factor out keylessVerification handler into helper function

Factor out the handling of keyless verification into the new helper function handleKeylessVerification. Add CAIntermediates and CARoots fields to all the Verify[...]Command structures. Signed-off-by: Dmitry S <[email protected]>
sigstore · Jul 2, 2024 · 607bcf8 · 607bcf8
1 parent bd80cf4
commit 607bcf8
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 205 deletions.
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -174,56 +174,8 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 			return fmt.Errorf("getting Rekor public keys: %w", err)
 		}
 	}
-	if keylessVerification(c.KeyRef, c.Sk) {
-		switch {
-		case c.CertChain != "":
-			chain, err := loadCertChainFromFileOrURL(c.CertChain)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			co.RootCerts.AddCert(chain[len(chain)-1])
-			if len(chain) > 1 {
-				co.IntermediateCerts = x509.NewCertPool()
-				for _, cert := range chain[:len(chain)-1] {
-					co.IntermediateCerts.AddCert(cert)
-				}
-			}
-		case c.CARoots != "":
-			caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			if len(caRoots) > 0 {
-				for _, cert := range caRoots {
-					co.RootCerts.AddCert(cert)
-				}
-			}
-			if c.CAIntermediates != "" {
-				caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
-				if err != nil {
-					return err
-				}
-				if len(caIntermediates) > 0 {
-					co.IntermediateCerts = x509.NewCertPool()
-					for _, cert := range caIntermediates {
-						co.IntermediateCerts.AddCert(cert)
-					}
-				}
-			}
-		default:
-			// This performs an online fetch of the Fulcio roots from a TUF repository.
-			// This is needed for verifying keyless certificates (both online and offline).
-			co.RootCerts, err = fulcio.GetRoots()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio roots: %w", err)
-			}
-			co.IntermediateCerts, err = fulcio.GetIntermediates()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio intermediates: %w", err)
-			}
-		}
+	if err := handleKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+		return err
 	}
 	keyRef := c.KeyRef
 	certRef := c.CertRef
@@ -556,3 +508,66 @@ func shouldVerifySCT(ignoreSCT bool, keyRef string, sk bool) bool {
 	}
 	return true
 }
+
+// handleKeylessVerification handles the verification of keyless signatures for
+// all verify-* (verify, verify-attestation, verify-blob, verify-blob-attestation) commands.
+// The co *cosign.CheckOpts is both input and output parameter - it gets updated
+// with the root and intermediate certificates needed for verification.
+// If both certChain and caRootsFile are empty strings, the Fulcio roots are loaded.
+func handleKeylessVerification(certChain string,
+	caRootsFile string,
+	caIntermediatesFile string,
+	co *cosign.CheckOpts) error {
+
+	var err error
+	switch {
+	case certChain != "":
+		chain, err := loadCertChainFromFileOrURL(certChain)
+		if err != nil {
+			return err
+		}
+		co.RootCerts = x509.NewCertPool()
+		co.RootCerts.AddCert(chain[len(chain)-1])
+		if len(chain) > 1 {
+			co.IntermediateCerts = x509.NewCertPool()
+			for _, cert := range chain[:len(chain)-1] {
+				co.IntermediateCerts.AddCert(cert)
+			}
+		}
+	case caRootsFile != "":
+		caRoots, err := loadCertChainFromFileOrURL(caRootsFile)
+		if err != nil {
+			return err
+		}
+		co.RootCerts = x509.NewCertPool()
+		if len(caRoots) > 0 {
+			for _, cert := range caRoots {
+				co.RootCerts.AddCert(cert)
+			}
+		}
+		if caIntermediatesFile != "" {
+			caIntermediates, err := loadCertChainFromFileOrURL(caIntermediatesFile)
+			if err != nil {
+				return err
+			}
+			if len(caIntermediates) > 0 {
+				co.IntermediateCerts = x509.NewCertPool()
+				for _, cert := range caIntermediates {
+					co.IntermediateCerts.AddCert(cert)
+				}
+			}
+		}
+	default:
+		// This performs an online fetch of the Fulcio roots from a TUF repository.
+		// This is needed for verifying keyless certificates (both online and offline).
+		co.RootCerts, err = fulcio.GetRoots()
+		if err != nil {
+			return fmt.Errorf("getting Fulcio roots: %w", err)
+		}
+		co.IntermediateCerts, err = fulcio.GetIntermediates()
+		if err != nil {
+			return fmt.Errorf("getting Fulcio intermediates: %w", err)
+		}
+	}
+	return nil
+}
diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -17,7 +17,6 @@ package verify
 
 import (
 	"context"
-	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
@@ -158,56 +157,8 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 		}
 	}
 
-	if keylessVerification(c.KeyRef, c.Sk) {
-		switch {
-		case c.CertChain != "":
-			chain, err := loadCertChainFromFileOrURL(c.CertChain)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			co.RootCerts.AddCert(chain[len(chain)-1])
-			if len(chain) > 1 {
-				co.IntermediateCerts = x509.NewCertPool()
-				for _, cert := range chain[:len(chain)-1] {
-					co.IntermediateCerts.AddCert(cert)
-				}
-			}
-		case c.CARoots != "":
-			caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			if len(caRoots) > 0 {
-				for _, cert := range caRoots {
-					co.RootCerts.AddCert(cert)
-				}
-			}
-			if c.CAIntermediates != "" {
-				caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
-				if err != nil {
-					return err
-				}
-				if len(caIntermediates) > 0 {
-					co.IntermediateCerts = x509.NewCertPool()
-					for _, cert := range caIntermediates {
-						co.IntermediateCerts.AddCert(cert)
-					}
-				}
-			}
-		default:
-			// This performs an online fetch of the Fulcio roots from a TUF repository.
-			// This is needed for verifying keyless certificates (both online and offline).
-			co.RootCerts, err = fulcio.GetRoots()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio roots: %w", err)
-			}
-			co.IntermediateCerts, err = fulcio.GetIntermediates()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio intermediates: %w", err)
-			}
-		}
+	if err := handleKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+		return err
 	}
 
 	keyRef := c.KeyRef

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -28,7 +28,6 @@ import (
 	"os"
 	"path/filepath"
 
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v2/internal/ui"
@@ -53,6 +52,8 @@ type VerifyBlobCmd struct {
 	options.KeyOpts
 	options.CertVerifyOptions
 	CertRef                      string
+	CAIntermediates              string
+	CARoots                      string
 	CertChain                    string
 	SigRef                       string
 	CertGithubWorkflowTrigger    string
@@ -151,56 +152,8 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 			return fmt.Errorf("getting Rekor public keys: %w", err)
 		}
 	}
-	if keylessVerification(c.KeyRef, c.Sk) {
-		switch {
-		case c.CertChain != "":
-			chain, err := loadCertChainFromFileOrURL(c.CertChain)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			co.RootCerts.AddCert(chain[len(chain)-1])
-			if len(chain) > 1 {
-				co.IntermediateCerts = x509.NewCertPool()
-				for _, cert := range chain[:len(chain)-1] {
-					co.IntermediateCerts.AddCert(cert)
-				}
-			}
-		case c.CARoots != "":
-			caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			if len(caRoots) > 0 {
-				for _, cert := range caRoots {
-					co.RootCerts.AddCert(cert)
-				}
-			}
-			if c.CAIntermediates != "" {
-				caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
-				if err != nil {
-					return err
-				}
-				if len(caIntermediates) > 0 {
-					co.IntermediateCerts = x509.NewCertPool()
-					for _, cert := range caIntermediates {
-						co.IntermediateCerts.AddCert(cert)
-					}
-				}
-			}
-		default:
-			// This performs an online fetch of the Fulcio roots from a TUF repository.
-			// This is needed for verifying keyless certificates (both online and offline).
-			co.RootCerts, err = fulcio.GetRoots()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio roots: %w", err)
-			}
-			co.IntermediateCerts, err = fulcio.GetIntermediates()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio intermediates: %w", err)
-			}
-		}
+	if err := handleKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+		return err
 	}
 
 	// Keys are optional!

diff --git a/cmd/cosign/cli/verify/verify_blob_attestation.go b/cmd/cosign/cli/verify/verify_blob_attestation.go
@@ -30,7 +30,6 @@ import (
 	"path/filepath"
 
 	v1 "github.com/google/go-containerregistry/pkg/v1"
-	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	internal "github.com/sigstore/cosign/v2/internal/pkg/cosign"
@@ -52,8 +51,10 @@ type VerifyBlobAttestationCommand struct {
 	options.KeyOpts
 	options.CertVerifyOptions
 
-	CertRef   string
-	CertChain string
+	CertRef         string
+	CertChain       string
+	CAIntermediates string
+	CARoots         string
 
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSHA        string
@@ -169,57 +170,10 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
 			return fmt.Errorf("getting Rekor public keys: %w", err)
 		}
 	}
-	if keylessVerification(c.KeyRef, c.Sk) {
-		switch {
-		case c.CertChain != "":
-			chain, err := loadCertChainFromFileOrURL(c.CertChain)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			co.RootCerts.AddCert(chain[len(chain)-1])
-			if len(chain) > 1 {
-				co.IntermediateCerts = x509.NewCertPool()
-				for _, cert := range chain[:len(chain)-1] {
-					co.IntermediateCerts.AddCert(cert)
-				}
-			}
-		case c.CARoots != "":
-			caRoots, err := loadCertChainFromFileOrURL(c.CARoots)
-			if err != nil {
-				return err
-			}
-			co.RootCerts = x509.NewCertPool()
-			if len(caRoots) > 0 {
-				for _, cert := range caRoots {
-					co.RootCerts.AddCert(cert)
-				}
-			}
-			if c.CAIntermediates != "" {
-				caIntermediates, err := loadCertChainFromFileOrURL(c.CAIntermediates)
-				if err != nil {
-					return err
-				}
-				if len(caIntermediates) > 0 {
-					co.IntermediateCerts = x509.NewCertPool()
-					for _, cert := range caIntermediates {
-						co.IntermediateCerts.AddCert(cert)
-					}
-				}
-			}
-		default:
-			// This performs an online fetch of the Fulcio roots from a TUF repository.
-			// This is needed for verifying keyless certificates (both online and offline).
-			co.RootCerts, err = fulcio.GetRoots()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio roots: %w", err)
-			}
-			co.IntermediateCerts, err = fulcio.GetIntermediates()
-			if err != nil {
-				return fmt.Errorf("getting Fulcio intermediates: %w", err)
-			}
-		}
+	if err := handleKeylessVerification(c.CertChain, c.CARoots, c.CAIntermediates, co); err != nil {
+		return err
 	}
+
 	// Ignore Signed Certificate Timestamp if the flag is set or a key is provided
 	if shouldVerifySCT(c.IgnoreSCT, c.KeyRef, c.Sk) {
 		co.CTLogPubKeys, err = cosign.GetCTLogPubs(ctx)