Skip to content

Commit

Permalink
Reorganizing verify_bundle.go based on pull request feedback
Browse files Browse the repository at this point in the history
Also align with #3879

Signed-off-by: Zach Steindler <[email protected]>
  • Loading branch information
steiza committed Sep 23, 2024
1 parent d38c01b commit d3222ee
Show file tree
Hide file tree
Showing 5 changed files with 242 additions and 164 deletions.
82 changes: 52 additions & 30 deletions cmd/cosign/cli/verify/verify_blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ import (
sigs "github.com/sigstore/cosign/v2/pkg/signature"

sgbundle "github.com/sigstore/sigstore-go/pkg/bundle"
"github.com/sigstore/sigstore-go/pkg/root"
"github.com/sigstore/sigstore/pkg/cryptoutils"
)

Expand Down Expand Up @@ -82,7 +83,7 @@ func (c *VerifyBlobCmd) loadTSACertificates(ctx context.Context) (*cosign.TSACer
}

// nolint
func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) (err error) {
// Require a certificate/key OR a local bundle file that has the cert.
if options.NOf(c.KeyRef, c.CertRef, c.Sk, c.BundlePath) == 0 {
return fmt.Errorf("provide a key with --key or --sk, a certificate to verify against with --certificate, or a bundle with --bundle")
Expand All @@ -93,33 +94,6 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
return &options.PubKeyParseError{}
}

if c.KeyOpts.NewBundleFormat {
if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SigRef, c.SCTRef) > 1 {
return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
}
b, err := sgbundle.LoadJSONFromPath(c.BundlePath)
if err != nil {
return err
}
_, err = verifyNewBundle(ctx, b, c.TrustedRootPath, c.KeyRef, c.Slot, c.CertVerifyOptions.CertOidcIssuer, c.CertVerifyOptions.CertOidcIssuerRegexp, c.CertVerifyOptions.CertIdentity, c.CertVerifyOptions.CertIdentityRegexp, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef, blobRef, c.Sk, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT)
if err == nil {
ui.Infof(ctx, "Verified OK")
}
return err
}

var cert *x509.Certificate
opts := make([]static.Option, 0)

sig, err := base64signature(c.SigRef, c.BundlePath)
if err != nil {
return err
}
sigBytes, err := base64.StdEncoding.DecodeString(sig)
if err != nil {
return err
}

co := &cosign.CheckOpts{
CertGithubWorkflowTrigger: c.CertGithubWorkflowTrigger,
CertGithubWorkflowSha: c.CertGithubWorkflowSHA,
Expand Down Expand Up @@ -152,7 +126,50 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
if err != nil {
return fmt.Errorf("loading public key from token: %w", err)
}
case c.CertRef != "":
}

var trustedroot *root.TrustedRoot
co.TrustedMaterial, trustedroot, err = makeTrustedMaterial(c.TrustedRootPath, &co.SigVerifier)
if err != nil {
return err
}

co.VerifierOptions = makeVerifierOptions(trustedroot, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT)

if c.KeyOpts.NewBundleFormat {
if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SigRef, c.SCTRef) > 1 {
return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
}
b, err := sgbundle.LoadJSONFromPath(c.BundlePath)
if err != nil {
return err
}

co.IdentityPolicies, err = makeIdentityPolicy(b, c.CertVerifyOptions, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef)
if err != nil {
return err
}

_, err = verifyNewBundle(b, co, blobRef)
if err == nil {
ui.Infof(ctx, "Verified OK")
}
return err
}

var cert *x509.Certificate
opts := make([]static.Option, 0)

sig, err := base64signature(c.SigRef, c.BundlePath)
if err != nil {
return err
}
sigBytes, err := base64.StdEncoding.DecodeString(sig)
if err != nil {
return err
}

if c.CertRef != "" {
cert, err = loadCertFromFileOrURL(c.CertRef)
if err != nil {
return err
Expand Down Expand Up @@ -228,7 +245,12 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
return err
}

_, err = verifyNewBundle(ctx, b, c.TrustedRootPath, c.KeyRef, c.Slot, c.CertVerifyOptions.CertOidcIssuer, c.CertVerifyOptions.CertOidcIssuerRegexp, c.CertVerifyOptions.CertIdentity, c.CertVerifyOptions.CertIdentityRegexp, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef, blobRef, c.Sk, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT)
co.IdentityPolicies, err = makeIdentityPolicy(b, c.CertVerifyOptions, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef)

if err != nil {
return err
}
_, err = verifyNewBundle(b, co, blobRef)
if err == nil {
ui.Infof(ctx, "Verified OK")
}
Expand Down
85 changes: 54 additions & 31 deletions cmd/cosign/cli/verify/verify_blob_attestation.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ import (
"github.com/sigstore/cosign/v2/pkg/policy"
sigs "github.com/sigstore/cosign/v2/pkg/signature"
sgbundle "github.com/sigstore/sigstore-go/pkg/bundle"
"github.com/sigstore/sigstore-go/pkg/root"
"github.com/sigstore/sigstore/pkg/cryptoutils"
)

Expand Down Expand Up @@ -94,36 +95,6 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
return &options.KeyParseError{}
}

if c.KeyOpts.NewBundleFormat {
if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SCTRef) > 1 {
return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
}
b, err := sgbundle.LoadJSONFromPath(c.BundlePath)
if err != nil {
return err
}
result, err := verifyNewBundle(ctx, b, c.TrustedRootPath, c.KeyRef, c.Slot, c.CertVerifyOptions.CertOidcIssuer, c.CertVerifyOptions.CertOidcIssuerRegexp, c.CertVerifyOptions.CertIdentity, c.CertVerifyOptions.CertIdentityRegexp, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef, artifactPath, c.Sk, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT)
if err != nil {
return err
}
if c.PredicateType != "" && result.Statement.GetPredicateType() != c.PredicateType {
return fmt.Errorf("invalid predicate type, expected %s got %s", c.PredicateType, result.Statement.GetPredicateType())
}
fmt.Fprintln(os.Stderr, "Verified OK")
return nil
}

var cert *x509.Certificate
opts := make([]static.Option, 0)

var encodedSig []byte
if c.SignaturePath != "" {
encodedSig, err = os.ReadFile(filepath.Clean(c.SignaturePath))
if err != nil {
return fmt.Errorf("reading %s: %w", c.SignaturePath, err)
}
}

co := &cosign.CheckOpts{
CertGithubWorkflowTrigger: c.CertGithubWorkflowTrigger,
CertGithubWorkflowSha: c.CertGithubWorkflowSHA,
Expand Down Expand Up @@ -156,6 +127,53 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
if err != nil {
return fmt.Errorf("loading public key from token: %w", err)
}
}

var trustedroot *root.TrustedRoot
co.TrustedMaterial, trustedroot, err = makeTrustedMaterial(c.TrustedRootPath, &co.SigVerifier)
if err != nil {
return err
}

co.VerifierOptions = makeVerifierOptions(trustedroot, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT)

if c.KeyOpts.NewBundleFormat {
if options.NOf(c.RFC3161TimestampPath, c.TSACertChainPath, c.RekorURL, c.CertChain, c.CARoots, c.CAIntermediates, c.CertRef, c.SCTRef) > 1 {
return fmt.Errorf("when using --new-bundle-format, please supply signed content with --bundle and verification content with --trusted-root")
}
b, err := sgbundle.LoadJSONFromPath(c.BundlePath)
if err != nil {
return err
}

co.IdentityPolicies, err = makeIdentityPolicy(b, c.CertVerifyOptions, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef)
if err != nil {
return err
}

result, err := verifyNewBundle(b, co, artifactPath)
if err != nil {
return err
}
if c.PredicateType != "" && result.Statement.GetPredicateType() != c.PredicateType {
return fmt.Errorf("invalid predicate type, expected %s got %s", c.PredicateType, result.Statement.GetPredicateType())
}
fmt.Fprintln(os.Stderr, "Verified OK")
return nil
}

var cert *x509.Certificate
opts := make([]static.Option, 0)

var encodedSig []byte
if c.SignaturePath != "" {
encodedSig, err = os.ReadFile(filepath.Clean(c.SignaturePath))
if err != nil {
return fmt.Errorf("reading %s: %w", c.SignaturePath, err)
}
}

switch {
case c.CertRef != "":
cert, err = loadCertFromFileOrURL(c.CertRef)
if err != nil {
Expand Down Expand Up @@ -246,7 +264,12 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
return err
}

result, err := verifyNewBundle(ctx, b, c.TrustedRootPath, c.KeyRef, c.Slot, c.CertVerifyOptions.CertOidcIssuer, c.CertVerifyOptions.CertOidcIssuerRegexp, c.CertVerifyOptions.CertIdentity, c.CertVerifyOptions.CertIdentityRegexp, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef, artifactPath, c.Sk, c.IgnoreTlog, c.UseSignedTimestamps, c.IgnoreSCT)
co.IdentityPolicies, err = makeIdentityPolicy(b, c.CertVerifyOptions, c.CertGithubWorkflowTrigger, c.CertGithubWorkflowSHA, c.CertGithubWorkflowName, c.CertGithubWorkflowRepository, c.CertGithubWorkflowRef)
if err != nil {
return err
}

result, err := verifyNewBundle(b, co, artifactPath)
if err != nil {
return err
}
Expand Down
Loading

0 comments on commit d3222ee

Please sign in to comment.