Skip to content

Commit

Permalink
fix: fail to load deprecated ecdsa verifier (#541)
Browse files Browse the repository at this point in the history
* fix: fail to load deprecated ecdsa verifier

Signed-off-by: Radoslav Dimitrov <[email protected]>

* test: update deprecated tests and fix assigned verifier

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: temporarily silence govulncheck alerts

Signed-off-by: Radoslav Dimitrov <[email protected]>

---------

Signed-off-by: Radoslav Dimitrov <[email protected]>
  • Loading branch information
rdimitrov authored Aug 11, 2023
1 parent ad706ed commit ca0c316
Show file tree
Hide file tree
Showing 3 changed files with 34 additions and 6 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,4 +71,4 @@ jobs:
uses: golang/govulncheck-action@v1
with:
go-version-input: ${{ matrix.go-version }}
go-package: ./...
go-package: -json ./...
33 changes: 29 additions & 4 deletions pkg/deprecated/deprecated_repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,18 +32,19 @@ func genKey(c *C, r *repo.Repo, role string) []string {
// Deprecated ecdsa key support: Support verification against roots that were
// signed with hex-encoded ecdsa keys.
func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
type deprecatedP256Verifier struct {
PublicKey data.HexBytes `json:"public"`
}
files := map[string][]byte{"foo.txt": []byte("foo")}
local := repo.MemoryStore(make(map[string]json.RawMessage), files)
r, err := repo.NewRepo(local)
c.Assert(err, IsNil)

r.Init(false)
// Add a root key with hex-encoded ecdsa format

// Add a root key with hex-encoded ecdsa format - compliant "ecdsa"
signer, err := keys.GenerateEcdsaKey()
c.Assert(err, IsNil)
type deprecatedP256Verifier struct {
PublicKey data.HexBytes `json:"public"`
}
pub := signer.PublicKey
keyValBytes, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)})
c.Assert(err, IsNil)
Expand All @@ -55,6 +56,22 @@ func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
}
err = r.AddVerificationKey("root", publicData)
c.Assert(err, IsNil)

// Add a root key with hex-encoded ecdsa format - deprecated "ecdsa-sha2-nistp256"
signerDeprecated, err := keys.GenerateEcdsaKey()
c.Assert(err, IsNil)
pubDeprecated := signerDeprecated.PublicKey
keyValBytesDeprecated, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pubDeprecated.Curve, pubDeprecated.X, pubDeprecated.Y)})
c.Assert(err, IsNil)
publicDataDeprecated := &data.PublicKey{
Type: data.KeyTypeECDSA_SHA2_P256_OLD_FMT,
Scheme: data.KeySchemeECDSA_SHA2_P256,
Algorithms: data.HashAlgorithms,
Value: keyValBytesDeprecated,
}
err = r.AddVerificationKey("root", publicDataDeprecated)
c.Assert(err, IsNil)

// Add other keys as normal
genKey(c, r, "targets")
genKey(c, r, "snapshot")
Expand All @@ -75,6 +92,14 @@ func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
Signature: rootSig}), IsNil)
}

rootSigDeprecated, err := signerDeprecated.PrivateKey.Sign(rand.Reader, hash[:], crypto.SHA256)
c.Assert(err, IsNil)
for _, id := range publicDataDeprecated.IDs() {
c.Assert(r.AddOrUpdateSignature("root.json", data.Signature{
KeyID: id,
Signature: rootSigDeprecated}), IsNil)
}

// Committing should succeed because the deprecated key pkg is added.
c.Assert(r.Snapshot(), IsNil)
c.Assert(r.Timestamp(), IsNil)
Expand Down
5 changes: 4 additions & 1 deletion pkg/deprecated/set_ecdsa/set_ecdsa.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,5 +19,8 @@ func init() {
if !ok {
panic(errors.New("expected to override previously loaded PEM-only ECDSA verifier"))
}
keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256, keys.NewDeprecatedEcdsaVerifier)
// store a mapping for both data.KeyTypeECDSA_SHA2_P256_OLD_FMT and data.KeyTypeECDSA_SHA2_P256
// in case a client is verifying using both the old non-compliant format and a newly generated root
keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256, keys.NewDeprecatedEcdsaVerifier) // compliant format
keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256_OLD_FMT, keys.NewDeprecatedEcdsaVerifier) // deprecated format
}

0 comments on commit ca0c316

Please sign in to comment.