From 852ac8d9add0ebb113595a76f0f6e1c3d731a65e Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Mon, 24 Apr 2023 14:27:28 -0600
Subject: [PATCH] gen, protos: document chain membership policy (#77)
* gen, protos: document chain membership policy
Signed-off-by: William Woodruff
* gen, protos: apply suggestions
Signed-off-by: William Woodruff
---------
Signed-off-by: William Woodruff
---
 gen/pb-go/common/v1/sigstore_common.pb.go | 18 +++++++++++++++--- .../dev/sigstore/common/v1/__init__.py | 13 ++++++++++--- .../src/__generated__/sigstore_common.ts | 18 +++++++++++++++--- protos/sigstore_common.proto | 18 +++++++++++++++--- 4 files changed, 55 insertions(+), 12 deletions(-)
diff --git a/gen/pb-go/common/v1/sigstore_common.pb.go b/gen/pb-go/common/v1/sigstore_common.pb.go
index acd9b10b..4c0e4f1d 100644
--- a/gen/pb-go/common/v1/sigstore_common.pb.go
+++ b/gen/pb-go/common/v1/sigstore_common.pb.go
@@ -874,9 +874,21 @@ type X509CertificateChain struct {
 // The chain of certificates, with indices 0 to n.
 // The first certificate in the array must be the leaf
- // certificate used for signing. Any intermediate certificates
- // must be stored as offset 1 to n-1, and the root certificate at
- // position n.
+ // certificate used for signing.
+ //
+ // Signers MUST NOT include their root CA certificates in their embedded
+ // certificate chains, and SHOULD NOT include intermediate CA
+ // certificates that appear in independent roots of trust.
+ //
+ // Verifiers MUST validate the chain carefully to ensure that it chains
+ // up to a root CA certificate that they trust, regardless of whether
+ // the chain includes additional intermediate/root CA certificates.
+ // Verifiers MAY enforce additional constraints, such as requiring that
+ // all intermediate CA certificates appear in an independent root of
+ // trust.
+ //
+ // Verifiers SHOULD handle old or non-complying bundles that have
+ // additional intermediate/root CA certificates.
 Certificates []*X509Certificate `protobuf:"bytes,1,rep,name=certificates,proto3" json:"certificates,omitempty"`
 }
diff --git a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
index 5ec1bd31..bc8ceed7 100644
--- a/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
+++ b/gen/pb-python/sigstore_protobuf_specs/dev/sigstore/common/v1/__init__.py
@@ -200,9 +200,16 @@ class X509CertificateChain(betterproto.Message):
 certificates: List["X509Certificate"] = betterproto.message_field(1)
 """
 The chain of certificates, with indices 0 to n. The first certificate in
- the array must be the leaf certificate used for signing. Any intermediate
- certificates must be stored as offset 1 to n-1, and the root certificate at
- position n.
+ the array must be the leaf certificate used for signing. Signers MUST NOT
+ include their root CA certificates in their embedded certificate chains,
+ and SHOULD NOT include intermediate CA certificates that appear in
+ independent roots of trust. Verifiers MUST validate the chain carefully to
+ ensure that it chains up to a root CA certificate that they trust,
+ regardless of whether the chain includes additional intermediate/root CA
+ certificates. Verifiers MAY enforce additional constraints, such as
+ requiring that all intermediate CA certificates appear in an independent
+ root of trust. Verifiers SHOULD handle old or non-complying bundles that
+ have additional intermediate/root CA certificates.
 """
diff --git a/gen/pb-typescript/src/__generated__/sigstore_common.ts b/gen/pb-typescript/src/__generated__/sigstore_common.ts
index 40f98a4a..082bb8de 100644
--- a/gen/pb-typescript/src/__generated__/sigstore_common.ts
+++ b/gen/pb-typescript/src/__generated__/sigstore_common.ts
@@ -279,9 +279,21 @@ export interface X509CertificateChain {
 /**
 * The chain of certificates, with indices 0 to n.
 * The first certificate in the array must be the leaf
- * certificate used for signing. Any intermediate certificates
- * must be stored as offset 1 to n-1, and the root certificate at
- * position n.
+ * certificate used for signing.
+ *
+ * Signers MUST NOT include their root CA certificates in their embedded
+ * certificate chains, and SHOULD NOT include intermediate CA
+ * certificates that appear in independent roots of trust.
+ *
+ * Verifiers MUST validate the chain carefully to ensure that it chains
+ * up to a root CA certificate that they trust, regardless of whether
+ * the chain includes additional intermediate/root CA certificates.
+ * Verifiers MAY enforce additional constraints, such as requiring that
+ * all intermediate CA certificates appear in an independent root of
+ * trust.
+ *
+ * Verifiers SHOULD handle old or non-complying bundles that have
+ * additional intermediate/root CA certificates.
 */
 certificates: X509Certificate[];
 }
diff --git a/protos/sigstore_common.proto b/protos/sigstore_common.proto
index 231a17e7..eeb0fb43 100644
--- a/protos/sigstore_common.proto
+++ b/protos/sigstore_common.proto
@@ -169,9 +169,21 @@ message SubjectAlternativeName {
 message X509CertificateChain {
 // The chain of certificates, with indices 0 to n.
 // The first certificate in the array must be the leaf
- // certificate used for signing. Any intermediate certificates
- // must be stored as offset 1 to n-1, and the root certificate at
- // position n.
+ // certificate used for signing.
+ //
+ // Signers MUST NOT include their root CA certificates in their embedded
+ // certificate chains, and SHOULD NOT include intermediate CA
+ // certificates that appear in independent roots of trust.
+ //
+ // Verifiers MUST validate the chain carefully to ensure that it chains
+ // up to a root CA certificate that they trust, regardless of whether
+ // the chain includes additional intermediate/root CA certificates.
+ // Verifiers MAY enforce additional constraints, such as requiring that
+ // all intermediate CA certificates appear in an independent root of
+ // trust.
+ //
+ // Verifiers SHOULD handle old or non-complying bundles that have
+ // additional intermediate/root CA certificates.
 repeated X509Certificate certificates = 1;
 }
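Review bot: The rewritten comment on `X509CertificateChain.certificates` removes the old positional rule for everything after the leaf without saying what replaces it, so a reader of this message can no longer tell whether index i+1 must be the issuer of index i or whether certificates after position 0 may appear in any order. Now that verifiers are told to accept bundles carrying extra intermediate/root CA certificates, path building should not rely on array position unless the message promises it; if unordered is the intent, a sentence like `// Certificates after the leaf are not guaranteed to be in issuer order; verifiers build the path by issuer/subject matching, not by index.` would close the gap, and if ordering is still required it should be restated explicitly. It would also be worth stating directly that a CA certificate carried in the chain is never itself a trust anchor, e.g. `// A root CA certificate present in this chain MUST NOT be used as a trust anchor; trust anchors come only from the verifier's own root of trust.`, since the current text only implies this through "a root CA certificate that they trust". The same comment text is mirrored in the generated Go, Python and TypeScript hunks above, so any wording change here should be propagated by regenerating those files rather than editing them by hand.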