Don't panic if there's unexpected content in PEM file

Update tests, also fix documentation for flags that were removed. Co-authored-by: Dmitry S <[email protected]> Signed-off-by: Zach Steindler <[email protected]>
sigstore · Oct 17, 2024 · b8d58d7 · b8d58d7
1 parent f705836
commit b8d58d7
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 5 deletions.
diff --git a/cmd/cosign/cli/options/trustedroot.go b/cmd/cosign/cli/options/trustedroot.go
@@ -36,7 +36,7 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 		"path to a list of CA certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
-			"signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.")
+			"signing certificate and end with the root certificate.")
 	_ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
 
 	cmd.Flags().StringArrayVar(&o.CtfeKeyPath, "ctfe-key", nil,

diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go
@@ -162,7 +162,7 @@ func parseCerts(path string) ([]*x509.Certificate, error) {
 		return nil, err
 	}
 
-	for block, contents := pem.Decode(contents); ; block, contents = pem.Decode(contents) {
+	for block, contents := pem.Decode(contents); block != nil; block, contents = pem.Decode(contents) {
 		cert, err := x509.ParseCertificate(block.Bytes)
 		if err != nil {
 			return nil, err

diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go
@@ -35,10 +35,10 @@ func TestCreateCmd(t *testing.T) {
 	// Make some certificate chains
 	td := t.TempDir()
 
-	fulcioChainPath := filepath.Join(td, "fulcio.crt")
+	fulcioChainPath := filepath.Join(td, "fulcio.pem")
 	makeChain(t, fulcioChainPath, 2)
 
-	tsaChainPath := filepath.Join(td, "timestamp.crt")
+	tsaChainPath := filepath.Join(td, "timestamp.pem")
 	makeChain(t, tsaChainPath, 3)
 
 	outPath := filepath.Join(td, "trustedroot.json")
@@ -73,6 +73,7 @@ func TestCreateCmd(t *testing.T) {
 	if len(timestampAuthorities[0].Intermediates) != 2 {
 		t.Fatal("unexpected number of timestamp intermediate certificates")
 	}
+
 }
 
 func makeChain(t *testing.T, path string, size int) {
@@ -120,6 +121,10 @@ func makeChain(t *testing.T, path string, size int) {
 	}
 	err = pem.Encode(fd, block)
 	checkErr(t, err)
+
+	// Ensure we handle unexpected content at the end of the PEM file
+	_, err = fd.Write([]byte("asdf\n"))
+	checkErr(t, err)
 }
 
 func checkErr(t *testing.T, err error) {

diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md