Support Fulcio certificate "chains" that just have a root

sigstore/sigstore-conformance#112 includes confromance tests with a mock Sigstore where there are no Fulcio intermediate certificates. Signed-off-by: Zach Steindler <[email protected]>
sigstore · Dec 11, 2023 · c67baca · c67baca
1 parent 6a8bf18
commit c67baca
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/pkg/verify/sct.go b/pkg/verify/sct.go
@@ -52,16 +52,21 @@ func VerifySignedCertificateTimestamp(leafCert *x509.Certificate, threshold int,
 		}
 
 		for _, fulcioCa := range fulcioCerts {
+			fulcioChain := make([]*ctx509.Certificate, len(certChain))
+			copy(fulcioChain, certChain)
+
+			var parentCert []byte
+
 			if len(fulcioCa.Intermediates) == 0 {
-				continue
+				parentCert = fulcioCa.Root.Raw
+			} else {
+				parentCert = fulcioCa.Intermediates[0].Raw
 			}
-			fulcioIssuer, err := ctx509.ParseCertificates(fulcioCa.Intermediates[0].Raw)
+
+			fulcioIssuer, err := ctx509.ParseCertificates(parentCert)
 			if err != nil {
 				continue
 			}
-
-			fulcioChain := make([]*ctx509.Certificate, len(certChain))
-			copy(fulcioChain, certChain)
 			fulcioChain = append(fulcioChain, fulcioIssuer...)
 
 			err = ctutil.VerifySCT(key.PublicKey, fulcioChain, sct, true)