handle RSA keys in truste_root.json (#1072)
Signed-off-by: Brian DeHamer <[email protected]>
bdehamer authored Mar 15, 2024
1 parent a15a575 commit 46caed8
Showing 6 changed files with 51 additions and 10 deletions.
5 changes: 5 additions & 0 deletions .changeset/silent-bugs-explain.md
@@ -0,0 +1,5 @@
---
"@sigstore/verify": patch
---

Fix bug related to loading RSA keys from the trusted key material
5 changes: 5 additions & 0 deletions .changeset/three-rats-sleep.md
@@ -0,0 +1,5 @@
---
"@sigstore/core": minor
---

Update `createPublicKey` to support both "spki" and "pkcs1" key types
7 changes: 5 additions & 2 deletions packages/core/src/crypto.ts
Expand Up @@ -18,11 +18,14 @@ export type { KeyObject } from 'crypto';

const SHA256_ALGORITHM = 'sha256';

export function createPublicKey(key: string | Buffer): crypto.KeyObject {
export function createPublicKey(
key: string | Buffer,
type: 'spki' | 'pkcs1' = 'spki'
): crypto.KeyObject {
if (typeof key === 'string') {
return crypto.createPublicKey(key);
} else {
return crypto.createPublicKey({ key, format: 'der', type: 'spki' });
return crypto.createPublicKey({ key, format: 'der', type: type });
}
}

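Review bot: The new `type` parameter is ignored on the string branch of `createPublicKey` (the PEM case on the two lines after the signature), so a caller passing `'pkcs1'` together with a PEM string gets whatever Node infers from the PEM header. That is presumably intended, since a PEM block is self-describing ("BEGIN RSA PUBLIC KEY" versus "BEGIN PUBLIC KEY"), but nothing in the signature says so and the two call shapes now behave differently. I would add a TSDoc block above the signature stating that PEM strings are parsed as-is and that `type` selects the DER structure ('spki' SubjectPublicKeyInfo or 'pkcs1' RSAPublicKey) only for Buffer input. The object literal can also use property shorthand: `return crypto.createPublicKey({ key, format: 'der', type });`.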
16 changes: 16 additions & 0 deletions packages/verify/src/__tests__/__fixtures__/trust.ts
Expand Up @@ -76,6 +76,22 @@ const trustedRootJSON = {
},
],
ctlogs: [
{
baseUrl: 'https://ctfe.sigstage.dev/test',
hashAlgorithm: 'SHA2_256',
publicKey: {
rawBytes:
'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',
keyDetails: 'PKCS1_RSA_PKCS1V5',
validFor: {
start: '2021-03-14T00:00:00.000Z',
end: '2022-07-31T00:00:00.000Z',
},
},
logId: {
keyId: 'G3wUKk6ZK6ffHh/FdCRUE2wVekyzHEEIpSG4savnv0w=',
},
},
{
baseUrl: 'https://ctfe.sigstore.dev/test',
hashAlgorithm: 'SHA2_256',
2 changes: 1 addition & 1 deletion packages/verify/src/__tests__/trust/index.test.ts
Expand Up @@ -24,7 +24,7 @@ describe('toTrustMaterial', () => {
expect(result.certificateAuthorities).toHaveLength(2);
expect(result.timestampAuthorities).toHaveLength(1);
expect(result.tlogs).toHaveLength(1);
expect(result.ctlogs).toHaveLength(2);
expect(result.ctlogs).toHaveLength(3);

expect(() => result.publicKey('FOO')).toThrowWithCode(
VerificationError,
26 changes: 19 additions & 7 deletions packages/verify/src/trust/index.ts
Expand Up @@ -14,12 +14,12 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
import { X509Certificate, crypto } from '@sigstore/core';

import type {
CertificateAuthority,
PublicKey,
TransparencyLogInstance,
TrustedRoot,
import {
PublicKeyDetails,
type CertificateAuthority,
type PublicKey,
type TransparencyLogInstance,
type TrustedRoot,
} from '@sigstore/protobuf-specs';
import { VerificationError } from '../error';
import type {
Expand Down Expand Up @@ -60,9 +60,21 @@ export function toTrustMaterial(
function createTLogAuthority(
tlogInstance: TransparencyLogInstance
): TLogAuthority {
const keyDetails = tlogInstance.publicKey!.keyDetails;
const keyType =
keyDetails === PublicKeyDetails.PKCS1_RSA_PKCS1V5 ||
keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V5 ||
keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256 ||
keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256 ||
keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256
? 'pkcs1'
: 'spki';
return {
logID: tlogInstance.logId!.keyId,
publicKey: crypto.createPublicKey(tlogInstance.publicKey!.rawBytes!),
publicKey: crypto.createPublicKey(
tlogInstance.publicKey!.rawBytes!,
keyType
),
validFor: {
start: tlogInstance.publicKey!.validFor?.start || BEGINNING_OF_TIME,
end: tlogInstance.publicKey!.validFor?.end || END_OF_TIME,
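Review bot: The `keyDetails` to `keyType` chain in `createTLogAuthority` maps `PKIX_RSA_PKCS1V5` and the three `PKIX_RSA_PKCS1V15_*` values to the `'pkcs1'` DER structure, yet the `PKIX_` prefix in `PublicKeyDetails` conventionally denotes an SPKI (SubjectPublicKeyInfo) encoding, and the new fixture only exercises `PKCS1_RSA_PKCS1V5`, so the PKIX branches are untested and would presumably fail in `crypto.createPublicKey` if a trusted root ever carries an SPKI-encoded RSA key under one of those labels. The enum's PSS variants are also absent from the list, so a PKCS#1-encoded RSA-PSS key (if the enum defines one, e.g. `PKCS1_RSA_PSS`) would fall through to `'spki'`; both points are worth confirming against the protobuf-specs definition before this ships. I would move the decision into a small documented helper so the encoding rule lives in one reviewable place rather than a five-way equality chain, and note that a parse failure here surfaces as a raw error at trust-material load time rather than the `VerificationError` the test file checks elsewhere. `createTLogAuthority`'s body continues past the end of the hunk.
```typescript
/**
 * Selects the DER structure used to parse a transparency-log key from its
 * PublicKeyDetails. Values listed here are parsed as PKCS#1 RSAPublicKey;
 * everything else (ECDSA, Ed25519, SPKI-wrapped keys) as SubjectPublicKeyInfo.
 * NOTE(review): the mapping is the one from this commit; confirm against the
 * protobuf-specs definition whether the PKIX_* values are PKCS#1- or SPKI-encoded
 * and whether any PSS variants belong in the list.
 */
function keyEncodingFor(keyDetails: PublicKeyDetails): 'spki' | 'pkcs1' {
  switch (keyDetails) {
    case PublicKeyDetails.PKCS1_RSA_PKCS1V5:
    case PublicKeyDetails.PKIX_RSA_PKCS1V5:
    case PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256:
    case PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256:
    case PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256:
      return 'pkcs1';
    default:
      return 'spki';
  }
}

function createTLogAuthority(
  tlogInstance: TransparencyLogInstance
): TLogAuthority {
  const keyType = keyEncodingFor(tlogInstance.publicKey!.keyDetails);
  // … unchanged: returned TLogAuthority object (logID, publicKey, validFor) …
```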
