Use ValidatePubKey from sigstore/sigstore #1676

Merged
merged 1 commit into from
Mar 31, 2022
12 changes: 7 additions & 5 deletions go.mod
Expand Up @@ -27,6 +27,7 @@ require (
github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87
github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
github.com/kelseyhightower/envconfig v1.4.0
github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e
github.com/manifoldco/promptui v0.9.0
github.com/miekg/pkcs11 v1.1.1
github.com/mitchellh/go-homedir v1.1.0
Expand All @@ -37,12 +38,13 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.3.1
github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7
github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3
github.com/sigstore/sigstore v1.1.1-0.20220324220036-a3f98177f3b0
github.com/sigstore/sigstore v1.2.1-0.20220328200116-ef48ee800626
github.com/spf13/cobra v1.4.0
github.com/spf13/viper v1.10.1
github.com/spiffe/go-spiffe/v2 v2.0.0
github.com/stretchr/testify v1.7.1
github.com/theupdateframework/go-tuf v0.0.0-20220211205608-f0c3294f63b9
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
github.com/xanzy/go-gitlab v0.60.0
golang.org/x/net v0.0.0-20220325170049-de3da57026de
golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a
Expand All @@ -51,6 +53,7 @@ require (
golang.org/x/time v0.0.0-20220224211638-0e9765cccd65
google.golang.org/api v0.74.0
gopkg.in/square/go-jose.v2 v2.6.0
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.23.5
k8s.io/apimachinery v0.23.5
k8s.io/client-go v0.23.5
Expand Down Expand Up @@ -128,7 +131,7 @@ require (
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/aws/aws-sdk-go v1.43.24 // indirect
github.com/aws/aws-sdk-go v1.43.27 // indirect
github.com/aws/aws-sdk-go-v2 v1.14.0 // indirect
github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.9.0 // indirect
Expand Down Expand Up @@ -210,7 +213,7 @@ require (
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
github.com/hashicorp/vault/api v1.4.1 // indirect
github.com/hashicorp/vault/api v1.5.0 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
Expand Down Expand Up @@ -238,7 +241,7 @@ require (
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml v1.9.4 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.11.1 // indirect
github.com/prometheus/client_golang v1.12.1 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/statsd_exporter v0.21.0 // indirect
Expand Down Expand Up @@ -302,7 +305,6 @@ require (
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.66.2 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
k8s.io/apiextensions-apiserver v0.23.4 // indirect
k8s.io/gengo v0.0.0-20220307231824-4627b89bbf1b // indirect
180 changes: 169 additions & 11 deletions go.sum

Large diffs are not rendered by default.

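--- a/pkg/cosign/keys.go
+++ b/pkg/cosign/keys.go
@@ -63,35 +63,6 @@ type KeysBytes struct {
 password []byte
 }
 
-// Enforce a minimum and maximum RSA key size.
-func validateRsaKey(pk *rsa.PrivateKey) error {
-// Key size is the bit length of modulus
-keySize := pk.N.BitLen()
-if keySize < 2048 {
-return fmt.Errorf("rsa key size too small, expected >= 2048")
-}
-if keySize > 4096 {
-return fmt.Errorf("rsa key size too large, expected <= 4096")
-}
-return nil
-}
-
-// Enforce that the ECDSA key curve is one of:
-// * NIST P-256 (secp256r1, prime256v1)
-// * NIST P-384
-// * NIST P-521.
-// Other EC curves, like secp256k1, are not supported by Go.
-func validateEcdsaKey(pk *ecdsa.PrivateKey) error {
-switch pk.Curve {
-case elliptic.P224():
-return fmt.Errorf("unsupported ec curve, expected NIST P-256, P-384, or P-521")
-case elliptic.P256(), elliptic.P384(), elliptic.P521():
-return nil
-default:
-return fmt.Errorf("unexpected ec curve")
-}
-}
-
 func GeneratePrivateKey() (*ecdsa.PrivateKey, error) {
 return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 }
@@ -115,7 +86,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 if err != nil {
 return nil, fmt.Errorf("error parsing rsa private key")
 }
-if err = validateRsaKey(rsaPk); err != nil {
+if err = cryptoutils.ValidatePubKey(rsaPk.Public()); err != nil {
 return nil, errors.Wrap(err, "error validating rsa key")
 }
 pk = rsaPk
@@ -124,7 +95,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 if err != nil {
 return nil, fmt.Errorf("error parsing ecdsa private key")
 }
-if err = validateEcdsaKey(ecdsaPk); err != nil {
+if err = cryptoutils.ValidatePubKey(ecdsaPk.Public()); err != nil {
 return nil, errors.Wrap(err, "error validating ecdsa key")
 }
 pk = ecdsaPk
@@ -135,17 +106,19 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 }
 switch k := pkcs8Pk.(type) {
 case *rsa.PrivateKey:
-if err = validateRsaKey(k); err != nil {
+if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
 return nil, errors.Wrap(err, "error validating rsa key")
 }
 pk = k
 case *ecdsa.PrivateKey:
-if err = validateEcdsaKey(k); err != nil {
+if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
 return nil, errors.Wrap(err, "error validating ecdsa key")
 }
 pk = k
 case ed25519.PrivateKey:
-// Nothing to validate, since ED25519 supports only one key size.
+if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
+return nil, errors.Wrap(err, "error validating ed25519 key")
+}
 pk = k
 default:
 return nil, fmt.Errorf("unexpected private key")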
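Review bot: With validateRsaKey and validateEcdsaKey deleted in the first hunk, nothing left in keys.go records what key policy ImportKeyPair enforces; the doc comments on the removed helpers were the only place the 2048–4096-bit RSA bound and the P-256/P-384/P-521 curve allowlist were written down. The updated keys_test.go on this PR shows the RSA bounds survive the move to cryptoutils.ValidatePubKey, but whether the rejection of P-224 and other curves still applies, and what the newly direct go.mod requires letsencrypt/boulder and titanous/rocacheck add (presumably weak-key screening), is not visible here and should be confirmed against the pinned sigstore version. I would add above the `switch k := pkcs8Pk.(type)` line in the last hunk, and mirror it in ImportKeyPair's doc comment, something like `// Key-policy checks (RSA modulus size, permitted EC curves, and any further weak-key screening) are delegated to cryptoutils.ValidatePubKey from sigstore/sigstore; see that package for the rules enforced by the pinned version.` ImportKeyPair itself begins before the hunk.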
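--- a/pkg/cosign/keys_test.go
+++ b/pkg/cosign/keys_test.go
@@ -315,12 +315,12 @@ func TestImportPrivateKey(t *testing.T) {
 {
 fileName: "invalidrsasmallkey.key",
 pemData: invalidrsasmallkey,
-expected: errors.New("error validating rsa key: rsa key size too small, expected >= 2048"),
+expected: errors.New("error validating rsa key: key too small: 1024"),
 },
 {
 fileName: "invalidrsalargekey.key",
 pemData: invalidrsalargekey,
-expected: errors.New("error validating rsa key: rsa key size too large, expected <= 4096"),
+expected: errors.New("error validating rsa key: key too large: 5120 > 4096"),
 },
 // EC tests
 {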
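Review bot: The two new expected values pin the exact wording of errors produced inside sigstore/sigstore's cryptoutils (`key too small: 1024`, `key too large: 5120 > 4096`), so any upstream rewording will break this suite without any behavior change in cosign. Only the `error validating rsa key` prefix is owned by keys.go; matching on that prefix with strings.HasPrefix, or on a sentinel if the library exposes one, would keep the test tied to what this package controls. The comparison itself is outside the hunk, so I cannot tell whether it already does an equality check on Error().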