From d39479df125a732ec39c84de7e3bb408180a2a17 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 6 Sep 2024 14:42:43 -0400
Subject: [PATCH 1/2] Allow parsing of certificates from Fulcio if ctlog is disabled

Signed-off-by: Cody Soyland
---
 pkg/sign/certificate.go | 17 +++++++++++++----
 pkg/sign/certificate_test.go | 2 +-
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/pkg/sign/certificate.go b/pkg/sign/certificate.go
index af002bc4..c5df5112 100644
--- a/pkg/sign/certificate.go
+++ b/pkg/sign/certificate.go
@@ -72,13 +72,18 @@ type publicKey struct {
 }
 
 type fulcioResponse struct {
-	SctCertWithChain signedCertificateEmbeddedSct `json:"signedCertificateEmbeddedSct"`
+	SignedCertificateEmbeddedSct signedCertificateEmbeddedSct `json:"signedCertificateEmbeddedSct"`
+	SignedCertificateDetachedSct signedCertificateDetachedSct `json:"signedCertificateDetachedSct"`
 }
 
 type signedCertificateEmbeddedSct struct {
 	Chain chain `json:"chain"`
 }
 
+type signedCertificateDetachedSct struct {
+	Chain chain `json:"chain"`
+}
+
 type chain struct {
 	Certificates []string `json:"certificates"`
 }
@@ -204,12 +209,16 @@ func (f *Fulcio) GetCertificate(ctx context.Context, keypair Keypair, opts *Cert
 		return nil, err
 	}
 
-	certs := fulcioResp.SctCertWithChain.Chain.Certificates
-	if len(certs) == 0 {
+	var cert []byte
+	if len(fulcioResp.SignedCertificateEmbeddedSct.Chain.Certificates) > 0 {
+		cert = []byte(fulcioResp.SignedCertificateEmbeddedSct.Chain.Certificates[0])
+	} else if len(fulcioResp.SignedCertificateDetachedSct.Chain.Certificates) > 0 {
+		cert = []byte(fulcioResp.SignedCertificateDetachedSct.Chain.Certificates[0])
+	} else {
 		return nil, errors.New("Fulcio returned no certificates")
 	}
 
-	certBlock, _ := pem.Decode([]byte(certs[0]))
+	certBlock, _ := pem.Decode(cert)
 	if certBlock == nil {
 		return nil, errors.New("unable to parse Fulcio certificate")
 	}
diff --git a/pkg/sign/certificate_test.go b/pkg/sign/certificate_test.go
index df1e7fb8..196f70dd 100644
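Review bot: The new `else if` branch in GetCertificate accepts a leaf certificate from `SignedCertificateDetachedSct` that, per the commit subject, comes from a Fulcio with its CT log disabled and therefore carries no embedded SCT, yet nothing records which branch produced `cert`, so a caller cannot tell whether CT inclusion can later be checked for that certificate. The new type in the first hunk should say this, e.g. `// signedCertificateDetachedSct is the response shape Fulcio uses when its CT log is disabled; the returned certificate carries no embedded SCT.`, with a matching one-line why-comment above the `else if`. If Fulcio also places a detached SCT in that response object, the struct as declared silently discards it — worth confirming against the Fulcio API before this path is relied on for verification. GetCertificate starts and ends outside the hunk.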
--- a/pkg/sign/certificate_test.go
+++ b/pkg/sign/certificate_test.go
@@ -56,7 +56,7 @@ func getFulcioResponse() (*http.Response, error) {
 	}))
 	responseStruct := fulcioResponse{
-		SctCertWithChain: signedCertificateEmbeddedSct{
+		SignedCertificateEmbeddedSct: signedCertificateEmbeddedSct{
 			Chain: chain{
 				Certificates: []string{certPEM},
 			},

From ddfd1e186aee9af7d84f4db889bd2d58bce77b24 Mon Sep 17 00:00:00 2001
From: Cody Soyland
Date: Fri, 6 Sep 2024 14:57:55 -0400
Subject: [PATCH 2/2] Change if/else to switch

Signed-off-by: Cody Soyland
---
 pkg/sign/certificate.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/pkg/sign/certificate.go b/pkg/sign/certificate.go
index c5df5112..ddf32fb0 100644
--- a/pkg/sign/certificate.go
+++ b/pkg/sign/certificate.go
@@ -210,11 +210,12 @@ func (f *Fulcio) GetCertificate(ctx context.Context, keypair Keypair, opts *Cert
 	}
 
 	var cert []byte
-	if len(fulcioResp.SignedCertificateEmbeddedSct.Chain.Certificates) > 0 {
+	switch {
+	case len(fulcioResp.SignedCertificateEmbeddedSct.Chain.Certificates) > 0:
 		cert = []byte(fulcioResp.SignedCertificateEmbeddedSct.Chain.Certificates[0])
-	} else if len(fulcioResp.SignedCertificateDetachedSct.Chain.Certificates) > 0 {
+	case len(fulcioResp.SignedCertificateDetachedSct.Chain.Certificates) > 0:
 		cert = []byte(fulcioResp.SignedCertificateDetachedSct.Chain.Certificates[0])
-	} else {
+	default:
 		return nil, errors.New("Fulcio returned no certificates")
 	}