Fix cert attachment for new bundle with signing config

Without this change, if an image is signed with `--certificate` and also
using signing config and the new bundle format (the defaults), the logic
routes to sigstore-go signing which does not natively understand signing
with a cert that is not issued by Fulcio. This means that only the
public key is uploaded to the bundle, so the image cannot be verified
using the certificate. This change ensures the certificate is passed
through to the bundle if it is provided with `sign`, `attest`, and
`attest-blob` . The `sign-blob` command does not support
`--certificate`.

Signed-off-by: Colleen Murphy <[email protected]>

Author: cmurphy

cmd/cosign/cli/sign/sign_blob.go

@@ -77,7 +77,7 @@ func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpt
 	}
 
 	if ko.SigningConfig != nil {
-		keypair, idToken, err := signcommon.GetKeypairAndToken(ctx, ko, "", "")
+		keypair, _, idToken, err := signcommon.GetKeypairAndToken(ctx, ko, "", "")
 		if err != nil {
 			return nil, fmt.Errorf("getting keypair and token: %w", err)
 		}
@@ -95,7 +95,7 @@ func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpt
 			Data: data,
 		}
 
-		bundle, err := cbundle.SignData(ctx, content, keypair, idToken, ko.SigningConfig, ko.TrustedMaterial)
+		bundle, err := cbundle.SignData(ctx, content, keypair, idToken, nil, ko.SigningConfig, ko.TrustedMaterial)
 		if err != nil {
 			return nil, fmt.Errorf("signing bundle: %w", err)
 		}

cmd/cosign/cli/signcommon/common.go

@@ -96,30 +96,32 @@ func getEphemeralKeypairOptions(signingAlgorithm string) (*sign.EphemeralKeypair
 
 // GetKeypairAndToken creates a keypair object from provided key or cert flags or generates an ephemeral key.
 // For an ephemeral key, it also uses the key to fetch an OIDC token, the pair of which are later used to get a Fulcio cert.
-func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain string) (sign.Keypair, string, error) {
+func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain string) (sign.Keypair, []byte, string, error) {
 	var keypair sign.Keypair
 	var ephemeralKeypair bool
 	var idToken string
 	var sv *SignerVerifier
+	var certBytes []byte
 	var err error
 
 	if ko.Sk || ko.Slot != "" || ko.KeyRef != "" || cert != "" {
 		sv, _, err = signerFromKeyOpts(ctx, cert, certChain, ko)
 		if err != nil {
-			return nil, "", fmt.Errorf("getting signer: %w", err)
+			return nil, nil, "", fmt.Errorf("getting signer: %w", err)
 		}
 		keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions)
 		if err != nil {
-			return nil, "", fmt.Errorf("creating signerverifier keypair: %w", err)
+			return nil, nil, "", fmt.Errorf("creating signerverifier keypair: %w", err)
 		}
+		certBytes = sv.Cert
 	} else {
 		ephemeralKeypairOptions, err := getEphemeralKeypairOptions(ko.SigningAlgorithm)
 		if err != nil {
-			return nil, "", fmt.Errorf("getting ephemeral keypair options: %w", err)
+			return nil, nil, "", fmt.Errorf("getting ephemeral keypair options: %w", err)
 		}
 		keypair, err = sign.NewEphemeralKeypair(ephemeralKeypairOptions)
 		if err != nil {
-			return nil, "", fmt.Errorf("generating keypair: %w", err)
+			return nil, nil, "", fmt.Errorf("generating keypair: %w", err)
 		}
 		ephemeralKeypair = true
 	}
@@ -142,11 +144,11 @@ func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain
 			RedirectURL:      ko.OIDCRedirectURL,
 		})
 		if err != nil {
-			return nil, "", fmt.Errorf("retrieving ID token: %w", err)
+			return nil, nil, "", fmt.Errorf("retrieving ID token: %w", err)
 		}
 	}
 
-	return keypair, idToken, nil
+	return keypair, certBytes, idToken, nil
 }
 
 func keylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) {
@@ -526,7 +528,7 @@ func WriteBundle(ctx context.Context, sv *SignerVerifier, rekorEntry *models.Log
 
 // WriteNewBundleWithSigningConfig uses signing config and trusted root to fetch responses from services for the bundle and writes the bundle to the OCI remote layer.
 func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, bundleOpts CommonBundleOpts, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) error {
-	keypair, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
+	keypair, certBytes, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
 	if err != nil {
 		return fmt.Errorf("getting keypair and token: %w", err)
 	}
@@ -535,7 +537,7 @@ func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, ce
 		Data:        bundleOpts.Payload,
 		PayloadType: "application/vnd.in-toto+json",
 	}
-	bundle, err := cbundle.SignData(ctx, content, keypair, idToken, signingConfig, trustedMaterial)
+	bundle, err := cbundle.SignData(ctx, content, keypair, idToken, certBytes, signingConfig, trustedMaterial)
 	if err != nil {
 		return fmt.Errorf("signing bundle: %w", err)
 	}

pkg/cosign/bundle/sign.go

@@ -29,14 +29,15 @@ import (
 	"google.golang.org/protobuf/encoding/protojson"
 )
 
-func SignData(ctx context.Context, content sign.Content, keypair sign.Keypair, idToken string, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) ([]byte, error) {
+func SignData(ctx context.Context, content sign.Content, keypair sign.Keypair, idToken string, cert []byte, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) ([]byte, error) {
 	var opts sign.BundleOptions
 
 	if trustedMaterial != nil {
 		opts.TrustedRoot = trustedMaterial
 	}
 
-	if idToken != "" {
+	switch {
+	case idToken != "":
 		if len(signingConfig.FulcioCertificateAuthorityURLs()) == 0 {
 			return nil, fmt.Errorf("no fulcio URLs provided in signing config")
 		}
@@ -53,7 +54,9 @@ func SignData(ctx context.Context, content sign.Content, keypair sign.Keypair, i
 		opts.CertificateProviderOptions = &sign.CertificateProviderOptions{
 			IDToken: idToken,
 		}
-	} else {
+	case cert != nil:
+		opts.CertificateProvider = &localCertProvider{cert}
+	default:
 		publicKeyPem, err := keypair.GetPublicKeyPem()
 		if err != nil {
 			return nil, err
@@ -130,3 +133,15 @@ type verifyTrustedMaterial struct {
 func (v *verifyTrustedMaterial) PublicKeyVerifier(hint string) (root.TimeConstrainedVerifier, error) {
 	return v.keyTrustedMaterial.PublicKeyVerifier(hint)
 }
+
+type localCertProvider struct {
+	cert []byte
+}
+
+func (c *localCertProvider) GetCertificate(_ context.Context, _ sign.Keypair, _ *sign.CertificateProviderOptions) ([]byte, error) {
+	certBlock, _ := pem.Decode(c.cert)
+	if certBlock == nil {
+		return nil, fmt.Errorf("could not decode cert")
+	}
+	return certBlock.Bytes, nil
+}

test/e2e_test.go

@@ -21,16 +21,20 @@ import (
 	"bytes"
 	"context"
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/ed25519"
+	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"io"
+	"math/big"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -572,8 +576,7 @@ func downloadTSACerts(downloadDirectory string, tsaServer string) (string, strin
 	return leafPath, intermediatePath, rootPath, nil
 }
 
-func prepareTrustedRoot(t *testing.T, tsaURL string) string {
-	downloadDirectory := t.TempDir()
+func trustedRootCmd(t *testing.T, downloadDirectory, tsaURL string) *trustedroot.CreateCmd {
 	caPath := filepath.Join(downloadDirectory, "fulcio.crt.pem")
 	caFP, err := os.Create(caPath)
 	must(err, t)
@@ -602,8 +605,22 @@ func prepareTrustedRoot(t *testing.T, tsaURL string) string {
 		must(downloadFile(tsaURL+"/api/v1/timestamp/certchain", tsaFP), t)
 		cmd.TSACertChainPath = []string{tsaPath}
 	}
+	return cmd
+}
+
+func prepareTrustedRoot(t *testing.T, tsaURL string) string {
+	downloadDirectory := t.TempDir()
+	cmd := trustedRootCmd(t, downloadDirectory, tsaURL)
 	must(cmd.Exec(context.TODO()), t)
-	return out
+	return cmd.Out
+}
+
+func prepareTrustedRootWithSelfSignedCertificate(t *testing.T, certPath, tsaURL string) string {
+	td := t.TempDir()
+	cmd := trustedRootCmd(t, td, tsaURL)
+	cmd.CertChain = append(cmd.CertChain, certPath)
+	must(cmd.Exec(context.TODO()), t)
+	return cmd.Out
 }
 
 func TestSignVerifyWithTUFMirror(t *testing.T) {
@@ -889,8 +906,12 @@ func TestSignAttestVerifyBlobWithSigningConfig(t *testing.T) {
 	mirror := tufServer.URL
 	trustedRoot := prepareTrustedRoot(t, tsaServer.URL)
 	signingConfigStr := prepareSigningConfig(t, fulcioURL, rekorURL, "unused", tsaServer.URL+"/api/v1/timestamp")
+	sc, err := os.ReadFile(signingConfigStr)
+	must(err, t)
+	fmt.Println(string(sc))
+	fmt.Println(fulcioURL)
 
-	_, err := newTUF(tufMirror, []targetInfo{
+	_, err = newTUF(tufMirror, []targetInfo{
 		{
 			name:   "trusted_root.json",
 			source: trustedRoot,
@@ -1094,6 +1115,113 @@ func TestSignAttestVerifyContainerWithSigningConfig(t *testing.T) {
 	must(verifyAttestation.Exec(ctx, []string{imgName}), t)
 }
 
+func TestSignVerifyContainerWithSigningConfigWithCertificate(t *testing.T) {
+	tufLocalCache := t.TempDir()
+	t.Setenv("TUF_ROOT", tufLocalCache)
+	viper.Set("timestamp-signer", "memory")
+	viper.Set("timestamp-signer-hash", "sha256")
+	tsaAPIServer := server.NewRestAPIServer("localhost", 0, []string{"http"}, false, 10*time.Second, 10*time.Second)
+	tsaServer := httptest.NewServer(tsaAPIServer.GetHandler())
+	t.Cleanup(tsaServer.Close)
+	tufMirror := t.TempDir()
+	tufServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.FileServer(http.Dir(tufMirror)).ServeHTTP(w, r)
+	}))
+	mirror := tufServer.URL
+
+	cert, privKey, err := selfSignedCertificate()
+	must(err, t)
+	keysDir := t.TempDir()
+	privKeyPath := filepath.Join(keysDir, "priv.key")
+	privDer, err := x509.MarshalECPrivateKey(privKey)
+	must(err, t)
+	keyWriter, err := os.OpenFile(privKeyPath, os.O_WRONLY|os.O_CREATE, 0o600)
+	must(err, t)
+	defer keyWriter.Close()
+	block := &pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: privDer,
+	}
+	must(pem.Encode(keyWriter, block), t)
+
+	certPath := filepath.Join(keysDir, "cert.pem")
+	certWriter, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE, 0o600)
+	must(err, t)
+	defer certWriter.Close()
+	block = &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Raw,
+	}
+	must(pem.Encode(certWriter, block), t)
+
+	keys, err := cosign.ImportKeyPair(privKeyPath, passFunc)
+	must(err, t)
+	importKeyPath := filepath.Join(keysDir, "import-priv.key")
+	must(os.WriteFile(importKeyPath, keys.PrivateBytes, 0o600), t)
+
+	trustedRoot := prepareTrustedRootWithSelfSignedCertificate(t, certPath, tsaServer.URL)
+	signingConfigStr := prepareSigningConfig(t, fulcioURL, rekorURL, "unused", tsaServer.URL+"/api/v1/timestamp")
+
+	_, err = newTUF(tufMirror, []targetInfo{
+		{
+			name:   "trusted_root.json",
+			source: trustedRoot,
+		},
+		{
+			name:   "signing_config.v0.2.json",
+			source: signingConfigStr,
+		},
+	})
+	must(err, t)
+
+	repo, stop := reg(t)
+	defer stop()
+	imgName := path.Join(repo, "cosign-e2e")
+
+	_, _, cleanup := mkimage(t, imgName)
+	defer cleanup()
+
+	ctx := context.Background()
+
+	rootPath := filepath.Join(tufMirror, "1.root.json")
+	must(initialize.DoInitialize(ctx, rootPath, mirror), t)
+
+	ko := options.KeyOpts{
+		NewBundleFormat:  true,
+		SkipConfirmation: true,
+		KeyRef:           importKeyPath,
+		PassFunc:         passFunc,
+	}
+	trustedMaterial, err := cosign.TrustedRoot()
+	must(err, t)
+	ko.TrustedMaterial = trustedMaterial
+	signingConfig, err := cosign.SigningConfig()
+	must(err, t)
+	ko.SigningConfig = signingConfig
+
+	// Sign image with cert in bundle format
+	so := options.SignOptions{
+		Upload:          true,
+		NewBundleFormat: true,
+		Key:             importKeyPath,
+		Cert:            certPath,
+		TlogUpload:      false,
+	}
+	must(sign.SignCmd(ctx, ro, ko, so, []string{imgName}), t)
+
+	// Verify image
+	cmd := cliverify.VerifyCommand{
+		CertVerifyOptions: options.CertVerifyOptions{
+			CertOidcIssuerRegexp: ".*",
+			CertIdentity:         "[email protected]",
+		},
+		NewBundleFormat: true,
+		IgnoreSCT:       true,
+	}
+	args := []string{imgName}
+	must(cmd.Exec(ctx, args), t)
+}
+
 func TestSignVerifyWithSigningConfigWithKey(t *testing.T) {
 	tufLocalCache := t.TempDir()
 	t.Setenv("TUF_ROOT", tufLocalCache)
@@ -4369,3 +4497,31 @@ func TestAttestVerifyUploadFalse(t *testing.T) {
 	must(err, t)
 	assert.Contains(t, out.String(), fmt.Sprintf("sha256:%s", hex.EncodeToString(h.Sum(nil))))
 }
+
+func selfSignedCertificate() (*x509.Certificate, *ecdsa.PrivateKey, error) {
+	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		return nil, nil, err
+	}
+	ct := &x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			CommonName:   "self.signed.cert",
+			Organization: []string{"dev"},
+		},
+		EmailAddresses: []string{"[email protected]"},
+		NotBefore:      time.Now().Add(-1 * time.Minute),
+		NotAfter:       time.Now().Add(24 * time.Hour),
+		KeyUsage:       x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
+	}
+	certBytes, err := x509.CreateCertificate(rand.Reader, ct, ct, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return nil, nil, err
+	}
+	return cert, priv, nil
+}