Updating sign-blob to also support signing with a certificate (#4547)

---------

Signed-off-by: Zach Steindler <steiza@github.com>

Author: steiza

cmd/cosign/cli/options/attest_blob.go

@@ -72,14 +72,14 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
-		"path to the X.509 certificate in PEM format to include in the OCI Signature")
+		"path to the X.509 certificate for signing attestation")
 	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
-			"when building the certificate chain for the signing certificate. "+
+			"when building the certificate chain for the signed attestation. "+
 			"Must start with the parent intermediate CA certificate of the "+
-			"signing certificate and end with the root certificate. Included in the OCI Signature")
+			"signing certificate and end with the root certificate.")
 	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",

cmd/cosign/cli/options/signblob.go

@@ -29,6 +29,8 @@ import (
 // The new output-certificate flag is only in use when COSIGN_EXPERIMENTAL is enabled
 type SignBlobOptions struct {
 	Key                  string
+	Cert                 string
+	CertChain            string
 	Base64Output         bool
 	Output               string // deprecated: TODO remove when the output flag is fully deprecated
 	OutputSignature      string // TODO: this should be the root output file arg.
@@ -69,6 +71,17 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 		"path to the private key file, KMS URI or Kubernetes Secret")
 	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
+	cmd.Flags().StringVar(&o.Cert, "certificate", "",
+		"path to the X.509 certificate for signing attestation")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
+
+	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
+		"path to a list of CA X.509 certificates in PEM format which will be needed "+
+			"when building the certificate chain for the signed attestation. "+
+			"Must start with the parent intermediate CA certificate of the "+
+			"signing certificate and end with the root certificate.")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
+
 	cmd.Flags().BoolVar(&o.Base64Output, "b64", true,
 		"whether to base64 encode the output")
 

cmd/cosign/cli/sign/sign_blob.go

@@ -58,44 +58,41 @@ func getPayload(ctx context.Context, payloadPath string, hashFunction crypto.Has
 }
 
 // nolint
-func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpts, payloadPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) {
+func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpts, payloadPath, certPath, certChainPath string, b64 bool, outputSignature string, outputCertificate string, tlogUpload bool) ([]byte, error) {
 	var payload internal.HashReader
 
 	ctx, cancel := context.WithTimeout(ctx, ro.Timeout)
 	defer cancel()
 
-	shouldUpload, err := signcommon.ShouldUploadToTlog(ctx, ko, nil, tlogUpload)
-	if err != nil {
-		return nil, fmt.Errorf("upload to tlog: %w", err)
-	}
-
-	if !shouldUpload {
+	// TODO - this does not take ko.SigningConfig into account
+	if !tlogUpload {
 		// To maintain backwards compatibility with older cosign versions,
 		// we do not use ed25519ph for ed25519 keys when the signatures are not
 		// uploaded to the Tlog.
 		ko.DefaultLoadOptions = &[]signature.LoadOption{}
 	}
 
-	if ko.SigningConfig != nil {
-		keypair, _, idToken, err := signcommon.GetKeypairAndToken(ctx, ko, "", "")
-		if err != nil {
-			return nil, fmt.Errorf("getting keypair and token: %w", err)
-		}
+	keypair, sv, certBytes, idToken, err := signcommon.GetKeypairAndToken(ctx, ko, certPath, certChainPath)
+	if err != nil {
+		return nil, fmt.Errorf("getting keypair and token: %w", err)
+	}
 
-		payload, closePayload, err := getPayload(ctx, payloadPath, protoHashAlgoToHash(keypair.GetHashAlgorithm()))
-		if err != nil {
-			return nil, fmt.Errorf("getting payload: %w", err)
-		}
-		defer closePayload()
+	hashFunction := protoHashAlgoToHash(keypair.GetHashAlgorithm())
+	payload, closePayload, err := getPayload(ctx, payloadPath, hashFunction)
+	if err != nil {
+		return nil, fmt.Errorf("getting payload: %w", err)
+	}
+	defer closePayload()
+
+	if ko.SigningConfig != nil {
 		data, err := io.ReadAll(&payload)
 		if err != nil {
 			return nil, fmt.Errorf("reading payload: %w", err)
 		}
 		content := &sign.PlainData{
 			Data: data,
 		}
-
-		bundle, err := cbundle.SignData(ctx, content, keypair, idToken, nil, ko.SigningConfig, ko.TrustedMaterial)
+		bundle, err := cbundle.SignData(ctx, content, keypair, idToken, certBytes, ko.SigningConfig, ko.TrustedMaterial)
 		if err != nil {
 			return nil, fmt.Errorf("signing bundle: %w", err)
 		}
@@ -106,15 +103,9 @@ func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpt
 		return bundle, nil
 	}
 
-	sv, closeSV, err := signcommon.GetSignerVerifier(ctx, "", "", ko)
-	if err != nil {
-		return nil, fmt.Errorf("getting signer: %w", err)
-	}
-	defer closeSV()
-
-	hashFunction, err := getHashFunction(sv, ko)
+	shouldUpload, err := signcommon.ShouldUploadToTlog(ctx, ko, nil, tlogUpload)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("upload to tlog: %w", err)
 	}
 
 	if hashFunction != crypto.SHA256 && !ko.NewBundleFormat && (shouldUpload || (!ko.Sk && ko.KeyRef == "")) {
@@ -127,12 +118,6 @@ func SignBlobCmd(ctx context.Context, ro *options.RootOptions, ko options.KeyOpt
 		ui.Infof(ctx, "Continuing with non SHA256 hash function and old bundle format")
 	}
 
-	payload, closePayload, err := getPayload(ctx, payloadPath, hashFunction)
-	if err != nil {
-		return nil, err
-	}
-	defer closePayload()
-
 	sig, err := sv.SignMessage(&payload, signatureoptions.WithContext(ctx))
 	if err != nil {
 		return nil, fmt.Errorf("signing blob: %w", err)
@@ -277,35 +262,6 @@ func extractCertificate(ctx context.Context, sv *signcommon.SignerVerifier) ([]b
 	return nil, nil
 }
 
-func getHashFunction(sv *signcommon.SignerVerifier, ko options.KeyOpts) (crypto.Hash, error) {
-	if ko.Sk || ko.KeyRef != "" {
-		pubKey, err := sv.PublicKey()
-		if err != nil {
-			return crypto.Hash(0), fmt.Errorf("error getting public key: %w", err)
-		}
-
-		defaultLoadOptions := cosign.GetDefaultLoadOptions(ko.DefaultLoadOptions)
-
-		// TODO: Ideally the SignerVerifier should have a method to get the hash function
-		algo, err := signature.GetDefaultAlgorithmDetails(pubKey, *defaultLoadOptions...)
-		if err != nil {
-			return crypto.Hash(0), fmt.Errorf("error getting default algorithm details: %w", err)
-		}
-		return algo.GetHashType(), nil
-	}
-
-	// New key was generated, using the signing	algorithm specified by the user
-	keyDetails, err := signcommon.ParseSignatureAlgorithmFlag(ko.SigningAlgorithm)
-	if err != nil {
-		return crypto.Hash(0), fmt.Errorf("parsing signature algorithm: %w", err)
-	}
-	algo, err := signature.GetAlgorithmDetails(keyDetails)
-	if err != nil {
-		return crypto.Hash(0), fmt.Errorf("getting algorithm details: %w", err)
-	}
-	return algo.GetHashType(), nil
-}
-
 func hashFuncToProtoBundle(hashFunc crypto.Hash) protocommon.HashAlgorithm {
 	switch hashFunc {
 	case crypto.SHA256:

cmd/cosign/cli/sign/sign_blob_test.go

@@ -15,11 +15,15 @@
 package sign
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"os"
 	"path/filepath"
 	"testing"
 
+	"github.com/secure-systems-lab/go-securesystemslib/encrypted"
 	"github.com/sigstore/cosign/v3/cmd/cosign/cli/options"
+	"github.com/sigstore/cosign/v3/internal/test"
 	"github.com/sigstore/cosign/v3/pkg/cosign"
 )
 
@@ -37,7 +41,7 @@ func TestSignBlobCmd(t *testing.T) {
 	keyOpts := options.KeyOpts{KeyRef: keyRef, BundlePath: bundlePath}
 
 	// Test happy path
-	_, err := SignBlobCmd(t.Context(), rootOpts, keyOpts, blobPath, true, "", "", false)
+	_, err := SignBlobCmd(t.Context(), rootOpts, keyOpts, blobPath, "", "", true, "", "", false)
 	if err != nil {
 		t.Fatalf("unexpected error %v", err)
 	}
@@ -46,7 +50,32 @@ func TestSignBlobCmd(t *testing.T) {
 	keyOpts.NewBundleFormat = true
 	sigPath := filepath.Join(td, "output.sig")
 	certPath := filepath.Join(td, "output.pem")
-	_, err = SignBlobCmd(t.Context(), rootOpts, keyOpts, blobPath, false, sigPath, certPath, false)
+	_, err = SignBlobCmd(t.Context(), rootOpts, keyOpts, blobPath, "", "", false, sigPath, certPath, false)
+	if err != nil {
+		t.Fatalf("unexpected error %v", err)
+	}
+
+	// Test signing with a certificate
+	rootCert, rootKey, _ := test.GenerateRootCa()
+	cert, certPrivKey, _ := test.GenerateLeafCert("subject", "oidc-issuer", rootCert, rootKey)
+	certPemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
+	signCertPath := writeFile(t, td, string(certPemBytes), "cert.pem")
+	x509Encoded, err := x509.MarshalPKCS8PrivateKey(certPrivKey)
+	if err != nil {
+		t.Fatalf("unexpected error %v", err)
+	}
+	encBytes, err := encrypted.Encrypt(x509Encoded, nil)
+	if err != nil {
+		t.Fatalf("unexpected error %v", err)
+	}
+	pemBytes := pem.EncodeToMemory(&pem.Block{
+		Bytes: encBytes,
+		Type:  cosign.SigstorePrivateKeyPemType,
+	})
+	certPrivKeyRef := writeFile(t, td, string(pemBytes), "certkey.pem")
+	keyOpts.KeyRef = certPrivKeyRef
+
+	_, err = SignBlobCmd(t.Context(), rootOpts, keyOpts, blobPath, signCertPath, "", false, "", "", false)
 	if err != nil {
 		t.Fatalf("unexpected error %v", err)
 	}

cmd/cosign/cli/signblob.go

@@ -127,7 +127,7 @@ func SignBlob() *cobra.Command {
 					o.OutputSignature = o.Output
 				}
 
-				if _, err := sign.SignBlobCmd(cmd.Context(), ro, ko, blob, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.TlogUpload); err != nil {
+				if _, err := sign.SignBlobCmd(cmd.Context(), ro, ko, blob, o.Cert, o.CertChain, o.Base64Output, o.OutputSignature, o.OutputCertificate, o.TlogUpload); err != nil {
 					return fmt.Errorf("signing %s: %w", blob, err)
 				}
 			}

cmd/cosign/cli/signcommon/common.go

@@ -83,72 +83,53 @@ func (c *SignerVerifier) Bytes(ctx context.Context) ([]byte, error) {
 	return pemBytes, nil
 }
 
-func getEphemeralKeypairOptions(signingAlgorithm string) (*sign.EphemeralKeypairOptions, error) {
-	keyDetails, err := ParseSignatureAlgorithmFlag(signingAlgorithm)
-	if err != nil {
-		return nil, fmt.Errorf("parsing signature algorithm: %w", err)
-	}
-
-	return &sign.EphemeralKeypairOptions{
-		Algorithm: keyDetails,
-	}, nil
-}
-
 // GetKeypairAndToken creates a keypair object from provided key or cert flags or generates an ephemeral key.
 // For an ephemeral key, it also uses the key to fetch an OIDC token, the pair of which are later used to get a Fulcio cert.
-func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain string) (sign.Keypair, []byte, string, error) {
+func GetKeypairAndToken(ctx context.Context, ko options.KeyOpts, cert, certChain string) (sign.Keypair, *SignerVerifier, []byte, string, error) {
 	var keypair sign.Keypair
 	var ephemeralKeypair bool
 	var idToken string
 	var sv *SignerVerifier
 	var certBytes []byte
 	var err error
 
-	if ko.Sk || ko.Slot != "" || ko.KeyRef != "" || cert != "" {
-		sv, _, err = signerFromKeyOpts(ctx, cert, certChain, ko)
-		if err != nil {
-			return nil, nil, "", fmt.Errorf("getting signer: %w", err)
-		}
-		keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions)
-		if err != nil {
-			return nil, nil, "", fmt.Errorf("creating signerverifier keypair: %w", err)
-		}
-		certBytes = sv.Cert
-	} else {
-		ephemeralKeypairOptions, err := getEphemeralKeypairOptions(ko.SigningAlgorithm)
-		if err != nil {
-			return nil, nil, "", fmt.Errorf("getting ephemeral keypair options: %w", err)
-		}
-		keypair, err = sign.NewEphemeralKeypair(ephemeralKeypairOptions)
-		if err != nil {
-			return nil, nil, "", fmt.Errorf("generating keypair: %w", err)
-		}
-		ephemeralKeypair = true
+	sv, ephemeralKeypair, err = signerFromKeyOpts(ctx, cert, certChain, ko)
+	if err != nil {
+		return nil, nil, nil, "", fmt.Errorf("getting signer: %w", err)
 	}
+	keypair, err = key.NewSignerVerifierKeypair(sv, ko.DefaultLoadOptions)
+	if err != nil {
+		return nil, nil, nil, "", fmt.Errorf("creating signerverifier keypair: %w", err)
+	}
+	certBytes = sv.Cert
 	defer func() {
 		if sv != nil {
 			sv.Close()
 		}
 	}()
 
 	if ephemeralKeypair || ko.IssueCertificateForExistingKey {
-		idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{
-			TokenOrPath:      ko.IDToken,
-			DisableProviders: ko.OIDCDisableProviders,
-			Provider:         ko.OIDCProvider,
-			AuthFlow:         ko.FulcioAuthFlow,
-			SkipConfirm:      ko.SkipConfirmation,
-			OIDCServices:     ko.SigningConfig.OIDCProviderURLs(),
-			ClientID:         ko.OIDCClientID,
-			ClientSecret:     ko.OIDCClientSecret,
-			RedirectURL:      ko.OIDCRedirectURL,
-		})
+		if ko.SigningConfig == nil {
+			sv, err = keylessSigner(ctx, ko, sv)
+		} else {
+			idToken, err = auth.RetrieveIDToken(ctx, auth.IDTokenConfig{
+				TokenOrPath:      ko.IDToken,
+				DisableProviders: ko.OIDCDisableProviders,
+				Provider:         ko.OIDCProvider,
+				AuthFlow:         ko.FulcioAuthFlow,
+				SkipConfirm:      ko.SkipConfirmation,
+				OIDCServices:     ko.SigningConfig.OIDCProviderURLs(),
+				ClientID:         ko.OIDCClientID,
+				ClientSecret:     ko.OIDCClientSecret,
+				RedirectURL:      ko.OIDCRedirectURL,
+			})
+		}
 		if err != nil {
-			return nil, nil, "", fmt.Errorf("retrieving ID token: %w", err)
+			return nil, nil, nil, "", fmt.Errorf("retrieving ID token: %w", err)
 		}
 	}
 
-	return keypair, certBytes, idToken, nil
+	return keypair, sv, certBytes, idToken, nil
 }
 
 func keylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier) (*SignerVerifier, error) {
@@ -528,7 +509,7 @@ func WriteBundle(ctx context.Context, sv *SignerVerifier, rekorEntry *models.Log
 
 // WriteNewBundleWithSigningConfig uses signing config and trusted root to fetch responses from services for the bundle and writes the bundle to the OCI remote layer.
 func WriteNewBundleWithSigningConfig(ctx context.Context, ko options.KeyOpts, cert, certChain string, bundleOpts CommonBundleOpts, signingConfig *root.SigningConfig, trustedMaterial root.TrustedMaterial) error {
-	keypair, certBytes, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
+	keypair, _, certBytes, idToken, err := GetKeypairAndToken(ctx, ko, cert, certChain)
 	if err != nil {
 		return fmt.Errorf("getting keypair and token: %w", err)
 	}