_verify: Add Fulcio intermediate certificate (#110)
tetsuo-cpp authored Jun 3, 2022
1 parent 6f5620e commit bfa850e
Showing 2 changed files with 20 additions and 0 deletions.
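--- a/sigstore/_store/fulcio_intermediate.crt.pem
+++ b/sigstore/_store/fulcio_intermediate.crt.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
+KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
+MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
+LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
+AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
+7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
+0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
+BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
+KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
+zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
+nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
+mygUY7Ii2zbdCdliiow=
+-----END CERTIFICATE-----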
6 changes: 6 additions & 0 deletions sigstore/_verify.py
@@ -51,6 +51,9 @@


FULCIO_ROOT_CERT = resources.read_binary("sigstore._store", "fulcio.crt.pem")
FULCIO_INTERMEDIATE_CERT = resources.read_binary(
"sigstore._store", "fulcio_intermediate.crt.pem"
)


class VerificationResult(BaseModel):
@@ -115,13 +118,16 @@ def verify(
# 1) Verify that the signing certificate is signed by the root certificate and that the signing
# certificate was valid at the time of signing.
root = load_pem_x509_certificate(FULCIO_ROOT_CERT)
intermediate = load_pem_x509_certificate(FULCIO_INTERMEDIATE_CERT)

sign_date = cert.not_valid_before
openssl_cert = X509.from_cryptography(cert)
openssl_root = X509.from_cryptography(root)
openssl_intermediate = X509.from_cryptography(intermediate)

store = X509Store()
store.add_cert(openssl_root)
store.add_cert(openssl_intermediate)
store.set_time(sign_date)
store_ctx = X509StoreContext(store, openssl_cert)
store_ctx.verify_certificate()
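Review bot: `store.add_cert(openssl_intermediate)` places the intermediate in the trusted store beside the root, so it is handled as trusted material rather than as an untrusted link that must itself chain to the root. With OpenSSL's default store flags a chain still has to end at the self-signed root, but that depends on configuration this hunk does not show; to keep the root as the only anchor, drop the `add_cert` call for the intermediate and build the context as `X509StoreContext(store, openssl_cert, chain=[openssl_intermediate])` (this needs a pyOpenSSL release that accepts `chain`). The step comment above the new lines still says the signing certificate is "signed by the root certificate", which is no longer accurate; it could read `# 1) Verify that the signing certificate chains to the Fulcio root, directly or via the intermediate, and was valid at the time of signing.` `verify` starts and ends outside the hunk.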