diff --git a/pkg/cosign/kubernetes/webhook/validation.go b/pkg/cosign/kubernetes/webhook/validation.go
index f32bbc6068cd..be74173daa73 100644
--- a/pkg/cosign/kubernetes/webhook/validation.go
+++ b/pkg/cosign/kubernetes/webhook/validation.go
@@ -87,12 +87,16 @@ func validSignatures(ctx context.Context, ref name.Reference, verifier signature
 // validSignaturesWithFulcio expects a Fulcio Cert to verify against. An
 // optional rekorClient can also be given, if nil passed, default is assumed.
 func validSignaturesWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
+ ids := make([]cosign.Identity, len(identities))
+ for i, id := range identities {
+ ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
+ }
 sigs, _, err := cosignVerifySignatures(ctx, ref, &cosign.CheckOpts{
 RegistryClientOpts: opts,
 RootCerts: fulcioRoots,
 RekorClient: rekorClient,
 ClaimVerifier: cosign.SimpleClaimVerifier,
- Identities: identities,
+ Identities: ids,
 })
 return sigs, err
 }
diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
index b00ed733c756..f60c40ead317 100644
--- a/pkg/cosign/verify.go
+++ b/pkg/cosign/verify.go
@@ -32,7 +32,6 @@ import (
 "time"
 "github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioverifier/ctl"
- "github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
 cbundle "github.com/sigstore/cosign/pkg/cosign/bundle"
 "github.com/sigstore/cosign/pkg/cosign/tuf"
@@ -58,6 +57,13 @@ import (
 sigPayload "github.com/sigstore/sigstore/pkg/signature/payload"
 )
+// Identity specifies an issuer/subject to verify a signature against.
+// Both Issuer/Subject support regexp.
+type Identity struct {
+ Issuer string
+ Subject string
+}
+
 // CheckOpts are the options for checking signatures.
 type CheckOpts struct {
 // RegistryClientOpts are the options for interacting with the container registry.
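Review bot: `ids := make([]cosign.Identity, len(identities))` turns a nil identities argument into an empty, non-nil slice before it reaches CheckOpts.Identities; that is harmless if the verifier only ranges over the slice, as the `for _, identity := range co.Identities` line in the ValidateAndUnpackCert hunk suggests, but it changes what any `== nil` check on the option would see. Building with append keeps nil as nil and drops the index bookkeeping: `var ids []cosign.Identity` / `for _, id := range identities {` / `ids = append(ids, cosign.Identity{Issuer: id.Issuer, Subject: id.Subject})`. The doc comment above the function should also say that identities are copied field-by-field into cosign.Identity, since a matcher field added to v1alpha1.Identity later would otherwise be silently ignored by this loop and never enforced.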
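Review bot: The doc comment on the new Identity type says Issuer/Subject "support regexp" but does not say that the values are compiled with regexp.Compile and, as the test patterns such as `".*accounts.google.*"` in verify_test.go show, evaluated unanchored, so a plain value like `Subject: "alice@example.com"` is a substring pattern in which `.` matches any character rather than an exact match. Since this struct is the policy boundary a signature is accepted against, the comment should make the semantics explicit: `// Issuer and Subject are Go regular expressions (regexp syntax) matched unanchored; for an exact match, anchor the pattern (^...$) and escape metacharacters with regexp.QuoteMeta.` The matching call itself is outside the hunk, so confirm it does not add anchors before wording this.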
@@ -94,7 +100,7 @@ type CheckOpts struct {
 // Identities is an array of Identity (Subject, Issuer) matchers that have
 // to be met for the signature to ve valid.
 // Supercedes CertEmail / CertOidcIssuer
- Identities []v1alpha1.Identity
+ Identities []Identity
 }
 func getSignedEntity(signedImgRef name.Reference, regClientOpts []ociremote.Option) (oci.SignedEntity, v1.Hash, error) {
@@ -189,7 +195,6 @@ func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Ver
 for _, identity := range co.Identities {
 issuerMatches := false
 // Check the issuer first
- fmt.Fprintf(os.Stderr, "Checking identity: %+v", identity)
 if identity.Issuer != "" {
 issuer := getIssuer(cert)
 if regex, err := regexp.Compile(identity.Issuer); err != nil {
diff --git a/pkg/cosign/verify_test.go b/pkg/cosign/verify_test.go
index 3f735c6d3ece..6208cd020326 100644
--- a/pkg/cosign/verify_test.go
+++ b/pkg/cosign/verify_test.go
@@ -40,7 +40,6 @@ import (
 "github.com/in-toto/in-toto-golang/in_toto"
 "github.com/pkg/errors"
 "github.com/secure-systems-lab/go-securesystemslib/dsse"
- "github.com/sigstore/cosign/pkg/apis/cosigned/v1alpha1"
 "github.com/sigstore/cosign/pkg/cosign/bundle"
 ctuf "github.com/sigstore/cosign/pkg/cosign/tuf"
 "github.com/sigstore/cosign/pkg/oci/static"
@@ -558,7 +557,7 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
 oidcIssuer := "https://accounts.google.com"
 tests := []struct {
- identities []v1alpha1.Identity
+ identities []Identity
 wantErrSubstring string
 dnsNames []string
 emailAddresses []string
@@ -566,48 +565,48 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
 uris []*url.URL
 }{
 {identities: nil /* No matches required, checks out */},
- {identities: []v1alpha1.Identity{ // Strict match on both
+ {identities: []Identity{ // Strict match on both
 {Subject: emailSubject, Issuer: oidcIssuer}},
 emailAddresses: []string{emailSubject},
 wantErrSubstring: ""},
- {identities: []v1alpha1.Identity{ // just issuer
+ {identities: []Identity{ // just issuer
 {Issuer: oidcIssuer}},
 emailAddresses: []string{emailSubject},
 wantErrSubstring: ""},
- {identities: []v1alpha1.Identity{ // just subject
+ {identities: []Identity{ // just subject
 {Subject: emailSubject}},
 emailAddresses: []string{emailSubject},
 wantErrSubstring: ""},
- {identities: []v1alpha1.Identity{ // mis-match
+ {identities: []Identity{ // mis-match
 {Subject: "wrongsubject", Issuer: oidcIssuer},
 {Subject: emailSubject, Issuer: "wrongissuer"}},
 emailAddresses: []string{emailSubject},
 wantErrSubstring: "none of the expected identities matched"},
- {identities: []v1alpha1.Identity{ // one good identity, other does not match
+ {identities: []Identity{ // one good identity, other does not match
 {Subject: "wrongsubject", Issuer: "wrongissuer"},
 {Subject: emailSubject, Issuer: oidcIssuer}},
 emailAddresses: []string{emailSubject},
 wantErrSubstring: ""},
- {identities: []v1alpha1.Identity{ // illegal regex for subject
+ {identities: []Identity{ // illegal regex for subject
 {Subject: "****", Issuer: oidcIssuer}},
 emailAddresses: []string{emailSubject},
 wantErrSubstring: "malformed subject in identity"},
- {identities: []v1alpha1.Identity{ // illegal regex for issuer
+ {identities: []Identity{ // illegal regex for issuer
 {Subject: emailSubject, Issuer: "****"}},
 wantErrSubstring: "malformed issuer in identity"},
- {identities: []v1alpha1.Identity{ // regex matches
+ {identities: []Identity{ // regex matches
 {Subject: ".*example.com", Issuer: ".*accounts.google.*"}},
 emailAddresses: []string{emailSubject},
wantErrSubstring: ""},
- {identities: []v1alpha1.Identity{ // regex matches dnsNames
+ {identities: []Identity{ // regex matches dnsNames
 {Subject: ".*ubject.example.com", Issuer: ".*accounts.google.*"}},
 dnsNames: dnsSubjects,
 wantErrSubstring: ""},
- {identities: []v1alpha1.Identity{ // regex matches ip
+ {identities: []Identity{ // regex matches ip
 {Subject: "1.2.3.*", Issuer: ".*accounts.google.*"}},
 ipAddresses: ipSubjects,
 wantErrSubstring: ""},
- {identities: []v1alpha1.Identity{ // regex matches urls
+ {identities: []Identity{ // regex matches urls
 {Subject: ".*url.examp.*", Issuer: ".*accounts.google.*"}},
 uris: uriSubjects,
 wantErrSubstring: ""},