require timestamping leaf certificate to be an end-entity #1416

Open
dxbjavid wants to merge 1 commit into sigstore:main from dxbjavid:leaf-end-entity

@dxbjavid

Contributor

verifyLeafCert and VerifyCertChain enforce that a timestamping leaf has a single critical timestamping EKU but never look at its basic constraints, so a certificate that asserts the CA bit while carrying that EKU is accepted as a TSA signer. crypto/x509 chain verification does not reject a CA certificate used as the leaf, so nothing else catches it, and that goes against RFC 3161 2.3 which expects the TSA certificate to be an end-entity and keeps certificate-issuing keys separate from timestamp-signing keys. This rejects a leaf whose basic constraints mark it as a CA in both the response-verification and issuance-chain paths.

Signed-off-by: Javid Khan <dxbjavid@gmail.com>
@dxbjavid dxbjavid requested a review from a team as a code owner June 30, 2026 12:58
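
The behaviour reported in the description above, reproduced as an added Go example (not the PR's code or the project's own): a leaf that carries the timestamping EKU and the CA bit passes `crypto/x509` path validation, and only an explicit basic-constraints check rejects it. `mustIssue` and `checkTSALeaf` are hypothetical names, and all certificates are constructed in memory.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustIssue (hypothetical fixture) builds a constructed certificate; a nil parent yields the self-signed root.
func mustIssue(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}
	if parent == nil { // root: certificate-signing key usage, no EKU restriction
		parent, signer, t.KeyUsage, t.ExtKeyUsage = t, key, x509.KeyUsageCertSign, nil
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// checkTSALeaf (hypothetical) returns the crypto/x509 path-validation result and, separately, the end-entity check.
func checkTSALeaf(leaf, root *x509.Certificate) (chainErr, eeErr error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, chainErr = leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}})
	if leaf.BasicConstraintsValid && leaf.IsCA { // leaf asserts the CA bit: not an end-entity
		eeErr = fmt.Errorf("timestamping leaf %q must not be a CA", leaf.Subject.CommonName)
	}
	return chainErr, eeErr
}

func main() {
	root, rootKey := mustIssue("constructed root", true, nil, nil)
	leaf, _ := mustIssue("constructed TSA with CA bit", true, root, rootKey)
	fmt.Println(checkTSALeaf(leaf, root)) // first value: chain result, second: end-entity check
}
```
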
@codecov

codecov Bot commented Jun 30, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 26.39%. Comparing base (6fd19b0) to head (4832d39).
⚠️ Report is 669 commits behind head on main.

Additional details and impacted files
@@             Coverage Diff             @@
##             main    #1416       +/-   ##
===========================================
- Coverage   52.85%   26.39%   -26.46%     
===========================================
  Files          20       55       +35     
  Lines        1209     3171     +1962     
===========================================
+ Hits          639      837      +198     
- Misses        509     2282     +1773     
+ Partials       61       52        -9     
