factor out keyless verification helper function

cmd/cosign/cli/verify/verify.go

@@ -175,54 +175,8 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		}
 	}
 	if keylessVerification(c.KeyRef, c.Sk) {
-		switch {
-		case c.CertChain != "":
-			chain, err := loadCertChainFromFileOrURL(c.CertChain)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			co.RootCerts.AddCert(chain[len(chain)-1])
-			if len(chain) > 1 {
-				co.IntermediateCerts = x509.NewCertPool()
-				for _, cert := range chain[:len(chain)-1] {
-					co.IntermediateCerts.AddCert(cert)
-				}
-			}
-		case c.CARoots != "":
-			caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			if len(caRoots) > 0 {
-				for _, cert := range caRoots {
-					co.RootCerts.AddCert(cert)
-				}
-			}
-			if c.CAIntermediates != "" {
-				caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
-				if err != nil {
-					return err
-				}
-				if len(caIntermediates) > 0 {
-					co.IntermediateCerts = x509.NewCertPool()
-					for _, cert := range caIntermediates {
-						co.IntermediateCerts.AddCert(cert)
-					}
-				}
-			}
-		default:
-			// This performs an online fetch of the Fulcio roots from a TUF repository.
-			// This is needed for verifying keyless certificates (both online and offline).
-			co.RootCerts, err = fulcio.GetRoots()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio roots: %w", err)
-			}
-			co.IntermediateCerts, err = fulcio.GetIntermediates()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio intermediates: %w", err)
-			}
+		if err := handleKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+			return err
 		}
 	}
 	keyRef := c.KeyRef
@@ -556,3 +510,69 @@ func shouldVerifySCT(ignoreSCT bool, keyRef string, sk bool) bool {
 	}
 	return true
 }
+
+// handleKeylessVerification handles the verification of keyless signatures
+// for verify commands.
+//
+// (TODO(dmitris) - mention verify, verify-attestation, verify-blob, verify-blob-attestation
+// commands when they are extended to call this function).
+//
+// The co *cosign.CheckOpts is both input and output parameter - it gets updated
+// with the root and intermediate certificates needed for verification.
+// If both certChain and caRootsFile are empty strings, the Fulcio roots are loaded.
+func handleKeylessVerification(certChain string,
+	caRootsFile string,
+	caIntermediatesFile string,
+	co *cosign.CheckOpts) error {
+	var err error
+	switch {
+	case certChain != "":
+		chain, err := loadCertChainFromFileOrURL(certChain)
+		if err != nil {
+			return err
+		}
+		co.RootCerts = x509.NewCertPool()
+		co.RootCerts.AddCert(chain[len(chain)-1])
+		if len(chain) > 1 {
+			co.IntermediateCerts = x509.NewCertPool()
+			for _, cert := range chain[:len(chain)-1] {
+				co.IntermediateCerts.AddCert(cert)
+			}
+		}
+	case caRootsFile != "":
+		caRoots, err := loadCertChainFromFileOrURL(caRootsFile)
+		if err != nil {
+			return err
+		}
+		co.RootCerts = x509.NewCertPool()
+		if len(caRoots) > 0 {
+			for _, cert := range caRoots {
+				co.RootCerts.AddCert(cert)
+			}
+		}
+		if caIntermediatesFile != "" {
+			caIntermediates, err := loadCertChainFromFileOrURL(caIntermediatesFile)
+			if err != nil {
+				return err
+			}
+			if len(caIntermediates) > 0 {
+				co.IntermediateCerts = x509.NewCertPool()
+				for _, cert := range caIntermediates {
+					co.IntermediateCerts.AddCert(cert)
+				}
+			}
+		}
+	default:
+		// This performs an online fetch of the Fulcio roots from a TUF repository.
+		// This is needed for verifying keyless certificates (both online and offline).
+		co.RootCerts, err = fulcio.GetRoots()
+		if err != nil {
+			return fmt.Errorf("getting Fulcio roots: %w", err)
+		}
+		co.IntermediateCerts, err = fulcio.GetIntermediates()
+		if err != nil {
+			return fmt.Errorf("getting Fulcio intermediates: %w", err)
+		}
+	}
+	return nil
+}