Added check for empty chain

Signed-off-by: Hayden Blauzvern <[email protected]>
sigstore · Mar 25, 2022 · ca03619 · ca03619
1 parent 0e555cc
commit ca03619
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/cmd/cosign/cli/sign/sign.go b/cmd/cosign/cli/sign/sign.go
@@ -402,6 +402,9 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
 	if err != nil {
 		return nil, errors.Wrap(err, "loading certificate chain")
 	}
+	if certChain == nil || len(certChain) == 0 {
+		return nil, errors.New("no certificates in certificate chain")
+	}
 	// Verify certificate chain is valid
 	rootPool := x509.NewCertPool()
 	rootPool.AddCert(certChain[len(certChain)-1])

diff --git a/cmd/cosign/cli/sign/sign_test.go b/cmd/cosign/cli/sign/sign_test.go
@@ -179,3 +179,23 @@ func Test_signerFromKeyRefFailure(t *testing.T) {
 		t.Fatalf("expected chain verification error, got %v", err)
 	}
 }
+
+func Test_signerFromKeyRefFailureEmptyChainFile(t *testing.T) {
+	tmpDir := t.TempDir()
+	ctx := context.Background()
+	keyFile, certFile, _, _, _, _ := generateCertificateFiles(t, tmpDir, pass("foo"))
+
+	tmpChainFile, err := os.CreateTemp(tmpDir, "cosign_chain_empty.crt")
+	if err != nil {
+		t.Fatalf("failed to create temp chain file: %v", err)
+	}
+	defer tmpChainFile.Close()
+	if _, err := tmpChainFile.Write([]byte{}); err != nil {
+		t.Fatalf("failed to write chain file: %v", err)
+	}
+
+	_, err = signerFromKeyRef(ctx, certFile, tmpChainFile.Name(), keyFile, pass("foo"))
+	if err == nil || err.Error() != "no certificates in certificate chain" {
+		t.Fatalf("expected empty chain error, got %v", err)
+	}
+}