Skip to content

Commit

Permalink
Use ValidatePubKey from sigstore/sigstore
Browse files Browse the repository at this point in the history
This improves RSA, ECDSA, and ED25519 (no-op) validation for imported keys.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
  • Loading branch information
haydentherapper committed Mar 31, 2022
1 parent ac682db commit 52b3dc1
Show file tree
Hide file tree
Showing 52 changed files with 10,524 additions and 570 deletions.
15 changes: 10 additions & 5 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,9 @@ require (
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.3
github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87
github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
github.com/jmhodges/clock v0.0.0-20160418191101-880ee4c33548
github.com/kelseyhightower/envconfig v1.4.0
github.com/letsencrypt/boulder v0.0.0-20220322173223-dd8be8d7b02c
github.com/manifoldco/promptui v0.9.0
github.com/miekg/pkcs11 v1.1.1
github.com/mitchellh/go-homedir v1.1.0
Expand All @@ -37,12 +39,13 @@ require (
github.com/secure-systems-lab/go-securesystemslib v0.3.1
github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7
github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3
github.com/sigstore/sigstore v1.1.1-0.20220324220036-a3f98177f3b0
github.com/sigstore/sigstore v1.2.1-0.20220328200116-ef48ee800626
github.com/spf13/cobra v1.4.0
github.com/spf13/viper v1.10.1
github.com/spiffe/go-spiffe/v2 v2.0.0
github.com/stretchr/testify v1.7.1
github.com/theupdateframework/go-tuf v0.0.0-20220211205608-f0c3294f63b9
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
github.com/xanzy/go-gitlab v0.60.0
golang.org/x/net v0.0.0-20220325170049-de3da57026de
golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a
Expand All @@ -51,6 +54,7 @@ require (
golang.org/x/time v0.0.0-20220224211638-0e9765cccd65
google.golang.org/api v0.74.0
gopkg.in/square/go-jose.v2 v2.6.0
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.23.5
k8s.io/apimachinery v0.23.5
k8s.io/client-go v0.23.5
Expand Down Expand Up @@ -128,7 +132,7 @@ require (
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
github.com/aws/aws-sdk-go v1.43.24 // indirect
github.com/aws/aws-sdk-go v1.43.27 // indirect
github.com/aws/aws-sdk-go-v2 v1.14.0 // indirect
github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect
github.com/aws/aws-sdk-go-v2/credentials v1.9.0 // indirect
Expand Down Expand Up @@ -210,7 +214,7 @@ require (
github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
github.com/hashicorp/vault/api v1.4.1 // indirect
github.com/hashicorp/vault/api v1.5.0 // indirect
github.com/imdario/mergo v0.3.12 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect
github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
Expand Down Expand Up @@ -238,7 +242,7 @@ require (
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml v1.9.4 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/prometheus/client_golang v1.11.1 // indirect
github.com/prometheus/client_golang v1.12.1 // indirect
github.com/prometheus/client_model v0.2.0 // indirect
github.com/prometheus/common v0.32.1 // indirect
github.com/prometheus/statsd_exporter v0.21.0 // indirect
Expand Down Expand Up @@ -302,11 +306,12 @@ require (
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.66.2 // indirect
gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
k8s.io/apiextensions-apiserver v0.23.4 // indirect
k8s.io/gengo v0.0.0-20220307231824-4627b89bbf1b // indirect
k8s.io/klog/v2 v2.60.1-0.20220317184644-43cc75f9ae89 // indirect
sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
)

replace github.com/letsencrypt/boulder v0.0.0-20220322173223-dd8be8d7b02c => github.com/cpanato/boulder v0.0.0-20220331091241-d354056fcaf9
178 changes: 167 additions & 11 deletions go.sum

Large diffs are not rendered by default.

41 changes: 7 additions & 34 deletions pkg/cosign/keys.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,35 +63,6 @@ type KeysBytes struct {
password []byte
}

// Enforce a minimum and maximum RSA key size.
func validateRsaKey(pk *rsa.PrivateKey) error {
// Key size is the bit length of modulus
keySize := pk.N.BitLen()
if keySize < 2048 {
return fmt.Errorf("rsa key size too small, expected >= 2048")
}
if keySize > 4096 {
return fmt.Errorf("rsa key size too large, expected <= 4096")
}
return nil
}

// Enforce that the ECDSA key curve is one of:
// * NIST P-256 (secp256r1, prime256v1)
// * NIST P-384
// * NIST P-521.
// Other EC curves, like secp256k1, are not supported by Go.
func validateEcdsaKey(pk *ecdsa.PrivateKey) error {
switch pk.Curve {
case elliptic.P224():
return fmt.Errorf("unsupported ec curve, expected NIST P-256, P-384, or P-521")
case elliptic.P256(), elliptic.P384(), elliptic.P521():
return nil
default:
return fmt.Errorf("unexpected ec curve")
}
}

func GeneratePrivateKey() (*ecdsa.PrivateKey, error) {
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
Expand All @@ -115,7 +86,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
if err != nil {
return nil, fmt.Errorf("error parsing rsa private key")
}
if err = validateRsaKey(rsaPk); err != nil {
if err = cryptoutils.ValidatePubKey(rsaPk.Public()); err != nil {
return nil, errors.Wrap(err, "error validating rsa key")
}
pk = rsaPk
Expand All @@ -124,7 +95,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
if err != nil {
return nil, fmt.Errorf("error parsing ecdsa private key")
}
if err = validateEcdsaKey(ecdsaPk); err != nil {
if err = cryptoutils.ValidatePubKey(ecdsaPk.Public()); err != nil {
return nil, errors.Wrap(err, "error validating ecdsa key")
}
pk = ecdsaPk
Expand All @@ -135,17 +106,19 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
}
switch k := pkcs8Pk.(type) {
case *rsa.PrivateKey:
if err = validateRsaKey(k); err != nil {
if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
return nil, errors.Wrap(err, "error validating rsa key")
}
pk = k
case *ecdsa.PrivateKey:
if err = validateEcdsaKey(k); err != nil {
if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
return nil, errors.Wrap(err, "error validating ecdsa key")
}
pk = k
case ed25519.PrivateKey:
// Nothing to validate, since ED25519 supports only one key size.
if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
return nil, errors.Wrap(err, "error validating ed25519 key")
}
pk = k
default:
return nil, fmt.Errorf("unexpected private key")
Expand Down
4 changes: 2 additions & 2 deletions pkg/cosign/keys_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -315,12 +315,12 @@ func TestImportPrivateKey(t *testing.T) {
{
fileName: "invalidrsasmallkey.key",
pemData: invalidrsasmallkey,
expected: errors.New("error validating rsa key: rsa key size too small, expected >= 2048"),
expected: errors.New("error validating rsa key: key too small: 1024"),
},
{
fileName: "invalidrsalargekey.key",
pemData: invalidrsalargekey,
expected: errors.New("error validating rsa key: rsa key size too large, expected <= 4096"),
expected: errors.New("error validating rsa key: key too large: 5120 > 4096"),
},
// EC tests
{
Expand Down
Loading

0 comments on commit 52b3dc1

Please sign in to comment.