Skip to content

Commit

Permalink
Support PKCS1 encoded and non-ECDSA CT log public keys (#1806)
Browse files Browse the repository at this point in the history
* Support PKCS1 encoded CT log public keys

This came up while testing out staging, which uses a PKCS1 encoded
public key. We should be flexible on the supported key format.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* Update comment

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

* Remove requirement that key is ECDSA

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
  • Loading branch information
haydentherapper authored Apr 27, 2022
1 parent 27caa98 commit 9ef6b20
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 15 deletions.
21 changes: 8 additions & 13 deletions cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ package ctl
import (
"context"
"crypto"
"crypto/ecdsa"
"crypto/sha256"
"crypto/x509"
"encoding/json"
Expand Down Expand Up @@ -89,27 +88,23 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error {
return err
}
for _, t := range targets {
pub, err := cryptoutils.UnmarshalPEMToPublicKey(t.Target)
pub, err := getPublicKey(t.Target)
if err != nil {
return err
}
ctPub, ok := pub.(*ecdsa.PublicKey)
if !ok {
return fmt.Errorf("invalid public key: was %T, require *ecdsa.PublicKey", pub)
}
keyID, err := ctutil.GetCTLogID(ctPub)
keyID, err := ctutil.GetCTLogID(pub)
if err != nil {
return errors.Wrap(err, "error getting CTFE public key hash")
}
pubKeys[keyID] = logIDMetadata{ctPub, t.Status}
pubKeys[keyID] = logIDMetadata{pub, t.Status}
}
} else {
fmt.Fprintf(os.Stderr, "**Warning** Using a non-standard public key for verifying SCT: %s\n", rootEnv)
raw, err := os.ReadFile(rootEnv)
if err != nil {
return errors.Wrap(err, "error reading alternate public key file")
}
pubKey, err := getAlternatePublicKey(raw)
pubKey, err := getPublicKey(raw)
if err != nil {
return errors.Wrap(err, "error parsing alternate public key from the file")
}
Expand Down Expand Up @@ -204,9 +199,9 @@ func VerifyEmbeddedSCT(ctx context.Context, chain []*x509.Certificate) error {
}

// Given a byte array, try to construct a public key from it.
// Will try first to see if it's PEM formatted, if not, then it will
// try to parse it as der publics, and failing that
func getAlternatePublicKey(in []byte) (crypto.PublicKey, error) {
// Supports PEM encoded public keys, falling back to DER. Supports
// PKIX and PKCS1 encoded keys.
func getPublicKey(in []byte) (crypto.PublicKey, error) {
var pubKey crypto.PublicKey
var err error
var derBytes []byte
Expand All @@ -222,7 +217,7 @@ func getAlternatePublicKey(in []byte) (crypto.PublicKey, error) {
// Try using the PKCS1 before giving up.
pubKey, err = x509.ParsePKCS1PublicKey(derBytes)
if err != nil {
return nil, errors.Wrap(err, "failed to parse alternate public key")
return nil, errors.Wrap(err, "failed to parse CT log public key")
}
}
return pubKey, nil
Expand Down
4 changes: 2 additions & 2 deletions cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ import (
"github.com/sigstore/sigstore/pkg/cryptoutils"
)

func TestGetAlternatePublicKey(t *testing.T) {
func TestGetPublicKey(t *testing.T) {
wd, err := os.Getwd()
if err != nil {
t.Fatalf("Failed to get cwd: %v", err)
Expand All @@ -58,7 +58,7 @@ func TestGetAlternatePublicKey(t *testing.T) {
if err != nil {
t.Fatalf("Failed to read testfile %s : %v", tc.file, err)
}
got, err := getAlternatePublicKey(bytes)
got, err := getPublicKey(bytes)
switch {
case err == nil && tc.wantErrSub != "":
t.Errorf("Wanted Error for %s but got none", tc.file)
Expand Down

0 comments on commit 9ef6b20

Please sign in to comment.