1"use strict"; 2Object.defineProperty(exports, "__esModule", { value: true }); 3exports.verifyCertificate = exports.verifyPublicKey = void 0; 4/* 5Copyright 2023 The Sigstore Authors. 6 7Licensed under the Apache License, Version 2.0 (the "License"); 8you may not use this file except in compliance with the License. 9You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13Unless required by applicable law or agreed to in writing, software 14distributed under the License is distributed on an "AS IS" BASIS, 15WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16See the License for the specific language governing permissions and 17limitations under the License. 18*/ 19const core_1 = require("@sigstore/core"); 20const error_1 = require("../error"); 21const certificate_1 = require("./certificate"); 22const sct_1 = require("./sct"); 23const OID_FULCIO_ISSUER_V1 = '1.3.6.1.4.1.57264.1.1'; 24const OID_FULCIO_ISSUER_V2 = '1.3.6.1.4.1.57264.1.8'; 25function verifyPublicKey(hint, timestamps, trustMaterial) { 26 const key = trustMaterial.publicKey(hint); 27 timestamps.forEach((timestamp) => { 28 if (!key.validFor(timestamp)) { 29 throw new error_1.VerificationError({ 30 code: 'PUBLIC_KEY_ERROR', 31 message: `Public key is not valid for timestamp: ${timestamp.toISOString()}`, 32 }); 33 } 34 }); 35 return { key: key.publicKey }; 36} 37exports.verifyPublicKey = verifyPublicKey; 38function verifyCertificate(leaf, timestamps, trustMaterial) { 39 // Check that leaf certificate chains to a trusted CA 40 const path = (0, certificate_1.verifyCertificateChain)(leaf, trustMaterial.certificateAuthorities); 41 // Check that ALL certificates are valid for ALL of the timestamps 42 const validForDate = timestamps.every((timestamp) => path.every((cert) => cert.validForDate(timestamp))); 43 if (!validForDate) { 44 throw new error_1.VerificationError({ 45 code: 'CERTIFICATE_ERROR', 46 message: 'certificate is not valid or expired at the specified date', 47 }); 48 } 49 return { 50 scts: (0, sct_1.verifySCTs)(path[0], path[1], trustMaterial.ctlogs), 51 signer: getSigner(path[0]), 52 }; 53} 54exports.verifyCertificate = verifyCertificate; 55function getSigner(cert) { 56 let issuer; 57 const issuerExtension = cert.extension(OID_FULCIO_ISSUER_V2); 58 if (issuerExtension) { 59 issuer = issuerExtension.valueObj.subs?.[0]?.value.toString('ascii'); 60 } 61 else { 62 issuer = cert.extension(OID_FULCIO_ISSUER_V1)?.value.toString('ascii'); 63 } 64 const identity = { 65 extensions: { issuer }, 66 subjectAlternativeName: cert.subjectAltName, 67 }; 68 return { 69 key: core_1.crypto.createPublicKey(cert.publicKey), 70 identity, 71 }; 72} 73