Cosign Certificate Chain Validation Vulnerability Allowing Signature Verification with Expired CA Certificates

Vulnerability

A vulnerability exists in Cosign, a tool for code signing and transparency in containers and binaries, in versions through 3.0.4. The issue arises during the verification of artifact signatures with certificates. Cosign incorrectly validates issuing certificates that expire before the leaf certificate, so a signature can be accepted at a signed timestamp at which an issuing CA had already expired. This flaw can lead to the acceptance of signatures that should be invalid, particularly in private deployments with customized public key infrastructures (PKIs).

Impact

This vulnerability can cause signatures to be incorrectly validated, allowing artifacts to be considered signed when they should not be, due to expired certificates in the issuing chain.

Reproduction

To reproduce this vulnerability, create a certificate chain where the root CA is valid from 12pm to 2pm, the intermediate CA from 12:30pm to 1:30pm, and the leaf certificate from 1pm to 3pm. Generate a signature at 2:30pm with a signed timestamp. During verification, Cosign checks the chain at the leaf certificate's 'not before' time (1pm), when every certificate in the chain was still valid, and does not re-check the root and intermediate CAs at the 2:30pm timestamp, at which both had expired. The signature is therefore accepted when it should be rejected.

Remediation

Users should upgrade to Cosign version 3.0.5, which addresses this vulnerability by ensuring that the entire certificate chain is validated against the appropriate timestamps.
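The following Go program is an added illustration of the reproduction steps and of the remediation; it is not Cosign's own code. It builds the three-tier chain with the validity windows given above using Go's crypto/x509, then contrasts a simplified model of the flawed check (chain walked at the leaf's 'not before' time, timestamp compared to the leaf alone) with a check that validates every certificate at the signed timestamp. The reference date, the names BuildAdvisoryChain, VulnerableVerify and FixedVerify, and the certificate subjects are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the three-tier PKI from the advisory's reproduction steps.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// day is a constructed reference date; only the clock times from the advisory matter.
var day = time.Date(2026, time.January, 1, 0, 0, 0, 0, time.UTC)

func clock(h, m int) time.Time {
	return day.Add(time.Duration(h)*time.Hour + time.Duration(m)*time.Minute)
}

var serial int64

// issue creates a certificate signed by parent (self-signed when parent is nil).
func issue(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	signer, signerKey := tmpl, key // self-signed root
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildAdvisoryChain reproduces the validity windows from the advisory (root 12pm-2pm,
// intermediate 12:30pm-1:30pm, leaf 1pm-3pm) and returns the 2:30pm signing time.
func BuildAdvisoryChain() (Chain, time.Time, error) {
	root, rootKey, err := issue("root", clock(12, 0), clock(14, 0), true, nil, nil)
	if err != nil {
		return Chain{}, time.Time{}, err
	}
	inter, interKey, err := issue("intermediate", clock(12, 30), clock(13, 30), true, root, rootKey)
	if err != nil {
		return Chain{}, time.Time{}, err
	}
	leaf, _, err := issue("leaf", clock(13, 0), clock(15, 0), false, inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}, clock(14, 30), err
}

// verifyChainAt asks crypto/x509 to validate every certificate in the chain at time t;
// an expired intermediate or root at t yields an expiry error even if the leaf is valid.
func verifyChainAt(c Chain, t time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// VulnerableVerify models the flawed behaviour described in the advisory: the signed
// timestamp is compared to the leaf alone, and the chain is walked at the leaf's NotBefore,
// when every CA was still valid. (Simplified model, not Cosign's code.)
func VulnerableVerify(c Chain, sigTime time.Time) error {
	if sigTime.Before(c.Leaf.NotBefore) || sigTime.After(c.Leaf.NotAfter) {
		return fmt.Errorf("signed timestamp %v outside leaf validity", sigTime)
	}
	return verifyChainAt(c, c.Leaf.NotBefore)
}

// FixedVerify validates the whole chain at the signed timestamp, as the remediation requires.
func FixedVerify(c Chain, sigTime time.Time) error {
	return verifyChainAt(c, sigTime)
}

func main() {
	c, sigTime, err := BuildAdvisoryChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable:", VulnerableVerify(c, sigTime)) // <nil>: accepted despite expired CAs
	fmt.Println("fixed:", FixedVerify(c, sigTime))           // x509 expiry error: rejected
}
```

Running the program shows the vulnerable model returning no error for the 2:30pm signature, while the fixed check reports the chain as expired because the intermediate (valid until 1:30pm) and root (valid until 2pm) are checked at the signing time rather than at the leaf's 'not before'.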

Added: Feb 19, 2026, 11:27 PM
Updated: Feb 19, 2026, 11:27 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.