Fix unhandled extension issue for cached certs (#583)

Signed-off-by: Aditya Sirish A Yelgundhalli <[email protected]>
sigstore · Oct 21, 2024 · da79e4b · da79e4b
1 parent 02af74d
commit da79e4b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/internal/cache/client.go b/internal/cache/client.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"crypto"
 	"crypto/x509"
+	"encoding/asn1"
 	"fmt"
 	"net/rpc"
 	"os"
@@ -59,6 +60,17 @@ func (c *Client) GetCredentials(_ context.Context, cfg *config.Config) (crypto.P
 	}
 	// There should really only be 1 cert, but check them all anyway.
 	for _, cert := range certs {
+		if len(cert.UnhandledCriticalExtensions) > 0 {
+			var unhandledExts []asn1.ObjectIdentifier
+			for _, oid := range cert.UnhandledCriticalExtensions {
+				if !oid.Equal(cryptoutils.SANOID) {
+					unhandledExts = append(unhandledExts, oid)
+				}
+			}
+
+			cert.UnhandledCriticalExtensions = unhandledExts
+		}
+
 		if _, err := cert.Verify(x509.VerifyOptions{
 			Roots:         c.Roots,
 			Intermediates: c.Intermediates,

diff --git a/internal/fulcio/identity.go b/internal/fulcio/identity.go
@@ -99,7 +99,7 @@ func NewIdentity(ctx context.Context, cfg *config.Config, in io.Reader, out io.W
 
 	if cacheClient != nil {
 		if err := id.CacheCert(ctx, cacheClient); err != nil {
-			fmt.Fprintf(out, "error storing identity in cache: %v", err)
+			fmt.Fprintf(out, "error storing identity in cache: %v\n", err)
 		}
 	}