add one more test

Signed-off-by: Asra Ali <asraa@google.com>
sigstore · Sep 15, 2022 · 1405355 · 1405355
1 parent e641243
commit 1405355
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 2 deletions.
diff --git a/cmd/cosign/cli/verify/verify_blob.go b/cmd/cosign/cli/verify/verify_blob.go
@@ -149,13 +149,14 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
 			if err != nil {
 				return fmt.Errorf("getting Fulcio roots: %w", err)
 			}
+
 			co.IntermediateCerts, err = fulcio.GetIntermediates()
 			if err != nil {
 				return fmt.Errorf("getting Fulcio intermediates: %w", err)
 			}
 			co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co)
 			if err != nil {
-				return err
+				return fmt.Errorf("validating certRef: %w", err)
 			}
 		} else {
 			// Verify certificate with chain
@@ -195,8 +196,15 @@ func VerifyBlobCmd(ctx context.Context, ko options.KeyOpts, certRef, certEmail,
 				if err != nil {
 					return fmt.Errorf("getting Fulcio intermediates: %w", err)
 				}
+				co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co)
+			} else {
+				// Verify certificate with chain
+				chain, err := loadCertChainFromFileOrURL(certChain)
+				if err != nil {
+					return err
+				}
+				co.SigVerifier, err = cosign.ValidateAndUnpackCertWithChain(cert, chain, co)
 			}
-			co.SigVerifier, err = cosign.ValidateAndUnpackCert(cert, co)
 		}
 		if err != nil {
 			return fmt.Errorf("loading verifier from bundle: %w", err)

diff --git a/cmd/cosign/cli/verify/verify_blob_test.go b/cmd/cosign/cli/verify/verify_blob_test.go
@@ -994,6 +994,44 @@ func TestVerifyBlobCmdWithBundle(t *testing.T) {
 			t.Fatalf("expected success without specifying the intermediates, got %v", err)
 		}
 	})
+	t.Run("Intermediate root explicit in non-experimental mode", func(t *testing.T) {
+		identity := "hello@foo.com"
+		issuer := "issuer"
+		leafCert, _, leafPemCert, signer := keyless.genLeafCert(t, identity, issuer)
+
+		// Create blob
+		blob := "someblob"
+
+		// Sign blob with private key
+		sig, err := signer.SignMessage(bytes.NewReader([]byte(blob)))
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// Create bundle
+		entry := genRekorEntry(t, hashedrekord.KIND, hashedrekord.New().DefaultVersion(), []byte(blob), leafPemCert, sig)
+		b := createBundle(t, sig, leafPemCert, keyless.rekorLogID, leafCert.NotBefore.Unix()+1, entry)
+		b.Bundle.SignedEntryTimestamp = keyless.rekorSignPayload(t, b.Bundle.Payload)
+		bundlePath := writeBundleFile(t, keyless.td, b, "bundle.json")
+		blobPath := writeBlobFile(t, keyless.td, blob, "blob.txt")
+
+		// Verify command
+		err = VerifyBlobCmd(context.Background(),
+			options.KeyOpts{BundlePath: bundlePath},
+			"",                              /*certRef*/
+			identity,                        /*certEmail*/
+			issuer,                          /*certOidcIssuer*/
+			os.Getenv("SIGSTORE_ROOT_FILE"), /*certChain*/
+			"",                              /*sigRef*/ // Sig is fetched from bundle
+			blobPath,                        /*blobRef*/
+			// GitHub identity flags start
+			"", "", "", "", "",
+			// GitHub identity flags end
+			false /*enforceSCT*/)
+		if err != nil {
+			t.Fatalf("expected success specifying the intermediates, got %v", err)
+		}
+	})
 }
 
 func TestVerifyBlobCmdInvalidRootCA(t *testing.T) {