
Why does Notation verification take only the root certificate in the truststore? #910

Open
omkhard opened this issue Mar 24, 2024 · 5 comments
Labels
question General Q&A for product usage Stale

Comments

omkhard commented Mar 24, 2024

What is not working as expected?

We are giving the chain of certificates from the root certificate through the intermediate certificate to the leaf cert, and giving the leaf private key for signing, but during verification only the root certificate in the truststore and the subject of the leaf certificate are enough for signing.
My question is: how is the integrity of the leaf key verified against the leaf cert, and where? I saw that some (hash-algorithm) revocation happens, and it creates a payload and verifies using it. May I get some more in-depth knowledge about the signer's public key integrity check?

What did you expect to happen?

Explanation

How can we reproduce it?

Chain Signing/Verifying

Describe your environment

wget, OS: Linux, shell: bash

What is the version of your Notation CLI or Notation Library?

1.1.0

omkhard added the "bug Something isn't working" and "triage Need to triage" labels Mar 24, 2024

yizha1 (Contributor) commented Mar 25, 2024

@omkhard I believe you asked the same question on the Slack channel. As I commented in Slack, would you mind checking this verification specification to see whether it helps answer your question? Thanks.

yizha1 added the "question General Q&A for product usage" label and removed the "triage Need to triage" and "bug Something isn't working" labels Mar 26, 2024

omkhard (Author) commented Mar 27, 2024

These are the steps I am trying:

  • Creating keys using openssl (the config file is for Notation-specific X509 options, with CA:True)

-> openssl req -x509 -newkey rsa:2048 -keyout root.key -out root.crt -days 365 -nodes -subj "/C=US/ST=WA/L=Seattle/O=Notary/CN=root" -config /root/.config/notation/localkeys/rootTmp.cnf
-> openssl req -out inter1.csr -newkey rsa:2048 -keyout inter1.key -nodes -subj "/C=US/ST=WA/L=Seattle/O=Notary/CN=inter1" -config /root/.config/notation/localkeys/rootTmp.cnf
-> openssl x509 -req -in inter1.csr -CAkey root.key -CA root.crt -days 365 -CAcreateserial -out inter1.crt

  • Creating the leaf cert using inter1.crt and inter1.key (the config file is for Notation-specific leaf X509 options, with CA:False)

-> openssl req -out inter2.csr -newkey rsa:2048 -keyout inter2.key -nodes -subj "/C=US/ST=WA/L=Seattle/O=Notary/CN=inter2" -config ~ubuntu/ctrSign/tmp1.cnf
-> openssl x509 -req -in inter2.csr -CAkey inter1.key -CA inter1.crt -days 365 -CAcreateserial -out inter2.crt -extfile /root/.config/notation/localkeys/v3.ext

  • Copying all the ".key"s and ".crt"s into $XDG_CONFIG_HOME/notation/localkeys/ and making a concat.crt using:

-> cat inter2.crt inter1.crt root.crt > concat.crt

  • Specifying concat.crt and inter2.key in $XDG_CONFIG_HOME/notation/signingkeys.json

  • Doing image signing (docker login etc. are all OK, signing happened fine). Signed successfully.

  • During verification, if I use concat.crt in the truststore ($XDG_CONFIG_HOME/notation/truststore/x509/ca/sign/concat.crt), specify it in $XDG_CONFIG_HOME/notation/trustpolicy.json, and give the x509.subject of the leaf certificate, the verification fails.

  • But if I give only root.crt in the truststore, the verification succeeds.

Q: Are we not taking the entire chain for verification of an image signed with the entire chain?

yizha1 (Contributor) commented Mar 27, 2024

Q: Are we not taking the entire chain for verification of an Image signed with the entire chain?

Thanks @omkhard for providing these details. Yes, root CA certificates are stored in the trust store. You can check the Notary Project trust store spec for details.

JeyJeyGao (Contributor) commented

@omkhard The trust store is used to store trusted certificates. When you put root certificates in the trust store, that means you trust these roots. To answer your question, notation requires the entire chain for validation. The chain is stored in the signature envelope, which is added by the signer.
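The following is an added example illustrating the two points above (the openssl chain built in the reproduction steps, and the answer that the trust store holds roots while the chain travels in the signature envelope). It is not code from the Notation project and does not use notation-go; it models only the X.509 part of verification with the Go standard library, which Notation is written in. Everything is constructed in memory: the certificate names (root, inter1, inter2) are taken from the reproduction steps, the keys are ECDSA P-256 instead of RSA-2048 to keep generation fast, the payload is a constructed stand-in for a signature payload, and the function names (BuildChain, VerifyLeaf, SignPayload, CheckPayload) are this example's own. Real Notation verification additionally applies the trust policy, signing scheme, timestamp and revocation checks that this example leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> inter1 -> inter2 hierarchy mirroring the
// root.crt / inter1.crt / inter2.crt built with openssl in the steps above
// (assumption: ECDSA P-256 keys stand in for the post's RSA-2048 keys).
type Chain struct {
	Root, Inter, Leaf *x509.Certificate
	LeafKey           *ecdsa.PrivateKey // the signing key that belongs to Leaf
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate: CAs get CertSign (CA:True), the leaf
// gets DigitalSignature + CodeSigning (CA:False), like the openssl configs.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Notary"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue signs tmpl with the issuer's key (openssl x509 -req -CA ... -CAkey ...).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func BuildChain() Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := template("root", 1, true)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := issue(template("inter1", 2, true), root, &interKey.PublicKey, rootKey)
	leaf := issue(template("inter2", 3, false), inter, &leafKey.PublicKey, interKey)
	return Chain{Root: root, Inter: inter, Leaf: leaf, LeafKey: leafKey}
}

// VerifyLeaf models the trust-store side: `trusted` plays the role of the
// certificates under truststore/x509/ca/<store>/, `intermediates` the chain
// carried in the signature envelope. Only a chain ending at a trusted root passes.
func VerifyLeaf(leaf *x509.Certificate, trusted, intermediates []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// SignPayload and CheckPayload model the "signer's public key integrity check":
// the signature is checked with the public key inside the leaf certificate, so
// a signature produced by any other private key is rejected.
func SignPayload(key *ecdsa.PrivateKey, payload []byte) []byte {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func CheckPayload(leaf *x509.Certificate, payload, sig []byte) error {
	return leaf.CheckSignature(x509.ECDSAWithSHA256, payload, sig)
}

func main() {
	ch := BuildChain()
	payload := []byte(`{"targetArtifact":"constructed example payload"}`) // constructed stand-in
	sig := SignPayload(ch.LeafKey, payload)
	fmt.Println("signature checks against leaf cert key:", CheckPayload(ch.Leaf, payload, sig))
	fmt.Println("root in store + inter1 from envelope:", VerifyLeaf(ch.Leaf, []*x509.Certificate{ch.Root}, []*x509.Certificate{ch.Inter}))
	fmt.Println("root in store, envelope chain missing:", VerifyLeaf(ch.Leaf, []*x509.Certificate{ch.Root}, nil))
	fmt.Println("signature from a different key:", CheckPayload(ch.Leaf, payload, SignPayload(newKey(), payload)))
}
```

Running it shows the two halves of the answer: the payload signature is bound to the leaf certificate's public key (a signature from any other key fails CheckPayload), and chain building needs only the root as a trust anchor as long as the intermediate arrives with the signature; drop the intermediate and the same root-only store no longer yields a chain.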

github-actions bot commented Jun 9, 2024

This issue is stale because it has been opened for 60 days with no activity. Remove stale label or comment. Otherwise, it will be closed in 30 days.

github-actions bot added the Stale label Jun 9, 2024