feat: add support for additional transparency log key types #197
Conversation
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
vishal-chdhry
force-pushed
the
addn-tlog-key
branch
from
a50d01f to
034e5ba
Compare
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
|
@haydentherapper added the changes, please let me know if this is okay. sorry for the delay on this, I was working on other things (btw, we also added support for sigstore bundle verification in Kyverno, it will be a part of the next release) |
pkg/root/trusted_root.go
Outdated
| case protocommon.PublicKeyDetails_PKIX_ECDSA_P256_SHA_256, | ||
| protocommon.PublicKeyDetails_PKIX_ECDSA_P384_SHA_384, | ||
| protocommon.PublicKeyDetails_PKIX_ECDSA_P521_SHA_512, | ||
| protocommon.PublicKeyDetails_PKIX_ECDSA_P256_HMAC_SHA_256: //nolint:staticcheck |
There was a problem hiding this comment.
We don't need to support PublicKeyDetails_PKIX_ECDSA_P256_HMAC_SHA_256, we've marked this as deprecated.
| BaseURL: tlog.GetBaseUrl(), | ||
| ID: tlog.GetLogId().GetKeyId(), | ||
| HashFunc: hashFunc, | ||
| SignatureHashFunc: crypto.SHA256, |
There was a problem hiding this comment.
The signature hash algorithm will differ depending on the signature scheme. I'd recommend a function like https://github.com/slsa-framework/slsa-verifier/blob/d96b9777090694fa5096ee1b9c710a46b5a66f5e/cli/slsa-verifier/verify/verify_vsa.go#L95-L117 to handle the mapping
tldr - RSA can always be SHA256, ECDSA P256 and P384 should be SHA256, P521 SHA512, and ed25519 is SHA512.
pkg/root/trusted_root.go
Outdated
| case protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_2048_SHA256, | ||
| protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_3072_SHA256, | ||
| protocommon.PublicKeyDetails_PKIX_RSA_PKCS1V15_4096_SHA256, | ||
| protocommon.PublicKeyDetails_PKIX_RSA_PSS_2048_SHA256, |
There was a problem hiding this comment.
We can skip support for PSS, that would require also changing how we call LoadVerifier, which would require conditionally adding an option to use PSS over PKCS1v1.5. Given loading this verifier is in another package, it'd be a bit too much refactoring to try to connect these for not much gain.
There was a problem hiding this comment.
I have removed PKIX-PSS but I havent removed PKIX-PKCS1v1.5
pkg/root/trusted_root.go
Outdated
| } | ||
| tlogEntry.PublicKey = rsaKey | ||
| case protocommon.PublicKeyDetails_PKIX_ED25519, protocommon.PublicKeyDetails_PKIX_ED25519_PH: //nolint:staticcheck |
There was a problem hiding this comment.
Same here, we can skip PKIX_ED25519_PH, the prehash variant of ed25519 isn't needed, and it would require making changes to LoadVerifier.
Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>
Summary
Closes: #65
Adds support for transparency log keys with RSA, other ECDSA curves, and ed25519
Release Note
Documentation