sigstore · znewman01 · Oct 11, 2022 · Sep 23, 2022 · Sep 26, 2022 · Sep 29, 2022
diff --git a/cmd/cosign/cli/commands.go b/cmd/cosign/cli/commands.go
@@ -45,6 +45,8 @@ func normalizeCertificateFlags(_ *pflag.FlagSet, name string) pflag.NormalizedNa
 		name = "certificate-oidc-issuer"
 	case "output-cert":
 		name = "output-certificate"
+	case "cert-identity":
+		name = "certificate-identity"
 	}
 	return pflag.NormalizedName(name)
 }

diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
@@ -22,6 +22,7 @@ import (
 type CertVerifyOptions struct {
 	Cert                         string
 	CertEmail                    string
+	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
@@ -43,6 +44,9 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.CertEmail, "certificate-email", "",
 		"the email expected in a valid Fulcio certificate")
 
+	cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
+		"the identity expected in a valid Fulcio certificate")
+
 	cmd.Flags().StringVar(&o.CertOidcIssuer, "certificate-oidc-issuer", "",
 		"the OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth")
 

diff --git a/cmd/cosign/cli/verify.go b/cmd/cosign/cli/verify.go
@@ -98,6 +98,7 @@ against the transparency log.`,
 				KeyRef:                       o.Key,
 				CertRef:                      o.CertVerify.Cert,
 				CertEmail:                    o.CertVerify.CertEmail,
+				CertIdentity:                 o.CertVerify.CertIdentity,
 				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
 				CertGithubWorkflowSha:        o.CertVerify.CertGithubWorkflowSha,
@@ -181,6 +182,7 @@ against the transparency log.`,
 				CheckClaims:                  o.CheckClaims,
 				CertRef:                      o.CertVerify.Cert,
 				CertEmail:                    o.CertVerify.CertEmail,
+				CertIdentity:                 o.CertVerify.CertIdentity,
 				CertOidcIssuer:               o.CertVerify.CertOidcIssuer,
 				CertChain:                    o.CertVerify.CertChain,
 				CertGithubWorkflowTrigger:    o.CertVerify.CertGithubWorkflowTrigger,
@@ -264,7 +266,7 @@ The blob may be specified as a path to a file or - for stdin.`,
 				BundlePath: o.BundlePath,
 			}
 			if err := verify.VerifyBlobCmd(cmd.Context(), ko, o.CertVerify.Cert,
-				o.CertVerify.CertEmail, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain,
+				o.CertVerify.CertEmail, o.CertVerify.CertIdentity, o.CertVerify.CertOidcIssuer, o.CertVerify.CertChain,
 				o.Signature, args[0], o.CertVerify.CertGithubWorkflowTrigger, o.CertVerify.CertGithubWorkflowSha,
 				o.CertVerify.CertGithubWorkflowName, o.CertVerify.CertGithubWorkflowRepository, o.CertVerify.CertGithubWorkflowRef,
 				o.CertVerify.EnforceSCT); err != nil {

diff --git a/cmd/cosign/cli/verify/verify.go b/cmd/cosign/cli/verify/verify.go
@@ -52,13 +52,15 @@ type VerifyCommand struct {
 	KeyRef                       string
 	CertRef                      string
 	CertEmail                    string
+	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
 	CertGithubWorkflowName       string
 	CertGithubWorkflowRepository string
 	CertGithubWorkflowRef        string
 	CertChain                    string
+	CertOidcProvider             string
 	EnforceSCT                   bool
 	Sk                           bool
 	Slot                         string
@@ -100,6 +102,7 @@ func (c *VerifyCommand) Exec(ctx context.Context, images []string) (err error) {
 		Annotations:                  c.Annotations.Annotations,
 		RegistryClientOpts:           ociremoteOpts,
 		CertEmail:                    c.CertEmail,
+		CertIdentity:                 c.CertIdentity,
 		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,

diff --git a/cmd/cosign/cli/verify/verify_attestation.go b/cmd/cosign/cli/verify/verify_attestation.go
@@ -46,6 +46,7 @@ type VerifyAttestationCommand struct {
 	KeyRef                       string
 	CertRef                      string
 	CertEmail                    string
+	CertIdentity                 string
 	CertOidcIssuer               string
 	CertGithubWorkflowTrigger    string
 	CertGithubWorkflowSha        string
@@ -80,6 +81,7 @@ func (c *VerifyAttestationCommand) Exec(ctx context.Context, images []string) (e
 	co := &cosign.CheckOpts{
 		RegistryClientOpts:           ociremoteOpts,
 		CertEmail:                    c.CertEmail,
+		CertIdentity:                 c.CertIdentity,
 		CertOidcIssuer:               c.CertOidcIssuer,
 		CertGithubWorkflowTrigger:    c.CertGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        c.CertGithubWorkflowSha,

diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -66,7 +66,7 @@ func isb64(data []byte) bool {
 }
 
 // nolint
-func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
+func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail, certIdentity,
 	certOidcIssuer, certChain, sigRef, blobRef, certGithubWorkflowTrigger, certGithubWorkflowSha,
 	certGithubWorkflowName,
 	certGithubWorkflowRepository,
@@ -90,6 +90,7 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
 
 	co := &cosign.CheckOpts{
 		CertEmail:                    certEmail,
+		CertIdentity:                 certIdentity,
 		CertOidcIssuer:               certOidcIssuer,
 		CertGithubWorkflowTrigger:    certGithubWorkflowTrigger,
 		CertGithubWorkflowSha:        certGithubWorkflowSha,

diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go
@@ -710,6 +710,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -754,6 +755,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -792,6 +794,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -830,6 +833,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -868,6 +872,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Cert is fetched from bundle
 			"",       /*certEmail*/
+			"",       /*certIdentity*/
 			"",       /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -906,6 +911,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",                    /*certRef*/ // Cert is fetched from bundle
 			"[email protected]", /*certEmail*/
+			"",                    /*certIdentity*/
 			issuer,                /*certOidcIssuer*/
 			"",                    /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",                    /*sigRef*/    // Sig is fetched from bundle
@@ -914,7 +920,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			"", "", "", "", "",
 			// GitHub identity flags end
 			false /*enforceSCT*/)
-		if err == nil || !strings.Contains(err.Error(), "expected email not found in certificate") {
+		if err == nil || !strings.Contains(err.Error(), "expected identity not found in certificate") {
 			t.Fatalf("expected error with mismatched identity, got %v", err)
 		}
 	})
@@ -944,6 +950,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",        /*certRef*/ // Cert is fetched from bundle
 			identity,  /*certEmail*/
+			"",        /*certIdentity*/
 			"invalid", /*certOidcIssuer*/
 			"",        /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",        /*sigRef*/    // Sig is fetched from bundle
@@ -983,6 +990,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			certPath, /*certRef*/
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -1021,6 +1029,7 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",                              /*certRef*/
 			identity,                        /*certEmail*/
+			"",                              /*certIdentity*/
 			issuer,                          /*certOidcIssuer*/
 			os.Getenv("SIGSTORE_ROOT_FILE"), /*certChain*/
 			"",                              /*sigRef*/ // Sig is fetched from bundle
@@ -1066,6 +1075,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			certPath, /*certRef*/
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle
@@ -1104,6 +1114,7 @@ func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {
 			options.KeyOpts{BundlePath: bundlePath},
 			"",       /*certRef*/ // Fetched from bundle
 			identity, /*certEmail*/
+			"",       /*certIdentity*/
 			issuer,   /*certOidcIssuer*/
 			"",       /*certChain*/ // Chain is fetched from TUF/SIGSTORE_ROOT_FILE
 			"",       /*sigRef*/    // Sig is fetched from bundle

diff --git a/pkg/cosign/verify.go b/pkg/cosign/verify.go
@@ -91,6 +91,8 @@ type CheckOpts struct {
 	IntermediateCerts *x509.CertPool
 	// CertEmail is the email expected for a certificate to be valid. The empty string means any certificate can be valid.
 	CertEmail string
+	// CertIdentity is the identity expected for a certificate to be valid.
+	CertIdentity string
 	// CertOidcIssuer is the OIDC issuer expected for a certificate to be valid. The empty string means any certificate can be valid.
 	CertOidcIssuer string
 
@@ -217,17 +219,9 @@ func ValidateAndUnpackCert(cert *x509.Certificate, co *CheckOpts) (signature.Ver
 // the expected values.
 func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error {
 	ce := CertExtensions{Cert: cert}
-	if co.CertEmail != "" {
-		emailVerified := false
-		for _, em := range cert.EmailAddresses {
-			if co.CertEmail == em {
-				emailVerified = true
-				break
-			}
-		}
-		if !emailVerified {
-			return &VerificationError{"expected email not found in certificate"}
-		}
+
+	if err := validateCertIdentity(cert, co); err != nil {
+		return err
 	}
 
 	if err := validateCertExtensions(ce, co); err != nil {
@@ -330,6 +324,35 @@ func validateCertExtensions(ce CertExtensions, co *CheckOpts) error {
 	return nil
 }
 
+func validateCertIdentity(cert *x509.Certificate, co *CheckOpts) error {
+	// TODO: Make it mandatory to include one of these options.
+	if co.CertEmail == "" && co.CertIdentity == "" {
+		return nil
+	}
+
+	for _, dns := range cert.DNSNames {
+		if co.CertIdentity == dns {
+			return nil
+		}
+	}
+	for _, em := range cert.EmailAddresses {
+		if co.CertIdentity == em || co.CertEmail == em {
+			return nil
+		}
+	}
+	for _, ip := range cert.IPAddresses {
+		if co.CertIdentity == ip.String() {
+			return nil
+		}
+	}
+	for _, uri := range cert.URIs {
+		if co.CertIdentity == uri.String() {
+			return nil
+		}
+	}
+	return &VerificationError{"expected identity not found in certificate"}
+}
+
 // getSubjectAlternateNames returns all of the following for a Certificate.
 // DNSNames
 // EmailAddresses