From bfa850ef8ead47bf59a3e21e01077eed6937ad6f Mon Sep 17 00:00:00 2001
From: Alex Cameron
Date: Fri, 3 Jun 2022 23:01:01 +1000
Subject: [PATCH] _verify: Add Fulcio intermediate certificate (#110)
---
 sigstore/_store/fulcio_intermediate.crt.pem | 14 ++++++++++++++
 sigstore/_verify.py | 6 ++++++
 2 files changed, 20 insertions(+)
 create mode 100644 sigstore/_store/fulcio_intermediate.crt.pem
diff --git a/sigstore/_store/fulcio_intermediate.crt.pem b/sigstore/_store/fulcio_intermediate.crt.pem
new file mode 100644
index 00000000..6d1c298b
--- /dev/null
+++ b/sigstore/_store/fulcio_intermediate.crt.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMw
+KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
+MjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3Jl
+LmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0C
+AQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV7
+7LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS
+0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYB
+BQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjp
+KFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZI
+zj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJR
+nZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsP
+mygUY7Ii2zbdCdliiow=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/sigstore/_verify.py b/sigstore/_verify.py
index 0d004892..302594bd 100644
--- a/sigstore/_verify.py
+++ b/sigstore/_verify.py
@@ -51,6 +51,9 @@
 FULCIO_ROOT_CERT = resources.read_binary("sigstore._store", "fulcio.crt.pem")
+FULCIO_INTERMEDIATE_CERT = resources.read_binary(
+ "sigstore._store", "fulcio_intermediate.crt.pem"
+)
 class VerificationResult(BaseModel):
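Review bot: The intermediate is committed as an opaque PEM blob with nothing recording where it was obtained from or what its expected fingerprint is, so a later reader cannot tell whether this is the genuine Fulcio intermediate or check it against an upstream publication; a PEM file has no room for a comment, so that provenance (the source URL or TUF target it was fetched from, plus its SHA-256 fingerprint) belongs in the commit description or a short README beside the file. Reading the DER directly, the certificate appears to be CN `sigstore-intermediate` under O `sigstore.dev`, valid from 2022-04-13 to 2031-10-05, so the same record should also note that the pinned copy has a fixed lifetime and will need replacing when Fulcio rotates it. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing now so a future rotation does not show up as a noisy two-line change.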
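Review bot: `FULCIO_INTERMEDIATE_CERT` is introduced with no comment relating it to `FULCIO_ROOT_CERT`, and since both are module-level `resources.read_binary` calls a missing or unreadable PEM now fails at import time rather than when `verify` runs, which is consistent with the existing root handling but worth stating. A one-line comment above the new assignment would make the intended relationship explicit, e.g. `# Fulcio intermediate CA; signing certs are expected to chain leaf -> intermediate -> FULCIO_ROOT_CERT`. The blank context lines of this hunk are not visible here, so the exact placement should follow the surrounding layout.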
@@ -115,13 +118,16 @@ def verify(
 # 1) Verify that the signing certificate is signed by the root certificate and that the signing
 # certificate was valid at the time of signing.
 root = load_pem_x509_certificate(FULCIO_ROOT_CERT)
+ intermediate = load_pem_x509_certificate(FULCIO_INTERMEDIATE_CERT)
 sign_date = cert.not_valid_before
 openssl_cert = X509.from_cryptography(cert)
 openssl_root = X509.from_cryptography(root)
+ openssl_intermediate = X509.from_cryptography(intermediate)
 store = X509Store()
 store.add_cert(openssl_root)
+ store.add_cert(openssl_intermediate)
 store.set_time(sign_date)
 store_ctx = X509StoreContext(store, openssl_cert)
 store_ctx.verify_certificate()
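Review bot: `store.add_cert(openssl_intermediate)` places the intermediate in the trust store next to the root, which makes it a trust anchor rather than an untrusted chain member; the intermediate belongs on the verification context instead, keeping the store to the root alone and building the context as `store_ctx = X509StoreContext(store, openssl_cert, chain=[openssl_intermediate])` (the `chain` keyword exists in recent pyOpenSSL — confirm against the version this project pins). Keeping only genuine anchors in the store keeps the trust policy explicit: the intermediate is then accepted only because it chains to the Fulcio root, and a future change to verification flags or a rotated intermediate cannot be trusted on its own merely because it sits in the store. The comment at the top of the hunk (`# 1) Verify that the signing certificate is signed by the root certificate ...`) no longer describes the new code, since the leaf is signed by the intermediate; it should say `# 1) Verify that the signing certificate chains to the Fulcio root (via the intermediate) and that the signing` with the second line unchanged. `verify` begins before this hunk and its body continues after `store_ctx.verify_certificate()`.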