From b93490987c716288761702750c900dc2cc507774 Mon Sep 17 00:00:00 2001
From: Priya Wadhwa
Date: Thu, 10 Oct 2024 23:08:04 -0700
Subject: [PATCH] Switch to ECDSA based key in fulcio-createcerts (#1303)
* Switch to ECDSA based key in fulcio-createcerts
Internally we ran into some issues, so I'm upgrading to the ECDSA key. This also matches what we do in rekor-createsecret so improves uniformity across the codebase.
Signed-off-by: Priya Wadhwa
* update public key
Signed-off-by: Priya Wadhwa
---------
Signed-off-by: Priya Wadhwa
---
 cmd/fulcio/createcerts/main.go | 40 +++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/cmd/fulcio/createcerts/main.go b/cmd/fulcio/createcerts/main.go
index e1252211e..3ebb0a0e7 100644
--- a/cmd/fulcio/createcerts/main.go
+++ b/cmd/fulcio/createcerts/main.go
@@ -15,8 +15,9 @@
 package main
 
 import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
 "crypto/rand"
- "crypto/rsa"
 "crypto/x509"
 "crypto/x509/pkix"
 "encoding/pem"
@@ -36,11 +37,6 @@ import (
 "sigs.k8s.io/release-utils/version"
 )
 
-const (
- // Key in the configmap holding the value of the tree.
- bitSize = 4096
-)
-
 var (
 secretName = flag.String("secret", "fulcio-secrets", "Name of the secret to create for the certs")
 pubkeySecretName = flag.String("pubkeysecret", "fulcio-pub-key", "Name of the secret that holds the public Fulcio information like cert / public key")
@@ -54,6 +50,7 @@ var (
 func main() {
 flag.Parse()
+
 ns := os.Getenv("NAMESPACE")
 if ns == "" {
 panic("env variable NAMESPACE must be set")
@@ -101,13 +98,11 @@ func main() {
 // createAll creates a password protected keypair, and returns PEM encoded
 // CA Cert, crypto.PublicKey, crypto.PrivateKey, password
 func createAll() ([]byte, []byte, []byte, string, error) {
- // Generate RSA key.
- key, err := rsa.GenerateKey(rand.Reader, bitSize)
+ // Generate ECDSA key.
+ privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 if err != nil {
- return nil, nil, nil, "", fmt.Errorf("GenerateKey failed: %w", err)
+ return nil, nil, nil, "", fmt.Errorf("failed to generate ecdsa key: %w", err)
 }
- // Extract public component.
- pub := key.Public()
 
 serialNumber, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
 if err != nil {
@@ -130,7 +125,8 @@ func createAll() ([]byte, []byte, []byte, string, error) {
 BasicConstraintsValid: true,
 MaxPathLen: 1,
 }
- derBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, pub, key)
+
+ derBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, privateKey.Public(), privateKey)
 if err != nil {
 return nil, nil, nil, "", fmt.Errorf("failed to create certificate: %w", err)
 }
@@ -138,10 +134,14 @@ func createAll() ([]byte, []byte, []byte, string, error) {
 &pem.Block{Type: "CERTIFICATE", Bytes: derBytes},
 )
 
- // Encode private key to PKCS#1 ASN.1 PEM.
+ // Encode private key to PKCS #8 ASN.1 PEM.
+ marshalledPrivKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
+ if err != nil {
+ return nil, nil, nil, "", fmt.Errorf("marshal pkcs8 private key: %w", err)
+ }
 block := &pem.Block{
- Type: "RSA PRIVATE KEY",
- Bytes: x509.MarshalPKCS1PrivateKey(key),
+ Type: "PRIVATE KEY",
+ Bytes: marshalledPrivKey,
 }
 
 // Generate a uuid as a password
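Review bot: The curve for the root CA key is now a bare `elliptic.P256()` with no rationale in code, whereas the removed `bitSize` constant at least carried a comment; the commit message's "ran into some issues" and the rekor-createsecret parity are the actual reasons and should live next to the call so nobody changes the curve without checking the consumers. Suggest replacing `// Generate ECDSA key.` with `// Generate a P-256 ECDSA key for the root CA; this matches the key type used by rekor-createsecret (#1303).` The `createAll` doc comment just above still says it returns `crypto.PublicKey, crypto.PrivateKey`, which no longer matches the PEM-encoded `[]byte` results; this commit touches that function's key handling and is a good place to correct it. createAll continues well past this hunk.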
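Review bot: The new `x509.CreateCertificate(..., privateKey.Public(), privateKey)` call only selects ECDSA-with-SHA256 on its own if the `rootCA` template leaves `SignatureAlgorithm` at its zero value; the template starts above this hunk and is not visible, and if it still names an RSA algorithm such as `x509.SHA256WithRSA` from the old key type the call now fails with a signature-algorithm/key mismatch at runtime. Please confirm that field is unset (or set to `x509.ECDSAWithSHA256`) and record the dependency with a comment on the call, e.g. `// SignatureAlgorithm is left unset so CreateCertificate picks ECDSA-with-SHA256 for the P-256 key.` A small test that parses the emitted certificate and checks `cert.SignatureAlgorithm == x509.ECDSAWithSHA256` would lock this in.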
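Review bot: The new error string `marshal pkcs8 private key: %w` is written in a different style from the other message this same commit adds (`failed to generate ecdsa key: %w`) and from the existing `failed to create certificate: %w` a few lines up, so the function's errors now read inconsistently in logs. Since the rest of createAll uses the prefix, the smaller change is `return nil, nil, nil, "", fmt.Errorf("failed to marshal pkcs8 private key: %w", err)`. The updated `// Encode private key to PKCS #8 ASN.1 PEM.` comment is good; it would help to add that the `PRIVATE KEY` block type is what the password-protection step below and the consumers of the secret expect, if that is indeed how they parse it, since those parts are not visible in this hunk.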
@@ -158,11 +158,15 @@ func createAll() ([]byte, []byte, []byte, string, error) {
 if privPEM == nil {
 return nil, nil, nil, "", fmt.Errorf("EncodeToMemory private key failed: %w", err)
 }
- // Encode public key to PKCS#1 ASN.1 PEM.
+
+ marshalledPubKey, err := x509.MarshalPKIXPublicKey(privateKey.Public())
+ if err != nil {
+ return nil, nil, nil, "", fmt.Errorf("failed to unmarshal public key: %w", err)
+ }
 pubPEM := pem.EncodeToMemory(
 &pem.Block{
- Type: "RSA PUBLIC KEY",
- Bytes: x509.MarshalPKCS1PublicKey(pub.(*rsa.PublicKey)),
+ Type: "PUBLIC KEY",
+ Bytes: marshalledPubKey,
 },
 )
 if pubPEM == nil {
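Review bot: The error message on the new `MarshalPKIXPublicKey` branch says `failed to unmarshal public key`, but the call marshals, so a failure here would point an operator at a parsing problem that does not exist; change it to `fmt.Errorf("failed to marshal public key: %w", err)`. The removed `// Encode public key to PKCS#1 ASN.1 PEM.` comment was replaced by a blank line rather than updated, unlike the private-key side of this commit; suggest `// Encode public key to PKIX (SubjectPublicKeyInfo) ASN.1 PEM.` above the marshal call, and add which consumers parse it only after checking them, since they are not visible here. Separately, the `privPEM == nil` guard at the top of the hunk wraps `err` with `%w`, and as far as this hunk shows `err` is nil on that path, so the message would render as `%!w(<nil>)`; that is pre-existing but sits in the lines this commit reshapes. createAll continues past the hunk.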