Add TSA certificate related flags and fields for cosign attest (#4079)

* Add TSA certificate related flags and fields for cosign attest

Add the following command-line flags for `cosign attest`:
* timestamp-client-cacert
* timestamp-client-cert
* timestamp-client-key
* timestamp-server-name
to enable the mTLS connections to the custom TSA server
using non-public CA roots. Also add the supporting fields
in the AttestOptions struct.

All the added fields are optional with empty defaults -
not providing them should not make any difference for those
who do not need them.

The patch is authored by Aditya Mahendrakar (@maditya).

Signed-off-by: Dmitry Savintsev <dsavints@gmail.com>

* Add TSA certificate flag/fields for cosign attest-blob

Signed-off-by: Dmitry Savintsev <dsavints@gmail.com>

---------

Signed-off-by: Dmitry Savintsev <dsavints@gmail.com>

Author: dmitris

cmd/cosign/cli/attest.go

@@ -86,6 +86,10 @@ func Attest() *cobra.Command {
 				OIDCRedirectURL:          o.OIDC.RedirectURL,
 				OIDCProvider:             o.OIDC.Provider,
 				SkipConfirmation:         o.SkipConfirmation,
+				TSAClientCACert:          o.TSAClientCACert,
+				TSAClientKey:             o.TSAClientKey,
+				TSAClientCert:            o.TSAClientCert,
+				TSAServerName:            o.TSAServerName,
 				TSAServerURL:             o.TSAServerURL,
 			}
 			attestCommand := attest.AttestCommand{

cmd/cosign/cli/attest/attest.go

@@ -183,7 +183,16 @@ func (c *AttestCommand) Exec(ctx context.Context, imageRef string) error {
 		// to send to the timestamp authority based on our output format.
 		//
 		// See cmd/cosign/cli/attest/attest_blob.go
-		responseBytes, err := tsa.GetTimestampedSignature(signedPayload, tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL))
+		tc := tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL)
+		if c.KeyOpts.TSAClientCert != "" {
+			tc = tsaclient.NewTSAClientMTLS(c.KeyOpts.TSAServerURL,
+				c.KeyOpts.TSAClientCACert,
+				c.KeyOpts.TSAClientCert,
+				c.KeyOpts.TSAClientKey,
+				c.KeyOpts.TSAServerName,
+			)
+		}
+		responseBytes, err := tsa.GetTimestampedSignature(signedPayload, tc)
 		if err != nil {
 			return err
 		}

cmd/cosign/cli/attest/attest_blob.go

@@ -40,7 +40,7 @@ import (
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/rekor"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/sign"
 	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa"
-	"github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
+	tsaclient "github.com/sigstore/cosign/v2/internal/pkg/cosign/tsa/client"
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/cosign/attestation"
 	cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
@@ -165,7 +165,16 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 	var timestampBytes []byte
 	var rekorEntry *models.LogEntryAnon
 
-	if c.TSAServerURL != "" {
+	if c.KeyOpts.TSAServerURL != "" {
+		tc := tsaclient.NewTSAClient(c.KeyOpts.TSAServerURL)
+		if c.TSAClientCert != "" {
+			tc = tsaclient.NewTSAClientMTLS(c.KeyOpts.TSAServerURL,
+				c.KeyOpts.TSAClientCACert,
+				c.KeyOpts.TSAClientCert,
+				c.KeyOpts.TSAClientKey,
+				c.KeyOpts.TSAServerName,
+			)
+		}
 		// We need to decide what signature to send to the timestamp authority.
 		//
 		// Historically, cosign sent `sig`, which is the entire JSON DSSE
@@ -186,12 +195,12 @@ func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error
 				return err
 			}
 
-			timestampBytes, err = tsa.GetTimestampedSignature(envelopeSigBytes, client.NewTSAClient(c.TSAServerURL))
+			timestampBytes, err = tsa.GetTimestampedSignature(envelopeSigBytes, tc)
 			if err != nil {
 				return err
 			}
 		} else {
-			timestampBytes, err = tsa.GetTimestampedSignature(sig, client.NewTSAClient(c.TSAServerURL))
+			timestampBytes, err = tsa.GetTimestampedSignature(sig, tc)
 			if err != nil {
 				return err
 			}

cmd/cosign/cli/attest_blob.go

@@ -70,6 +70,10 @@ func AttestBlob() *cobra.Command {
 				OIDCRedirectURL:          o.OIDC.RedirectURL,
 				OIDCProvider:             o.OIDC.Provider,
 				SkipConfirmation:         o.SkipConfirmation,
+				TSAClientCACert:          o.TSAClientCACert,
+				TSAClientKey:             o.TSAClientKey,
+				TSAClientCert:            o.TSAClientCert,
+				TSAServerName:            o.TSAServerName,
 				TSAServerURL:             o.TSAServerURL,
 				RFC3161TimestampPath:     o.RFC3161TimestampPath,
 				BundlePath:               o.BundlePath,

cmd/cosign/cli/options/attest.go

@@ -29,6 +29,10 @@ type AttestOptions struct {
 	Replace                 bool
 	SkipConfirmation        bool
 	TlogUpload              bool
+	TSAClientCACert         string
+	TSAClientCert           string
+	TSAClientKey            string
+	TSAServerName           string
 	TSAServerURL            string
 	RekorEntryType          string
 	RecordCreationTimestamp bool
@@ -85,6 +89,18 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.RekorEntryType, "rekor-entry-type", "dsse",
 		"specifies the type to be used for a rekor entry upload. Options are intoto or dsse (default). ")
 
+	cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "",
+		"path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAClientCert, "timestamp-client-cert", "",
+		"path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAClientKey, "timestamp-client-key", "",
+		"path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAServerName, "timestamp-server-name", "",
+		"SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server")
+
 	cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
 		"url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr")
 

cmd/cosign/cli/options/attest_blob.go

@@ -26,6 +26,10 @@ type AttestBlobOptions struct {
 
 	SkipConfirmation     bool
 	TlogUpload           bool
+	TSAClientCACert      string
+	TSAClientCert        string
+	TSAClientKey         string
+	TSAServerName        string
 	TSAServerURL         string
 	RFC3161TimestampPath string
 
@@ -103,6 +107,18 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.RekorEntryType, "rekor-entry-type", "dsse",
 		"specifies the type to be used for a rekor entry upload. Options are intoto or dsse (default). ")
 
+	cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "",
+		"path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAClientCert, "timestamp-client-cert", "",
+		"path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAClientKey, "timestamp-client-key", "",
+		"path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server")
+
+	cmd.Flags().StringVar(&o.TSAServerName, "timestamp-server-name", "",
+		"SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server")
+
 	cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
 		"url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr")