diff --git a/cmd/cosign/cli/options/trustedroot.go b/cmd/cosign/cli/options/trustedroot.go
index 66497690ae7..298d34d9c8a 100644
--- a/cmd/cosign/cli/options/trustedroot.go
+++ b/cmd/cosign/cli/options/trustedroot.go
@@ -36,7 +36,7 @@ func (o *TrustedRootCreateOptions) AddFlags(cmd *cobra.Command) {
 "path to a list of CA certificates in PEM format which will be needed "+
 "when building the certificate chain for the signing certificate. "+
 "Must start with the parent intermediate CA certificate of the "+
- "signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.")
+ "signing certificate and end with the root certificate.")
 _ = cmd.Flags().SetAnnotation("certificate-chain", cobra.BashCompFilenameExt, []string{"cert"})
 
 cmd.Flags().StringArrayVar(&o.CtfeKeyPath, "ctfe-key", nil,
diff --git a/cmd/cosign/cli/trustedroot/trustedroot.go b/cmd/cosign/cli/trustedroot/trustedroot.go
index ee2faef41ac..305ba51facf 100644
--- a/cmd/cosign/cli/trustedroot/trustedroot.go
+++ b/cmd/cosign/cli/trustedroot/trustedroot.go
@@ -162,7 +162,7 @@ func parseCerts(path string) ([]*x509.Certificate, error) {
 return nil, err
 }
 
- for block, contents := pem.Decode(contents); ; block, contents = pem.Decode(contents) {
+ for block, contents := pem.Decode(contents); block != nil; block, contents = pem.Decode(contents) {
 cert, err := x509.ParseCertificate(block.Bytes)
 if err != nil {
 return nil, err
diff --git a/cmd/cosign/cli/trustedroot/trustedroot_test.go b/cmd/cosign/cli/trustedroot/trustedroot_test.go
index 746edff639c..9e0f1b32cc0 100644
--- a/cmd/cosign/cli/trustedroot/trustedroot_test.go
+++ b/cmd/cosign/cli/trustedroot/trustedroot_test.go
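Review bot: With `block != nil` as the loop condition, parseCerts now silently returns whatever certificates precede the first undecodable byte, so a chain file truncated inside a block (a missing `-----END CERTIFICATE-----`) or one containing no PEM at all yields a short or empty slice with a nil error — for a file that becomes a trust anchor that deserves an explicit failure rather than a quiet partial chain. pem.Decode does not distinguish "no more blocks" from "rest is not PEM", so the loop condition alone cannot tell; what the loop can check is the block label, e.g. `if block.Type != "CERTIFICATE" { return nil, fmt.Errorf("unexpected PEM block %q in %s", block.Type, path) }` before the ParseCertificate call (fmt would need to be in scope). After the loop, which together with the function's return lies outside this hunk, `len(certs) == 0` should be an error unless that is already handled there. The test added in this commit only covers garbage after a complete block, so the zero-certificate case remains unexercised.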
@@ -35,10 +35,10 @@ func TestCreateCmd(t *testing.T) {
 // Make some certificate chains
 td := t.TempDir()
 
- fulcioChainPath := filepath.Join(td, "fulcio.crt")
+ fulcioChainPath := filepath.Join(td, "fulcio.pem")
 makeChain(t, fulcioChainPath, 2)
 
- tsaChainPath := filepath.Join(td, "timestamp.crt")
+ tsaChainPath := filepath.Join(td, "timestamp.pem")
 makeChain(t, tsaChainPath, 3)
 
 outPath := filepath.Join(td, "trustedroot.json")
@@ -73,6 +73,7 @@ func TestCreateCmd(t *testing.T) {
 if len(timestampAuthorities[0].Intermediates) != 2 {
 t.Fatal("unexpected number of timestamp intermediate certificates")
 }
+
 }
 
 func makeChain(t *testing.T, path string, size int) {
@@ -120,6 +121,10 @@ func makeChain(t *testing.T, path string, size int) {
 }
 err = pem.Encode(fd, block)
 checkErr(t, err)
+
+ // Ensure we handle unexpected content at the end of the PEM file
+ _, err = fd.Write([]byte("asdf\n"))
+ checkErr(t, err)
 }
 
 func checkErr(t *testing.T, err error) {
diff --git a/doc/cosign_trusted-root_create.md b/doc/cosign_trusted-root_create.md
index 0d62614d187..486aa8a8a44 100644
--- a/doc/cosign_trusted-root_create.md
+++ b/doc/cosign_trusted-root_create.md
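Review bot: The trailing `asdf\n` appended in makeChain exercises only garbage after a complete block, so TestCreateCmd would still pass if parseCerts (the function this commit changes) returned an empty slice and nil error for a file holding no PEM block at all; a second fixture written with only `asdf\n`, run through the create command and asserted either to fail or to produce no authority, would pin that behaviour whichever way it is meant to go. makeChain's signature and the loop that writes the blocks start before this hunk, and checkErr continues past it. The blank line inserted before the closing brace of TestCreateCmd in the preceding hunk is stray whitespace that gofmt preserves and whitespace linters flag, so it is simpler to drop than to keep.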
@@ -13,7 +13,7 @@ cosign trusted-root create [flags]
 ### Options
 
 ```
- --certificate-chain stringArray path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.
+ --certificate-chain stringArray path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate.
 --ctfe-key stringArray path to a PEM-encoded public key used by certificate authority for certificate transparency log.
 --ctfe-start-time stringArray RFC 3339 string describing validity start time for key use by certificate transparency log.
 -h, --help help for create