Add support for intermediate certificates when verifiying

[haydentherapper]

This adds an intermediate CA certificate pool to CheckOpts, allowing for
those using the Cosign library to pass intermediate CA certificates to
validate a certificate chain.

Next steps:

• Add an option for specifying chain by command line. I need to look into how --cert is working currently.
• Research if we can add the chain to a Rekor entry too

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Ref #1554

Release Note

Added library support for intermediate CA certificates when verifying
Added support for verifying OCI images with a certificate chain

[haydentherapper]

cc @bburky @dlorenc

[haydentherapper]

Moving to draft, going to work on some of the other TODOs in this PR

[dlorenc]

Nice!

[hectorj2f]

lgtm

[bburky]

This looks good, and is definitely needed as part of validating the chain correctly.

Is the intent to connect this to Chain() in pkg/oci/internal/signature/layer.go? I think all of the certs in the chain annotation can be loaded into co.IntermediateCerts? (the final cert in the chain will be a root, but I think you can provide it as an intermediate for validation purposes, trust in it comes from it being present in co.RootCerts too.)

Edit: I see you mentioned "Include the intermediates from the OCI Chain annotation" in this issue too now. Looks good.

[haydentherapper]

Yep, planning to add that to this PR before moving it out of a draft! Wrote up a document outlining all of the places we need to make updates to support intermediates, feel free to take a look.

[codecov-commenter]

Codecov Report

Merging #1631 (0b30662) into main (2fcf30e) will increase coverage by 0.29%.
The diff coverage is 48.38%.

❗ Current head 0b30662 differs from pull request most recent head 0eee964. Consider uploading reports for the commit 0eee964 to get more accurate results

@@            Coverage Diff             @@
##             main    #1631      +/-   ##
==========================================
+ Coverage   27.97%   28.27%   +0.29%     
==========================================
  Files         137      137              
  Lines        7820     7847      +27     
==========================================
+ Hits         2188     2219      +31     
+ Misses       5403     5387      -16     
- Partials      229      241      +12     

Impacted Files	Coverage Δ
pkg/cosign/verify.go	16.43% <48.38%> (+4.76%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2fcf30e...0eee964. Read the comment docs.

[haydentherapper]

Added support for extracting the chain from the OCI annotation.

[haydentherapper]

@dlorenc @hectorj2f Do y'all have any other comments?

[dlorenc]

The plan in your doc sgtm, thanks! This pr looks good too!

[hectorj2f]

@haydentherapper lgtm, thanks