Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

expand LoadPrivateKey in pkg/cosign to support Sigstore Encrypted EC keys ("EC PRIVATE KEY" format) #3775

Closed
dmitris opened this issue Jul 10, 2024 · 1 comment · Fixed by #3776
Closed

expand LoadPrivateKey in pkg/cosign to support Sigstore Encrypted EC keys ("EC PRIVATE KEY" format) #3775

dmitris opened this issue Jul 10, 2024 · 1 comment · Fixed by #3776
Labels
enhancement New feature or request

Comments

@dmitris
Copy link
Contributor

dmitris commented Jul 10, 2024

Description

Currently LoadPrivateKey fails if given a Sigstore Encrypted private key. Adding a key as pemcosigneckey below and trying to use it in the unit test TestReadingPrivatePemTypes produces an error: parsing private key: x509: failed to parse private key (use ParseECPrivateKey instead for this key format). Currently, the LoadPrivateKey function assumes the PKCS8 encoding and calls only x509.ParsePKCS8PrivateKey -

cosign/pkg/cosign/keys.go

Line 223 in ca682f2

pk, err := x509.ParsePKCS8PrivateKey(x509Encoded)

If this is a "conscious" requirement, we should document it (and add unit tests with expected failure) - otherwise
let's expand LoadPrivateKey to try different x509 parsing functions to load private keys, at least ParsePKCS8PrivateKey and ParseECPrivateKey, maybe also [ParsePKCS1PrivateKey.

// COSIGN labeled EC key
const pemcosigneckey = `-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----
eyJrZGYiOnsibmFtZSI6InNjcnlwdCIsInBhcmFtcyI6eyJOIjo2NTUzNiwiciI6
OCwicCI6MX0sInNhbHQiOiJHK3F5WTYrNzhNS0JzMXNGTGs1ajYwcS9kS3Z1czBW
VkhlSHZybC9POTF3PSJ9LCJjaXBoZXIiOnsibmFtZSI6Im5hY2wvc2VjcmV0Ym94
Iiwibm9uY2UiOiJRc2JGdG13WDRDK2ttV3ZCcVRaMEFGOUFYdk1jRmg1SCJ9LCJj
aXBoZXJ0ZXh0IjoiREM5T28zeldiYVQzSXYwdFVnWEdycjUxYW1samwwNlQ5MTNP
VkxPbWpuMWhnK2o2WXRUbWg3SGhZSlY1N2J5eGE0Q281bE9YYmRqbTJ3aklubEd1
Um5aZCt5OExnekpSNzFSeEhKVzgrWmRlcFJmYWJMTjdHbDgrSFZEcERVQ3NxQnRh
VngyblpGbFEwWUl1anZwbFphblNGaUVvdERLVGkxZ3VhUXIwUHNzYU01NXZxbTRY
WS9rPSJ9
-----END ENCRYPTED COSIGN PRIVATE KEY-----`

test case

		{
			pemType:  "COSIGN PEM EC Type",
			pemData:  []byte(pemcosigneckey),
			expected: nil,
		},

Test error:

 $ go test -v -run TestReadingPrivatePemTypes/COSIGN_PEM_EC_Type
=== RUN   TestReadingPrivatePemTypes
=== RUN   TestReadingPrivatePemTypes/COSIGN_PEM_EC_Type
    keys_test.go:358:
        	Error Trace:	/Users/dmitris/gh/sigstore/cosign/pkg/cosign/keys_test.go:358
        	Error:      	Not equal:
        	            	expected: <nil>(<nil>)
        	            	actual  : *fmt.wrapError(&fmt.wrapError{msg:"parsing private key: x509: failed to parse private key (use ParseECPrivateKey instead for this key format)", err:(*errors.errorString)(0x14000a00040)})
        	Test:       	TestReadingPrivatePemTypes/COSIGN_PEM_EC_Type
--- FAIL: TestReadingPrivatePemTypes (0.12s)
    --- FAIL: TestReadingPrivatePemTypes/COSIGN_PEM_EC_Type (0.12s)
FAIL
exit status 1
FAIL	github.com/sigstore/cosign/v2/pkg/cosign	0.784s
@dmitris dmitris added the enhancement New feature or request label Jul 10, 2024
@dmitris dmitris changed the title expand LoadPrivateKey in pkg/cosign to support Sigstore Encrypted EC keys expand LoadPrivateKey in pkg/cosign to support Sigstore Encrypted EC keys ("EC PRIVATE KEY" format) Jul 10, 2024
dmitris added a commit to dmitris/cosign that referenced this issue Jul 10, 2024
@dmitris
support parsing different private key types
29e9d41 
Currently ImportKeyPair() in pkg/cosign supports
only private keys in PKCS sigstore#8 form. This change
extends it to also support PKCS #1 for RSA keys
("RSA PUBLIC KEY") and SEC 1 for EC keys
("EC PRIVATE KEY").

Fix sigstore#3775.

Signed-off-by: Dmitry S <[email protected]>
dmitris added a commit to dmitris/cosign that referenced this issue Jul 10, 2024
@dmitris
support parsing different private key types
2719076 
Currently ImportKeyPair() in pkg/cosign supports
only private keys in PKCS sigstore#8 form. This change
extends it to also support PKCS #1 for RSA keys
("RSA PUBLIC KEY") and SEC 1 for EC keys
("EC PRIVATE KEY").

Fix sigstore#3775.

Signed-off-by: Dmitry S <[email protected]>
@dmitris dmitris mentioned this issue Jul 10, 2024
Merged
dmitris added a commit to dmitris/cosign that referenced this issue Jul 10, 2024
@dmitris
support parsing different private key types
e756968 
Currently ImportKeyPair() in pkg/cosign supports
only private keys in PKCS sigstore#8 form. This change
extends it to also support PKCS #1 for RSA keys
("RSA PUBLIC KEY") and SEC 1 for EC keys
("EC PRIVATE KEY").

Fix sigstore#3775.

Signed-off-by: Dmitry S <[email protected]>
@dmitris
Copy link
Contributor Author

dmitris commented Jul 10, 2024

closing per comments

@dmitris dmitris closed this as completed Jul 10, 2024
dmitris added a commit to dmitris/cosign that referenced this issue Jul 11, 2024
@dmitris
support parsing different private key types
f7c1ea9 
Currently ImportKeyPair() in pkg/cosign supports
only private keys in PKCS sigstore#8 form. This change
extends it to also support PKCS #1 for RSA keys
("RSA PUBLIC KEY") and SEC 1 for EC keys
("EC PRIVATE KEY").

Fix sigstore#3775.

Signed-off-by: Dmitry S <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

document ImportKeyPair and LoadPrivateKey functions in pkg/cosign dmitris/cosign
1 participant
@dmitris