Add '--cert-identity' flag to support subject alternate names for ver… (

sigstore#2278)

* Add '--cert-identity' flag to support subject alternate names for verification.

Signed-off-by: kpk47 <kkris@google.com>

* Fixing documentation

Signed-off-by: kpk47 <kkris@google.com>

* fix e2e test

Signed-off-by: kpk47 <kkris@google.com>

* Add '--cert-identity' flag to support subject alternate names for verification.

Signed-off-by: kpk47 <kkris@google.com>

* Fixing documentation

Signed-off-by: kpk47 <kkris@google.com>

* fix e2e test

Signed-off-by: kpk47 <kkris@google.com>

* fix unit test

Signed-off-by: kpk47 <kkris@google.com>

Signed-off-by: kpk47 <kkris@google.com>

cmd/cosign/cli/commands.go

@@ -45,6 +45,8 @@ func normalizeCertificateFlags(_ *pflag.FlagSet, name string) pflag.NormalizedNa
 		name = "certificate-oidc-issuer"
 	case "output-cert":
 		name = "output-certificate"
+	case "cert-identity":
+		name = "certificate-identity"
 	}
 	return pflag.NormalizedName(name)
 }

cmd/cosign/cli/options/certificate.go

@@ -22,6 +22,7 @@ import (
 type CertVerifyOptions struct {
 	Cert                         string
 	CertEmail                    string
+	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
@@ -43,6 +44,9 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.CertEmail, "certificate-email", "",
 		"the email expected in a valid Fulcio certificate")
 
+	cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
+		"the identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs.")
+
 	cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
 		"the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
 

cmd/cosign/cli/verify.go

@@ -98,6 +98,7 @@ against the transparency log.`,
 				KeyRef:                       o.Key,
 				CertRef:                      o.CertVerify.Cert,
 				CertEmail:                    o.CertVerify.CertEmail,
+				CertIdentity:                 o.CertVerify.CertIdentity,
 				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 				CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,
@@ -181,6 +182,7 @@ against the transparency log.`,
 				CheckClaims:                  o.CheckClaims,
 				CertRef:                      o.CertVerify.Cert,
 				CertEmail:                    o.CertVerify.CertEmail,
+				CertIdentity:                 o.CertVerify.CertIdentity,
 				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertChain:                    o.CertVerify.CertChain,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
@@ -264,7 +266,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 				BundlePath: o.BundlePath,
 			}
 			if err := verify.VerifyBlobCmd(cmd.Context(), ko, o.CertVerify.Cert,
-				o.CertVerify.CertEmail, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain,
+				o.CertVerify.CertEmail, o.CertVerify.CertIdentity, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain,
 				o.Signature, args[0], o.CertVerify.CertGithubWorkflowTrigger, o.CertVerify.CertGithubWorkflowSha,
 				o.CertVerify.CertGithubWorkflowName, o.CertVerify.CertGithubWorkflowRepository, o.CertVerify.CertGithubWorkflowRef,
 				o.CertVerify.EnforceSCT); err != nil {

cmd/cosign/cli/verify/verify.go

@@ -52,13 +52,15 @@ type VerifyCommand struct {
 	KeyRef                       string
 	CertRef                      string
 	CertEmail                    string
+	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
 	CertGithubWorkflowName       string
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
 	CertChain                    string
+	CertOidcProvider             string
 	EnforceSCT                   bool
 	Sk                           bool
 	Slot                         string
@@ -100,6 +102,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		Annotations:                  c.Annotations.Annotations,
 		RegistryClientOpts:           ociremoteOpts,
 		CertEmail:                    c.CertEmail,
+		CertIdentity:                 c.CertIdentity,
 		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,

cmd/cosign/cli/verify/verify_attestation.go

@@ -46,6 +46,7 @@ type VerifyAttestationCommand struct {
 	KeyRef                       string
 	CertRef                      string
 	CertEmail                    string
+	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
@@ -80,6 +81,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 	co := &cosign.CheckOpts{
 		RegistryClientOpts:           ociremoteOpts,
 		CertEmail:                    c.CertEmail,
+		CertIdentity:                 c.CertIdentity,
 		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,

cmd/cosign/cli/verify/verify_blob.go

@@ -66,7 +66,7 @@ func isb64(data []byte) bool {
 }
 
 // nolint
-func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
+func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, certIdentity,
 	certOidcIssuer, certChain, sigRef, blobRef, certGithubWorkflowTrigger, certGithubWorkflowSha,
 	certGithubWorkflowName,
 	certGithubWorkflowRepository,
@@ -90,6 +90,7 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
 
 	co := &cosign.CheckOpts{
 		CertEmail:                    certEmail,
+		CertIdentity:                 certIdentity,
 		CertOidcIssuer:               certOidcIssuer,
 		CertGithubWorkflowTrigger:    certGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        certGithubWorkflowSha,

cmd/cosign/cli/verify/verify_blob_test.go

@@ -721,6 +721,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -765,6 +766,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -803,6 +805,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -841,6 +844,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -879,6 +883,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -917,6 +922,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",                    /*certRef*/ // Cert is fetched from bundle
 			"invalid@example.com", /*certEmail*/
+			"",                    /*certIdentity*/
 			issuer,                /*certOidcIssuer*/
 			"",                    /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",                    /*sigRef*/    // Sig is fetched from bundle
@@ -925,7 +931,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			"", "", "", "", "",
 			// GitHub identity flags end
 			false /*enforceSCT*/)
-		if err == nil || !strings.Contains(err.Error(), "expected email not found in certificate") {
+		if err == nil || !strings.Contains(err.Error(), "expected identity not found in certificate") {
 			t.Fatalf("expected error with mismatched identity, got %v", err)
 		}
 	})
@@ -955,6 +961,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",        /*certRef*/ // Cert is fetched from bundle
 			identity,  /*certEmail*/
+			"",        /*certIdentity*/
 			"invalid", /*certOidcIssuer*/
 			"",        /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",        /*sigRef*/    // Sig is fetched from bundle
@@ -994,6 +1001,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			certPath, /*certRef*/
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -1032,6 +1040,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",                              /*certRef*/
 			identity,                        /*certEmail*/
+			"",                              /*certIdentity*/
 			issuer,                          /*certOidcIssuer*/
 			os.Getenv("SIGSTORE_ROOT_FILE"), /*certChain*/
 			"",                              /*sigRef*/ // Sig is fetched from bundle
@@ -1081,6 +1090,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",                  /*certRef*/
 			identity,            /*certEmail*/
+			"",                  /*certIdentity*/
 			issuer,              /*certOidcIssuer*/
 			tmpChainFile.Name(), /*certChain*/
 			"",                  /*sigRef*/ // Sig is fetched from bundle
@@ -1126,6 +1136,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			certPath, /*certRef*/
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -1164,6 +1175,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Fetched from bundle
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle