cosign
FR: BYO PKI Revocation: CA-issued cert
Description
In a Bring Your Own PKI scenario, a user may want to specify a CRL file (in addition to a fullchain file) that can be used to check whether the certificate embedded in a signature artifact has been revoked. This could be done by passing in a --crl switch or environment variable? Something like the following:
COSIGN_EXPERIMENTAL=1 \
SIGSTORE_ROOT_FILE=./your/fullchain.pem \
cosign verify --rekor-url="" --crl ./your/crl.pem repo/someImage:someTag
My target scenario assumes the CA (and intermediate CAs) are trusted, but the signing key/cert is revoked; in which case a --crl type of option, which allows a user to opt into that CRL-aware behavior, could act accordingly. With a correct CA chain & current CRL, they should then be able to distrust the signing certificate that is baked into an existing signature artifact.
Thinking of this from an OpenSSL primitives perspective, we'd 1) create the store with CA certs, 2) add CRLs to the store, 3) create the certificate context from the cert stored on the artifact, and 4) see the certificate context fail to validate due to the CRL.
Since it's a Bring Your Own PKI situation, questions about the distribution/maintenance of CRL files are outside the scope of cosign.
This concept builds off of workflows noted in #1554
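The four-step check sketched above, as an added Go example that is not cosign's code (the names verifyWithCRL and Fixture are hypothetical, and the CA, leaf and CRL are generated in memory as constructed test data): trust only the supplied roots, require a CRL signed by the leaf's issuer that is still inside its NextUpdate window, then refuse a leaf whose serial the CRL lists.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyWithCRL: build trust from roots, require a current CRL signed by the leaf's issuer, reject a listed serial.
func verifyWithCRL(leaf *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return fmt.Errorf("crl signature: %w", err)
	}
	if now.After(crl.NextUpdate) { // a stale CRL must not be read as "nothing revoked"
		return fmt.Errorf("crl stale since %s", crl.NextUpdate.UTC())
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %s revoked at %s", leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}
// Fixture builds a throwaway CA, a leaf it signed and a CRL that lists that leaf (constructed test data).
func Fixture() error {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER) // the parsed copy carries the SubjectKeyId a CRL issuer must have
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "signer"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	crlDER, _ := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate: now.Add(time.Hour), RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}}, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	return verifyWithCRL(leaf, roots, crl, now)
}
```

Because the error is raised only after the chain and the CRL signature were accepted, a "revoked" result shows the rejection came from the CRL entry rather than from a broken chain.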
Unfortunately the 1.19.4 version is no longer maintained. You will need to upgrade to a modern version.