Allow configurable client signing algorithms#1938
Conversation
Co-authored-by: Alex Cameron <asc@tetsuo.sh> Co-authored-by: Riccardo Schirone <riccardo.schirone@trailofbits.com> Signed-off-by: Alex Cameron <asc@tetsuo.sh> Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
|
cc @haydentherapper |
f046e70 to
5d81096
Compare
5d81096 to
277af89
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1938 +/- ##
==========================================
- Coverage 57.93% 51.80% -6.14%
==========================================
Files 50 73 +23
Lines 3119 5683 +2564
==========================================
+ Hits 1807 2944 +1137
- Misses 1154 2463 +1309
- Partials 158 276 +118 ☔ View full report in Codecov by Sentry. |
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
Hayden-IO
left a comment
There was a problem hiding this comment.
two tiny comments, looks great otherwise, thanks!
Signed-off-by: Riccardo Schirone <riccardo.schirone@trailofbits.com>
| // The proof of possession signature always uses SHA-256, unless the key algorithm is ED25519 | ||
| hashFunc = crypto.SHA256 | ||
| if _, ok := publicKey.(ed25519.PublicKey); ok { | ||
| hashFunc = crypto.Hash(0) | ||
| } |
There was a problem hiding this comment.
I was testing the Cosign changes and I've realized this is not good in general.
Something like this seems to work:
switch pk := publicKey.(type) {
case ed25519.PublicKey:
// Fulcio only works with PureEd25519
hashFunc = crypto.Hash(0)
case *ecdsa.PublicKey:
switch pk.Curve {
case elliptic.P256():
hashFunc = crypto.SHA256
case elliptic.P384():
hashFunc = crypto.SHA384
case elliptic.P521():
hashFunc = crypto.SHA512
default:
hashFunc = crypto.SHA256
}
case *rsa.PublicKey:
hashFunc = crypto.SHA256
default:
hashFunc = crypto.SHA256
}
// Check proof of possession signature
if err := challenges.CheckSignatureWithOpts(publicKey, proofOfPossession, principal.Name(ctx), options.WithHash(hashFunc)); err != nil {
return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidSignature)
}@haydentherapper what do you think about this?
There was a problem hiding this comment.
Is this a breaking change? Currently, it's assumed that the digest is always SHA256 regardless of key type.
Can we work around this and note this as something to correct in a major version bump?
What about other clients as well? -python for example, is it always using sha256? Or has it just so happened that we didn't notice this because only RSA and ECDSA-P256 keys have been used?
There was a problem hiding this comment.
Is this a breaking change? Currently, it's assumed that the digest is always SHA256 regardless of key type.
I guess it is, yes. Right now even if you use a elliptic.P384, you use sha256 so this would break things.
What about other clients as well? -python for example, is it always using sha256? Or has it just so happened that we didn't notice this because only RSA and ECDSA-P256 keys have been used?
sigstore-python always uses sha256 (https://github.com/sigstore/sigstore-python/blob/main/sigstore/sign.py#L158).
Can we work around this and note this as something to correct in a major version bump?
Ok I think we can get away with just enforcing SHA256 when doing SignMessage for the fulcio proof of possesion. We probably need to pay attention to just ed25519 because it would fail in that case, but apart from that it should be good.
Thanks for the feedback!
|
Thank you! |
Summary
This PR adds a --client-signing-algorithms flag to Fulcio to restrict what key/hash combinations are allowed.
Closes #1388
This is based on #1517, but I could not mark it as Ready because done by @tetsuo-cpp .
Release Note
Documentation