Support other Public keys than ecdsa when verifying SCT #1240

vaikas · 2021-12-22T05:55:31Z

Description

For verifying the SCT cosign seems to assume that public keys are always going to be Elliptical. I also verified that if I spin up an instance of CT Log here:
https://github.com/google/certificate-transparency-go/blob/master/trillian/docs/ManualDeployment.md#key-generation

With RSA keys, then cosign is unable to verify the SCT produced by the CT Log.

And with some debugging magic enabled, it fails:

getting signer: getting key from Fulcio: verifying SCT: cannot verify RSA signature with *ecdsa.PublicKey key

So, I was planning to add other public key types supported for verification.

The text was updated successfully, but these errors were encountered:

vaikas · 2021-12-22T05:55:55Z

I can't assign to myself, but I'll be happy to work on this.

dlorenc · 2021-12-22T10:18:17Z

+1!

vaikas added the enhancement New feature or request label Dec 22, 2021

vaikas mentioned this issue Dec 22, 2021

Add support for other public key types for SCT verification, allow override for testing. #1241

Merged

dlorenc closed this as completed in #1241 Dec 22, 2021

Provide feedback