Skip to content

Commit

Permalink
Add '--cert-identity' flag to support subject alternate names for ver… (
Browse files Browse the repository at this point in the history
sigstore#2278)

* Add '--cert-identity' flag to support subject alternate names for verification.

Signed-off-by: kpk47 <kkris@google.com>

* Fixing documentation

Signed-off-by: kpk47 <kkris@google.com>

* fix e2e test

Signed-off-by: kpk47 <kkris@google.com>

* Add '--cert-identity' flag to support subject alternate names for verification.

Signed-off-by: kpk47 <kkris@google.com>

* Fixing documentation

Signed-off-by: kpk47 <kkris@google.com>

* fix e2e test

Signed-off-by: kpk47 <kkris@google.com>

* fix unit test

Signed-off-by: kpk47 <kkris@google.com>

Signed-off-by: kpk47 <kkris@google.com>
  • Loading branch information
kpk47 authored Oct 11, 2022
1 parent 22d3468 commit d795dcb
Show file tree
Hide file tree
Showing 15 changed files with 209 additions and 23 deletions.
2 changes: 2 additions & 0 deletions cmd/cosign/cli/commands.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ func normalizeCertificateFlags(_ *pflag.FlagSet, name string) pflag.NormalizedNa
name = "certificate-oidc-issuer"
case "output-cert":
name = "output-certificate"
case "cert-identity":
name = "certificate-identity"
}
return pflag.NormalizedName(name)
}
Expand Down
4 changes: 4 additions & 0 deletions cmd/cosign/cli/options/certificate.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
type CertVerifyOptions struct {
Cert string
CertEmail string
CertIdentity string
CertOidcIssuer string
CertGithubWorkflowTrigger string
CertGithubWorkflowSha string
Expand All @@ -43,6 +44,9 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.CertEmail, "certificate-email", "",
"the email expected in a valid Fulcio certificate")

cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
"the identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs.")

cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
"the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")

Expand Down
4 changes: 3 additions & 1 deletion cmd/cosign/cli/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,7 @@ against the transparency log.`,
KeyRef: o.Key,
CertRef: o.CertVerify.Cert,
CertEmail: o.CertVerify.CertEmail,
CertIdentity: o.CertVerify.CertIdentity,
CertOidcIssuer: o.CertVerify.CertOidcIssuer,
CertGithubWorkflowTrigger: o.CertVerify.CertGithubWorkflowTrigger,
CertGithubWorkflowSha: o.CertVerify.CertGithubWorkflowSha,
Expand Down Expand Up @@ -181,6 +182,7 @@ against the transparency log.`,
CheckClaims: o.CheckClaims,
CertRef: o.CertVerify.Cert,
CertEmail: o.CertVerify.CertEmail,
CertIdentity: o.CertVerify.CertIdentity,
CertOidcIssuer: o.CertVerify.CertOidcIssuer,
CertChain: o.CertVerify.CertChain,
CertGithubWorkflowTrigger: o.CertVerify.CertGithubWorkflowTrigger,
Expand Down Expand Up @@ -264,7 +266,7 @@ The blob may be specified as a path to a file or - for stdin.`,
BundlePath: o.BundlePath,
}
if err := verify.VerifyBlobCmd(cmd.Context(), ko, o.CertVerify.Cert,
o.CertVerify.CertEmail, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain,
o.CertVerify.CertEmail, o.CertVerify.CertIdentity, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain,
o.Signature, args[0], o.CertVerify.CertGithubWorkflowTrigger, o.CertVerify.CertGithubWorkflowSha,
o.CertVerify.CertGithubWorkflowName, o.CertVerify.CertGithubWorkflowRepository, o.CertVerify.CertGithubWorkflowRef,
o.CertVerify.EnforceSCT); err != nil {
Expand Down
3 changes: 3 additions & 0 deletions cmd/cosign/cli/verify/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,13 +52,15 @@ type VerifyCommand struct {
KeyRef string
CertRef string
CertEmail string
CertIdentity string
CertOidcIssuer string
CertGithubWorkflowTrigger string
CertGithubWorkflowSha string
CertGithubWorkflowName string
CertGithubWorkflowRepository string
CertGithubWorkflowRef string
CertChain string
CertOidcProvider string
EnforceSCT bool
Sk bool
Slot string
Expand Down Expand Up @@ -100,6 +102,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
Annotations: c.Annotations.Annotations,
RegistryClientOpts: ociremoteOpts,
CertEmail: c.CertEmail,
CertIdentity: c.CertIdentity,
CertOidcIssuer: c.CertOidcIssuer,
CertGithubWorkflowTrigger: c.CertGithubWorkflowTrigger,
CertGithubWorkflowSha: c.CertGithubWorkflowSha,
Expand Down
2 changes: 2 additions & 0 deletions cmd/cosign/cli/verify/verify_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ type VerifyAttestationCommand struct {
KeyRef string
CertRef string
CertEmail string
CertIdentity string
CertOidcIssuer string
CertGithubWorkflowTrigger string
CertGithubWorkflowSha string
Expand Down Expand Up @@ -80,6 +81,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
co := &cosign.CheckOpts{
RegistryClientOpts: ociremoteOpts,
CertEmail: c.CertEmail,
CertIdentity: c.CertIdentity,
CertOidcIssuer: c.CertOidcIssuer,
CertGithubWorkflowTrigger: c.CertGithubWorkflowTrigger,
CertGithubWorkflowSha: c.CertGithubWorkflowSha,
Expand Down
3 changes: 2 additions & 1 deletion cmd/cosign/cli/verify/verify_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ func isb64(data []byte) bool {
}

// nolint
func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, certIdentity,
certOidcIssuer, certChain, sigRef, blobRef, certGithubWorkflowTrigger, certGithubWorkflowSha,
certGithubWorkflowName,
certGithubWorkflowRepository,
Expand All @@ -90,6 +90,7 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,

co := &cosign.CheckOpts{
CertEmail: certEmail,
CertIdentity: certIdentity,
CertOidcIssuer: certOidcIssuer,
CertGithubWorkflowTrigger: certGithubWorkflowTrigger,
CertGithubWorkflowSha: certGithubWorkflowSha,
Expand Down
14 changes: 13 additions & 1 deletion cmd/cosign/cli/verify/verify_blob_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -721,6 +721,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Cert is fetched from bundle
identity, /*certEmail*/
"", /*certIdentity*/
issuer, /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -765,6 +766,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Cert is fetched from bundle
"", /*certEmail*/
"", /*certIdentity*/
"", /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -803,6 +805,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Cert is fetched from bundle
"", /*certEmail*/
"", /*certIdentity*/
"", /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -841,6 +844,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Cert is fetched from bundle
"", /*certEmail*/
"", /*certIdentity*/
"", /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -879,6 +883,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Cert is fetched from bundle
"", /*certEmail*/
"", /*certIdentity*/
"", /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -917,6 +922,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Cert is fetched from bundle
"invalid@example.com", /*certEmail*/
"", /*certIdentity*/
issuer, /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand All @@ -925,7 +931,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
"", "", "", "", "",
// GitHub identity flags end
false /*enforceSCT*/)
if err == nil || !strings.Contains(err.Error(), "expected email not found in certificate") {
if err == nil || !strings.Contains(err.Error(), "expected identity not found in certificate") {
t.Fatalf("expected error with mismatched identity, got %v", err)
}
})
Expand Down Expand Up @@ -955,6 +961,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Cert is fetched from bundle
identity, /*certEmail*/
"", /*certIdentity*/
"invalid", /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -994,6 +1001,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
certPath, /*certRef*/
identity, /*certEmail*/
"", /*certIdentity*/
issuer, /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -1032,6 +1040,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/
identity, /*certEmail*/
"", /*certIdentity*/
issuer, /*certOidcIssuer*/
os.Getenv("SIGSTORE_ROOT_FILE"), /*certChain*/
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -1081,6 +1090,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/
identity, /*certEmail*/
"", /*certIdentity*/
issuer, /*certOidcIssuer*/
tmpChainFile.Name(), /*certChain*/
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -1126,6 +1136,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
certPath, /*certRef*/
identity, /*certEmail*/
"", /*certIdentity*/
issuer, /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down Expand Up @@ -1164,6 +1175,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
options.KeyOpts{BundlePath: bundlePath},
"", /*certRef*/ // Fetched from bundle
identity, /*certEmail*/
"", /*certIdentity*/
issuer, /*certOidcIssuer*/
"", /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
"", /*sigRef*/ // Sig is fetched from bundle
Expand Down
1 change: 1 addition & 0 deletions doc/cosign_dockerfile_verify.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_manifest_verify.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_verify-attestation.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_verify-blob.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_verify.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit d795dcb

Please sign in to comment.