-
Notifications
You must be signed in to change notification settings - Fork 546
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
document ImportKeyPair and LoadPrivateKey functions in pkg/cosign #3776
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3776 +/- ##
==========================================
- Coverage 40.10% 37.09% -3.02%
==========================================
Files 155 200 +45
Lines 10044 12280 +2236
==========================================
+ Hits 4028 4555 +527
- Misses 5530 7178 +1648
- Partials 486 547 +61 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need to update LoadPrivateKey
to support keys that are not encoded as PKCS8. Its purpose is to load the password-encrypted key which is expected to be generated with GenerateKeyPair
or ImportKeyPair
, both of which output encrypted PKCS8 encoded keys. Did you have another use case in mind?
Let's update the documentation. As for the TODOs, I agree this should be in an internal package, this isn't meant to be general purpose.
pkg/cosign/keys.go
Outdated
|
||
// given already decrypted blob with x509 encoded private key, try different x509.Parse<*>PrivateKey | ||
// functions to load it. | ||
func parsePrivateKey(key []byte) (crypto.PrivateKey, error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we revert this change, since it should only be for PKCS8 encoded keys?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently ImportKeyPair() in pkg/cosign supports only private keys in PKCS sigstore#8 form. This change extends it to also support PKCS #1 for RSA keys ("RSA PUBLIC KEY") and SEC 1 for EC keys ("EC PRIVATE KEY"). Fix sigstore#3775. Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Summary
Document the
IMportKeyPair
andLoadPrivateKey
functions in the pkg/cosign to explicitly indicate the supported PKCS #8 format.Fix #3775.
Release Note
NONE
Documentation
A godoc function comments added for
ImportKeyPair
andLoadPrivateKey
.