From 46caed80e5e8865812e589025b2ff1d959fbe368 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Fri, 15 Mar 2024 12:42:21 -0700
Subject: [PATCH] handle RSA keys in truste_root.json (#1072)
Signed-off-by: Brian DeHamer
---
 .changeset/silent-bugs-explain.md | 5 ++++
 .changeset/three-rats-sleep.md | 5 ++++
 packages/core/src/crypto.ts | 7 +++--
 .../src/__tests__/__fixtures__/trust.ts | 16 ++++++++++++
 .../verify/src/__tests__/trust/index.test.ts | 2 +-
 packages/verify/src/trust/index.ts | 26 ++++++++++++++-----
 6 files changed, 51 insertions(+), 10 deletions(-)
 create mode 100644 .changeset/silent-bugs-explain.md
 create mode 100644 .changeset/three-rats-sleep.md
diff --git a/.changeset/silent-bugs-explain.md b/.changeset/silent-bugs-explain.md
new file mode 100644
index 00000000..4e21eb3e
--- /dev/null
+++ b/.changeset/silent-bugs-explain.md
@@ -0,0 +1,5 @@
+---
+"@sigstore/verify": patch
+---
+
+Fix bug related to loading RSA keys from the trusted key material
diff --git a/.changeset/three-rats-sleep.md b/.changeset/three-rats-sleep.md
new file mode 100644
index 00000000..f2186e39
--- /dev/null
+++ b/.changeset/three-rats-sleep.md
@@ -0,0 +1,5 @@
+---
+"@sigstore/core": minor
+---
+
+Update `createPublicKey` to support both "spki" and "pkcs1" key types
diff --git a/packages/core/src/crypto.ts b/packages/core/src/crypto.ts
index 279be4af..f97a0844 100644
--- a/packages/core/src/crypto.ts
+++ b/packages/core/src/crypto.ts
@@ -18,11 +18,14 @@ export type { KeyObject } from 'crypto';
 
 const SHA256_ALGORITHM = 'sha256';
 
-export function createPublicKey(key: string | Buffer): crypto.KeyObject {
+export function createPublicKey(
+ key: string | Buffer,
+ type: 'spki' | 'pkcs1' = 'spki'
+): crypto.KeyObject {
 if (typeof key === 'string') {
 return crypto.createPublicKey(key);
 } else {
- return crypto.createPublicKey({ key, format: 'der', type: 'spki' });
+ return crypto.createPublicKey({ key, format: 'der', type: type });
 }
 }
 
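Review bot: The new `type` parameter is consulted only on the Buffer branch of `createPublicKey`; a PEM string is passed straight through, so `createPublicKey(pem, 'pkcs1')` silently ignores the argument, and the signature should say so. Suggested TSDoc above the function: `/** Parses a public key. For Buffer input, type selects the DER structure ('spki' or 'pkcs1'); PEM strings carry their own header and the argument is ignored. */`. Node rejects DER whose structure does not match `type`, which is the right fail-closed behaviour for key material taken from a trust root, but the failure surfaces as a raw Node error rather than a project error type, which callers should be aware of. Minor: `{ key, format: 'der', type: type }` can be the shorthand `{ key, format: 'der', type }`.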
diff --git a/packages/verify/src/__tests__/__fixtures__/trust.ts b/packages/verify/src/__tests__/__fixtures__/trust.ts
index b9195660..7f2ffecb 100644
--- a/packages/verify/src/__tests__/__fixtures__/trust.ts
+++ b/packages/verify/src/__tests__/__fixtures__/trust.ts
@@ -76,6 +76,22 @@ const trustedRootJSON = {
 },
 ],
 ctlogs: [
+ {
+ baseUrl: 'https://ctfe.sigstage.dev/test',
+ hashAlgorithm: 'SHA2_256',
+ publicKey: {
+ rawBytes:
+ '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',
+ keyDetails: 'PKCS1_RSA_PKCS1V5',
+ validFor: {
+ start: '2021-03-14T00:00:00.000Z',
+ end: '2022-07-31T00:00:00.000Z',
+ },
+ },
+ logId: {
+ keyId: 'G3wUKk6ZK6ffHh/FdCRUE2wVekyzHEEIpSG4savnv0w=',
+ },
+ },
 {
 baseUrl: 'https://ctfe.sigstore.dev/test',
 hashAlgorithm: 'SHA2_256',
diff --git a/packages/verify/src/__tests__/trust/index.test.ts b/packages/verify/src/__tests__/trust/index.test.ts
index e40973ea..9ef1c6dd 100644
--- a/packages/verify/src/__tests__/trust/index.test.ts
+++ b/packages/verify/src/__tests__/trust/index.test.ts
@@ -24,7 +24,7 @@ describe('toTrustMaterial', () => {
 expect(result.certificateAuthorities).toHaveLength(2);
 expect(result.timestampAuthorities).toHaveLength(1);
 expect(result.tlogs).toHaveLength(1);
- expect(result.ctlogs).toHaveLength(2);
+ expect(result.ctlogs).toHaveLength(3);
 
 expect(() => result.publicKey('FOO')).toThrowWithCode(
 VerificationError,
diff --git a/packages/verify/src/trust/index.ts b/packages/verify/src/trust/index.ts
index bd7be1d0..a9b5c9b0 100644
--- a/packages/verify/src/trust/index.ts
+++ b/packages/verify/src/trust/index.ts
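Review bot: The added ctlog fixture covers only `keyDetails: 'PKCS1_RSA_PKCS1V5'`, whereas the matching branch in `packages/verify/src/trust/index.ts` also routes the four `PKIX_RSA_*` values to the `'pkcs1'` decoder; none of those has a fixture, so a wrong encoding choice for them would not be caught by the `toHaveLength(3)` assertion. Worth adding one entry carrying a `PKIX_RSA_PKCS1V15_2048_SHA256` key (and adjusting the length expectation in `index.test.ts`), plus a short comment on the new entry such as `// RSA log key in PKCS#1 form (regression for #1072)`. The `trustedRootJSON` literal starts and ends outside the hunk.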
@@ -14,12 +14,12 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 import { X509Certificate, crypto } from '@sigstore/core';
-
-import type {
- CertificateAuthority,
- PublicKey,
- TransparencyLogInstance,
- TrustedRoot,
+import {
+ PublicKeyDetails,
+ type CertificateAuthority,
+ type PublicKey,
+ type TransparencyLogInstance,
+ type TrustedRoot,
 } from '@sigstore/protobuf-specs';
 import { VerificationError } from '../error';
 import type {
@@ -60,9 +60,21 @@ export function toTrustMaterial(
 function createTLogAuthority(
 tlogInstance: TransparencyLogInstance
 ): TLogAuthority {
+ const keyDetails = tlogInstance.publicKey!.keyDetails;
+ const keyType =
+ keyDetails === PublicKeyDetails.PKCS1_RSA_PKCS1V5 ||
+ keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V5 ||
+ keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V15_2048_SHA256 ||
+ keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V15_3072_SHA256 ||
+ keyDetails === PublicKeyDetails.PKIX_RSA_PKCS1V15_4096_SHA256
+ ? 'pkcs1'
+ : 'spki';
 return {
 logID: tlogInstance.logId!.keyId,
- publicKey: crypto.createPublicKey(tlogInstance.publicKey!.rawBytes!),
+ publicKey: crypto.createPublicKey(
+ tlogInstance.publicKey!.rawBytes!,
+ keyType
+ ),
 validFor: {
 start: tlogInstance.publicKey!.validFor?.start || BEGINNING_OF_TIME,
 end: tlogInstance.publicKey!.validFor?.end || END_OF_TIME,
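Review bot: The `keyType` selection in `createTLogAuthority` treats the four `PKIX_RSA_*` values the same as `PKCS1_RSA_PKCS1V5`, but in the protobuf-specs naming the `PKIX_` prefix describes the key encoding (SubjectPublicKeyInfo) while `PKCS1V5`/`PKCS1V15` describes the signature padding; if that reading is right, a correctly PKIX-encoded RSA log key is handed to `createPublicKey` as `'pkcs1'` DER and rejected by Node, so only the `PKCS1_*` details (`PKCS1_RSA_PKCS1V5`, and by the same logic `PKCS1_RSA_PSS`, which is currently missing) should map to `'pkcs1'`. Whichever mapping is intended, it deserves a comment on the `const keyType =` line, e.g. `// PKCS1_* keyDetails carry a bare RSAPublicKey DER; all other details are SPKI`, and a fixture exercising at least one `PKIX_RSA_*` entry. The declared `keyDetails` is otherwise not cross-checked against the algorithm actually decoded from the bytes, so a mismatched trusted-root entry surfaces only as a thrown Node error rather than a `VerificationError`; worth confirming that is acceptable to callers of `toTrustMaterial`. `createTLogAuthority` ends outside the hunk.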