Add --ca-intermediates flag

Add --ca-intermediates flag to enable to pass a PEM file with intermediate CA certificates. One can use either --ca-roots, optionally together with --ca-intermediates - or --certificate-chain, which contains zero, one or several intermediate CA certificate followed by the root CA certificate. Expand the helper Go program test/gencert/main.go to allow to generate root and intermediate CA certificates, and a certificate signed by the intermediate CA. Expand the functional test e2e_tsa_certbundle.sh to test the --ca-intermediates flag (together with --ca-roots). Fixed sigstore#3462. Signed-off-by: Dmitry S <[email protected]>
dmitris · Jun 18, 2024 · a12ab9e · a12ab9e
1 parent da897e9
commit a12ab9e
Show file tree

Hide file tree

Showing 13 changed files with 391 additions and 52 deletions.
diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
@@ -33,6 +33,7 @@ type CertVerifyOptions struct {
 	CertGithubWorkflowName       string
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
+	CAIntermediates              string
 	CARoots                      string
 	CertChain                    string
 	SCT                          string
@@ -76,6 +77,10 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.CertGithubWorkflowRef, "certificate-github-workflow-ref", "",
 		"contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.")
 	// -- Cert extensions end --
+	cmd.Flags().StringVar(&o.CAIntermediates, "ca-intermediates", "",
+		"path to a file of intermediate CA certificates in PEM format which will be needed "+
+			"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.")
+	_ = cmd.Flags().SetAnnotation("ca-intermediates", cobra.BashCompFilenameExt, []string{"cert"})
 	cmd.Flags().StringVar(&o.CARoots, "ca-roots", "",
 		"path to a bundle file of CA certificates in PEM format which will be needed "+
 			"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.")
@@ -85,9 +90,10 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 		"path to a list of CA certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
-			"signing certificate and end with the root certificate. Conflicts with --ca-roots.")
+			"signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.")
 	_ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
 	cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")
+	cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain")
 
 	cmd.Flags().StringVar(&o.SCT, "sct", "",
 		"path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. "+

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -62,6 +62,10 @@ against the transparency log.`,
   # verify image with local certificate and certificate chain
   cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE>
 
+  # verify image with local certificate and certificate bundles of CA roots
+  # and (optionally) CA intermediates
+  cosign verify --cert cosign.crt --ca-roots ca-roots.pem --ca-intermediates ca-intermediates.pem <IMAGE>
+
   # verify image using keyless verification with the given certificate
   # chain and identity parameters, without Fulcio roots (for BYO PKI):
   cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] <IMAGE>
@@ -115,6 +119,7 @@ against the transparency log.`,
 				CertGithubWorkflowName:       o.CertVerify.CertGithubWorkflowName,
 				CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
 				CertGithubWorkflowRef:        o.CertVerify.CertGithubWorkflowRef,
+				CAIntermediates:              o.CertVerify.CAIntermediates,
 				CARoots:                      o.CertVerify.CARoots,
 				CertChain:                    o.CertVerify.CertChain,
 				IgnoreSCT:                    o.CertVerify.IgnoreSCT,

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -60,6 +60,7 @@ type VerifyCommand struct {
 	CertGithubWorkflowName       string
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
+	CAIntermediates              string
 	CARoots                      string
 	CertChain                    string
 	CertOidcProvider             string
@@ -206,6 +207,18 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 						co.RootCerts.AddCert(cert)
 					}
 				}
+				if c.CAIntermediates != "" {
+					caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
+					if err != nil {
+						return err
+					}
+					if len(caIntermediates) > 0 {
+						co.IntermediateCerts = x509.NewCertPool()
+						for _, cert := range caIntermediates {
+							co.IntermediateCerts.AddCert(cert)
+						}
+					}
+				}
 			}
 		default:
 			{

diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
diff --git a/doc/cosign_verify-blob-attestation.md b/doc/cosign_verify-blob-attestation.md
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md