Make sure a cert passed in via --cert matches the bundle cert (#2652)
* Make sure a cert passed in via --cert matches the bundle cert

Signed-off-by: Priya Wadhwa <[email protected]>

* Use cert.Equal for comparison

Signed-off-by: Priya Wadhwa <[email protected]>

Signed-off-by: Priya Wadhwa <[email protected]>
priyawadhwa authored Jan 25, 2023
1 parent 35bf1fe commit 1cf1dff
Showing 2 changed files with 13 additions and 2 deletions.
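--- a/cmd/cosign/cli/verify/verify_blob.go
+++ b/cmd/cosign/cli/verify/verify_blob.go
@@ -214,14 +214,19 @@ func (c *VerifyBlobCmd) Exec(ctx context.Context, blobRef string) error {
 if isb64(certBytes) {
 certBytes, _ = base64.StdEncoding.DecodeString(b.Cert)
 }
-cert, err = loadCertFromPEM(certBytes)
+bundleCert, err := loadCertFromPEM(certBytes)
 if err != nil {
 // check if cert is actually a public key
 co.SigVerifier, err = sigs.LoadPublicKeyRaw(certBytes, crypto.SHA256)
 if err != nil {
 return fmt.Errorf("loading verifier from bundle: %w", err)
 }
 }
+// if a cert was passed in, make sure it matches the cert in the bundle
+if cert != nil && !cert.Equal(bundleCert) {
+return fmt.Errorf("the cert passed in does not match the cert in the provided bundle")
+}
+cert = bundleCert
 }
 opts = append(opts, static.WithBundle(b.Bundle))
 }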
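Review bot: The new mismatch guard only covers the certificate case; the public-key branch just above it (`co.SigVerifier, err = sigs.LoadPublicKeyRaw(certBytes, crypto.SHA256)`) still overwrites the verifier unconditionally, so a bundle whose `Cert` field holds a key would silently replace a verifier the caller had already loaded — the same substitution this commit closes for `--certificate` — assuming `co.SigVerifier` can be populated from a `--key` flag earlier in `Exec`, which is outside the hunk. A guard of the same shape would close it: `if co.SigVerifier != nil { return fmt.Errorf("a key was passed in but the bundle also carries a public key") }` before the assignment, or a comparison of the two public keys. Note also that in that branch `bundleCert` is nil, so a caller-supplied cert fails via `cert.Equal(nil)` with a message claiming the certs differ; rejecting is right, but the message could say the bundle carries a public key rather than a certificate. `bundleCert, err :=` will shadow the outer `err` if this sits inside an inner block, which `go vet`'s shadow check flags; the enclosing `Exec` starts and ends outside the hunk.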
8 changes: 7 additions & 1 deletion cmd/cosign/cli/verify/verify_blob_attestation.go
Expand Up @@ -251,15 +251,21 @@ func (c *VerifyBlobAttestationCommand) Exec(ctx context.Context, artifactPath st
if isb64(certBytes) {
certBytes, _ = base64.StdEncoding.DecodeString(b.Cert)
}
cert, err = loadCertFromPEM(certBytes)
bundleCert, err := loadCertFromPEM(certBytes)
if err != nil {
// check if cert is actually a public key
co.SigVerifier, err = sigs.LoadPublicKeyRaw(certBytes, crypto.SHA256)
if err != nil {
return fmt.Errorf("loading verifier from bundle: %w", err)
}
}
// if a cert was passed in, make sure it matches the cert in the bundle
if cert != nil && !cert.Equal(bundleCert) {
return fmt.Errorf("the cert passed in does not match the cert in the provided bundle")
}
cert = bundleCert
}

encodedSig, err = base64.StdEncoding.DecodeString(b.Base64Signature)
if err != nil {
return fmt.Errorf("decoding signature: %w", err)
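Review bot: The bundle-handling block from `bundleCert, err := loadCertFromPEM(certBytes)` through `cert = bundleCert` is now a line-for-line copy of the one in verify_blob.go, including the same-named mismatch check and error string, which means a future tightening of one command's bundle validation (for example guarding the public-key branch) can silently miss the other. A small shared helper in this package, taking the bundle cert bytes, the caller-supplied `*x509.Certificate` and the `CheckOpts`, and returning the resolved cert or an error, would keep the two verification paths from drifting; the comment on it should state that a caller-supplied cert must equal the bundle cert byte-for-byte, which is what `cert.Equal` (a comparison of `Raw` DER) enforces. As in the sibling file, when `loadCertFromPEM` fails the bytes are treated as a public key and `co.SigVerifier` is replaced without checking whether one was already set. The enclosing `Exec` starts and ends outside this hunk.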

0 comments on commit 1cf1dff

Please sign in to comment.