include only leaf certificate in bundle

Signed-off-by: Brian DeHamer <[email protected]>
sigstore · May 4, 2023 · ba6ec39 · ba6ec39
1 parent 151e9db
commit ba6ec39
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 10 deletions.
diff --git a/.changeset/few-buttons-share.md b/.changeset/few-buttons-share.md
@@ -0,0 +1,5 @@
+---
+'sigstore': minor
+---
+
+Generated bundle excludes Fulcio root and intermediate certificates
diff --git a/src/__tests__/ca/index.test.ts b/src/__tests__/ca/index.test.ts
@@ -81,7 +81,7 @@ tbn02XdfIl+ZhQqUZv88dgDB86bfKyoOokA7fagAEOulkquhKKoOxdOySQ==
           challenge
         );
 
-        expect(result).toEqual([leafCertificate, rootCertificate]);
+        expect(result).toEqual([leafCertificate]);
       });
     });
 

diff --git a/src/__tests__/sign.test.ts b/src/__tests__/sign.test.ts
@@ -177,13 +177,10 @@ describe('Signer', () => {
                 const chain =
                   bundle.verificationMaterial.content.x509CertificateChain;
                 expect(chain).toBeTruthy();
-                expect(chain.certificates).toHaveLength(2);
+                expect(chain.certificates).toHaveLength(1);
                 expect(chain.certificates[0].rawBytes).toEqual(
                   pem.toDER(leafCertificate)
                 );
-                expect(chain.certificates[1].rawBytes).toEqual(
-                  pem.toDER(rootCertificate)
-                );
               } else {
                 fail('Expected x509CertificateChain');
               }
@@ -269,13 +266,10 @@ describe('Signer', () => {
               const chain =
                 bundle.verificationMaterial.content.x509CertificateChain;
               expect(chain).toBeTruthy();
-              expect(chain.certificates).toHaveLength(2);
+              expect(chain.certificates).toHaveLength(1);
               expect(chain.certificates[0].rawBytes).toEqual(
                 pem.toDER(leafCertificate)
               );
-              expect(chain.certificates[1].rawBytes).toEqual(
-                pem.toDER(rootCertificate)
-              );
             } else {
               fail('Expected x509CertificateChain');
             }

diff --git a/src/ca/index.ts b/src/ca/index.ts
@@ -47,7 +47,13 @@ export class CAClient implements CA {
     try {
       const certificate = await this.fulcio.createSigningCertificate(request);
 
-      return certificate.signedCertificateEmbeddedSct.chain.certificates;
+      // Return the first certificate in the chain, which is the signing
+      // certificate. Specifically not returning the rest of the chain to
+      // mitigate the risk of errors when verifying the certificate chain.
+      return certificate.signedCertificateEmbeddedSct.chain.certificates.slice(
+        0,
+        1
+      );
     } catch (err) {
       throw new InternalError({
         code: 'CA_CREATE_SIGNING_CERTIFICATE_ERROR',
-Original file line number
+Diff line change
@@ Expand Up / @@ -81,7 +81,7 @@ tbn02XdfIl+ZhQqUZv88dgDB86bfKyoOokA7fagAEOulkquhKKoOxdOySQ== @@
               challenge
             );
-            expect(result).toEqual([leafCertificate, rootCertificate]);
+            expect(result).toEqual([leafCertificate]);
           });
         });
@@ Expand Down @@