Correctly decode Cosign-generated payloads

... which can have "optional": null . Signed-off-by: Miloslav Trmač <mitr@redhat.com>
containers · Jul 7, 2022 · 113dcc4 · 113dcc4
1 parent 81f5e6d
commit 113dcc4
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 13 deletions.
diff --git a/signature/internal/cosign_payload.go b/signature/internal/cosign_payload.go
@@ -1,6 +1,7 @@
 package internal
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -107,20 +108,23 @@ func (s *UntrustedCosignPayload) strictUnmarshalJSON(data []byte) error {
 	var creatorID string
 	var timestamp float64
 	var gotCreatorID, gotTimestamp = false, false
-	if err := ParanoidUnmarshalJSONObject(optional, func(key string) interface{} {
-		switch key {
-		case "creator":
-			gotCreatorID = true
-			return &creatorID
-		case "timestamp":
-			gotTimestamp = true
-			return &timestamp
-		default:
-			var ignore interface{}
-			return &ignore
+	// Cosign generates "optional": null if there are no user-specified annotations.
+	if !bytes.Equal(optional, []byte("null")) {
+		if err := ParanoidUnmarshalJSONObject(optional, func(key string) interface{} {
+			switch key {
+			case "creator":
+				gotCreatorID = true
+				return &creatorID
+			case "timestamp":
+				gotTimestamp = true
+				return &timestamp
+			default:
+				var ignore interface{}
+				return &ignore
+			}
+		}); err != nil {
+			return err
 		}
-	}); err != nil {
-		return err
 	}
 	if gotCreatorID {
 		s.UntrustedCreatorID = &creatorID

diff --git a/signature/internal/cosign_payload_test.go b/signature/internal/cosign_payload_test.go
@@ -131,6 +131,15 @@ func TestUntrustedCosignPayloadUnmarshalJSON(t *testing.T) {
 	s = successfullyUnmarshalUntrustedCosignPayload(t, validJSON)
 	assert.Equal(t, validSig, s)
 
+	// A Cosign-generated payload is handled correctly
+	s = successfullyUnmarshalUntrustedCosignPayload(t, []byte(`{"critical":{"identity":{"docker-reference":"192.168.64.2:5000/cosign-signed-multi"},"image":{"docker-manifest-digest":"sha256:43955d6857268cc948ae9b370b221091057de83c4962da0826f9a2bdc9bd6b44"},"type":"cosign container image signature"},"optional":null}`))
+	assert.Equal(t, UntrustedCosignPayload{
+		UntrustedDockerManifestDigest: "sha256:43955d6857268cc948ae9b370b221091057de83c4962da0826f9a2bdc9bd6b44",
+		UntrustedDockerReference:      "192.168.64.2:5000/cosign-signed-multi",
+		UntrustedCreatorID:            nil,
+		UntrustedTimestamp:            nil,
+	}, s)
+
 	// Various ways to corrupt the JSON
 	breakFns := []func(mSI){
 		// A top-level field is missing