(rootTemplate *x509.Certificate, rootPriv crypto.Signe
 			CommonName:   "sigstore-sub",
 			Organization: []string{"sigstore.dev"},
 		},
-		NotBefore:             time.Now().Add(-2 * time.Minute),
+		NotBefore:             time.Now().Add(-9 * time.Minute),
 		NotAfter:              time.Now().Add(2 * time.Hour),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
 		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
@@ -144,3 +144,33 @@ func GenerateLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Ce
 
 	return cert, priv, nil
 }
+
+func GenerateExpiredLeafCert(subject string, oidcIssuer string, parentTemplate *x509.Certificate, parentPriv crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {
+	certTemplate := &x509.Certificate{
+		SerialNumber:   big.NewInt(1),
+		EmailAddresses: []string{subject},
+		NotBefore:      time.Now().Add(-5 * time.Minute),
+		NotAfter:       time.Now().Add(-2 * time.Minute),
+		KeyUsage:       x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+		IsCA:           false,
+		ExtraExtensions: []pkix.Extension{{
+			// OID for OIDC Issuer extension
+			Id:       asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1},
+			Critical: false,
+			Value:    []byte(oidcIssuer),
+		}},
+	}
+
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert, err := createCertificate(certTemplate, parentTemplate, &priv.PublicKey, parentPriv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return cert, priv, nil
+}
diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go
@@ -211,6 +211,8 @@ func verifyCertChain(certChain []*x509.Certificate) error {
 		Intermediates: subPool,
 		// Allow any key usage
 		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
+		// Expired certificates can be uploaded and should be verifiable
+		CurrentTime: certChain[0].NotBefore,
 	}); err != nil {
 		return err
 	}

diff --git a/pkg/pki/x509/x509_test.go b/pkg/pki/x509/x509_test.go
@@ -250,6 +250,18 @@ func TestPublicKeyWithCertChain(t *testing.T) {
 		t.Fatalf("unexpected error verifying signature, %v", err)
 	}
 
+	// Verify works with expired certificate
+	leafCert, leafKey, _ = testutils.GenerateExpiredLeafCert("subject@example.com", "oidc-issuer", subCert, subKey)
+	pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, subCert, rootCert})
+	pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))
+	signer, _ = signature.LoadSigner(leafKey, crypto.SHA256)
+	sigBytes, _ = signer.SignMessage(bytes.NewReader(data))
+	s, _ = NewSignature(bytes.NewReader(sigBytes))
+	err = s.Verify(bytes.NewReader(data), pub)
+	if err != nil {
+		t.Fatalf("unexpected error verifying signature with expired cert: %v", err)
+	}
+
 	// Verify error with invalid chain
 	pemCertChain, _ = cryptoutils.MarshalCertificatesToPEM([]*x509.Certificate{leafCert, rootCert})
 	pub, _ = NewPublicKey(bytes.NewReader(pemCertChain))

diff --git a/tests/sharding-e2e-test.sh b/tests/sharding-e2e-test.sh
@@ -81,6 +81,21 @@ function waitForRekorServer () {
   echo
 }
 
+function collectLogsOnFailure () {
+    if [[ "$1" -ne "0" ]]; then
+        echo "failure detected, collecting docker-compose logs"
+        docker-compose logs --no-color > /tmp/docker-compose.log
+        exit $1
+    elif docker-compose logs --no-color | grep -q "panic: runtime error:" ; then
+        # if we're here, we found a panic
+        echo "failing due to panics detected in logs"
+        docker-compose logs --no-color > /tmp/docker-compose.log
+        exit 1
+    fi
+    exit 0
+}
+trap "collectLogsOnFailure $?" EXIT
+
 echo "Waiting for rekor server to come up..."
 waitForRekorServer
 
@@ -231,11 +246,11 @@ echo "Testing /api/v1/log/entries/retrieve endpoint..."
 UUID1=$($REKOR_CLI get --log-index 0 --rekor_server http://localhost:3000 --format json | jq -r .UUID)
 UUID2=$($REKOR_CLI get --log-index 3 --rekor_server http://localhost:3000 --format json | jq -r .UUID)
 
-HEX_INITIAL_TREE_ID=$(printf "%x" $INITIAL_TREE_ID | awk '{printf "%016s", $0}')
-HEX_INITIAL_SHARD_ID=$(printf "%x" $SHARD_TREE_ID | awk '{printf "%016s", $0}')
+HEX_INITIAL_TREE_ID=$(printf "%x" $INITIAL_TREE_ID | awk '{ for(c = 0; c < 16 ; c++) s = s"0"; s = s$1; print substr(s, 1 + length(s) - 16);}')
+HEX_INITIAL_SHARD_ID=$(printf "%x" $SHARD_TREE_ID | awk '{ for(c = 0; c < 16 ; c++) s = s"0"; s = s$1; print substr(s, 1 + length(s) - 16);}')
 
-ENTRY_ID_1=$HEX_INITIAL_TREE_ID$UUID1
-ENTRY_ID_2=$HEX_INITIAL_SHARD_ID$UUID2
+ENTRY_ID_1=$(echo -n "$HEX_INITIAL_TREE_ID$UUID1" | xargs echo -n)
+ENTRY_ID_2=$(echo -n "$HEX_INITIAL_SHARD_ID$UUID2" | xargs echo -n)
 
 # -f makes sure we exit on failure
 NUM_ELEMENTS=$(curl -f http://localhost:3000/api/v1/log/entries/retrieve -H "Content-Type: application/json" -H "Accept: application/json" -d "{ \"entryUUIDs\": [\"$ENTRY_ID_1\", \"$ENTRY_ID_2\"]}" | jq '. | length')