sigstore · haydentherapper · Jan 3, 2024 · Jan 3, 2024
diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -345,7 +345,11 @@ func PrintVerification(ctx context.Context, verified []oci.Signature, output str
 		for _, sig := range verified {
 			if cert, err := sig.Cert(); err == nil && cert != nil {
 				ce := cosign.CertExtensions{Cert: cert}
-				ui.Infof(ctx, "Certificate subject: %s", sigs.CertSubject(cert))
+				sub := ""
+				if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {
+					sub = sans[0]
+				}
+				ui.Infof(ctx, "Certificate subject: %s", sub)
 				if issuerURL := ce.GetIssuer(); issuerURL != "" {
 					ui.Infof(ctx, "Certificate issuer URL: %s", issuerURL)
 				}
@@ -398,7 +402,11 @@ func PrintVerification(ctx context.Context, verified []oci.Signature, output str
 				if ss.Optional == nil {
 					ss.Optional = make(map[string]interface{})
 				}
-				ss.Optional["Subject"] = sigs.CertSubject(cert)
+				sub := ""
+				if sans := cryptoutils.GetSubjectAlternateNames(cert); len(sans) > 0 {
+					sub = sans[0]
+				}
+				ss.Optional["Subject"] = sub
 				if issuerURL := ce.GetIssuer(); issuerURL != "" {
 					ss.Optional["Issuer"] = issuerURL
 					ss.Optional[cosign.CertExtensionOIDCIssuer] = issuerURL

diff --git a/pkg/signature/keys.go b/pkg/signature/keys.go
@@ -17,7 +17,6 @@ package signature
 import (
 	"context"
 	"crypto"
-	"crypto/x509"
 	"errors"
 	"fmt"
 	"strings"
@@ -234,18 +233,3 @@ func PublicKeyPem(key signature.PublicKeyProvider, pkOpts ...signature.PublicKey
 	}
 	return cryptoutils.MarshalPublicKeyToPEM(pub)
 }
-
-func CertSubject(c *x509.Certificate) string {
-	switch {
-	case c.EmailAddresses != nil:
-		return c.EmailAddresses[0]
-	case c.URIs != nil:
-		return c.URIs[0].String()
-	}
-	// ignore error if there's no OtherName SAN
-	otherName, _ := cryptoutils.UnmarshalOtherNameSAN(c.Extensions)
-	if len(otherName) > 0 {
-		return otherName
-	}
-	return ""
-}
diff --git a/pkg/signature/keys_test.go b/pkg/signature/keys_test.go
@@ -17,17 +17,12 @@ package signature
 import (
 	"context"
 	"crypto"
-	"crypto/x509/pkix"
 	"errors"
-	"net"
-	"net/url"
 	"os"
 	"testing"
 
 	"github.com/sigstore/cosign/v2/pkg/blob"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
-	"github.com/sigstore/cosign/v2/test"
-	"github.com/sigstore/sigstore/pkg/cryptoutils"
 	sigsignature "github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/kms"
 )
@@ -172,32 +167,3 @@ func pass(s string) cosign.PassFunc {
 		return []byte(s), nil
 	}
 }
-
-func TestCertSubject(t *testing.T) {
-	rootCert, rootKey, _ := test.GenerateRootCa()
-	subCert, subKey, _ := test.GenerateSubordinateCa(rootCert, rootKey)
-
-	// generate with OtherName, which will override other SANs
-	ext, err := cryptoutils.MarshalOtherNameSAN("subject-othername", true)
-	if err != nil {
-		t.Fatalf("error marshalling SANs: %v", err)
-	}
-	exts := []pkix.Extension{*ext}
-	leafCert, _, _ := test.GenerateLeafCert("unused", "oidc-issuer", subCert, subKey, exts...)
-	if otherName := CertSubject(leafCert); otherName != "subject-othername" {
-		t.Fatalf("unexpected otherName, got %s", otherName)
-	}
-
-	// generate with email
-	leafCert, _, _ = test.GenerateLeafCert("subject-email", "oidc-issuer", subCert, subKey)
-	if email := CertSubject(leafCert); email != "subject-email" {
-		t.Fatalf("unexpected email address, got %s", email)
-	}
-
-	// generate with URI
-	uri, _ := url.Parse("spiffe://domain/user")
-	leafCert, _, _ = test.GenerateLeafCertWithSubjectAlternateNames([]string{}, []string{}, []net.IP{}, []*url.URL{uri}, "oidc-issuer", subCert, subKey)
-	if uri := CertSubject(leafCert); uri != "spiffe://domain/user" {
-		t.Fatalf("unexpected URI, got %s", uri)
-	}
-}