feat: add support for additional transparency log key types#197
feat: add support for additional transparency log key types#197Hayden-IO merged 5 commits intosigstore:mainfrom
Conversation
Hayden-IO
left a comment
There was a problem hiding this comment.
Thanks! Can you add tests for this?
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
a50d01f to
034e5ba
Compare
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
|
@haydentherapper added the changes, please let me know if this is okay. sorry for the delay on this, I was working on other things (btw, we also added support for sigstore bundle verification in Kyverno, it will be a part of the next release) |
Hayden-IO
left a comment
There was a problem hiding this comment.
Thanks for making these updates! A few comments on reducing the number of supported algorithms and updating the digest.
| case protocommon.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, | ||
| protocommon.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, | ||
| protocommon.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512, | ||
| protocommon.PublicKeyDetails_PKIX_ECDSA_P256_HMAC_SHA_256: //nolint:staticcheck |
There was a problem hiding this comment.
We don't need to support PublicKeyDetails_PKIX_ECDSA_P256_HMAC_SHA_256, we've marked this as deprecated.
| BaseURL: tlog.GetBaseUrl(), | ||
| ID: tlog.GetLogId().GetKeyId(), | ||
| HashFunc: hashFunc, | ||
| SignatureHashFunc: crypto.SHA256, |
There was a problem hiding this comment.
The signature hash algorithm will differ depending on the signature scheme. I'd recommend a function like https://github.com/slsa-framework/slsa-verifier/blob/d96b9777090694fa5096ee1b9c710a46b5a66f5e/cli/slsa-verifier/verify/verify_vsa.go#L95-L117 to handle the mapping
tldr - RSA can always be SHA256, ECDSA P256 and P384 should be SHA256, P521 SHA512, and ed25519 is SHA512.
| case protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256, | ||
| protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256, | ||
| protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, | ||
| protocommon.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256, |
There was a problem hiding this comment.
We can skip support for PSS, that would require also changing how we call LoadVerifier, which would require conditionally adding an option to use PSS over PKCS1v1.5. Given loading this verifier is in another package, it'd be a bit too much refactoring to try to connect these for not much gain.
There was a problem hiding this comment.
I have removed PKIX-PSS but I havent removed PKIX-PKCS1v1.5
| return nil, fmt.Errorf("tlog public key is not RSA: %s", tlog.GetPublicKey().GetKeyDetails()) | ||
| } | ||
| tlogEntry.PublicKey = rsaKey | ||
| case protocommon.PublicKeyDetails_PKIX_ED25519, protocommon.PublicKeyDetails_PKIX_ED25519_PH: //nolint:staticcheck |
There was a problem hiding this comment.
Same here, we can skip PKIX_ED25519_PH, the prehash variant of ed25519 isn't needed, and it would require making changes to LoadVerifier.
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Summary
Closes: #65
Adds support for transparency log keys with RSA, other ECDSA curves, and ed25519
Release Note
Documentation