Class: Sigstore::Policy::Identity

Inherits:
Object
Defined in:
lib/sigstore/policy.rb


Constructor Details

#initialize(identity:, issuer:) ⇒ Identity

Returns a new instance of Identity.



# File 'lib/sigstore/policy.rb', line 83

# Builds an identity policy: a certificate passes only when its issuer is
# accepted by either the OIDCIssuer or the OIDCIssuerV2 check for +issuer+
# (combined with AnyOf, so one of the two is enough) and one of its
# subjectAltName values is exactly equal to +identity+.
#
# @param identity [String] expected SAN value; compared with plain equality
# @param issuer [Object] expected OIDC issuer, passed unchanged to both issuer checks
def initialize(identity:, issuer:)
  @identity = identity
  # Both extension forms are built from the same issuer; AnyOf accepts whichever matches.
  issuer_checks = [OIDCIssuer, OIDCIssuerV2].map { |check| check.new(issuer) }
  @issuer = AnyOf.new(*issuer_checks)
end

Instance Method Details

#verify(cert) ⇒ Object



# File 'lib/sigstore/policy.rb', line 88

# Verifies +cert+ against this policy.
#
# The issuer check runs first and a non-verified issuer result is returned
# as-is. Only then is the subjectAltName extension consulted: the value of
# every SAN entry is compared with +@identity+ using plain equality, and the
# entry's type (email, URI, ...) is not taken into account.
#
# @param cert [Object] certificate responding to +extension(klass)+
# @return [VerificationSuccess, VerificationFailure] issuer failure, SAN
#   mismatch failure (with the actual SANs in its message), or success
# @raise [Error::InvalidCertificate] if the certificate has no SAN extension
def verify(cert)
  issuer_result = @issuer.verify(cert)
  return issuer_result unless issuer_result.verified?

  san_ext = cert.extension(Sigstore::Internal::X509::Extension::SubjectAlternativeName)
  raise Error::InvalidCertificate, "Certificate does not contain subjectAltName extension" unless san_ext

  names = san_ext.general_names
  # Each entry is a (type, value) pair; only the value is matched.
  matched = names.any? { |_type, value| value == @identity }
  return VerificationSuccess.new if matched

  VerificationFailure.new(
    "Certificate's SANs do not match #{@identity}; actual SANs: #{names}"
  )
end