feat: cert-extensions verify

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com> Co-authored-by: Christian Kotzbauer <@ckotzbauer1> Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
sigstore · Jun 3, 2022 · 7225580 · 7225580
1 parent ae90c74
commit 7225580
Show file tree

Hide file tree

Showing 16 changed files with 364 additions and 116 deletions.
diff --git a/cmd/cosign/cli/options/certextensions.go b/cmd/cosign/cli/options/certextensions.go
@@ -0,0 +1,53 @@
+//
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package options
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/spf13/cobra"
+
+	sigs "github.com/sigstore/cosign/pkg/signature"
+)
+
+// CertExtensionOptions is the top level wrapper for the annotations.
+type CertExtensionOptions struct {
+	CertExtensions []string
+}
+
+var _ Interface = (*CertExtensionOptions)(nil)
+
+func (o *CertExtensionOptions) CertExtensionsMap() (sigs.CertExtensionsMap, error) {
+	ce := sigs.CertExtensionsMap{}
+	for _, a := range o.CertExtensions {
+		kv := strings.Split(a, "=")
+		if len(kv) != 2 {
+			return ce, fmt.Errorf("unable to parse cert extension: %s", a)
+		}
+		if ce.CertExtensions == nil {
+			ce.CertExtensions = map[string]string{}
+		}
+		ce.CertExtensions[kv[0]] = kv[1]
+	}
+	return ce, nil
+}
+
+// AddFlags implements Interface
+func (o *CertExtensionOptions) AddFlags(cmd *cobra.Command) {
+	cmd.Flags().StringSliceVarP(&o.CertExtensions, "cert-extensions", "", nil,
+		"extra key=value pairs to verify")
+}
diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
@@ -20,11 +20,16 @@ import (
 
 // CertVerifyOptions is the wrapper for certificate verification.
 type CertVerifyOptions struct {
-	Cert           string
-	CertEmail      string
-	CertOidcIssuer string
-	CertChain      string
-	EnforceSCT     bool
+	Cert                         string
+	CertEmail                    string
+	CertOidcIssuer               string
+	CertGithubWorkflowTrigger    string
+	CertGithubWorkflowSha        string
+	CertGithubWorkflowName       string
+	CertGithubWorkflowRepository string
+	CertGithubWorkflowRef        string
+	CertChain                    string
+	EnforceSCT                   bool
 }
 
 var _ Interface = (*RekorOptions)(nil)
@@ -40,6 +45,23 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
 		"the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
 
+	// -- Cert extensions begin --
+	// Source: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
+	cmd.Flags().StringVar(&o.CertGithubWorkflowTrigger, "certificate-github-workflow-trigger", "",
+		"contains the event_name claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run")
+
+	cmd.Flags().StringVar(&o.CertGithubWorkflowSha, "certificate-github-workflow-sha", "",
+		"contains the sha claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon.")
+
+	cmd.Flags().StringVar(&o.CertGithubWorkflowName, "certificate-github-workflow-name", "",
+		"contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed workflow.")
+
+	cmd.Flags().StringVar(&o.CertGithubWorkflowRepository, "certificate-github-workflow-repository", "",
+		"contains the repository claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon")
+
+	cmd.Flags().StringVar(&o.CertGithubWorkflowRef, "certificate-github-workflow-ref", "",
+		"contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.")
+	// -- Cert extensions end --
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+

diff --git a/cmd/cosign/cli/policy_init.go b/cmd/cosign/cli/policy_init.go
@@ -202,7 +202,8 @@ func signPolicy() *cobra.Command {
 				return errors.New("error decoding certificate")
 			}
 			signerEmail := sigs.CertSubject(certs[0])
-			signerIssuer := sigs.CertIssuerExtension(certs[0])
+			ce := cosign.CertExtensions{Cert: certs[0]}
+			signerIssuer := ce.GetIssuer()
 
 			// Retrieve root.json from registry.
 			imgName := rootPath(o.ImageRef)

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -93,23 +93,28 @@ against the transparency log.`,
 			}
 
 			v := verify.VerifyCommand{
-				RegistryOptions: o.Registry,
-				CheckClaims:     o.CheckClaims,
-				KeyRef:          o.Key,
-				CertRef:         o.CertVerify.Cert,
-				CertEmail:       o.CertVerify.CertEmail,
-				CertOidcIssuer:  o.CertVerify.CertOidcIssuer,
-				CertChain:       o.CertVerify.CertChain,
-				EnforceSCT:      o.CertVerify.EnforceSCT,
-				Sk:              o.SecurityKey.Use,
-				Slot:            o.SecurityKey.Slot,
-				Output:          o.Output,
-				RekorURL:        o.Rekor.URL,
-				Attachment:      o.Attachment,
-				Annotations:     annotations,
-				HashAlgorithm:   hashAlgorithm,
-				SignatureRef:    o.SignatureRef,
-				LocalImage:      o.LocalImage,
+				RegistryOptions:              o.Registry,
+				CheckClaims:                  o.CheckClaims,
+				KeyRef:                       o.Key,
+				CertRef:                      o.CertVerify.Cert,
+				CertEmail:                    o.CertVerify.CertEmail,
+				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
+				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
+				CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,
+				CertGithubWorkflowName:       o.CertVerify.CertGithubWorkflowName,
+				CertGithubWorkflowRepository: o.CertVerify.CertGithubWorkflowRepository,
+				CertGithubWorkflowRef:        o.CertVerify.CertGithubWorkflowRef,
+				CertChain:                    o.CertVerify.CertChain,
+				EnforceSCT:                   o.CertVerify.EnforceSCT,
+				Sk:                           o.SecurityKey.Use,
+				Slot:                         o.SecurityKey.Slot,
+				Output:                       o.Output,
+				RekorURL:                     o.Rekor.URL,
+				Attachment:                   o.Attachment,
+				Annotations:                  annotations,
+				HashAlgorithm:                hashAlgorithm,
+				SignatureRef:                 o.SignatureRef,
+				LocalImage:                   o.LocalImage,
 			}
 
 			return v.Exec(cmd.Context(), args)

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -48,22 +48,27 @@ import (
 // nolint
 type VerifyCommand struct {
 	options.RegistryOptions
-	CheckClaims    bool
-	KeyRef         string
-	CertRef        string
-	CertEmail      string
-	CertOidcIssuer string
-	CertChain      string
-	EnforceSCT     bool
-	Sk             bool
-	Slot           string
-	Output         string
-	RekorURL       string
-	Attachment     string
-	Annotations    sigs.AnnotationsMap
-	SignatureRef   string
-	HashAlgorithm  crypto.Hash
-	LocalImage     bool
+	CheckClaims                  bool
+	KeyRef                       string
+	CertRef                      string
+	CertEmail                    string
+	CertOidcIssuer               string
+	CertGithubWorkflowTrigger    string
+	CertGithubWorkflowSha        string
+	CertGithubWorkflowName       string
+	CertGithubWorkflowRepository string
+	CertGithubWorkflowRef        string
+	CertChain                    string
+	EnforceSCT                   bool
+	Sk                           bool
+	Slot                         string
+	Output                       string
+	RekorURL                     string
+	Attachment                   string
+	Annotations                  sigs.AnnotationsMap
+	SignatureRef                 string
+	HashAlgorithm                crypto.Hash
+	LocalImage                   bool
 }
 
 // Exec runs the verification command
@@ -92,12 +97,17 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		return fmt.Errorf("constructing client options: %w", err)
 	}
 	co := &cosign.CheckOpts{
-		Annotations:        c.Annotations.Annotations,
-		RegistryClientOpts: ociremoteOpts,
-		CertEmail:          c.CertEmail,
-		CertOidcIssuer:     c.CertOidcIssuer,
-		EnforceSCT:         c.EnforceSCT,
-		SignatureRef:       c.SignatureRef,
+		Annotations:                  c.Annotations.Annotations,
+		RegistryClientOpts:           ociremoteOpts,
+		CertEmail:                    c.CertEmail,
+		CertOidcIssuer:               c.CertOidcIssuer,
+		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
+		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,
+		CertGithubWorkflowName:       c.CertGithubWorkflowName,
+		CertGithubWorkflowRepository: c.CertGithubWorkflowRepository,
+		CertGithubWorkflowRef:        c.CertGithubWorkflowRef,
+		EnforceSCT:                   c.EnforceSCT,
+		SignatureRef:                 c.SignatureRef,
 	}
 	if c.CheckClaims {
 		co.ClaimVerifier = cosign.SimpleClaimVerifier
@@ -233,8 +243,9 @@ func PrintVerification(imgRef string, verified []oci.Signature, output string) {
 	case "text":
 		for _, sig := range verified {
 			if cert, err := sig.Cert(); err == nil && cert != nil {
+				ce := cosign.CertExtensions{Cert: cert}
 				fmt.Fprintln(os.Stderr, "Certificate subject: ", sigs.CertSubject(cert))
-				if issuerURL := sigs.CertIssuerExtension(cert); issuerURL != "" {
+				if issuerURL := ce.GetIssuer(); issuerURL != "" {
 					fmt.Fprintln(os.Stderr, "Certificate issuer URL: ", issuerURL)
 				}
 			}
@@ -263,11 +274,12 @@ func PrintVerification(imgRef string, verified []oci.Signature, output string) {
 			}
 
 			if cert, err := sig.Cert(); err == nil && cert != nil {
+				ce := cosign.CertExtensions{Cert: cert}
 				if ss.Optional == nil {
 					ss.Optional = make(map[string]interface{})
 				}
 				ss.Optional["Subject"] = sigs.CertSubject(cert)
-				if issuerURL := sigs.CertIssuerExtension(cert); issuerURL != "" {
+				if issuerURL := ce.GetIssuer(); issuerURL != "" {
 					ss.Optional["Issuer"] = issuerURL
 				}
 			}

diff --git a/doc/cosign_dockerfile_verify.md b/doc/cosign_dockerfile_verify.md
diff --git a/doc/cosign_manifest_verify.md b/doc/cosign_manifest_verify.md
diff --git a/doc/cosign_verify-attestation.md b/doc/cosign_verify-attestation.md
diff --git a/doc/cosign_verify-blob.md b/doc/cosign_verify-blob.md