Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use the correct verifier for RSA PSS scheme keys #625

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Use the correct verifier for RSA PSS scheme keys #625

wants to merge 2 commits into from

Conversation

rdimitrov
Copy link
Contributor

@rdimitrov rdimitrov commented Mar 9, 2024
edited

The following PR fixes an issue with go-tuf's support for RSA key types.

Details:

Apparently for RSA key types signature.LoadVerifier() is defaulting to returning a verifier that is RSAPKCS1v15Verifier which corresponds to the RSA PKCS#1 scheme.

Based on the latest TUF spec, TUF uses RSA PSS instead of PKCS#1. This manifests itself by causing go-tuf v2 TUF clients to fail metadata verification in case of RSA key types.

The fix for this is to invoke the proper verifier for the PSS scheme. This means that when we are verifying a metadata signed by an RSA key type, we should use LoadRSAPSSVerifier() instead of the generic LoadVerifier().

References:

Credits:

Thanks to @kairoaraujo for reaching out and helping track this together! 馃殌 Cheers! 馃嵒

What's left:

  • Update the tests

@rdimitrov
Explicitly use LoadRSAPSSVerifier for RSASSA_PSS_SHA256 keys
14b3c92 
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov
Update the basic_repository.go example to work with RSA PSS key scheme
c73d95d 
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
@rdimitrov rdimitrov self-assigned this Mar 9, 2024
@rdimitrov rdimitrov added the bug label Mar 9, 2024
@rdimitrov rdimitrov marked this pull request as draft March 9, 2024 00:34
@kairoaraujo
Copy link

I've tested it, and it solves the issue 馃槂

@trishankatdatadog trishankatdatadog mentioned this pull request Mar 9, 2024
Open
haydentherapper
haydentherapper reviewed Mar 19, 2024
View reviewed changes
metadata/metadata.go
if !ok {
return &ErrType{Msg: "failed to convert public key to RSA PSS key"}
}
verifier, err = signature.LoadRSAPSSVerifier(publicKeyRSAPSS, hash, &rsa.PSSOptions{Hash: crypto.SHA256})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI, if you're using the Verifier interface, you can also load a verifier with a PSS option now - https://github.com/sigstore/sigstore/blob/main/pkg/signature/signerverifier_test.go#L30-L38

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@rdimitrov rdimitrov

Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@rdimitrov @kairoaraujo @haydentherapper