feat: cert-extensions verify

[developer-guy]

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Christian Kotzbauer <@ckotzbauer1>

Summary

This PR will add support for verifying additional claims within the signature cert.

$ COSIGN_EXPERIMENTAL=1 cosign verify aquasec/trivy:0.24.3 --cert-extensions githubWorkflowRepository=aquasecurity/trivy

Ticket Link

Fixes #1625 and #1989

Release Note

feat: cert-extensions verify

🚨 Include some breaking changes, I moved some logic into a different package which might cause breaking changes issues.

cc: @ckotzbauer1

[codecov-commenter]

Codecov Report

Merging #1626 (fd446ed) into main (1832b4c) will decrease coverage by 0.31%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##             main    #1626      +/-   ##
==========================================
- Coverage   27.97%   27.66%   -0.32%     
==========================================
  Files         137      140       +3     
  Lines        7820     7872      +52     
==========================================
- Hits         2188     2178      -10     
- Misses       5403     5465      +62     
  Partials      229      229              

Impacted Files	Coverage Δ
cmd/cosign/cli/options/certextensions.go	0.00% <0.00%> (ø)
cmd/cosign/cli/options/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/policy_init.go	1.43% <0.00%> (ø)
cmd/cosign/cli/verify.go	0.00% <0.00%> (ø)
cmd/cosign/cli/verify/verify.go	0.00% <0.00%> (ø)
pkg/cosign/certextensions.go	0.00% <0.00%> (ø)
pkg/cosign/verifiers.go	0.00% <0.00%> (ø)
pkg/cosign/verify.go	11.46% <0.00%> (-0.21%)	⬇️
pkg/signature/certextensions.go	0.00% <0.00%> (ø)
pkg/signature/keys.go	14.68% <ø> (-4.82%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1832b4c...fd446ed. Read the comment docs.

[developer-guy]

PTAL @ckotzbauer

[ckotzbauer]

Thanks @developer-guy for adopting this logic! I think the code overall looks good and solid. It should not break the logic from Kyverno on the next update as the extensions-parameter is not used there (apart from the new location of some functions)

[ckotzbauer]

I'm not sure about this function. Kyverno ignores empty-string values (same as the extension would not be required) and respects shortened values or wildcards. However, it is of course not mandatory that cosign will do the same here. WDYT?

[developer-guy]

It is the function that makes the matching between the actual one and the expected one to decide whether claims are equal, I couldn't understand your comment :/

[ckotzbauer]

Yes, correct. What I mean is, that this function checks for strict equality, wildcards and shortened values are not supported.
E.g. cosign verify aquasec/trivy:0.24.3 --cert-extensions githubWorkflowRepository=aquasecurity/* won't work (with or without asterisk). This is how Kyverno would validate: https://github.com/kyverno/kyverno/blob/main/pkg/cosign/cosign.go#L419-L421

[ckotzbauer]

It is not required to make the validation equal to the Kyverno logic, just want to mention the difference 😉

[haydentherapper]

I'd like to think more about the UX for this. How does the user discover the names of the supported custom OIDs? githubWorkflowTrigger is an internal name in code, I don't think it should become a flag name as-is.

[haydentherapper]

Since this is for verifying certificates, this should be under the existing CertVerifyOptions.

[haydentherapper]

Bumping this comment, we should group this under CertVerifyOptions so it gets pulled into all of the verify commands automatically

[haydentherapper]

This is already covered -

cosign/cmd/cosign/cli/options/certificate.go

Line 25 in 079e28d

CertOidcIssuer string

See #1308 where it was added.

[haydentherapper]

Bumping this comment too - We shouldn't have two ways to verify the issuer

[haydentherapper]

cc @asraa
There was related conversation on this topic in #1313, but focused on subject verification.

[developer-guy]

I'd like to think more about the UX for this. How does the user discover the names of the supported custom OIDs? githubWorkflowTrigger is an internal name in code, I don't think it should become a flag name as-is.

We'll be creating documentation about this to help people to discover these certain extensions about what we are adding to certificates, does it make sense?

[haydentherapper]

I'm wondering if this feature makes sense as flags or if policy should be a part of a file, since this is meant to be repeated for every command, and I'd assume users would want to check in their policy to audit.

[dlorenc]

I'm wondering if this feature makes sense as flags or if policy should be a part of a file, since this is meant to be repeated for every command, and I'd assume users would want to check in their policy to audit.

I don't see an issue with flags and a policy file. Both make sense to me.

[dlorenc]

We'll be creating documentation about this to help people to discover these certain extensions about what we are adding to certificates, does it make sense?

I think we should document the canonical strings/field names somewhere, probably near where the OIDs themselves live, then use those here. I agree the variable names themselves are probably not the best ux.

[developer-guy]

kindly ping @dlorenc

[haydentherapper]

Bumping this comment too - We shouldn't have two ways to verify the issuer

[haydentherapper]

Bumping this comment, we should group this under CertVerifyOptions so it gets pulled into all of the verify commands automatically

[haydentherapper]

I'm not sure what the purpose of this function is, but I'd strongly prefer we continue to group certificate verification under this function -

cosign/pkg/cosign/verify.go

Line 203 in 03e66aa

func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error {

This goes back to the earlier point too about the existing flag for OIDC issuer.

[haydentherapper]

I think we discussed this on the comments, but it'd be preferrable to match the existing style of a flag per extension instead of have a map.

See https://github.com/sigstore/cosign/blob/aad7c5fcd6e5f854ae48a57e42919039e6d219c0/cmd/cosign/cli/options/certificate.go for existing flags. We should add flags like certificate-github-ref, etc

[haydentherapper]

In the same vein, moving away from a map, I think we should have a field per extension - CertGitHubSha, CertGitHubRef, etc - If this is used a library function, it's not as clean of an interface to take a map, because there's no way to know what is a valid string.

[haydentherapper]

Two high-level comments:

• We need to make sure that the verify* commands do not diverge. This means that if we add a verify flag for cosign verify, it should work for verify, verify attestation, verify blob, verify manifest, and verify dockerfile.
• Most of these changes lack tests. For all of the changes to pkg, please add tests.

[haydentherapper]

nit: Comments for all

[developer-guy]

yep, thank you

[haydentherapper]

Looks like this file is not used, delete?

[developer-guy]

Agree, thank you good catch.

[haydentherapper]

Tests?

[developer-guy]

We already have tests in the keys_test.go file called TestCertExtensions

[haydentherapper]

Can we copy over the tests to a new file? Otherwise, it's not clear that these are tested.

[haydentherapper]

Tests? See

cosign/pkg/cosign/verify_test.go

Line 515 in 802f0a2

func TestValidateAndUnpackCertInvalidOidcIssuer(t *testing.T) {

for examples

GenerateLeafCert in the test utils will need to be updated to support adding all extensions

[developer-guy]

Agree

[haydentherapper]

File unused, delete?

[haydentherapper]

bump, can this be deleted?

[developer-guy]

yep, deleted, thank you.

[haydentherapper]

Also need to update:

• https://github.com/sigstore/cosign/blob/f2c360eb97e52fa7766ecde370f1a48b910d7404/cmd/cosign/cli/dockerfile.go
• https://github.com/sigstore/cosign/blob/f2c360eb97e52fa7766ecde370f1a48b910d7404/cmd/cosign/cli/manifest.go
• https://github.com/sigstore/cosign/blob/03e66aad02cf7c987ea489cdeda1fd580b6b1fc6/cmd/cosign/cli/verify/verify_attestation.go
• https://github.com/sigstore/cosign/blob/03e66aad02cf7c987ea489cdeda1fd580b6b1fc6/cmd/cosign/cli/verify/verify_blob.go

And also update where o.CertVerify.X is added to the command, like line 179 in cmd/cosign/cli/verify.go and in Verify Blob (

cosign/cmd/cosign/cli/verify.go

Line 260 in 03e66aa

o.CertVerify.CertEmail, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain,

)

[developer-guy]

thank you, I missed those parts.

[haydentherapper]

thanks for updating these!

[haydentherapper]

bump, can this be deleted?

[haydentherapper]

thanks for updating these!

[haydentherapper]

Can we copy over the tests to a new file? Otherwise, it's not clear that these are tested.

[haydentherapper]

nit: To avoid having to update all places where GenerateLeafCert is called, can we create a new function like GenerateLeafCertWithGitHubOIDs or something?

[developer-guy]

that makes a lot of sense, thank you, updated.

[haydentherapper]

Just one thing to update with verify-attestation, looks good otherwise!

[haydentherapper]

Also need to update VerifyAttestation with the new verify options, on line 185

[developer-guy]

good catch @haydentherapper as always

[haydentherapper]

Thanks for the updates, this looks great!