
Switch to ECDSA based key in fulcio-createcerts (#1303)
* Switch to ECDSA based key in fulcio-createcerts

Internally we ran into some issues, so I'm upgrading to the ECDSA key. This also matches what we do in rekor-createsecret so improves uniformity across the codebase.

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

* update public key

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

---------

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>
priyawadhwa authored Oct 11, 2024
1 parent 7a9289e commit b934909
Showing 1 changed file with 22 additions and 18 deletions.
40 changes: 22 additions & 18 deletions cmd/fulcio/createcerts/main.go
Expand Up @@ -15,8 +15,9 @@
package main

import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
Expand All @@ -36,11 +37,6 @@ import (
"sigs.k8s.io/release-utils/version"
)

const (
// Key in the configmap holding the value of the tree.
bitSize = 4096
)

var (
secretName = flag.String("secret", "fulcio-secrets", "Name of the secret to create for the certs")
pubkeySecretName = flag.String("pubkeysecret", "fulcio-pub-key", "Name of the secret that holds the public Fulcio information like cert / public key")
Expand All @@ -54,6 +50,7 @@ var (

func main() {
flag.Parse()

ns := os.Getenv("NAMESPACE")
if ns == "" {
panic("env variable NAMESPACE must be set")
Expand Down Expand Up @@ -101,13 +98,11 @@ func main() {
// createAll creates a password protected keypair, and returns PEM encoded
// CA Cert, crypto.PublicKey, crypto.PrivateKey, password
func createAll() ([]byte, []byte, []byte, string, error) {
// Generate RSA key.
key, err := rsa.GenerateKey(rand.Reader, bitSize)
// Generate ECDSA key.
privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
return nil, nil, nil, "", fmt.Errorf("GenerateKey failed: %w", err)
return nil, nil, nil, "", fmt.Errorf("failed to generate ecdsa key: %w", err)
}
// Extract public component.
pub := key.Public()

serialNumber, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
if err != nil {
Expand All @@ -130,18 +125,23 @@ func createAll() ([]byte, []byte, []byte, string, error) {
BasicConstraintsValid: true,
MaxPathLen: 1,
}
derBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, pub, key)

derBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, privateKey.Public(), privateKey)
if err != nil {
return nil, nil, nil, "", fmt.Errorf("failed to create certificate: %w", err)
}
certPEM := pem.EncodeToMemory(
&pem.Block{Type: "CERTIFICATE", Bytes: derBytes},
)

// Encode private key to PKCS#1 ASN.1 PEM.
// Encode private key to PKCS #8 ASN.1 PEM.
marshalledPrivKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
if err != nil {
return nil, nil, nil, "", fmt.Errorf("marshal pkcs8 private key: %w", err)
}
block := &pem.Block{
Type: "RSA PRIVATE KEY",
Bytes: x509.MarshalPKCS1PrivateKey(key),
Type: "PRIVATE KEY",
Bytes: marshalledPrivKey,
}

// Generate a uuid as a password
Expand All @@ -158,11 +158,15 @@ func createAll() ([]byte, []byte, []byte, string, error) {
if privPEM == nil {
return nil, nil, nil, "", fmt.Errorf("EncodeToMemory private key failed: %w", err)
}
// Encode public key to PKCS#1 ASN.1 PEM.

marshalledPubKey, err := x509.MarshalPKIXPublicKey(privateKey.Public())
if err != nil {
return nil, nil, nil, "", fmt.Errorf("failed to unmarshal public key: %w", err)
}
pubPEM := pem.EncodeToMemory(
&pem.Block{
Type: "RSA PUBLIC KEY",
Bytes: x509.MarshalPKCS1PublicKey(pub.(*rsa.PublicKey)),
Type: "PUBLIC KEY",
Bytes: marshalledPubKey,
},
)
if pubPEM == nil {
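Review bot: The error wrapped at the x509.MarshalPKIXPublicKey call reads `failed to unmarshal public key`, but the operation that failed is a marshal, so the message points a reader at the wrong step; suggest `return nil, nil, nil, "", fmt.Errorf("marshal pkix public key: %w", err)`, which also matches the wording of the new `marshal pkcs8 private key` error a few lines earlier (the two new errors otherwise mix the `failed to …` and bare-verb styles). Separately, the private-key block is now typed `PRIVATE KEY` with PKCS #8 contents while the password-protection step sits outside this hunk; if that step still applies legacy PEM encryption (DEK-Info headers), it is worth confirming that whatever loads the secret accepts a `PRIVATE KEY` block carrying those headers rather than expecting an `ENCRYPTED PRIVATE KEY` block. The doc comment on createAll still says it returns crypto.PublicKey and crypto.PrivateKey, whereas the signature returns PEM byte slices; since the key type is changing here, this is a good moment to make that comment say `PEM-encoded CA cert, private key and public key, plus the password`. The body of createAll continues past the end of the hunk.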
