Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Minor refactoring of Fulcio SCT handling #1259

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

jku
Copy link
Member

@jku jku commented Dec 13, 2024

Summary

Simplify SCT management in fulcio client and the sites that need to call verify_sct()

  • SCTs are only needed inside verify_sct(): Make them an implementation detail and stop exposing them in FulcioCertificateSigningResponse (which is internal, so this is not an API change)
  • The only functional change is that FulcioCertificateSigningResponse may now exist without a valid SCT: In practice Signer works just like before since we call verify_sct() on the cert immediately after getting the response
  • Also remove an unused exception

There are two commits but I recommend reviewing the PR as a whole.
Fixes #1258.

Release Note

N/A: No public API changes or CLI changes are expected.

@jku jku marked this pull request as ready for review December 17, 2024 09:00
@jku
Copy link
Member Author

jku commented Dec 17, 2024

Looks ok to me even with fresh eyes, marking ready for review.

@javanlacerda do you want to have a look?

@jku jku requested a review from javanlacerda December 17, 2024 09:01
@jku jku force-pushed the fulcio-sct-minor-refactor branch from 97c854f to 41b8609 Compare December 17, 2024 09:06
@jku
Copy link
Member Author

jku commented Dec 17, 2024

/gcbrun

@jku
Copy link
Member Author

jku commented Dec 17, 2024

I have no idea how to remove the old failed GCB check from the results:

  • this looks like a GitHub inconsistency (the commit was not yet in the git server instance that GCB was using on the first run)
  • for some reason the check is uniquely named so subsequent passing checks don't override the result

@di
Copy link
Member

di commented Dec 18, 2024

I have no idea how to remove the old failed GCB check from the results

Probably not necessary since the check is not required, but I agree that's annoying!

@woodruffw
Copy link
Member

woodruffw commented Dec 19, 2024

Yeah, weird -- I was thinking it might be a Pulimi thing but it's not configured there either. Hopefully it just expires at some point, but agreed with @di about it being a nonblocker 🙂

Edit: Yeah, looks like it got invalidated and removed.

f"Unexpected embedded SCT count in response: {len(precert_scts_extension)} != 1"
if len(timestamps) != 1:
raise VerificationError(
f"Expected one certificate timestamp, found {len(timestamps)}."
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nitpick: no periods in exceptons

Suggested change
f"Expected one certificate timestamp, found {len(timestamps)}."
f"Expected one certificate timestamp, found {len(timestamps)}"

woodruffw
woodruffw previously approved these changes Dec 19, 2024
Copy link
Member

@woodruffw woodruffw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @jku! One small nitpick 🙂

jku added 2 commits December 30, 2024 11:22
Functionality should not change: Except a few more errors are handled.
The sct module API changes but it is internal.

* Remove one unnecessary internal exception and one unused exception
* We only support a single SCT: simplify the sct module API
* Make sure all errors raised in sct.get_signed_certificate_timestamp()
  are actually handled (by only raising ValueError and handling that)
* Handle SCT parsing errors during verify

Signed-off-by: Jussi Kukkonen <[email protected]>
Simplify FulcioCertificateSigningResponse by removing sct field from it.
This changes the (internal) fulcio module API.

The only place that needs the SCT is verify_sct() and it already gets
the certificate which it can trivially get the SCT from.

This makes get_signed_certificate_timestamp() an internal implementation
detail of verify_sct() which is nice.

FulcioSigningCert.post() changes in that it could now return a response
without an SCT: this is ok as it is immediately verified in
the callsite in Signer._signing_cert().

Signed-off-by: Jussi Kukkonen <[email protected]>
@jku jku force-pushed the fulcio-sct-minor-refactor branch from 500c4ac to f8fe4ce Compare December 30, 2024 09:22
@jku
Copy link
Member Author

jku commented Dec 30, 2024

rebased and fixed the suggested exception message

@jku jku requested a review from woodruffw December 30, 2024 09:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

refactor sct handling
3 participants