Class X509Extensions

Namespace
Sigstore.Crypto
Assembly
Sigstore.dll

Helpers for reading Sigstore/Fulcio-specific X.509 extensions. OID semantics are documented in Fulcio's oid-info document.

public static class X509Extensions
Inheritance
X509Extensions
Fields

FulcioOtherNameOid

OtherName SAN type OID used by Fulcio for workload identities.

public const string FulcioOtherNameOid = "1.3.6.1.4.1.57264.1.7"

Field Value

string

OidcIssuerOid

Fulcio OID for OIDC issuer (RFC 5280 extension value, UTF-8 string).

public const string OidcIssuerOid = "1.3.6.1.4.1.57264.1.8"

Field Value

string

OidcIssuerOidLegacy

Fulcio OID for OIDC issuer (legacy string form).

public const string OidcIssuerOidLegacy = "1.3.6.1.4.1.57264.1.1"

Field Value

string

OidcTokenSubjectOid

Fulcio OID for raw OIDC token sub claim (UTF-8 string).

public const string OidcTokenSubjectOid = "1.3.6.1.4.1.57264.1.24"

Field Value

string

Methods

GetSubjectAlternativeNameUris(X509Certificate2)

Collects URI values from the Subject Alternative Name extension. Includes both standard URI SANs and Fulcio OtherName SANs (OID 1.3.6.1.4.1.57264.1.7).

public static IReadOnlyList<string> GetSubjectAlternativeNameUris(X509Certificate2 certificate)

Parameters

certificate X509Certificate2

Certificate to inspect.

Returns

IReadOnlyList<string>

URIs present in the SAN extension.

TryGetFulcioStringExtension(X509Certificate2, string, out string)

Attempts to read a UTF-8 string from a Fulcio custom extension (OIDs ending in .8 and .24).

public static bool TryGetFulcioStringExtension(X509Certificate2 certificate, string oidValue, out string value)

Parameters

certificate X509Certificate2

Certificate to inspect.

oidValue string

Dot-notation OID.

value string

Decoded string when present.

Returns

bool

true when the extension exists and could be decoded.

TryGetPrimaryIdentityUri(X509Certificate2, out string)

Returns the first URI identity string suitable for comparing against --certificate-identity.

public static bool TryGetPrimaryIdentityUri(X509Certificate2 certificate, out string identity)

Parameters

certificate X509Certificate2

Leaf certificate.

identity string

SAN URI or empty.

Returns

bool

true when a URI SAN exists.
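
Example (added here, not part of the Sigstore library or its documentation): a fail-closed identity check built on the members documented above, comparing the SAN identity and the OIDC issuer against expected values. The class name IdentityPolicyExample, the Matches and BuildSampleLeaf helpers, the "exactly one URI" rule and the sample certificate values are constructed for illustration; it is assumed that TryGetFulcioStringExtension decodes a DER-encoded UTF8String for the .1.8 issuer OID.

```csharp
using System;
using System.Formats.Asn1;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Sigstore.Crypto; // assumption: the Sigstore.dll assembly documented on this page is referenced

static class IdentityPolicyExample
{
    // Fail closed: accept only an exact identity and issuer match on an unambiguous certificate.
    public static bool Matches(X509Certificate2 leaf, string expectedIdentity, string expectedIssuer)
    {
        var uris = X509Extensions.GetSubjectAlternativeNameUris(leaf);
        if (uris.Count != 1)
            return false; // policy choice of this example: reject zero or several identities
        // Only the current issuer OID (.1.8) is read; a certificate carrying just the
        // legacy .1.1 form is rejected here rather than decoded by other means.
        if (!X509Extensions.TryGetFulcioStringExtension(leaf, X509Extensions.OidcIssuerOid, out string issuer))
            return false;
        return string.Equals(uris[0], expectedIdentity, StringComparison.Ordinal)
            && string.Equals(issuer, expectedIssuer, StringComparison.Ordinal);
    }

    // Constructed sample input: a self-signed certificate shaped like a Fulcio leaf.
    public static X509Certificate2 BuildSampleLeaf(string identityUri, string issuerUrl)
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest("CN=constructed-sample", key, HashAlgorithmName.SHA256);
        var san = new SubjectAlternativeNameBuilder();
        san.AddUri(new Uri(identityUri));
        request.CertificateExtensions.Add(san.Build(critical: true));
        var writer = new AsnWriter(AsnEncodingRules.DER); // issuer value as a DER UTF8String
        writer.WriteCharacterString(UniversalTagNumber.UTF8String, issuerUrl);
        request.CertificateExtensions.Add(
            new X509Extension(X509Extensions.OidcIssuerOid, writer.Encode(), critical: false));
        DateTimeOffset now = DateTimeOffset.UtcNow;
        return request.CreateSelfSigned(now.AddMinutes(-1), now.AddMinutes(10));
    }

    public static void Main()
    {
        const string identity = "https://example.com/constructed/workflow.yml@refs/heads/main";
        const string issuer = "https://issuer.example.com";
        using X509Certificate2 leaf = BuildSampleLeaf(identity, issuer);
        Console.WriteLine(Matches(leaf, identity, issuer));
        Console.WriteLine(Matches(leaf, identity, "https://other-issuer.example.com"));
    }
}
```

The check covers identity matching only; chain validation and signature verification of the leaf happen separately and must succeed before its extensions are trusted.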