From 553f90ee124a9e57f440bc8f9181e3617efb7310 Mon Sep 17 00:00:00 2001 From: Xynnn007 Date: Tue, 13 Sep 2022 15:08:42 +0800 Subject: [PATCH] refactor: remove ring dependency - replace ring crate with RustCrypto - refactor CosignVerificationKey implementation and interface - fix the code which references CosignVerificationKey Signed-off-by: Xynnn007 --- Cargo.toml | 3 +- examples/cosign/verify/main.rs | 15 +- .../key_pair_gen_and_export/main.rs | 2 +- .../key_pair_gen_sign_verify/main.rs | 2 +- .../key_interface/key_pair_import/main.rs | 10 +- src/cosign/bundle.rs | 10 +- src/cosign/client.rs | 11 +- src/cosign/client_builder.rs | 7 +- src/cosign/mod.rs | 9 +- src/cosign/signature_layers.rs | 23 +- src/cosign/verification_constraint.rs | 9 +- src/crypto/mod.rs | 82 ++++--- src/crypto/signing_key/ecdsa/ec.rs | 36 ++- src/crypto/signing_key/ed25519.rs | 22 +- src/crypto/signing_key/mod.rs | 66 +----- src/crypto/verification_key.rs | 218 +++++++++--------- src/lib.rs | 4 +- 17 files changed, 239 insertions(+), 290 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index cfedc7d535..440ca14805 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,7 +26,6 @@ openidconnect = { version = "2.3", default-features = false, features = [ "reqwe pem = "1.0.2" picky = { version = "7.0.0-rc.3", default-features = false, features = [ "x509", "ec" ] } regex = "1.5.5" -ring = "0.16.20" serde_json = "1.0.79" serde = { version = "1.0.136", features = ["derive"] } sha2 = "0.10.2" @@ -44,7 +43,7 @@ pkcs8 = { version = "0.9.0", features = ["pem", "alloc", "pkcs5", "encryption"] elliptic-curve = { version = "0.12.2", features = [ "arithmetic", "pem" ] } p256 = "0.11.1" p384 = "0.11.1" -ecdsa = { version = "0.14.3", features = [ "pkcs8", "digest" ] } +ecdsa = { version = "0.14.3", features = [ "pkcs8", "digest", "der" ] } digest = "0.10.3" signature = { version = "1.5.0", features = [ "digest-preview" ] } ed25519 = { version = "1", features = [ "alloc" ] } diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs index 015a660110..ab5f8dec17 100644 --- a/examples/cosign/verify/main.rs +++ b/examples/cosign/verify/main.rs @@ -19,7 +19,7 @@ use sigstore::cosign::verification_constraint::{ VerificationConstraintVec, }; use sigstore::cosign::{CosignCapabilities, SignatureLayer}; -use sigstore::crypto::SignatureDigestAlgorithm; +use sigstore::crypto::SigningScheme; use sigstore::errors::SigstoreVerifyConstraintsError; use sigstore::tuf::SigstoreRepository; use std::boxed::Box; @@ -47,9 +47,9 @@ struct Cli { #[clap(short, long, required(false))] key: Option, - /// Digest algorithm to use when processing a signature - #[clap(long, default_value = "sha256")] - signature_digest_algorithm: String, + /// Signing scheme when signing and verifying + #[clap(long, default_value = "ECDSA_P256_SHA256_ASN1")] + signing_scheme: String, /// Fetch Rekor and Fulcio data from Sigstore's TUF repository" #[clap(long)] @@ -156,10 +156,9 @@ async fn run_app( } if let Some(path_to_key) = cli.key.as_ref() { let key = fs::read(path_to_key).map_err(|e| anyhow!("Cannot read key: {:?}", e))?; - let signature_digest_algorithm = - SignatureDigestAlgorithm::try_from(cli.signature_digest_algorithm.as_str()) - .map_err(anyhow::Error::msg)?; - let verifier = PublicKeyVerifier::new(&key, signature_digest_algorithm) + let signing_scheme = + SigningScheme::try_from(cli.signing_scheme.as_str()).map_err(anyhow::Error::msg)?; + let verifier = PublicKeyVerifier::new(&key, &signing_scheme) .map_err(|e| anyhow!("Cannot create public key verifier: {}", e))?; verification_constraints.push(Box::new(verifier)); } diff --git a/examples/key_interface/key_pair_gen_and_export/main.rs b/examples/key_interface/key_pair_gen_and_export/main.rs index c6542eeac0..902acd288d 100644 --- a/examples/key_interface/key_pair_gen_and_export/main.rs +++ b/examples/key_interface/key_pair_gen_and_export/main.rs @@ -14,7 +14,7 @@ // limitations under the License. use anyhow::Result; -use sigstore::crypto::signing_key::SigningScheme; +use sigstore::crypto::SigningScheme; const PASSWORD: &str = "example password"; diff --git a/examples/key_interface/key_pair_gen_sign_verify/main.rs b/examples/key_interface/key_pair_gen_sign_verify/main.rs index a1b29da3ca..b8fcb4e2b6 100644 --- a/examples/key_interface/key_pair_gen_sign_verify/main.rs +++ b/examples/key_interface/key_pair_gen_sign_verify/main.rs @@ -14,7 +14,7 @@ // limitations under the License. use anyhow::{anyhow, Result}; -use sigstore::crypto::{signing_key::SigningScheme, Signature}; +use sigstore::crypto::{Signature, SigningScheme}; const DATA_TO_BE_SIGNED: &str = "this is an example data to be signed"; diff --git a/examples/key_interface/key_pair_import/main.rs b/examples/key_interface/key_pair_import/main.rs index 82ec038b7e..8aa85dc7d1 100644 --- a/examples/key_interface/key_pair_import/main.rs +++ b/examples/key_interface/key_pair_import/main.rs @@ -14,10 +14,9 @@ // limitations under the License. use anyhow::{bail, Result}; -use ring::signature::ECDSA_P256_SHA256_ASN1; use sigstore::crypto::{ signing_key::{ecdsa::ECDSAKeys, SigStoreKeyPair}, - CosignVerificationKey, SignatureDigestAlgorithm, + CosignVerificationKey, SigningScheme, }; const PASSWORD: &str = "password"; @@ -30,13 +29,10 @@ const ECDSA_P256_ASN1_ENCRYPTED_PRIVATE_PEM: &[u8] = include_bytes!("./ECDSA_P256_ASN1_ENCRYPTED_PRIVATE_PEM.key"); fn main() -> Result<()> { - let _ = CosignVerificationKey::from_pem( - ECDSA_P256_ASN1_PUBLIC_PEM, - SignatureDigestAlgorithm::Sha256, - )?; + let _ = CosignVerificationKey::from_pem(ECDSA_P256_ASN1_PUBLIC_PEM, &SigningScheme::default())?; println!("Imported PEM encoded public key as CosignVerificationKey."); - let _ = CosignVerificationKey::from_der(ECDSA_P256_ASN1_PUBLIC_DER, &ECDSA_P256_SHA256_ASN1)?; + let _ = CosignVerificationKey::from_der(ECDSA_P256_ASN1_PUBLIC_DER, &SigningScheme::default())?; println!("Imported DER encoded public key as CosignVerificationKey."); let _ = SigStoreKeyPair::from_pem(ECDSA_P256_ASN1_PRIVATE_PEM)?; diff --git a/src/cosign/bundle.rs b/src/cosign/bundle.rs index 74e3284d03..4d661a94fb 100644 --- a/src/cosign/bundle.rs +++ b/src/cosign/bundle.rs @@ -70,7 +70,7 @@ mod tests { use serde_json::json; use crate::cosign::tests::get_rekor_public_key; - use crate::crypto::SignatureDigestAlgorithm; + use crate::crypto::SigningScheme; fn build_correct_bundle() -> String { let bundle_json = json!({ @@ -101,11 +101,9 @@ mod tests { MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENptdY/l3nB0yqkXLBWkZWQwo6+cu OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw== -----END PUBLIC KEY-----"#; - let not_rekor_pub_key = CosignVerificationKey::from_pem( - public_key.as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create CosignVerificationKey"); + let not_rekor_pub_key = + CosignVerificationKey::from_pem(public_key.as_bytes(), &SigningScheme::default()) + .expect("Cannot create CosignVerificationKey"); let bundle_json = build_correct_bundle(); let bundle = Bundle::new_verified(&bundle_json, ¬_rekor_pub_key); diff --git a/src/cosign/client.rs b/src/cosign/client.rs index 8300144338..bcb1cf7219 100644 --- a/src/cosign/client.rs +++ b/src/cosign/client.rs @@ -137,14 +137,13 @@ impl Client { mod tests { use super::*; use crate::cosign::tests::{get_fulcio_cert_pool, REKOR_PUB_KEY}; - use crate::{crypto::SignatureDigestAlgorithm, mock_client::test::MockOciClient}; + use crate::crypto::SigningScheme; + use crate::mock_client::test::MockOciClient; fn build_test_client(mock_client: MockOciClient) -> Client { - let rekor_pub_key = CosignVerificationKey::from_pem( - REKOR_PUB_KEY.as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create CosignVerificationKey"); + let rekor_pub_key = + CosignVerificationKey::from_pem(REKOR_PUB_KEY.as_bytes(), &SigningScheme::default()) + .expect("Cannot create CosignVerificationKey"); Client { registry_client: Box::new(mock_client), diff --git a/src/cosign/client_builder.rs b/src/cosign/client_builder.rs index fdc71e90dd..6445834d80 100644 --- a/src/cosign/client_builder.rs +++ b/src/cosign/client_builder.rs @@ -16,9 +16,8 @@ use tracing::info; use super::client::Client; -use crate::crypto::{ - certificate_pool::CertificatePool, CosignVerificationKey, SignatureDigestAlgorithm, -}; +use crate::crypto::SigningScheme; +use crate::crypto::{certificate_pool::CertificatePool, CosignVerificationKey}; use crate::errors::Result; use crate::registry::{Certificate, ClientConfig}; @@ -125,7 +124,7 @@ impl ClientBuilder { } Some(data) => Some(CosignVerificationKey::from_pem( data.as_bytes(), - SignatureDigestAlgorithm::default(), + &SigningScheme::default(), )?), }; diff --git a/src/cosign/mod.rs b/src/cosign/mod.rs index a1eec3cbaa..c7d4f8e062 100644 --- a/src/cosign/mod.rs +++ b/src/cosign/mod.rs @@ -150,7 +150,7 @@ mod tests { AnnotationVerifier, CertSubjectEmailVerifier, VerificationConstraintVec, }; use crate::crypto::certificate_pool::CertificatePool; - use crate::crypto::{CosignVerificationKey, SignatureDigestAlgorithm}; + use crate::crypto::{CosignVerificationKey, SigningScheme}; use crate::simple_signing::Optional; pub(crate) const REKOR_PUB_KEY: &str = r#"-----BEGIN PUBLIC KEY----- @@ -201,11 +201,8 @@ TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ } pub(crate) fn get_rekor_public_key() -> CosignVerificationKey { - CosignVerificationKey::from_pem( - REKOR_PUB_KEY.as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create test REKOR_PUB_KEY") + CosignVerificationKey::from_pem(REKOR_PUB_KEY.as_bytes(), &SigningScheme::default()) + .expect("Cannot create test REKOR_PUB_KEY") } #[test] diff --git a/src/cosign/signature_layers.rs b/src/cosign/signature_layers.rs index fd5f6aeeee..40e6ab18e0 100644 --- a/src/cosign/signature_layers.rs +++ b/src/cosign/signature_layers.rs @@ -31,9 +31,7 @@ use super::constants::{ }; use crate::crypto::certificate_pool::CertificatePool; use crate::{ - crypto::{ - self, CosignVerificationKey, Signature, SIGSTORE_DEFAULT_SIGNATURE_VERIFICATION_ALGORITHM, - }, + crypto::{self, CosignVerificationKey, Signature, SigningScheme}, errors::{Result, SigstoreError}, simple_signing::SimpleSigning, }; @@ -366,10 +364,8 @@ impl CertificateSignature { crypto::certificate::is_trusted(&cert, integrated_time)?; let subject = CertificateSubject::from_certificate(&cert)?; - let verification_key = CosignVerificationKey::from_der( - cert.public_key().raw, - SIGSTORE_DEFAULT_SIGNATURE_VERIFICATION_ALGORITHM, - )?; + let verification_key = + CosignVerificationKey::from_der(cert.public_key().raw, &SigningScheme::default())?; let issuer = get_cert_extension_by_oid(&cert, SIGSTORE_ISSUER_OID, "Issuer")?; @@ -464,7 +460,6 @@ pub(crate) mod tests { use std::convert::TryFrom; use crate::cosign::tests::{get_fulcio_cert_pool, get_rekor_public_key}; - use crate::crypto::SignatureDigestAlgorithm; pub(crate) fn build_correct_signature_layer_without_bundle( ) -> (SignatureLayer, CosignVerificationKey) { @@ -474,11 +469,9 @@ OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw== -----END PUBLIC KEY-----"#; let signature = String::from("MEUCIQD6q/COgzOyW0YH1Dk+CCYSt4uAhm3FDHUwvPI55zwnlwIgE0ZK58ZOWpZw8YVmBapJhBqCfdPekIknimuO0xH8Jh8="); - let verification_key = CosignVerificationKey::from_pem( - public_key.as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create CosignVerificationKey"); + let verification_key = + CosignVerificationKey::from_pem(public_key.as_bytes(), &SigningScheme::default()) + .expect("Cannot create CosignVerificationKey"); let ss_value = json!({ "critical": { "identity": { @@ -576,7 +569,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETJP9cqpUQsn2ggmJniWGjHdlsHzD JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== -----END PUBLIC KEY-----"# .as_bytes(), - SignatureDigestAlgorithm::default(), + &SigningScheme::default(), ) .expect("Cannot create CosignVerificationKey"); @@ -789,7 +782,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETJP9cqpUQsn2ggmJniWGjHdlsHzD JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== -----END PUBLIC KEY-----"# .as_bytes(), - SignatureDigestAlgorithm::default(), + &SigningScheme::default(), ) .expect("Cannot create CosignVerificationKey"); assert!(!sl.is_signed_by_key(&verification_key)); diff --git a/src/cosign/verification_constraint.rs b/src/cosign/verification_constraint.rs index a850ab02be..53c0aadc73 100644 --- a/src/cosign/verification_constraint.rs +++ b/src/cosign/verification_constraint.rs @@ -31,7 +31,7 @@ use std::collections::HashMap; use super::signature_layers::{CertificateSubject, SignatureLayer}; -use crate::crypto::{CosignVerificationKey, SignatureDigestAlgorithm}; +use crate::crypto::{CosignVerificationKey, SigningScheme}; use crate::errors::Result; /// A list of objects implementing the [`VerificationConstraint`] trait @@ -79,11 +79,8 @@ impl PublicKeyVerifier { /// Create a new instance of `PublicKeyVerifier`. /// The `key_raw` variable holds a PEM encoded rapresentation of the /// public key to be used at verification time. - pub fn new( - key_raw: &[u8], - signature_digest_algorithm: SignatureDigestAlgorithm, - ) -> Result { - let key = CosignVerificationKey::from_pem(key_raw, signature_digest_algorithm)?; + pub fn new(key_raw: &[u8], signing_scheme: &SigningScheme) -> Result { + let key = CosignVerificationKey::from_pem(key_raw, signing_scheme)?; Ok(PublicKeyVerifier { key }) } } diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs index d422d9c329..3d2f3edb02 100644 --- a/src/crypto/mod.rs +++ b/src/crypto/mod.rs @@ -15,44 +15,70 @@ //! Structures and constants required to perform cryptographic operations. -use ring::signature; +use sha2::{Sha256, Sha384}; use std::convert::TryFrom; -/// The default signature verification algorithm used by Sigstore. -/// Sigstore relies on NIST P-256 -/// NIST P-256 is a Weierstrass curve specified in [FIPS 186-4: Digital Signature Standard (DSS)](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf). -/// Also known as prime256v1 (ANSI X9.62) and secp256r1 (SECG) -pub static SIGSTORE_DEFAULT_SIGNATURE_VERIFICATION_ALGORITHM: - &signature::EcdsaVerificationAlgorithm = &signature::ECDSA_P256_SHA256_ASN1; - -/// Describes the signature digest algorithms supported. -/// The default one is sha256. -#[derive(Debug, Clone)] -pub enum SignatureDigestAlgorithm { - Sha256, - Sha384, - Sha512, +use crate::errors::*; + +pub use signing_key::SigStoreSigner; +pub use verification_key::CosignVerificationKey; + +/// Different digital signature algorithms. +/// * `ECDSA_P256_SHA256_ASN1`: ASN.1 DER-encoded ECDSA +/// signatures using the P-256 curve and SHA-256. It +/// is the default signing scheme. +/// * `ECDSA_P384_SHA384_ASN1`: ASN.1 DER-encoded ECDSA +/// signatures using the P-384 curve and SHA-384. +/// * `ED25519`: ECDSA signature using SHA2-512 +/// as the digest function and curve edwards25519. The +/// signature format please refer +/// to [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032.html#section-5.1.6). +#[allow(non_camel_case_types)] +#[derive(Debug, Clone, Copy)] +pub enum SigningScheme { + // TODO: Support RSA + ECDSA_P256_SHA256_ASN1, + ECDSA_P384_SHA384_ASN1, + ED25519, } -impl TryFrom<&str> for SignatureDigestAlgorithm { +impl TryFrom<&str> for SigningScheme { type Error = String; fn try_from(value: &str) -> std::result::Result { match value { - "sha256" => Ok(Self::Sha256), - "sha384" => Ok(Self::Sha384), - "sha512" => Ok(Self::Sha512), - unknown => Err(format!( - "Unsupported signature digest algorithm: {}", - unknown - )), + "ECDSA_P256_SHA256_ASN1" => Ok(Self::ECDSA_P256_SHA256_ASN1), + "ECDSA_P384_SHA384_ASN1" => Ok(Self::ECDSA_P384_SHA384_ASN1), + "ED25519" => Ok(Self::ED25519), + unknown => Err(format!("Unsupported signing algorithm: {}", unknown)), } } } -impl Default for SignatureDigestAlgorithm { +impl SigningScheme { + /// Create a key-pair due to the given signing scheme. + pub fn create_signer(&self) -> Result { + Ok(match self { + SigningScheme::ECDSA_P256_SHA256_ASN1 => SigStoreSigner::ECDSA_P256_SHA256_ASN1( + EcdsaSigner::<_, Sha256>::from_ecdsa_keys(&EcdsaKeys::::new()?)?, + ), + SigningScheme::ECDSA_P384_SHA384_ASN1 => SigStoreSigner::ECDSA_P384_SHA384_ASN1( + EcdsaSigner::<_, Sha384>::from_ecdsa_keys(&EcdsaKeys::::new()?)?, + ), + SigningScheme::ED25519 => { + SigStoreSigner::ED25519(Ed25519Signer::from_ed25519_keys(&Ed25519Keys::new()?)?) + } + }) + } +} + +/// The default signature verification algorithm used by Sigstore. +/// Sigstore relies on NIST P-256 +/// NIST P-256 is a Weierstrass curve specified in [FIPS 186-4: Digital Signature Standard (DSS)](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf). +/// Also known as prime256v1 (ANSI X9.62) and secp256r1 (SECG) +impl Default for SigningScheme { fn default() -> Self { - Self::Sha256 + SigningScheme::ECDSA_P256_SHA256_ASN1 } } @@ -68,7 +94,11 @@ pub(crate) mod certificate; pub(crate) mod certificate_pool; pub mod verification_key; -pub use verification_key::CosignVerificationKey; + +use self::signing_key::{ + ecdsa::ec::{EcdsaKeys, EcdsaSigner}, + ed25519::{Ed25519Keys, Ed25519Signer}, +}; pub mod signing_key; diff --git a/src/crypto/signing_key/ecdsa/ec.rs b/src/crypto/signing_key/ecdsa/ec.rs index 41069cf7b2..d91c703652 100644 --- a/src/crypto/signing_key/ecdsa/ec.rs +++ b/src/crypto/signing_key/ecdsa/ec.rs @@ -94,7 +94,8 @@ use crate::{ kdf, KeyPair, Signer, COSIGN_PRIVATE_KEY_PEM_LABEL, PRIVATE_KEY_PEM_LABEL, SIGSTORE_PRIVATE_KEY_PEM_LABEL, }, - CosignVerificationKey, SignatureDigestAlgorithm, + verification_key::CosignVerificationKey, + SigningScheme, }, errors::*, }; @@ -267,12 +268,9 @@ where } /// Derive the relative [`CosignVerificationKey`]. - fn to_verification_key( - &self, - signature_digest_algorithm: SignatureDigestAlgorithm, - ) -> Result { + fn to_verification_key(&self, signing_scheme: &SigningScheme) -> Result { let pem = self.public_key_to_pem()?; - CosignVerificationKey::from_pem(pem.as_bytes(), signature_digest_algorithm) + CosignVerificationKey::from_pem(pem.as_bytes(), signing_scheme) } } @@ -378,11 +376,10 @@ where mod tests { use std::fs; - use ring::signature::ECDSA_P256_SHA256_ASN1; - use crate::crypto::{ signing_key::{tests::MESSAGE, KeyPair, Signer}, - CosignVerificationKey, Signature, SignatureDigestAlgorithm, + verification_key::CosignVerificationKey, + Signature, SigningScheme, }; use super::{EcdsaKeys, EcdsaSigner}; @@ -466,16 +463,14 @@ mod tests { let pubkey = key .public_key_to_pem() .expect("export private key to PEM format failed."); - assert!(CosignVerificationKey::from_pem( - pubkey.as_bytes(), - SignatureDigestAlgorithm::Sha256 - ) - .is_ok()); + assert!( + CosignVerificationKey::from_pem(pubkey.as_bytes(), &SigningScheme::default(),).is_ok() + ); let pubkey = key .public_key_to_der() .expect("export private key to DER format failed."); assert!( - CosignVerificationKey::from_der(&pubkey, &ECDSA_P256_SHA256_ASN1).is_ok(), + CosignVerificationKey::from_der(&pubkey, &SigningScheme::default()).is_ok(), "can not create CosignVerificationKey from der bytes." ); } @@ -487,8 +482,7 @@ mod tests { let key = EcdsaKeys::::new().expect("create ecdsa keys with P256 curve failed."); assert!( - key.to_verification_key(SignatureDigestAlgorithm::Sha256) - .is_ok(), + key.to_verification_key(&SigningScheme::default()).is_ok(), "can not create CosignVerificationKey from EcdsaKeys via `to_verification_key`." ); } @@ -511,9 +505,11 @@ mod tests { let sig = signer .sign(MESSAGE.as_bytes()) .expect("signing message failed."); - let verification_key = - CosignVerificationKey::from_pem(pubkey.as_bytes(), SignatureDigestAlgorithm::Sha256) - .expect("convert CosignVerificationKey from public key failed."); + let verification_key = CosignVerificationKey::from_pem( + pubkey.as_bytes(), + &SigningScheme::ECDSA_P256_SHA256_ASN1, + ) + .expect("convert CosignVerificationKey from public key failed."); let signature = Signature::Raw(&sig); assert!( verification_key diff --git a/src/crypto/signing_key/ed25519.rs b/src/crypto/signing_key/ed25519.rs index ddf95a805d..8eac825542 100644 --- a/src/crypto/signing_key/ed25519.rs +++ b/src/crypto/signing_key/ed25519.rs @@ -68,7 +68,7 @@ use signature::Signer as _; use x509_parser::nom::AsBytes; use crate::{ - crypto::{CosignVerificationKey, SignatureDigestAlgorithm}, + crypto::{verification_key::CosignVerificationKey, SigningScheme}, errors::*, }; @@ -258,10 +258,10 @@ impl KeyPair for Ed25519Keys { /// Derive the relative [`CosignVerificationKey`]. fn to_verification_key( &self, - _signature_digest_algorithm: SignatureDigestAlgorithm, + _signature_digest_algorithm: &SigningScheme, ) -> Result { let der = self.public_key_to_der()?; - let res = CosignVerificationKey::from_der(&der, &ring::signature::ED25519)?; + let res = CosignVerificationKey::from_der(&der, &SigningScheme::ED25519)?; Ok(res) } } @@ -315,11 +315,10 @@ impl Signer for Ed25519Signer { mod tests { use std::fs; - use ring::signature::ED25519; - use crate::crypto::{ signing_key::{tests::MESSAGE, KeyPair, Signer}, - CosignVerificationKey, Signature, SignatureDigestAlgorithm, + verification_key::CosignVerificationKey, + Signature, SigningScheme, }; use super::{Ed25519Keys, Ed25519Signer}; @@ -399,16 +398,16 @@ mod tests { let pubkey = key .public_key_to_pem() .expect("export private key to PEM format failed."); + println!("{}", pubkey); assert!( - CosignVerificationKey::from_pem(pubkey.as_bytes(), SignatureDigestAlgorithm::Sha256) - .is_ok(), + CosignVerificationKey::from_pem(pubkey.as_bytes(), &SigningScheme::ED25519).is_ok(), "can not convert public key in PEM format into CosignVerificationKey.", ); let pubkey = key .public_key_to_der() .expect("export private key to DER format failed."); assert!( - CosignVerificationKey::from_der(&pubkey, &ED25519).is_ok(), + CosignVerificationKey::from_der(&pubkey, &SigningScheme::ED25519).is_ok(), "can not create CosignVerificationKey from der bytes." ); } @@ -419,8 +418,7 @@ mod tests { fn ecdsa_derive_verification_key() { let key = Ed25519Keys::new().expect("create ed25519 keys failed."); assert!( - key.to_verification_key(SignatureDigestAlgorithm::Sha256) - .is_ok(), + key.to_verification_key(&SigningScheme::ED25519).is_ok(), "can not create CosignVerificationKey from EcdsaKeys via `to_verification_key`.", ); } @@ -442,7 +440,7 @@ mod tests { .sign(MESSAGE.as_bytes()) .expect("signing message failed."); let verification_key = - CosignVerificationKey::from_pem(pubkey.as_bytes(), SignatureDigestAlgorithm::Sha256) + CosignVerificationKey::from_pem(pubkey.as_bytes(), &SigningScheme::ED25519) .expect("convert CosignVerificationKey from public key failed."); let signature = Signature::Raw(&sig); assert!( diff --git a/src/crypto/signing_key/mod.rs b/src/crypto/signing_key/mod.rs index 070a69342e..7695cde4bc 100644 --- a/src/crypto/signing_key/mod.rs +++ b/src/crypto/signing_key/mod.rs @@ -37,7 +37,7 @@ //! //! ```rust //! use sigstore::crypto::signing_key::SigStoreSigner; -//! use sigstore::crypto::signing_key::SigningScheme; +//! use sigstore::crypto::SigningScheme; //! use sigstore::crypto::Signature; //! //! let test_data = b"test message"; @@ -62,28 +62,21 @@ //! More use cases please refer to <`https://github.com/sigstore/sigstore-rs/tree/main/examples/key_interface`> use elliptic_curve::zeroize::Zeroizing; -use sha2::{Sha256, Sha384}; use crate::errors::*; use self::{ - ecdsa::{ - ec::{EcdsaKeys, EcdsaSigner}, - ECDSAKeys, - }, + ecdsa::{ec::EcdsaSigner, ECDSAKeys}, ed25519::{Ed25519Keys, Ed25519Signer}, }; -use super::{CosignVerificationKey, SignatureDigestAlgorithm}; +use super::{verification_key::CosignVerificationKey, SigningScheme}; pub mod ecdsa; pub mod ed25519; pub mod kdf; pub mod rsa; -/// Defatult signing algorithm used in sigstore. -pub const SIGSTORE_DEFAULT_SIGNING_ALGORITHM: SigningScheme = SigningScheme::ECDSA_P256_SHA256_ASN1; - /// The label for pem of cosign generated encrypted private keys. pub const COSIGN_PRIVATE_KEY_PEM_LABEL: &str = "ENCRYPTED COSIGN PRIVATE KEY"; @@ -124,7 +117,7 @@ pub trait KeyPair { /// the public key. fn to_verification_key( &self, - signature_digest_algorithm: SignatureDigestAlgorithm, + signature_digest_algorithm: &SigningScheme, ) -> Result; } @@ -205,9 +198,9 @@ impl SigStoreKeyPair { /// the public key. pub fn to_verification_key( &self, - signature_digest_algorithm: SignatureDigestAlgorithm, + signing_scheme: &SigningScheme, ) -> Result { - sigstore_keypair_code!(to_verification_key(signature_digest_algorithm), self) + sigstore_keypair_code!(to_verification_key(signing_scheme), self) } } @@ -222,41 +215,6 @@ pub trait Signer { fn sign(&self, msg: &[u8]) -> Result>; } -/// Different digital signature algorithms. -/// * `ECDSA_P256_SHA256_ASN1`: ASN.1 DER-encoded ECDSA -/// signatures using the P-256 curve and SHA-256. -/// * `ECDSA_P384_SHA384_ASN1`: ASN.1 DER-encoded ECDSA -/// signatures using the P-384 curve and SHA-384. -/// * `ED25519`: ECDSA signature using SHA2-512 -/// as the digest function and curve edwards25519. The -/// signature format please refer -/// to [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032.html#section-5.1.6). -#[allow(non_camel_case_types)] -#[derive(Debug, Clone, Copy)] -pub enum SigningScheme { - // TODO: Support RSA - ECDSA_P256_SHA256_ASN1, - ECDSA_P384_SHA384_ASN1, - ED25519, -} - -impl SigningScheme { - /// Create a key-pair due to the given signing scheme. - pub fn create_signer(&self) -> Result { - Ok(match self { - SigningScheme::ECDSA_P256_SHA256_ASN1 => SigStoreSigner::ECDSA_P256_SHA256_ASN1( - EcdsaSigner::<_, Sha256>::from_ecdsa_keys(&EcdsaKeys::::new()?)?, - ), - SigningScheme::ECDSA_P384_SHA384_ASN1 => SigStoreSigner::ECDSA_P384_SHA384_ASN1( - EcdsaSigner::<_, Sha384>::from_ecdsa_keys(&EcdsaKeys::::new()?)?, - ), - SigningScheme::ED25519 => { - SigStoreSigner::ED25519(Ed25519Signer::from_ed25519_keys(&Ed25519Keys::new()?)?) - } - }) - } -} - #[allow(non_camel_case_types)] pub enum SigStoreSigner { ECDSA_P256_SHA256_ASN1(EcdsaSigner), @@ -282,14 +240,14 @@ impl SigStoreSigner { /// `to_verification_key` will derive the verification_key for the `SigStoreSigner`. pub fn to_verification_key(&self) -> Result { - let signature_digest_algorithm = match self { - SigStoreSigner::ECDSA_P256_SHA256_ASN1(_) => SignatureDigestAlgorithm::Sha256, - SigStoreSigner::ECDSA_P384_SHA384_ASN1(_) => SignatureDigestAlgorithm::Sha384, - _ => SignatureDigestAlgorithm::Sha256, + let signing_scheme = match self { + SigStoreSigner::ECDSA_P256_SHA256_ASN1(_) => SigningScheme::ECDSA_P256_SHA256_ASN1, + SigStoreSigner::ECDSA_P384_SHA384_ASN1(_) => SigningScheme::ECDSA_P384_SHA384_ASN1, + SigStoreSigner::ED25519(_) => SigningScheme::ED25519, }; self.as_inner() .key_pair() - .to_verification_key(signature_digest_algorithm) + .to_verification_key(&signing_scheme) } /// `key_pair` will return the reference of the `SigStoreKeyPair` enum due to `SigStoreSigner`. @@ -312,7 +270,7 @@ impl SigStoreSigner { mod tests { use rstest::rstest; - use crate::crypto::{signing_key::SigningScheme, CosignVerificationKey, Signature}; + use crate::crypto::{verification_key::CosignVerificationKey, Signature, SigningScheme}; /// This is a test MESSAGE used to be signed by all signing test. pub const MESSAGE: &str = r#"{ diff --git a/src/crypto/verification_key.rs b/src/crypto/verification_key.rs index abf4b7c8e4..37b7d9aa13 100644 --- a/src/crypto/verification_key.rs +++ b/src/crypto/verification_key.rs @@ -13,94 +13,70 @@ // See the License for the specific language governing permissions and // limitations under the License. -use ring::signature::{self, UnparsedPublicKey, VerificationAlgorithm}; -use x509_parser::{oid_registry::*, prelude::FromDer, x509::SubjectPublicKeyInfo}; +use ecdsa::VerifyingKey; +use pkcs8::DecodePublicKey; +use sha2::{Digest, Sha256, Sha384}; +use signature::{DigestVerifier, Verifier}; +use x509_parser::{prelude::FromDer, x509::SubjectPublicKeyInfo}; use super::{ signing_key::{KeyPair, SigStoreSigner}, - Signature, SignatureDigestAlgorithm, + Signature, SigningScheme, }; -use crate::errors::{Result, SigstoreError}; + +use crate::errors::*; /// A key that can be used to verify signatures. /// -/// Underneath leverages [`ring`](https://crates.io/crates/ring) to implement all -/// the cryptographic operatations. -/// /// Currently the following key formats are supported: /// -/// * RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-256 as digest algorithm -/// * RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-384 as digest algorithm -/// * RSA keys of 2048-8192 bits, PKCS#1.5 padding, and SHA-512 as digest algorithm /// * Ed25519 keys, and SHA-512 as the digest algorithm /// * ECDSA keys, ASN.1 DER-encoded, using the P-256 curve and SHA-256 as digest algorithm /// * ECDSA keys, ASN.1 DER-encoded, using the P-384 curve and SHA-384 as digest algorithm +#[allow(non_camel_case_types)] #[derive(Debug, Clone)] -pub struct CosignVerificationKey { - verification_algorithm: &'static dyn VerificationAlgorithm, - data: Vec, +pub enum CosignVerificationKey { + ECDSA_P256_SHA256_ASN1(VerifyingKey), + ECDSA_P384_SHA384_ASN1(VerifyingKey), + ED25519(ed25519_dalek_fiat::PublicKey), } impl CosignVerificationKey { - /// Builds a `CosignVerificationKey` from DER-encoded data. The methods takes care + /// Builds a [`CosignVerificationKey`] from DER-encoded data. The methods takes care /// of extracting the SubjectPublicKeyInfo from the DER-encoded data. - pub fn from_der( - der_data: &[u8], - verification_algorithm: &'static dyn signature::VerificationAlgorithm, - ) -> Result { - let (_, public_key) = SubjectPublicKeyInfo::from_der(der_data)?; - let data = public_key.subject_public_key.data.into_owned(); - - Ok(Self { - data, - verification_algorithm, + pub fn from_der(der_data: &[u8], signing_scheme: &SigningScheme) -> Result { + Ok(match signing_scheme { + SigningScheme::ECDSA_P256_SHA256_ASN1 => CosignVerificationKey::ECDSA_P256_SHA256_ASN1( + VerifyingKey::from_public_key_der(der_data).map_err(|e| { + SigstoreError::PKCS8SpkiError(format!( + "Ecdsa-P256 from der bytes to public key failed: {}", + e, + )) + })?, + ), + SigningScheme::ECDSA_P384_SHA384_ASN1 => CosignVerificationKey::ECDSA_P384_SHA384_ASN1( + VerifyingKey::from_public_key_der(der_data).map_err(|e| { + SigstoreError::PKCS8SpkiError(format!( + "Ecdsa-P384 from der bytes to public key failed: {}", + e, + )) + })?, + ), + SigningScheme::ED25519 => { + let (_, public_key) = SubjectPublicKeyInfo::from_der(der_data)?; + CosignVerificationKey::ED25519(ed25519_dalek_fiat::PublicKey::from_bytes( + &public_key.subject_public_key.data, + )?) + } }) } - /// Builds a `CosignVerificationKey` from PEM-encoded data. The methods takes care + /// Builds a [`CosignVerificationKey`] from PEM-encoded data. The methods takes care /// of decoding the PEM-encoded data and then extracting the SubjectPublicKeyInfo /// from the DER-encoded bytes. - pub fn from_pem( - pem_data: &[u8], - signature_digest_algorithm: SignatureDigestAlgorithm, - ) -> Result { + pub fn from_pem(pem_data: &[u8], signing_scheme: &SigningScheme) -> Result { let key_pem = pem::parse(pem_data)?; - - let (_, public_key) = SubjectPublicKeyInfo::from_der(key_pem.contents.as_slice())?; - - let signature_alg = &public_key.algorithm.algorithm; - let verification_algorithm: Result<&dyn signature::VerificationAlgorithm> = - if *signature_alg == OID_PKCS1_RSAENCRYPTION { - match signature_digest_algorithm { - SignatureDigestAlgorithm::Sha256 => Ok(&signature::RSA_PKCS1_2048_8192_SHA256), - SignatureDigestAlgorithm::Sha384 => Ok(&signature::RSA_PKCS1_2048_8192_SHA384), - SignatureDigestAlgorithm::Sha512 => Ok(&signature::RSA_PKCS1_2048_8192_SHA512), - } - } else if *signature_alg == OID_SIG_ED25519 { - Ok(&signature::ED25519) - } else if *signature_alg == OID_KEY_TYPE_EC_PUBLIC_KEY { - match signature_digest_algorithm { - SignatureDigestAlgorithm::Sha256 => Ok(&signature::ECDSA_P256_SHA256_ASN1), - SignatureDigestAlgorithm::Sha384 => Ok(&signature::ECDSA_P384_SHA384_ASN1), - SignatureDigestAlgorithm::Sha512 => { - Err(SigstoreError::PublicKeyUnsupportedAlgorithmError( - "Cannot use ECDSA with sha512 digest".to_string(), - )) - } - } - } else { - Err(SigstoreError::PublicKeyUnsupportedAlgorithmError( - "unknown algorithm".to_string(), - )) - }; - - let verification_algorithm = verification_algorithm?; - let data = public_key.subject_public_key.data.into_owned(); - - Ok(Self { - verification_algorithm, - data, - }) + Self::from_der(key_pem.contents.as_slice(), signing_scheme) } /// Builds a `CosignVerificationKey` from [`SigStoreSigner`]. The methods will derive @@ -111,25 +87,44 @@ impl CosignVerificationKey { /// Builds a `CosignVerificationKey` from [`KeyPair`]. The methods will derive /// a `CosignVerificationKey` from the given [`KeyPair`]'s public key. - pub fn from_key_pair( - signer: &dyn KeyPair, - signature_digest_algorithm: SignatureDigestAlgorithm, - ) -> Result { - signer.to_verification_key(signature_digest_algorithm) + pub fn from_key_pair(signer: &dyn KeyPair, signing_scheme: &SigningScheme) -> Result { + signer.to_verification_key(signing_scheme) } /// Verify the signature provided has been actually generated by the given key /// when signing the provided message. pub fn verify_signature(&self, signature: Signature, msg: &[u8]) -> Result<()> { - let key = UnparsedPublicKey::new(self.verification_algorithm, &self.data); - let sig = match signature { Signature::Raw(data) => data.to_owned(), Signature::Base64Encoded(data) => base64::decode(data)?, }; - key.verify(msg, &sig) - .map_err(|_| SigstoreError::PublicKeyVerificationError) + match self { + // ECDSA signatures are encoded in der. + CosignVerificationKey::ECDSA_P256_SHA256_ASN1(inner) => { + let mut hasher = Sha256::new(); + digest::Digest::update(&mut hasher, msg); + let sig = ecdsa::Signature::from_der(&sig)?; + inner + .verify_digest(hasher, &sig) + .map_err(|_| SigstoreError::PublicKeyVerificationError) + } + CosignVerificationKey::ECDSA_P384_SHA384_ASN1(inner) => { + let mut hasher = Sha384::new(); + digest::Digest::update(&mut hasher, msg); + let sig = ecdsa::Signature::from_der(&sig)?; + inner + .verify_digest(hasher, &sig) + .map_err(|_| SigstoreError::PublicKeyVerificationError) + } + CosignVerificationKey::ED25519(inner) => { + let sig = ed25519::Signature::from_bytes(&sig[..]) + .map_err(|_| SigstoreError::PublicKeyVerificationError)?; + inner + .verify(msg, &sig) + .map_err(|_| SigstoreError::PublicKeyVerificationError) + } + } } } @@ -141,11 +136,9 @@ mod tests { #[test] fn verify_signature_success() { let signature = Signature::Base64Encoded(b"MEUCIQD6q/COgzOyW0YH1Dk+CCYSt4uAhm3FDHUwvPI55zwnlwIgE0ZK58ZOWpZw8YVmBapJhBqCfdPekIknimuO0xH8Jh8="); - let verification_key = CosignVerificationKey::from_pem( - PUBLIC_KEY.as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create CosignVerificationKey"); + let verification_key = + CosignVerificationKey::from_pem(PUBLIC_KEY.as_bytes(), &SigningScheme::default()) + .expect("Cannot create CosignVerificationKey"); let msg = r#"{"critical":{"identity":{"docker-reference":"registry-testing.svc.lan/busybox"},"image":{"docker-manifest-digest":"sha256:f3cfc9d0dbf931d3db4685ec659b7ac68e2a578219da4aae65427886e649b06b"},"type":"cosign container image signature"},"optional":null}"#; let outcome = verification_key.verify_signature(signature, &msg.as_bytes()); @@ -155,11 +148,9 @@ mod tests { #[test] fn verify_signature_failure_because_wrong_msg() { let signature = Signature::Base64Encoded(b"MEUCIQD6q/COgzOyW0YH1Dk+CCYSt4uAhm3FDHUwvPI55zwnlwIgE0ZK58ZOWpZw8YVmBapJhBqCfdPekIknimuO0xH8Jh8="); - let verification_key = CosignVerificationKey::from_pem( - PUBLIC_KEY.as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create CosignVerificationKey"); + let verification_key = + CosignVerificationKey::from_pem(PUBLIC_KEY.as_bytes(), &SigningScheme::default()) + .expect("Cannot create CosignVerificationKey"); let msg = "hello world"; let err = verification_key @@ -175,11 +166,9 @@ mod tests { #[test] fn verify_signature_failure_because_wrong_signature() { let signature = Signature::Base64Encoded(b"this is a signature"); - let verification_key = CosignVerificationKey::from_pem( - PUBLIC_KEY.as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create CosignVerificationKey"); + let verification_key = + CosignVerificationKey::from_pem(PUBLIC_KEY.as_bytes(), &SigningScheme::default()) + .expect("Cannot create CosignVerificationKey"); let msg = r#"{"critical":{"identity":{"docker-reference":"registry-testing.svc.lan/busybox"},"image":{"docker-manifest-digest":"sha256:f3cfc9d0dbf931d3db4685ec659b7ac68e2a578219da4aae65427886e649b06b"},"type":"cosign container image signature"},"optional":null}"#; let err = verification_key @@ -202,7 +191,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETJP9cqpUQsn2ggmJniWGjHdlsHzD JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== -----END PUBLIC KEY-----"# .as_bytes(), - SignatureDigestAlgorithm::default(), + &SigningScheme::default(), ) .expect("Cannot create CosignVerificationKey"); let msg = r#"{"critical":{"identity":{"docker-reference":"registry-testing.svc.lan/busybox"},"image":{"docker-manifest-digest":"sha256:f3cfc9d0dbf931d3db4685ec659b7ac68e2a578219da4aae65427886e649b06b"},"type":"cosign container image signature"},"optional":null}"#; @@ -217,28 +206,29 @@ JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ== assert!(found, "Didn't get expected error, got {:?} instead", err); } - #[test] - fn verify_rsa_signature() { - let signature = Signature::Base64Encoded(b"umasnfYJyLbYPjiq1wIy086Ns+CrgiMoQUSGqPqlUmtWsY0hbngJ73hPfJFrppviPKdBeuUiiwgKagBKIXLEXjwxQp4eE3szwqkKoAnR/lByb7ahLgVQ4MB6xDQaHD53MYtj7aOvd4O7FqJltVVjEn7nM/Du2tL5y3jf6lD7VfHZE8uRocRlyppt8SfTc5L12mVlZ0YlfKYkd334A4y/reCy3Yws0j356Wj7GLScMU5uR11Y2y41rSyYm5uXhTerwNFXsRcPMAmenMarCdCmt4Lf4wpcJBCU172xiK+rIhbMgkLjjA772+auSYf1E8CySVah5CD0Td5YC3y8vIIYaA=="); - - let verification_key = CosignVerificationKey::from_pem( - r#"-----BEGIN PUBLIC KEY----- -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvM/dHoi6nSy7hbKHLYUr -Xy6Bv35JbdoIzny5vSFiRXApr0KS56U8PugdGmh+vd7H8YNlx2YOJxzv02Blsrcm -WDZcXjE3Xpsi/IHFfRZLOdwwR+u8MNFxwRUVzxyIzKGtbREVVfXPfb2Xc6FL5/tE -vQtUKuR6XdzSaav2RnV5IybCB09s0Np0AUbdi5EfSe4INuqgY+VFYLjvM5onbAQL -N3bFLS4Quk66Dhv93Zi6NwopwL1F07UPC5uadkyePStP3PA0OAOemj9vZADOWx5a -dsGCKISs8iphNC5mDVoLy8Ry49Ms3eQXRjVQOMco3YNf8AhsIdxDNBVN8VTDKVkE -DwIDAQAB ------END PUBLIC KEY-----"# - .as_bytes(), - SignatureDigestAlgorithm::default(), - ) - .expect("Cannot create CosignVerificationKey"); - let msg = r#"{"critical":{"identity":{"docker-reference":"registry.suse.com/suse/sle-micro/5.0/toolbox"},"image":{"docker-manifest-digest":"sha256:356631f7603526a0af827741f5fe005acf19b7ef7705a34241a91c2d47a6db5e"},"type":"cosign container image signature"},"optional":{"creator":"OBS"}}"#; - - assert!(verification_key - .verify_signature(signature, &msg.as_bytes()) - .is_ok()); - } + // TODO: After add rsa signing and verification + // #[test] + // fn verify_rsa_signature() { + // let signature = Signature::Base64Encoded(b"umasnfYJyLbYPjiq1wIy086Ns+CrgiMoQUSGqPqlUmtWsY0hbngJ73hPfJFrppviPKdBeuUiiwgKagBKIXLEXjwxQp4eE3szwqkKoAnR/lByb7ahLgVQ4MB6xDQaHD53MYtj7aOvd4O7FqJltVVjEn7nM/Du2tL5y3jf6lD7VfHZE8uRocRlyppt8SfTc5L12mVlZ0YlfKYkd334A4y/reCy3Yws0j356Wj7GLScMU5uR11Y2y41rSyYm5uXhTerwNFXsRcPMAmenMarCdCmt4Lf4wpcJBCU172xiK+rIhbMgkLjjA772+auSYf1E8CySVah5CD0Td5YC3y8vIIYaA=="); + + // let verification_key = CosignVerificationKey::from_pem( + // r#"-----BEGIN PUBLIC KEY----- + // MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvM/dHoi6nSy7hbKHLYUr + // Xy6Bv35JbdoIzny5vSFiRXApr0KS56U8PugdGmh+vd7H8YNlx2YOJxzv02Blsrcm + // WDZcXjE3Xpsi/IHFfRZLOdwwR+u8MNFxwRUVzxyIzKGtbREVVfXPfb2Xc6FL5/tE + // vQtUKuR6XdzSaav2RnV5IybCB09s0Np0AUbdi5EfSe4INuqgY+VFYLjvM5onbAQL + // N3bFLS4Quk66Dhv93Zi6NwopwL1F07UPC5uadkyePStP3PA0OAOemj9vZADOWx5a + // dsGCKISs8iphNC5mDVoLy8Ry49Ms3eQXRjVQOMco3YNf8AhsIdxDNBVN8VTDKVkE + // DwIDAQAB + // -----END PUBLIC KEY-----"# + // .as_bytes(), + // &SigningScheme::RSA, + // ) + // .expect("Cannot create CosignVerificationKey"); + // let msg = r#"{"critical":{"identity":{"docker-reference":"registry.suse.com/suse/sle-micro/5.0/toolbox"},"image":{"docker-manifest-digest":"sha256:356631f7603526a0af827741f5fe005acf19b7ef7705a34241a91c2d47a6db5e"},"type":"cosign container image signature"},"optional":{"creator":"OBS"}}"#; + + // assert!(verification_key + // .verify_signature(signature, &msg.as_bytes()) + // .is_ok()); + // } } diff --git a/src/lib.rs b/src/lib.rs index 84ab28d866..ab56ff0b0f 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -68,7 +68,7 @@ //! PublicKeyVerifier, //! VerificationConstraintVec, //! }; -//! use crate::sigstore::crypto::SignatureDigestAlgorithm; +//! use crate::sigstore::crypto::SigningScheme; //! use crate::sigstore::errors::SigstoreError; //! use sigstore::errors::SigstoreVerifyConstraintsError; //! @@ -117,7 +117,7 @@ //! .expect("Cannot read contents of cosign public key"); //! let pub_key_verifier = PublicKeyVerifier::new( //! &verification_key, -//! SignatureDigestAlgorithm::default(), +//! &SigningScheme::default(), //! ).expect("Could not create verifier"); //! //! let verification_constraints: VerificationConstraintVec = vec![