-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add interface for certificate validation #298
Comments
For the API, are you thinking this would be provided by a special Something like this? func WithCustomCertificateValidator(validateCert func(*x509.Certificate) (bool, error)) VerifierOption {
return func(c *VerifierConfig) error {
c.validateCert = validateCert
}
} This could definitely be done, but I wonder if this is flexible enough, as some clients would need more control over the actual verification process in https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/certificate.go -- such as modification of the I think my other proposal could provide this same functionality, allowing the client complete control over the certificate verification process. A custom |
@kommendorkapten Did you have an example in mind for how to handle "other custom logic that would require access to the timestamp and trusted material"? Is your thought to keep it simple, expecting implementers to design their own structs to contain any other verification material necessary for validating the certificate? |
@haydentherapper yes, keeping the interface simple. My thinking was to make scenarios that works more like typical X.509 PKI easy to implement, where the time in question is the current date. We could have an optional parameter being sent too which is one of observed timestamps, by calling this function for each timestamp, and only count those entries that are valid. @codysoyland wasn't aware of that, will look more into that issue. Is you thinking that the struct would provide a method like |
An other option could be to further modify @codysoyland's #300 to expose the chains in the |
@kommendorkapten I wrote up an example on how to use a custom |
Description
Originally discussed here: #253 (comment)
The original implementation was made against the operational mode of PGI using ephemeral certificates and the trust root delivered via TUF. This mode of operation allows us to make the following simplifications:
However, for private deployments these preconditions may not always be met, and certain users may want to rely on a more traditional PKI, where untrusted certificates are provided in the Sigstore bundle, and CLRs or OCSP is used to verify validity of the certificate.
To achieve required security using Certificates in Sigstore-go the client has to perform certificate verification themselves, by parsing the Sigstore bundle and then verify the certificate, which is not great UX.
Proposed is to add the support for a callback function:
That would then called for each certificate found in the bundle, including the end entity certificate.
To not complicate the logic for the default policy (using PGI), if the callback function is not set, it would set it to the a function that always returns true.
Trust root
Should the callback method be called for the certificates found in the trust root? My take is no. The trust root is created and provide by the client, and so the client could perform the certificate verification prior to composing the trust root.
The text was updated successfully, but these errors were encountered: