Add flag to verify OIDC issuer in certificate (#1308)

This adds support for --cert-oidc-issuer. In combination with --cert-email, users should be able to verify and pin the expected identity of the Fulcio certificate. Also added certificate generation test utilities. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Jan 14, 2022 · 079e28d · 079e28d
1 parent 2c96cf3
commit 079e28d
Show file tree

Hide file tree

Showing 16 changed files with 320 additions and 35 deletions.
diff --git a/cmd/cosign/cli/dockerfile.go b/cmd/cosign/cli/dockerfile.go
@@ -90,6 +90,7 @@ Shell-like variables in the Dockerfile's FROM lines will be substituted with val
 					KeyRef:          o.Key,
 					CertRef:         o.CertVerify.Cert,
 					CertEmail:       o.CertVerify.CertEmail,
+					CertOidcIssuer:  o.CertVerify.CertOidcIssuer,
 					Sk:              o.SecurityKey.Use,
 					Slot:            o.SecurityKey.Slot,
 					Output:          o.Output,

diff --git a/cmd/cosign/cli/manifest.go b/cmd/cosign/cli/manifest.go
@@ -85,6 +85,7 @@ against the transparency log.`,
 					KeyRef:          o.Key,
 					CertRef:         o.CertVerify.Cert,
 					CertEmail:       o.CertVerify.CertEmail,
+					CertOidcIssuer:  o.CertVerify.CertOidcIssuer,
 					Sk:              o.SecurityKey.Use,
 					Slot:            o.SecurityKey.Slot,
 					Output:          o.Output,

diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
@@ -20,8 +20,9 @@ import (
 
 // CertVerifyOptions is the wrapper for certificate verification.
 type CertVerifyOptions struct {
-	Cert      string
-	CertEmail string
+	Cert           string
+	CertEmail      string
+	CertOidcIssuer string
 }
 
 var _ Interface = (*RekorOptions)(nil)
@@ -33,4 +34,7 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.CertEmail, "cert-email", "",
 		"the email expected in a valid Fulcio certificate")
+
+	cmd.Flags().StringVar(&o.CertOidcIssuer, "cert-oidc-issuer", "",
+		"the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
 }
diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -92,6 +92,7 @@ against the transparency log.`,
 				KeyRef:          o.Key,
 				CertRef:         o.CertVerify.Cert,
 				CertEmail:       o.CertVerify.CertEmail,
+				CertOidcIssuer:  o.CertVerify.CertOidcIssuer,
 				Sk:              o.SecurityKey.Use,
 				Slot:            o.SecurityKey.Slot,
 				Output:          o.Output,
@@ -161,6 +162,7 @@ against the transparency log.`,
 				CheckClaims:     o.CheckClaims,
 				CertRef:         o.CertVerify.Cert,
 				CertEmail:       o.CertVerify.CertEmail,
+				CertOidcIssuer:  o.CertVerify.CertOidcIssuer,
 				KeyRef:          o.Key,
 				Sk:              o.SecurityKey.Use,
 				Slot:            o.SecurityKey.Slot,
@@ -238,7 +240,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 				RekorURL: o.Rekor.URL,
 			}
 			if err := verify.VerifyBlobCmd(cmd.Context(), ko, o.CertVerify.Cert,
-				o.CertVerify.CertEmail, o.Signature, args[0]); err != nil {
+				o.CertVerify.CertEmail, o.CertVerify.CertOidcIssuer, o.Signature, args[0]); err != nil {
 				return errors.Wrapf(err, "verifying blob %s", args)
 			}
 			return nil

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -48,19 +48,20 @@ import (
 // nolint
 type VerifyCommand struct {
 	options.RegistryOptions
-	CheckClaims   bool
-	KeyRef        string
-	CertRef       string
-	CertEmail     string
-	Sk            bool
-	Slot          string
-	Output        string
-	RekorURL      string
-	Attachment    string
-	Annotations   sigs.AnnotationsMap
-	SignatureRef  string
-	HashAlgorithm crypto.Hash
-	LocalImage    bool
+	CheckClaims    bool
+	KeyRef         string
+	CertRef        string
+	CertEmail      string
+	CertOidcIssuer string
+	Sk             bool
+	Slot           string
+	Output         string
+	RekorURL       string
+	Attachment     string
+	Annotations    sigs.AnnotationsMap
+	SignatureRef   string
+	HashAlgorithm  crypto.Hash
+	LocalImage     bool
 }
 
 // Exec runs the verification command
@@ -92,6 +93,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		Annotations:        c.Annotations.Annotations,
 		RegistryClientOpts: ociremoteOpts,
 		CertEmail:          c.CertEmail,
+		CertOidcIssuer:     c.CertOidcIssuer,
 		SignatureRef:       c.SignatureRef,
 	}
 	if c.CheckClaims {

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -47,17 +47,18 @@ import (
 // nolint
 type VerifyAttestationCommand struct {
 	options.RegistryOptions
-	CheckClaims   bool
-	CertRef       string
-	CertEmail     string
-	KeyRef        string
-	Sk            bool
-	Slot          string
-	Output        string
-	RekorURL      string
-	PredicateType string
-	Policies      []string
-	LocalImage    bool
+	CheckClaims    bool
+	CertRef        string
+	CertEmail      string
+	CertOidcIssuer string
+	KeyRef         string
+	Sk             bool
+	Slot           string
+	Output         string
+	RekorURL       string
+	PredicateType  string
+	Policies       []string
+	LocalImage     bool
 }
 
 // Exec runs the verification command
@@ -77,6 +78,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 	co := &cosign.CheckOpts{
 		RegistryClientOpts: ociremoteOpts,
 		CertEmail:          c.CertEmail,
+		CertOidcIssuer:     c.CertOidcIssuer,
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.IntotoSubjectClaimVerifier

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -54,7 +54,7 @@ func isb64(data []byte) bool {
 }
 
 // nolint
-func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail, sigRef, blobRef string) error {
+func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail, certOidcIssuer, sigRef, blobRef string) error {
 	var verifier signature.Verifier
 	var cert *x509.Certificate
 
@@ -128,8 +128,9 @@ func VerifyBlobCmd(ctx context.Context, ko sign.KeyOpts, certRef, certEmail, sig
 		}
 
 		co := &cosign.CheckOpts{
-			RootCerts: fulcio.GetRoots(),
-			CertEmail: certEmail,
+			RootCerts:      fulcio.GetRoots(),
+			CertEmail:      certEmail,
+			CertOidcIssuer: certOidcIssuer,
 		}
 		cert = certs[0]
 		verifier, err = cosign.ValidateAndUnpackCert(cert, co)

diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md
diff --git a/doc/cosign_verify.md b/doc/cosign_verify.md
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -21,6 +21,7 @@ import (
 	"crypto/ecdsa"
 	"crypto/sha256"
 	"crypto/x509"
+	"encoding/asn1"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
@@ -75,6 +76,8 @@ type CheckOpts struct {
 	RootCerts *x509.CertPool
 	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
 	CertEmail string
+	// CertOidcIssuer is the OIDC issuer expected for a certificate to be valid. The empty string means any certificate can be valid.
+	CertOidcIssuer string
 
 	// SignatureRef is the reference to the signature file
 	SignatureRef string
@@ -160,6 +163,18 @@ func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Ver
 			return nil, errors.New("expected email not found in certificate")
 		}
 	}
+	if co.CertOidcIssuer != "" {
+		issuer := ""
+		for _, ext := range cert.Extensions {
+			if ext.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}) {
+				issuer = string(ext.Value)
+				break
+			}
+		}
+		if issuer != co.CertOidcIssuer {
+			return nil, errors.New("expected oidc issuer not found in certificate")
+		}
+	}
 	return verifier, nil
 }
 
@@ -697,7 +712,6 @@ func TrustedCert(cert *x509.Certificate, roots *x509.CertPool) error {
 		CurrentTime: cert.NotBefore,
 		Roots:       roots,
 		KeyUsages: []x509.ExtKeyUsage{
-			x509.ExtKeyUsage(x509.KeyUsageDigitalSignature),
 			x509.ExtKeyUsageCodeSigning,
 		},
 	}); err != nil {

diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
@@ -17,6 +17,7 @@ package cosign
 import (
 	"context"
 	"crypto"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
 	"io"
@@ -26,7 +27,9 @@ import (
 	"github.com/pkg/errors"
 	"github.com/secure-systems-lab/go-securesystemslib/dsse"
 	"github.com/sigstore/cosign/pkg/types"
+	"github.com/sigstore/cosign/test"
 	"github.com/sigstore/sigstore/pkg/signature"
+	"github.com/stretchr/testify/require"
 )
 
 type mockVerifier struct {
@@ -89,3 +92,107 @@ func Test_verifyOCIAttestation(t *testing.T) {
 		t.Error("verifyOCIAttestation() expected invalid payload type error, got nil")
 	}
 }
+
+func TestValidateAndUnpackCertSuccess(t *testing.T) {
+	subject := "email@email"
+	oidcIssuer := "https://accounts.google.com"
+
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	leafCert, _, _ := test.GenerateLeafCert(subject, oidcIssuer, rootCert, rootKey)
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	co := &CheckOpts{
+		RootCerts:      rootPool,
+		CertEmail:      subject,
+		CertOidcIssuer: oidcIssuer,
+	}
+
+	_, err := ValidateAndUnpackCert(leafCert, co)
+	if err != nil {
+		t.Errorf("ValidateAndUnpackCert expected no error, got err = %v", err)
+	}
+}
+
+func TestValidateAndUnpackCertSuccessAllowAllValues(t *testing.T) {
+	subject := "email@email"
+	oidcIssuer := "https://accounts.google.com"
+
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	leafCert, _, _ := test.GenerateLeafCert(subject, oidcIssuer, rootCert, rootKey)
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	co := &CheckOpts{
+		RootCerts: rootPool,
+	}
+
+	_, err := ValidateAndUnpackCert(leafCert, co)
+	if err != nil {
+		t.Errorf("ValidateAndUnpackCert expected no error, got err = %v", err)
+	}
+}
+
+func TestValidateAndUnpackCertInvalidRoot(t *testing.T) {
+	subject := "email@email"
+	oidcIssuer := "https://accounts.google.com"
+
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	leafCert, _, _ := test.GenerateLeafCert(subject, oidcIssuer, rootCert, rootKey)
+
+	otherRoot, _, _ := test.GenerateRootCa()
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(otherRoot)
+
+	co := &CheckOpts{
+		RootCerts:      rootPool,
+		CertEmail:      subject,
+		CertOidcIssuer: oidcIssuer,
+	}
+
+	_, err := ValidateAndUnpackCert(leafCert, co)
+	require.Contains(t, err.Error(), "certificate signed by unknown authority")
+}
+
+func TestValidateAndUnpackCertInvalidOidcIssuer(t *testing.T) {
+	subject := "email@email"
+	oidcIssuer := "https://accounts.google.com"
+
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	leafCert, _, _ := test.GenerateLeafCert(subject, oidcIssuer, rootCert, rootKey)
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	co := &CheckOpts{
+		RootCerts:      rootPool,
+		CertEmail:      subject,
+		CertOidcIssuer: "other",
+	}
+
+	_, err := ValidateAndUnpackCert(leafCert, co)
+	require.Contains(t, err.Error(), "expected oidc issuer not found in certificate")
+}
+
+func TestValidateAndUnpackCertInvalidEmail(t *testing.T) {
+	subject := "email@email"
+	oidcIssuer := "https://accounts.google.com"
+
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	leafCert, _, _ := test.GenerateLeafCert(subject, oidcIssuer, rootCert, rootKey)
+
+	rootPool := x509.NewCertPool()
+	rootPool.AddCert(rootCert)
+
+	co := &CheckOpts{
+		RootCerts:      rootPool,
+		CertEmail:      "other",
+		CertOidcIssuer: oidcIssuer,
+	}
+
+	_, err := ValidateAndUnpackCert(leafCert, co)
+	require.Contains(t, err.Error(), "expected email not found in certificate")
+}