
Add --ca-roots flag for 'cosign verify'
Add --ca-roots command-line flag for 'cosign verify'
to enable verifying cosign signatures using PEM bundles
of CA roots. Whether to also add a --ca-intermediates flag
is TBD. Unit tests will be added in the next commit(s).

Fixes sigstore#3462.

Signed-off-by: Dmitry S <[email protected]>
dmitris committed Jun 25, 2024
1 parent 6a97d53 commit fc354ca
Showing 10 changed files with 84 additions and 49 deletions.
10 changes: 5 additions & 5 deletions cmd/cosign/cli/options/certificate.go
Expand Up @@ -33,7 +33,7 @@ type CertVerifyOptions struct {
CertGithubWorkflowName string
CertGithubWorkflowRepository string
CertGithubWorkflowRef string
CertBundle string
CARoots string
CertChain string
SCT string
IgnoreSCT bool
Expand Down Expand Up @@ -76,18 +76,18 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.CertGithubWorkflowRef, "certificate-github-workflow-ref", "",
"contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.")
// -- Cert extensions end --
cmd.Flags().StringVar(&o.CertBundle, "certificate-bundle", "",
cmd.Flags().StringVar(&o.CARoots, "ca-roots", "",
"path to a bundle file of CA certificates in PEM format which will be needed "+
"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.")
_ = cmd.Flags().SetAnnotation("certificate-bundle", cobra.BashCompFilenameExt, []string{"cert"})
_ = cmd.Flags().SetAnnotation("ca-roots", cobra.BashCompFilenameExt, []string{"cert"})

cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
"path to a list of CA certificates in PEM format which will be needed "+
"when building the certificate chain for the signing certificate. "+
"Must start with the parent intermediate CA certificate of the "+
"signing certificate and end with the root certificate. Conflicts with --certificate-bundle.")
"signing certificate and end with the root certificate. Conflicts with --ca-roots.")
_ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
cmd.MarkFlagsMutuallyExclusive("certificate-bundle", "certificate-chain")
cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")

cmd.Flags().StringVar(&o.SCT, "sct", "",
"path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. "+
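Review bot: The help text kept on the renamed `StringVar(&o.CARoots, "ca-roots", ...)` line still reads as a description of the old `--certificate-bundle` role ("a bundle file of CA certificates ... needed when building the certificate chains"), but the verify command now adds every certificate from this file to `co.RootCerts`, so each entry becomes a trust anchor rather than chain-building material. That distinction matters for users who might drop intermediates into the bundle, so suggest stating it, e.g. `"path to a bundle file of CA root certificates in PEM format; every certificate in the bundle is treated as a trust anchor when verifying the signing certificate. Conflicts with --certificate-chain."`. The enclosing `AddFlags` method starts and ends outside the hunk.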
2 changes: 1 addition & 1 deletion cmd/cosign/cli/verify.go
Expand Up @@ -115,7 +115,7 @@ against the transparency log.`,
CertGithubWorkflowName: o.CertVerify.CertGithubWorkflowName,
CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
CertGithubWorkflowRef: o.CertVerify.CertGithubWorkflowRef,
CertBundle: o.CertVerify.CertBundle,
CARoots: o.CertVerify.CARoots,
CertChain: o.CertVerify.CertChain,
IgnoreSCT: o.CertVerify.IgnoreSCT,
SCTRef: o.CertVerify.SCT,
87 changes: 56 additions & 31 deletions cmd/cosign/cli/verify/verify.go
Expand Up @@ -59,7 +59,7 @@ type VerifyCommand struct {
CertGithubWorkflowName string
CertGithubWorkflowRepository string
CertGithubWorkflowRef string
CertBundle string
CARoots string
CertChain string
CertOidcProvider string
IgnoreSCT bool
Expand Down Expand Up @@ -174,29 +174,47 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
}
}
if keylessVerification(c.KeyRef, c.Sk) {
if c.CertChain != "" {
chain, err := loadCertChainFromFileOrURL(c.CertChain)
if err != nil {
return err
}
co.RootCerts = x509.NewCertPool()
co.RootCerts.AddCert(chain[len(chain)-1])
if len(chain) > 1 {
co.IntermediateCerts = x509.NewCertPool()
for _, cert := range chain[:len(chain)-1] {
co.IntermediateCerts.AddCert(cert)
switch {
case c.CertChain != "":
{
chain, err := loadCertChainFromFileOrURL(c.CertChain)
if err != nil {
return err
}
co.RootCerts = x509.NewCertPool()
co.RootCerts.AddCert(chain[len(chain)-1])
if len(chain) > 1 {
co.IntermediateCerts = x509.NewCertPool()
for _, cert := range chain[:len(chain)-1] {
co.IntermediateCerts.AddCert(cert)
}
}
}
} else {
// This performs an online fetch of the Fulcio roots. This is needed
// for verifying keyless certificates (both online and offline).
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
return fmt.Errorf("getting Fulcio roots: %w", err)
case c.CARoots != "":
{
caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
if err != nil {
return err
}
co.RootCerts = x509.NewCertPool()
if len(caRoots) > 0 {
for _, cert := range caRoots {
co.RootCerts.AddCert(cert)
}
}
}
co.IntermediateCerts, err = fulcio.GetIntermediates()
if err != nil {
return fmt.Errorf("getting Fulcio intermediates: %w", err)
default:
{
// This performs an online fetch of the Fulcio roots. This is needed
// for verifying keyless certificates (both online and offline).
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
return fmt.Errorf("getting Fulcio roots: %w", err)
}
co.IntermediateCerts, err = fulcio.GetIntermediates()
if err != nil {
return fmt.Errorf("getting Fulcio intermediates: %w", err)
}
}
}
}
Expand Down Expand Up @@ -238,8 +256,8 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
if err != nil {
return err
}
if c.CertChain == "" {
// If no certChain is passed, the Fulcio root certificate will be used
if c.CertChain == "" && c.CARoots == "" {
// If no certChain and no CARoots are passed, the Fulcio root certificate will be used
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
return fmt.Errorf("getting Fulcio roots: %w", err)
Expand All @@ -253,14 +271,21 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
return err
}
} else {
// Verify certificate with chain
chain, err := loadCertChainFromFileOrURL(c.CertChain)
if err != nil {
return err
}
pubKey, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co)
if err != nil {
return err
if c.CARoots == "" {
// Verify certificate with chain
chain, err := loadCertChainFromFileOrURL(c.CertChain)
if err != nil {
return err
}
pubKey, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co)
if err != nil {
return err
}
} else {
pubKey, err = cosign.ValidateAndUnpackCertWithCertPools(cert, co)
if err != nil {
return err
}
}
}
if c.SCTRef != "" {
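Review bot: In the new `case c.CARoots != "":` branch the `if len(caRoots) > 0` guard around the range loop is redundant (ranging over an empty slice already does nothing), and the condition it hides is the one worth handling: a bundle with no parseable certificates leaves `co.RootCerts` as an empty pool, so verification presumably fails later with a less specific error instead of pointing at the bundle; suggest `if len(caRoots) == 0 { return fmt.Errorf("no CA roots found in %s", c.CARoots) }` in its place. This assumes `loadCertChainFromFileOrURL` does not already reject an empty input; its body is not in the hunk. The branch also leaves `co.IntermediateCerts` untouched, so a signing certificate issued by an intermediate that is not itself in the bundle will not chain; since the commit message marks `--ca-intermediates` as TBD, a one-line comment on the branch recording that limitation would help the next reader. In the later hunk, `cosign.ValidateAndUnpackCertWithCertPools(cert, co)` relies on `co.RootCerts` having been filled by this `switch`, which only runs under `keylessVerification(c.KeyRef, c.Sk)`, so it is worth confirming every path that reaches the `--ca-roots` arm of the certificate check also passes through it. `Exec` begins and ends outside the hunks.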
4 changes: 2 additions & 2 deletions doc/cosign_dockerfile_verify.md


4 changes: 2 additions & 2 deletions doc/cosign_manifest_verify.md


4 changes: 2 additions & 2 deletions doc/cosign_verify-attestation.md


4 changes: 2 additions & 2 deletions doc/cosign_verify-blob-attestation.md


4 changes: 2 additions & 2 deletions doc/cosign_verify-blob.md


