Bug: Trigger/SHA OID extension mixup for GitHub workflow #437

Closed
asraa opened this issue Feb 24, 2022 · 2 comments
Labels
bug Something isn't working

Comments

Contributor

asraa commented Feb 24, 2022

Description

I produced a handful of signing certificates from GitHub workflows, and wanted to extract some context information from the OID extensions. It seems like the trigger and SHA are mixed up:

-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----

has the extensions:

            X509v3 Subject Alternative Name: critical
                URI:https://github.com/asraa/slsa-on-github/.github/workflows/slsa-builder-go.yml@refs/heads/prov-write
            1.3.6.1.4.1.57264.1.1: 
                https://token.actions.githubusercontent.com
            1.3.6.1.4.1.57264.1.3: 
                workflow_dispatch
            1.3.6.1.4.1.57264.1.2: 
                4506290e2e8feb1f34b27a044f7cc863c830ef6b

but I expect the trigger to be defined at 1.3.6.1.4.1.57264.1.2 and sha to be at 1.3.6.1.4.1.57264.1.3.

As far as I can tell, the code extracts the correct claims, and the correct pkix.Extensions are added, so I'm very confused why this is happening!

refs:
https://github.com/sigstore/fulcio/blob/c74e2cfb763dd32def5dc921ff49f579fa262d96/docs/oid-info.md#1361415726412--github-workflow-trigger

@asraa asraa added the bug Something isn't working label Feb 24, 2022
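The report above boils down to a question of which OID slot holds which claim. The following Go program is an added example (not Fulcio's code and not part of the issue) that reproduces the check the reporter did by hand: it reads the three Fulcio OIDs off a parsed certificate and flags the mix-up symptom, a 40-hex commit id in the trigger slot or a non-SHA in the SHA slot. The OIDs and sample values come from the issue; the self-signed certificate, the `BuildTestCert`, `ExtractGitHubClaims` and `CheckOIDLayout` helper names, and the validity period are constructed for the example so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Fulcio extension OIDs as listed in the linked docs/oid-info.md.
var (
	OIDIssuer          = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
	OIDWorkflowTrigger = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
	OIDWorkflowSHA     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
)

// GitHubClaims holds the values read back from the certificate.
type GitHubClaims struct{ Issuer, Trigger, SHA string }

// extensionValue returns the raw bytes of the extension carrying oid. These
// extensions hold the claim as a plain string rather than a DER-encoded one,
// which is why openssl prints them verbatim in the issue.
func extensionValue(cert *x509.Certificate, oid asn1.ObjectIdentifier) (string, bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oid) {
			return string(ext.Value), true
		}
	}
	return "", false
}

// ExtractGitHubClaims reads the issuer, trigger and SHA slots by OID.
func ExtractGitHubClaims(cert *x509.Certificate) (GitHubClaims, error) {
	var c GitHubClaims
	var ok bool
	if c.Issuer, ok = extensionValue(cert, OIDIssuer); !ok {
		return c, fmt.Errorf("missing issuer extension %s", OIDIssuer)
	}
	if c.Trigger, ok = extensionValue(cert, OIDWorkflowTrigger); !ok {
		return c, fmt.Errorf("missing trigger extension %s", OIDWorkflowTrigger)
	}
	if c.SHA, ok = extensionValue(cert, OIDWorkflowSHA); !ok {
		return c, fmt.Errorf("missing sha extension %s", OIDWorkflowSHA)
	}
	return c, nil
}

// isHexSHA1 reports whether s is a 40-character hex string (a git commit id).
func isHexSHA1(s string) bool {
	_, err := hex.DecodeString(s)
	return len(s) == 40 && err == nil
}

// CheckOIDLayout flags the mix-up described in the issue: a commit SHA in
// the trigger slot, or something that is not a SHA in the SHA slot.
func CheckOIDLayout(c GitHubClaims) error {
	if !isHexSHA1(c.SHA) {
		return fmt.Errorf("%s should hold a 40-hex commit SHA, got %q", OIDWorkflowSHA, c.SHA)
	}
	if isHexSHA1(c.Trigger) {
		return fmt.Errorf("%s should hold a trigger name, got a SHA %q", OIDWorkflowTrigger, c.Trigger)
	}
	return nil
}

// BuildTestCert self-signs a throwaway certificate (constructed test data,
// not a Fulcio-issued one) placing trigger and sha at the given OIDs, so
// both the documented and the swapped layout can be exercised.
func BuildTestCert(triggerOID, shaOID asn1.ObjectIdentifier, trigger, sha string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	san, _ := url.Parse("https://github.com/asraa/slsa-on-github/.github/workflows/slsa-builder-go.yml@refs/heads/prov-write")
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{san},
		ExtraExtensions: []pkix.Extension{
			{Id: OIDIssuer, Value: []byte("https://token.actions.githubusercontent.com")},
			{Id: triggerOID, Value: []byte(trigger)},
			{Id: shaOID, Value: []byte(sha)},
		},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const trigger, sha = "workflow_dispatch", "4506290e2e8feb1f34b27a044f7cc863c830ef6b"
	for _, l := range []struct {
		name               string
		triggerOID, shaOID asn1.ObjectIdentifier
	}{{"documented", OIDWorkflowTrigger, OIDWorkflowSHA}, {"swapped", OIDWorkflowSHA, OIDWorkflowTrigger}} {
		cert, err := BuildTestCert(l.triggerOID, l.shaOID, trigger, sha)
		if err != nil {
			panic(err)
		}
		claims, _ := ExtractGitHubClaims(cert)
		fmt.Printf("%s: trigger=%q sha=%q check=%v\n", l.name, claims.Trigger, claims.SHA, CheckOIDLayout(claims))
	}
}
```

Running it prints a nil check for the documented layout and a non-nil error for the swapped one, which is the quick sanity test a verifier can apply to a Fulcio certificate before trusting the trigger and SHA it reads out of the extensions.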
Contributor Author

asraa commented Feb 24, 2022

It seems like extensions in #306 are also not added. Maybe the CA backend isn't handling extensions correctly with the additional ones?

Contributor Author

asraa commented Feb 28, 2022

Closing, this was because the code was using the v1beta API.

@asraa asraa closed this as completed Feb 28, 2022
1 participant