Change username format, enforce identity format (#802)

* Change username format, enforce identity format

This updates the username type to avoid the username subject format
looking like an email. Fulcio will now specify the subject in the
OtherName SAN, and the format will use a ! instead of @.

This required some custom ASN.1 marshalling and unmarshalling, since
crypto/x509 does not support the OtherName SAN.

This also adds enforcement that email subjects match a basic email
regex format, and that other types do not look like emails.

Fixes #716

Signed-off-by: Hayden Blauzvern <[email protected]>

docs/oid-info.md

@@ -52,6 +52,11 @@ This contains the `ref` claim from the GitHub OIDC Identity token that contains
 the git ref that the workflow run was based upon.
 [(docs)][github-oidc-doc]
 
+### 1.3.6.1.4.1.57264.1.7 | OtherName SAN
+
+This specifies the username identity in the OtherName Subject Alternative Name, as
+defined by [RFC5280 4.2.1.6](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.6).
+
 <!-- References -->
 [github-oidc-doc]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token
 [oid-link]: http://oid-info.com/get/1.3.6.1.4.1.57264

docs/oidc.md

@@ -163,4 +163,4 @@ Additionally, the configuration must include `SubjectDomain`, for example `examp
 
 * The issuer in the configuration must partially match the domain in the configuration. The top level domain and second level domain must match. The user who updates the Fulcio configuration must also have control over both the issuer and domain configuration fields (Verified either manually or through an ACME-style challenge).
 
-`SubjectDomain` is appended to `sub` to form an email, `sub@SubjectDomain`, and included as a SAN email address.
+`SubjectDomain` is appended to `sub` to form an identity, `sub!SubjectDomain`, and included as an OtherName SAN.

go.mod

@@ -6,6 +6,7 @@ require (
 	cloud.google.com/go/security v1.8.0
 	github.com/PaesslerAG/jsonpath v0.1.1
 	github.com/ThalesIgnite/crypto11 v1.2.5
+	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d
 	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/fsnotify/fsnotify v1.5.4
 	github.com/goadesign/goa v2.2.5+incompatible

go.sum

@@ -181,6 +181,8 @@ github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a/go.mod h1:DAHtR1m6lCRdSC2Tm3DSWRPvIPr6xNKyeHdqDQSQT+A=
+github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d h1:Byv0BzEl3/e6D5CLfI0j/7hiIEtvGVFPCZ7Ei2oq8iQ=
+github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
 github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZoCYDt7FT0=
 github.com/aws/aws-sdk-go v1.19.18/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=

pkg/certificate/extensions.go

@@ -27,6 +27,7 @@ var (
 	OIDGitHubWorkflowName       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
 	OIDGitHubWorkflowRepository = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
 	OIDGitHubWorkflowRef        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
+	OIDOtherName                = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
 )
 
 // Extensions contains all custom x509 extensions defined by Fulcio

pkg/identity/email/principal.go

@@ -18,7 +18,9 @@ import (
 	"context"
 	"crypto/x509"
 	"errors"
+	"fmt"
 
+	"github.com/asaskevich/govalidator"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/sigstore/fulcio/pkg/certificate"
 	"github.com/sigstore/fulcio/pkg/config"
@@ -40,6 +42,10 @@ func PrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Pr
 		return nil, errors.New("email_verified claim was false")
 	}
 
+	if !govalidator.IsEmail(emailAddress) {
+		return nil, fmt.Errorf("email address is not valid")
+	}
+
 	cfg, ok := config.FromContext(ctx).GetIssuer(token.Issuer)
 	if !ok {
 		return nil, errors.New("invalid configuration for OIDC ID Token issuer")

pkg/identity/email/principal_test.go

@@ -144,6 +144,25 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			},
 			WantErr: true,
 		},
+		`Invalid email address should error`: {
+			Claims: map[string]interface{}{
+				"aud":            "sigstore",
+				"iss":            "https://iss.example.com",
+				"sub":            "doesntmatter",
+				"email":          "foo.com",
+				"email_verified": true,
+			},
+			Config: config.FulcioConfig{
+				OIDCIssuers: map[string]config.OIDCIssuer{
+					"https://iss.example.com": {
+						IssuerURL: "https://iss.example.com",
+						Type:      config.IssuerTypeEmail,
+						ClientID:  "sigstore",
+					},
+				},
+			},
+			WantErr: true,
+		},
 		`No issuer configured for token`: {
 			Claims: map[string]interface{}{
 				"aud":            "sigstore",

pkg/identity/uri/principal.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"net/url"
 
+	"github.com/asaskevich/govalidator"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/sigstore/fulcio/pkg/certificate"
 	"github.com/sigstore/fulcio/pkg/config"
@@ -40,6 +41,10 @@ func PrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Pr
 		return nil, errors.New("invalid configuration for OIDC ID Token issuer")
 	}
 
+	if govalidator.IsEmail(uriWithSubject) {
+		return nil, fmt.Errorf("uri subject should not be an email address")
+	}
+
 	// The subject hostname must exactly match the subject domain from the configuration
 	uSubject, err := url.Parse(uriWithSubject)
 	if err != nil {

pkg/identity/uri/principal_test.go

@@ -47,6 +47,10 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			Token:   &oidc.IDToken{Issuer: "https://notaccounts.example.com", Subject: "https://example.com/users/1"},
 			WantErr: true,
 		},
+		`Subject as an email address should error`: {
+			Token:   &oidc.IDToken{Issuer: "https://accounts.example.com", Subject: "[email protected]"},
+			WantErr: true,
+		},
 		`Incorrect subject domain hostname should error`: {
 			Token:   &oidc.IDToken{Issuer: "https://accounts.example.com", Subject: "https://notexample.com/users/1"},
 			WantErr: true,

pkg/identity/username/othername.go

@@ -0,0 +1,125 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package username
+
+import (
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+
+	"github.com/sigstore/fulcio/pkg/certificate"
+)
+
+// OtherName describes a name related to a certificate which is not in one
+// of the standard name formats. RFC 5280, 4.2.1.6:
+//
+//	OtherName ::= SEQUENCE {
+//	     type-id    OBJECT IDENTIFIER,
+//	     value      [0] EXPLICIT ANY DEFINED BY type-id }
+//
+// OtherName for Fulcio-issued certificates only supports UTF-8 strings as values.
+type OtherName struct {
+	ID    asn1.ObjectIdentifier
+	Value string `asn1:"utf8,explicit,tag:0"`
+}
+
+// MarshalSANS creates a Subject Alternative Name extension
+// with an OtherName sequence. RFC 5280, 4.2.1.6:
+//
+// SubjectAltName ::= GeneralNames
+// GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+// GeneralName ::= CHOICE {
+//
+//	otherName                       [0]     OtherName,
+//	... }
+func MarshalSANS(name string, critical bool) (*pkix.Extension, error) {
+	var rawValues []asn1.RawValue
+	o := OtherName{
+		ID:    certificate.OIDOtherName,
+		Value: name,
+	}
+	bytes, err := asn1.MarshalWithParams(o, "tag:0")
+	if err != nil {
+		return nil, err
+	}
+	rawValues = append(rawValues, asn1.RawValue{FullBytes: bytes})
+
+	sans, err := asn1.Marshal(rawValues)
+	if err != nil {
+		return nil, err
+	}
+	return &pkix.Extension{
+		Id:       asn1.ObjectIdentifier{2, 5, 29, 17},
+		Critical: critical,
+		Value:    sans,
+	}, nil
+}
+
+// UnmarshalSANs extracts a UTF-8 string from the OtherName
+// field in the Subject Alternative Name extension.
+func UnmarshalSANS(exts []pkix.Extension) (string, error) {
+	var otherNames []string
+
+	for _, e := range exts {
+		if !e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) {
+			continue
+		}
+
+		var seq asn1.RawValue
+		rest, err := asn1.Unmarshal(e.Value, &seq)
+		if err != nil {
+			return "", err
+		} else if len(rest) != 0 {
+			return "", fmt.Errorf("trailing data after X.509 extension")
+		}
+		if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
+			return "", asn1.StructuralError{Msg: "bad SAN sequence"}
+		}
+
+		rest = seq.Bytes
+		for len(rest) > 0 {
+			var v asn1.RawValue
+			rest, err = asn1.Unmarshal(rest, &v)
+			if err != nil {
+				return "", err
+			}
+
+			// skip all GeneralName fields except OtherName
+			if v.Tag != 0 {
+				continue
+			}
+
+			var other OtherName
+			_, err := asn1.UnmarshalWithParams(v.FullBytes, &other, "tag:0")
+			if err != nil {
+				return "", fmt.Errorf("could not parse requested OtherName SAN: %v", err)
+			}
+			if !other.ID.Equal(certificate.OIDOtherName) {
+				return "", fmt.Errorf("unexpected OID for OtherName, expected %v, got %v", certificate.OIDOtherName, other.ID)
+			}
+			otherNames = append(otherNames, other.Value)
+		}
+	}
+
+	if len(otherNames) == 0 {
+		return "", errors.New("no OtherName found")
+	}
+	if len(otherNames) != 1 {
+		return "", errors.New("expected only one OtherName")
+	}
+
+	return otherNames[0], nil
+}