Skip to content

Commit

Permalink
address PR feedback
Browse files Browse the repository at this point in the history
* simplify switch statements (remove unnecessary brackets)
* reword help text for '--ca-roots' and '--ca-intermediates'
flags for clarity

Signed-off-by: Dmitry S <[email protected]>
  • Loading branch information
dmitris committed Feb 6, 2024
1 parent 88f72b9 commit 449147a
Show file tree
Hide file tree
Showing 2 changed files with 38 additions and 42 deletions.
4 changes: 3 additions & 1 deletion cmd/cosign/cli/options/certificate.go
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,9 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
// -- Cert extensions end --
cmd.Flags().StringVar(&o.CAIntermediates, "ca-intermediates", "",
"path to a file of intermediate CA certificates in PEM format which will be needed "+
"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.")
"when building the certificate chains for the signing certificate. "+
"The flag is optional, when used must be used together with --ca-roots, conflicts "+
"with --certificate-chain.")
_ = cmd.Flags().SetAnnotation("ca-intermediates", cobra.BashCompFilenameExt, []string{"cert"})
cmd.Flags().StringVar(&o.CARoots, "ca-roots", "",
"path to a bundle file of CA certificates in PEM format which will be needed "+
Expand Down
76 changes: 35 additions & 41 deletions cmd/cosign/cli/verify/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -181,57 +181,51 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
if keylessVerification(c.KeyRef, c.Sk) {
switch {
case c.CertChain != "":
{
chain, err := loadCertChainFromFileOrURL(c.CertChain)
if err != nil {
return err
}
co.RootCerts = x509.NewCertPool()
co.RootCerts.AddCert(chain[len(chain)-1])
if len(chain) > 1 {
co.IntermediateCerts = x509.NewCertPool()
for _, cert := range chain[:len(chain)-1] {
co.IntermediateCerts.AddCert(cert)
}
chain, err := loadCertChainFromFileOrURL(c.CertChain)
if err != nil {
return err
}
co.RootCerts = x509.NewCertPool()
co.RootCerts.AddCert(chain[len(chain)-1])
if len(chain) > 1 {
co.IntermediateCerts = x509.NewCertPool()
for _, cert := range chain[:len(chain)-1] {
co.IntermediateCerts.AddCert(cert)
}
}
case c.CARoots != "":
{
caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
if err != nil {
return err
}
co.RootCerts = x509.NewCertPool()
if len(caRoots) > 0 {
for _, cert := range caRoots {
co.RootCerts.AddCert(cert)
}
}
if c.CAIntermediates != "" {
caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
if err != nil {
return err
}
co.RootCerts = x509.NewCertPool()
if len(caRoots) > 0 {
for _, cert := range caRoots {
co.RootCerts.AddCert(cert)
}
}
if c.CAIntermediates != "" {
caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
if err != nil {
return err
}
if len(caIntermediates) > 0 {
co.IntermediateCerts = x509.NewCertPool()
for _, cert := range caIntermediates {
co.IntermediateCerts.AddCert(cert)
}
if len(caIntermediates) > 0 {
co.IntermediateCerts = x509.NewCertPool()
for _, cert := range caIntermediates {
co.IntermediateCerts.AddCert(cert)
}
}
}
default:
{
// This performs an online fetch of the Fulcio roots. This is needed
// for verifying keyless certificates (both online and offline).
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
return fmt.Errorf("getting Fulcio roots: %w", err)
}
co.IntermediateCerts, err = fulcio.GetIntermediates()
if err != nil {
return fmt.Errorf("getting Fulcio intermediates: %w", err)
}
// This performs an online fetch of the Fulcio roots from a TUF repository.
// This is needed for verifying keyless certificates (both online and offline).
co.RootCerts, err = fulcio.GetRoots()
if err != nil {
return fmt.Errorf("getting Fulcio roots: %w", err)
}
co.IntermediateCerts, err = fulcio.GetIntermediates()
if err != nil {
return fmt.Errorf("getting Fulcio intermediates: %w", err)
}
}
}
Expand Down

0 comments on commit 449147a

Please sign in to comment.