Affected by GO-2025-4193 and 1 other vulnerabilities

GO-2025-4193: Fulcio allocates excessive memory during token parsing in github.com/sigstore/fulcio

GO-2026-4311: Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass in github.com/sigstore/fulcio

certificate

package

v1.0.0 Latest Latest Go to latest Published: Oct 17, 2022 License: Apache-2.0 Imports: 3 Imported by: 11

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/sigstore/fulcio

Links

Open Source Insights

Documentation ¶

Overview ¶

Package certificate contains helpers for getting data from Fulcio issued x509 certificates.

Index ¶

Variables
type Extensions
- func ParseExtensions(ext []pkix.Extension) (Extensions, error)
- func (e Extensions) Render() ([]pkix.Extension, error)

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	OIDIssuer                   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}
	OIDGitHubWorkflowTrigger    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 2}
	OIDGitHubWorkflowSHA        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 3}
	OIDGitHubWorkflowName       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 4}
	OIDGitHubWorkflowRepository = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
	OIDGitHubWorkflowRef        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
	OIDOtherName                = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
)

Functions ¶

This section is empty.

Types ¶

type Extensions ¶

type Extensions struct {

	// The OIDC issuer. Should match `iss` claim of ID token or, in the case of
	// a federated login like Dex it should match the issuer URL of the
	// upstream issuer. The issuer is not set the extensions are invalid and
	// will fail to render.
	Issuer string // OID 1.3.6.1.4.1.57264.1.1

	// Triggering event of the Github Workflow. Matches the `event_name` claim of ID
	// tokens from Github Actions
	GithubWorkflowTrigger string // OID 1.3.6.1.4.1.57264.1.2

	// SHA of git commit being built in Github Actions. Matches the `sha` claim of ID
	// tokens from Github Actions
	GithubWorkflowSHA string // OID 1.3.6.1.4.1.57264.1.3

	// Name of Github Actions Workflow. Matches the `workflow` claim of the ID
	// tokens from Github Actions
	GithubWorkflowName string // OID 1.3.6.1.4.1.57264.1.4

	// Repository of the Github Actions Workflow. Matches the `repository` claim of the ID
	// tokens from Github Actions
	GithubWorkflowRepository string // OID 1.3.6.1.4.1.57264.1.5

	// Git Ref of the Github Actions Workflow. Matches the `ref` claim of the ID tokens
	// from Github Actions
	GithubWorkflowRef string // 1.3.6.1.4.1.57264.1.6
}

Extensions contains all custom x509 extensions defined by Fulcio

func ParseExtensions ¶

func ParseExtensions(ext []pkix.Extension) (Extensions, error)

func (Extensions) Render ¶

func (e Extensions) Render() ([]pkix.Extension, error)

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL