sigstore · vaikas · Jun 7, 2022 · Jun 3, 2022 · Jun 6, 2022 · Jun 6, 2022
@@ -125,8 +125,12 @@ spec:
                               properties:
                                 issuer:
                                   type: string
+                                issuerRE:
+                                  type: string
                                 subject:
                                   type: string
+                                subjectRE:
+                                  type: string
                           url:
                             type: string
                       name:

@@ -179,12 +179,17 @@ type ConfigMapReference struct {
 }
 
 // Identity may contain the issuer and/or the subject found in the transparency log.
-// Either field supports a pattern glob.
+// Issuer/Subject uses a strict match, while IssuerRE and SubjectRE apply
+// a regex for matching.
 type Identity struct {
 	// +optional
 	Issuer string `json:"issuer,omitempty"`
 	// +optional
 	Subject string `json:"subject,omitempty"`
+	// +optional
+	IssuerRE string `json:"issuerRE,omitempty"`
+	// +optional
+	SubjectRE string `json:"subjectRE,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

@@ -193,14 +193,14 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if identity.Issuer == "" && identity.Subject == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
+	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRE == "" && identity.SubjectRE == "" {
+		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject", "issuerRE", "subjectRE"))
 	}
-	if identity.Issuer != "" {
-		errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+	if identity.IssuerRE != "" {
+		errs = errs.Also(ValidateRegex(identity.IssuerRE).ViaField("issuerRE"))
 	}
-	if identity.Subject != "" {
-		errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+	if identity.SubjectRE != "" {
+		errs = errs.Also(ValidateRegex(identity.SubjectRE).ViaField("subjectRE"))
 	}
 	return errs
 }

@@ -649,7 +649,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when issuer has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuer\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuerRE\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -660,7 +660,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Issuer: "****"}},
+								Identities: []Identity{{IssuerRE: "****"}},
 							},
 						},
 					},
@@ -670,7 +670,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when subject has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subject\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subjectRE\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -681,7 +681,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: "****"}},
+								Identities: []Identity{{SubjectRE: "****"}},
 							},
 						},
 					},

@@ -179,12 +179,17 @@ type ConfigMapReference struct {
 }
 
 // Identity may contain the issuer and/or the subject found in the transparency log.
-// Either field supports a pattern glob.
+// Issuer/Subject uses a strict match, while IssuerRE and SubjectRE apply
+// a regex for matching.
 type Identity struct {
 	// +optional
 	Issuer string `json:"issuer,omitempty"`
 	// +optional
 	Subject string `json:"subject,omitempty"`
+	// +optional
+	IssuerRE string `json:"issuerRE,omitempty"`
+	// +optional
+	SubjectRE string `json:"subjectRE,omitempty"`
 }
 
 // ClusterImagePolicyList is a list of ClusterImagePolicy resources

@@ -193,14 +193,14 @@ func (p *Policy) Validate(ctx context.Context) *apis.FieldError {
 
 func (identity *Identity) Validate(ctx context.Context) *apis.FieldError {
 	var errs *apis.FieldError
-	if identity.Issuer == "" && identity.Subject == "" {
-		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject"))
+	if identity.Issuer == "" && identity.Subject == "" && identity.IssuerRE == "" && identity.SubjectRE == "" {
+		errs = errs.Also(apis.ErrMissingOneOf("issuer", "subject", "issuerRE", "subjectRE"))
 	}
-	if identity.Issuer != "" {
-		errs = errs.Also(ValidateRegex(identity.Issuer).ViaField("issuer"))
+	if identity.IssuerRE != "" {
+		errs = errs.Also(ValidateRegex(identity.IssuerRE).ViaField("issuerRE"))
 	}
-	if identity.Subject != "" {
-		errs = errs.Also(ValidateRegex(identity.Subject).ViaField("subject"))
+	if identity.SubjectRE != "" {
+		errs = errs.Also(ValidateRegex(identity.SubjectRE).ViaField("subjectRE"))
 	}
 	return errs
 }

@@ -615,7 +615,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when issuer has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuer\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].issuerRE\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -626,7 +626,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Issuer: "****"}},
+								Identities: []Identity{{IssuerRE: "****"}},
 							},
 						},
 					},
@@ -636,7 +636,7 @@ func TestIdentitiesValidation(t *testing.T) {
 		{
 			name:        "Should fail when subject has invalid regex",
 			expectErr:   true,
-			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subject\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
+			errorString: "invalid value: ****: spec.authorities[0].keyless.identities[0].subjectRE\nregex is invalid: error parsing regexp: missing argument to repetition operator: `*`",
 			policy: ClusterImagePolicy{
 				Spec: ClusterImagePolicySpec{
 					Images: []ImagePattern{
@@ -647,7 +647,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: "****"}},
+								Identities: []Identity{{SubjectRE: "****"}},
 							},
 						},
 					},
@@ -666,7 +666,7 @@ func TestIdentitiesValidation(t *testing.T) {
 					Authorities: []Authority{
 						{
 							Keyless: &KeylessRef{
-								Identities: []Identity{{Subject: ".*subject.*", Issuer: ".*issuer.*"}},
+								Identities: []Identity{{SubjectRE: ".*subject.*", IssuerRE: ".*issuer.*"}},
 							},
 						},
 					},

@@ -91,7 +91,7 @@ func validSignatures(ctx context.Context, ref name.Reference, verifier signature
 func validSignaturesWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
 	ids := make([]cosign.Identity, len(identities))
 	for i, id := range identities {
-		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
+		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRE: id.IssuerRE, SubjectRE: id.SubjectRE}
 	}
 	sigs, _, err := cosignVerifySignatures(ctx, ref, &cosign.CheckOpts{
 		RegistryClientOpts: opts,
@@ -118,7 +118,7 @@ func validAttestations(ctx context.Context, ref name.Reference, verifier signatu
 func validAttestationsWithFulcio(ctx context.Context, ref name.Reference, fulcioRoots *x509.CertPool, rekorClient *client.Rekor, identities []v1alpha1.Identity, opts ...ociremote.Option) ([]oci.Signature, error) {
 	ids := make([]cosign.Identity, len(identities))
 	for i, id := range identities {
-		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject}
+		ids[i] = cosign.Identity{Issuer: id.Issuer, Subject: id.Subject, IssuerRE: id.IssuerRE, SubjectRE: id.SubjectRE}
 	}
 
 	attestations, _, err := cosignVerifyAttestations(ctx, ref, &cosign.CheckOpts{

@@ -58,10 +58,13 @@ import (
 )
 
 // Identity specifies an issuer/subject to verify a signature against.
-// Both Issuer/Subject support regexp.
+// Both IssuerRE/SubjectRE support regexp while Issuer/Subject are for strict
+// matching
 type Identity struct {
-	Issuer  string
-	Subject string
+	Issuer    string
+	Subject   string
+	IssuerRE  string
+	SubjectRE string
 }
 
 // CheckOpts are the options for checking signatures.
@@ -224,31 +227,42 @@ func CheckCertificatePolicy(cert *x509.Certificate, co *CheckOpts) error {
 		for _, identity := range co.Identities {
 			issuerMatches := false
 			// Check the issuer first
-			if identity.Issuer != "" {
+			if identity.IssuerRE != "" {
 				issuer := getIssuer(cert)
-				if regex, err := regexp.Compile(identity.Issuer); err != nil {
-					return fmt.Errorf("malformed issuer in identity: %s : %w", identity.Issuer, err)
+				if regex, err := regexp.Compile(identity.IssuerRE); err != nil {
+					return fmt.Errorf("malformed issuer in identity: %s : %w", identity.IssuerRE, err)
 				} else if regex.MatchString(issuer) {
 					issuerMatches = true
 				}
+			} else if identity.Issuer != "" {
+				if identity.Issuer == getIssuer(cert) {
+					issuerMatches = true
+				}
 			} else {
 				// No issuer constraint on this identity, so checks out
 				issuerMatches = true
 			}
 
 			// Then the subject
 			subjectMatches := false
-			if identity.Subject != "" {
-				regex, err := regexp.Compile(identity.Subject)
+			if identity.SubjectRE != "" {
+				regex, err := regexp.Compile(identity.SubjectRE)
 				if err != nil {
-					return fmt.Errorf("malformed subject in identity: %s : %w", identity.Subject, err)
+					return fmt.Errorf("malformed subject in identity: %s : %w", identity.SubjectRE, err)
 				}
 				for _, san := range getSubjectAlternateNames(cert) {
 					if regex.MatchString(san) {
 						subjectMatches = true
 						break
 					}
 				}
+			} else if identity.Subject != "" {
+				for _, san := range getSubjectAlternateNames(cert) {
+					if san == identity.Subject {
+						subjectMatches = true
+						break
+					}
+				}
 			} else {
 				// No subject constraint on this identity, so checks out
 				subjectMatches = true

@@ -652,16 +652,13 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
 		{identities: nil /* No matches required, checks out */},
 		{identities: []Identity{ // Strict match on both
 			{Subject: emailSubject, Issuer: oidcIssuer}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // just issuer
 			{Issuer: oidcIssuer}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // just subject
 			{Subject: emailSubject}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // mis-match
 			{Subject: "wrongsubject", Issuer: oidcIssuer},
 			{Subject: emailSubject, Issuer: "wrongissuer"}},
@@ -670,29 +667,28 @@ func TestValidateAndUnpackCertWithIdentities(t *testing.T) {
 		{identities: []Identity{ // one good identity, other does not match
 			{Subject: "wrongsubject", Issuer: "wrongissuer"},
 			{Subject: emailSubject, Issuer: oidcIssuer}},
-			emailAddresses:   []string{emailSubject},
-			wantErrSubstring: ""},
+			emailAddresses: []string{emailSubject}},
 		{identities: []Identity{ // illegal regex for subject
-			{Subject: "****", Issuer: oidcIssuer}},
+			{SubjectRE: "****", Issuer: oidcIssuer}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: "malformed subject in identity"},
 		{identities: []Identity{ // illegal regex for issuer
-			{Subject: emailSubject, Issuer: "****"}},
+			{Subject: emailSubject, IssuerRE: "****"}},
 			wantErrSubstring: "malformed issuer in identity"},
 		{identities: []Identity{ // regex matches
-			{Subject: ".*example.com", Issuer: ".*accounts.google.*"}},
+			{SubjectRE: ".*example.com", IssuerRE: ".*accounts.google.*"}},
 			emailAddresses:   []string{emailSubject},
 			wantErrSubstring: ""},
 		{identities: []Identity{ // regex matches dnsNames
-			{Subject: ".*ubject.example.com", Issuer: ".*accounts.google.*"}},
+			{SubjectRE: ".*ubject.example.com", IssuerRE: ".*accounts.google.*"}},
 			dnsNames:         dnsSubjects,
 			wantErrSubstring: ""},
 		{identities: []Identity{ // regex matches ip
-			{Subject: "1.2.3.*", Issuer: ".*accounts.google.*"}},
+			{SubjectRE: "1.2.3.*", IssuerRE: ".*accounts.google.*"}},
 			ipAddresses:      ipSubjects,
 			wantErrSubstring: ""},
 		{identities: []Identity{ // regex matches urls
-			{Subject: ".*url.examp.*", Issuer: ".*accounts.google.*"}},
+			{SubjectRE: ".*url.examp.*", IssuerRE: ".*accounts.google.*"}},
 			uris:             uriSubjects,
 			wantErrSubstring: ""},
 	}

@@ -23,7 +23,7 @@ spec:
   - keyless:
       url: http://fulcio.fulcio-system.svc
       identities:
-      - issuer: .*kubernetes.securenamespace.*
-        subject: .*kubernetes.io/namespaces/securenamespace/serviceaccounts/default
+      - issuerRE: .*kubernetes.securenamespace.*
+        subjectRE: .*kubernetes.io/namespaces/securenamespace/serviceaccounts/default
     ctlog:
       url: http://rekor.rekor-system.svc
@@ -23,7 +23,7 @@ spec:
   - keyless:
       url: http://fulcio.fulcio-system.svc
       identities:
-      - issuer: .*kubernetes.default.*
-        subject: .*kubernetes.io/namespaces/default/serviceaccounts/default
+      - issuerRE: .*kubernetes.default.*
+        subjectRE: .*kubernetes.io/namespaces/default/serviceaccounts/default
     ctlog:
       url: http://rekor.rekor-system.svc