
feat: verify certs are recorded in CT

Open laurentsimon opened this issue 2 years ago • 5 comments

We should try to turn on this option if possible, stapling or anything the server supports.

laurentsimon avatar Jan 27 '23 23:01 laurentsimon

We can do this. It requires regenerating some of the older testcases that didn't have SCT's added by default.

asraa avatar Jan 30 '23 19:01 asraa

I think we're talking about 2 different things and both have value :)

  1. When connecting to rekor, ensure the TLS connection verifies presence of the cert in the CT
  2. Verify the cert used by Sigstore (Rekor's cert used to sign the SET, leaf cert used to sign an attestation) has a CT entry

Correct?

laurentsimon avatar Jan 30 '23 19:01 laurentsimon

Oops, we are, I read this too fast :)

When connecting to rekor, ensure the TLS connection verifies presence of the cert in the CT

So this is ensuring the cert connection to TUF verifies the SCT?

asraa avatar Jan 30 '23 20:01 asraa

Yes. I'm realizing this may not be strictly necessary for verification, since TUF does not need TLS. Maybe better suited for the generator during OIDC <-> cert with Fulcio; it would ensure someone else cannot get the OIDC token. (I have another tracking issue in the other repo)

laurentsimon avatar Jan 30 '23 23:01 laurentsimon

Let's also add a comment in the code that CT is verified for leaf certs, as per https://github.com/sigstore/cosign/blob/5d2964c3d7cb33dada6e945aac2c80008780475d/pkg/cosign/verify.go#L237

laurentsimon avatar Feb 16 '23 19:02 laurentsimon
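An added illustration of the leaf-cert CT check discussed in this thread (example code, not slsa-verifier's or cosign's own): the SCT list is carried in the certificate as an X.509 extension, so a verifier can first confirm that the extension is present and non-empty before validating each SCT's signature against a trusted log key. The certificate, key and SCT bytes below are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)
// OID of the embedded SCT list extension (RFC 6962, section 3.3).
var oidSCT = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
// hasEmbeddedSCT reports whether the cert carries a non-empty SCT list. Presence
// is only the first step: each SCT's signature must still be checked against a
// trusted CT log key, which this helper does not do.
func hasEmbeddedSCT(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidSCT) {
			var sctList []byte // OCTET STRING wrapping the TLS-encoded list
			rest, err := asn1.Unmarshal(ext.Value, &sctList)
			return err == nil && len(rest) == 0 && len(sctList) > 0
		}
	}
	return false
}
// newSelfSignedLeaf builds a constructed test certificate; with withSCT set it
// embeds placeholder SCT bytes (constructed, not a real log-signed SCT).
func newSelfSignedLeaf(withSCT bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-leaf"},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(10 * time.Minute),
	}
	if withSCT {
		val, _ := asn1.Marshal([]byte{0x00, 0x04, 0x00, 0x02, 0xaa, 0xbb})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCT, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```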