From da79e4b01ce0a408b85f44cd36f96ff352ddb184 Mon Sep 17 00:00:00 2001 From: Aditya Sirish <8928778+adityasaky@users.noreply.github.com> Date: Mon, 21 Oct 2024 16:56:21 -0400 Subject: [PATCH] Fix unhandled extension issue for cached certs (#583) Signed-off-by: Aditya Sirish A Yelgundhalli --- internal/cache/client.go | 12 ++++++++++++ internal/fulcio/identity.go | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/internal/cache/client.go b/internal/cache/client.go index 824c594e..4685ad7c 100644 --- a/internal/cache/client.go +++ b/internal/cache/client.go @@ -18,6 +18,7 @@ import ( "context" "crypto" "crypto/x509" + "encoding/asn1" "fmt" "net/rpc" "os" @@ -59,6 +60,17 @@ func (c *Client) GetCredentials(_ context.Context, cfg *config.Config) (crypto.P } // There should really only be 1 cert, but check them all anyway. for _, cert := range certs { + if len(cert.UnhandledCriticalExtensions) > 0 { + var unhandledExts []asn1.ObjectIdentifier + for _, oid := range cert.UnhandledCriticalExtensions { + if !oid.Equal(cryptoutils.SANOID) { + unhandledExts = append(unhandledExts, oid) + } + } + + cert.UnhandledCriticalExtensions = unhandledExts + } + if _, err := cert.Verify(x509.VerifyOptions{ Roots: c.Roots, Intermediates: c.Intermediates, diff --git a/internal/fulcio/identity.go b/internal/fulcio/identity.go index 79748c87..6491eb7d 100644 --- a/internal/fulcio/identity.go +++ b/internal/fulcio/identity.go @@ -99,7 +99,7 @@ func NewIdentity(ctx context.Context, cfg *config.Config, in io.Reader, out io.W if cacheClient != nil { if err := id.CacheCert(ctx, cacheClient); err != nil { - fmt.Fprintf(out, "error storing identity in cache: %v", err) + fmt.Fprintf(out, "error storing identity in cache: %v\n", err) } }