Check certificate policy flags with only a certificate

[haydentherapper]

Flags such as cert-email and cert-oidc-issuer were only checked when a
certificate and its chain were passed to Cosign, or when the certificate
is fetched from either the OCI annotation or from Rekor (for
verify-blob). This adds support for checking certificate policy flags
when only a certificate is passed to Cosign.

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Fixes #1848

Release Note

Fixed checking certificate policy flags when only a certificate is provided

[haydentherapper]

cc @znewman01

[haydentherapper]

Note that I can't reuse ValidateAndUnpackCertWithChain or ValidateAndUnpackCert because both expect a certificate chain.

[znewman01]

Nice refactor in verify.go!

Verified that this fixes my original problem:

$ git checkout hayden/support-cert-checks
$ make
$ ./cosign verify-blob /dev/null --cert /tmp/null.crt  --signature /tmp/null.sig --cert-email bad@example.com
Error: verifying blob [/dev/null]: expected email not found in certificate
main.go:52: error during command execution: verifying blob [/dev/null]: expected email not found in certificate

[znewman01]

Unrelated to this PR but it's a regex??? That's a surprise

Does this open up an attack where someone passes zjn@mail.example.com and I go register mailqexample.com and can pass the check?

[haydentherapper]

@vaikas - FYI, I think you added this originally

[vaikas]

Yeah, I sure did add it. @znewman01, in your particular example, yeah, you'd have to use:
zjn@mail\.example\.com

Let's take this off the thread however, and if we want this to be a non-regexp, I'd be happy to make the change. Would you mind creating an issue, tagging me in it so we have a proper track record and I'll go change it so that it is what folks want.

Thanks for the flagging!!!

[znewman01]

ACK will do :)