Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GPG public key schemas are incompatible with both TUF and in-toto specifications #450

Closed
jku opened this issue Oct 28, 2022 · 3 comments · Fixed by #488
Closed

GPG public key schemas are incompatible with both TUF and in-toto specifications #450

jku opened this issue Oct 28, 2022 · 3 comments · Fixed by #488

Comments

@jku
Copy link
Collaborator

jku commented Oct 28, 2022
edited
Loading

Example:

        {
            "hashes": [
                "pgp+SHA2"
            ],
            "keyid": "7b3abb26b97b655ab9296bd15b0bd02e1c768c43",
            "keyval": {
                "private": "",
                "public": {
                    "e": "010001",
                    "n": "e9ad391502ae32bd4fcc41a0f9970f8901ed6ad1c5c128c02add22721cdc22318b64bec9f9467b6949b19fc2e98ce41906125ad45d0b138f1ad6c5da7bde38092d9e3e697ce8b8373b150b57342dd921d634b873f258f5c15559b52921fa4bb7f482ec43a1c85c3385bd520cedbdc16b2524a64aecf32ac5690e6dd4ee0210a975e1b6c5af164ea69ca64533422432070511068730594793885567bb8f7cffacf6eb5ffdc640e898e599579b21b15e497f5c052112c5fdf7974e7056cd1564fe84f207cb946d1efc521e5031299e6275936e6f9464a735bd4edc8e0cde3fe5b1bf6d3bc1ed12993b865d8fcb9d9a2b2ef2df30cb7f0ab4c0dea819ea017ff195"
                }
            },
            "method": "pgp+rsa-pkcsv1.5",
            "type": "rsa"
        }

and the schemas it uses:

GPG_RSA_PUBKEYVAL_SCHEMA = SCHEMA.Object(
    object_name="GPG_RSA_PUBKEYVAL_SCHEMA", e=SCHEMA.AnyString(), n=HEX_SCHEMA
)
_GPG_RSA_PUBKEY_SCHEMA = SCHEMA.Object(
    object_name="GPG_RSA_PUBKEY_SCHEMA",
    type=SCHEMA.String("rsa"),
    method=SCHEMA.String(GPG_RSA_PUBKEY_METHOD_STRING),
    hashes=SCHEMA.ListOf(SCHEMA.String(GPG_HASH_ALGORITHM_STRING)),
    creation_time=SCHEMA.Optional(UNIX_TIMESTAMP_SCHEMA),
    validity_period=SCHEMA.Optional(SCHEMA.Integer(lo=0)),
    keyid=KEYID_SCHEMA,
    keyval=SCHEMA.Object(
        public=GPG_RSA_PUBKEYVAL_SCHEMA, private=SCHEMA.String("")
    ),
)

This contradicts with the "rsa" type defined in both TUF and in-toto specifications (which define keyval.public as a PEM string). These keys work in in-toto because there's code in in-toto that uses a schema check to figure out which verify function to call, but the metadata is still not spec compliant, and would be impossible for another implementation to use without reverse engineering the reference implementation.
@JustinCappos
Copy link

Ouch. Thanks for catching this.

@jku jku mentioned this issue Oct 31, 2022
Closed
@lukpueh
Copy link
Member

lukpueh commented Nov 2, 2022

Thanks for pointing out the spec incompatibility aspect of this!

#308 already documents the different key metadata formats in tuf and in-toto, and suggests, among other things, to consolidate ['keyval'] values (see e.g. serialized rsa PEM vs. non-serialized rsa numbers).

@lukpueh
Copy link
Member

lukpueh commented Nov 2, 2022

in-toto/specification#33 discusses other spec - implementation inconsistencies of the public key metadata format.

This does not fix the current issue of incompatibility with python-tuf, but I think the correct way is to detach the key and signature format from the specification, and document it as part of an implementation.

@lukpueh lukpueh mentioned this issue Dec 16, 2022
Merged
6 tasks
This was referenced Jan 17, 2023
Merged
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add GPGKey and use with GPGSigner lukpueh/securesystemslib
3 participants
@jku @lukpueh @JustinCappos