Support PKCS1 encoded and non-ECDSA CT log public keys #1806

merged 3 commits into from Apr 27, 2022
12 changes: 6 additions & 6 deletions cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
Expand Up @@ -89,7 +89,7 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error {
return err
}
for _, t := range targets {
pub, err := cryptoutils.UnmarshalPEMToPublicKey(t.Target)
pub, err := getPublicKey(t.Target)
if err != nil {
return err
}
Expand All @@ -109,7 +109,7 @@ func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error {
if err != nil {
return errors.Wrap(err, "error reading alternate public key file")
}
pubKey, err := getAlternatePublicKey(raw)
pubKey, err := getPublicKey(raw)
if err != nil {
return errors.Wrap(err, "error parsing alternate public key from the file")
}
Expand Down Expand Up @@ -204,9 +204,9 @@ func VerifyEmbeddedSCT(ctx context.Context, chain []*x509.Certificate) error {
}

// Given a byte array, try to construct a public key from it.
// Will try first to see if it's PEM formatted, if not, then it will
// try to parse it as der publics, and failing that
func getAlternatePublicKey(in []byte) (crypto.PublicKey, error) {
// Supports PEM encoded public keys, falling back to DER. Supports
// PKIX and PKCS1 encoded keys.
func getPublicKey(in []byte) (crypto.PublicKey, error) {
var pubKey crypto.PublicKey
var err error
var derBytes []byte
Expand All @@ -222,7 +222,7 @@ func getAlternatePublicKey(in []byte) (crypto.PublicKey, error) {
// Try using the PKCS1 before giving up.
pubKey, err = x509.ParsePKCS1PublicKey(derBytes)
if err != nil {
return nil, errors.Wrap(err, "failed to parse alternate public key")
return nil, errors.Wrap(err, "failed to parse CT log public key")
}
}
return pubKey, nil
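Review bot: The doc comment placed on getPublicKey in the last hunk does not start with the function name as Go doc convention expects, and it omits that the PKCS1 fallback can only produce RSA keys; suggest `// getPublicKey parses a CT log public key from PEM or raw DER bytes,` / `// trying PKIX (SubjectPublicKeyInfo) first and falling back to PKCS#1,` / `// which only yields *rsa.PublicKey.` The error returned after ParsePKCS1PublicKey reports only that failure, so presumably the earlier PKIX parse error is discarded; if it is still held in a local, wrapping both would make a malformed key easier to diagnose. The middle of getPublicKey lies between the two hunks and is not visible here. In the first hunk the new getPublicKey call returns the error bare while the call in the second hunk wraps it with context; a wrap such as `return errors.Wrap(err, "error parsing CT log public key from TUF target")` would keep the two call sites consistent.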
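--- a/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify_test.go
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify_test.go
@@ -33,7 +33,7 @@ import (
 "github.com/sigstore/sigstore/pkg/cryptoutils"
 )
 
-func TestGetAlternatePublicKey(t *testing.T) {
+func TestGetPublicKey(t *testing.T) {
 wd, err := os.Getwd()
 if err != nil {
 t.Fatalf("Failed to get cwd: %v", err)
@@ -58,7 +58,7 @@ func TestGetAlternatePublicKey(t *testing.T) {
 if err != nil {
 t.Fatalf("Failed to read testfile %s : %v", tc.file, err)
 }
-got, err := getAlternatePublicKey(bytes)
+got, err := getPublicKey(bytes)
 switch {
 case err == nil && tc.wantErrSub != "":
 t.Errorf("Wanted Error for %s but got none", tc.file)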