
Commit 1b20379

ditetsuo-cpp
andauthored
Support multiple issuers and alternative proofs (sigstore#23)
* Change signed_email_address to signed_proof * Support alternative proofs * Add types-pyjwt as dev dependency * Type hints * Simplify OIDC issuers structure Co-authored-by: Alex Cameron <asc@tetsuo.sh>
1 parent b68721d commit 1b20379


3 files changed

+45
-2
lines changed


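--- a/setup.py
+++ b/setup.py
@@ -43,6 +43,7 @@
 "mypy",
 "types-cryptography",
 "types-requests",
+"types-pyjwt",
 ]
 },
 classifiers=[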

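--- a/sigstore/_internal/fulcio/_client.py
+++ b/sigstore/_internal/fulcio/_client.py
@@ -70,7 +70,7 @@ class FulcioCertificateSigningRequest:
 """Certificate request"""
 
 public_key: ec.EllipticCurvePublicKey
-signed_email_address: bytes
+signed_proof: bytes
 
 @property
 def data(self) -> str:
@@ -82,7 +82,7 @@ def data(self) -> str:
 "publicKey": {
 "content": base64.b64encode(content).decode(),
 },
-"signedEmailAddress": base64.b64encode(self.signed_email_address).decode(),
+"signedEmailAddress": base64.b64encode(self.signed_proof).decode(),
 }
 return json.dumps(data)
 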
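--- /dev/null
+++ b/sigstore/_internal/oidc.py
@@ -0,0 +1,42 @@
+import jwt
+
+# From https://github.com/sigstore/fulcio/blob/b2186c01da1ddf807bde3ea8c450226d8e001d88/pkg/config/config.go#L182-L201 # noqa
+OIDC_ISSUERS = {
+"https://accounts.google.com": "email",
+"https://oauth2.sigstore.dev/auth": "email",
+"https://token.actions.githubusercontent.com": "sub",
+}
+AUDIENCE = "sigstore"
+
+
+class IdentityError(Exception):
+pass
+
+
+class Identity:
+def __init__(self, identity_token: str) -> None:
+identity_jwt = jwt.decode(identity_token, options={"verify_signature": False})
+
+if "iss" not in identity_jwt:
+raise IdentityError("Identity token missing the required 'iss' claim")
+
+iss = identity_jwt.get("iss")
+
+if iss not in OIDC_ISSUERS:
+raise IdentityError(f"Not a valid OIDC issuer: {iss!r}")
+
+if "aud" not in identity_jwt:
+raise IdentityError("Identity token missing the required 'aud' claim")
+
+aud = identity_jwt.get("aud")
+
+if aud != AUDIENCE:
+raise IdentityError(f"Audience should be {AUDIENCE!r}, not {aud!r}")
+
+proof_claim = OIDC_ISSUERS[iss]
+if proof_claim not in identity_jwt:
+raise IdentityError(
+f"Identity token missing the required {proof_claim!r} claim"
+)
+
+self.proof = identity_jwt.get(proof_claim)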
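Review bot: `jwt.decode(identity_token, options={"verify_signature": False})` at the top of `Identity.__init__` reads every claim from an unverified token, so the issuer, audience and proof-claim checks that follow are sanity checks on attacker-controllable input rather than trust decisions; presumably Fulcio verifies the signature server-side, and nothing in this module should treat `self.proof` as authenticated. That deserves a comment above the decode, e.g. `# NOTE: signature is deliberately not verified here; Fulcio validates the token server-side. None of the checks below is a trust decision.`. Separately, a malformed token makes `jwt.decode` raise a PyJWT exception rather than `IdentityError`, so a caller catching only `IdentityError` misses that case; wrapping the decode as `try: ... except jwt.PyJWTError as exc: raise IdentityError("Identity token is not a well-formed JWT") from exc` keeps the error surface uniform. Note also that `aud != AUDIENCE` rejects a token whose `aud` is a list containing `"sigstore"`, which RFC 7519 permits; that fails closed, so it only matters if an accepted issuer emits list-valued audiences.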
