refactor: remove ring dependency

- replace ring crate with RustCrypto - refactor CosignVerificationKey implementation and interface - fix the code which references CosignVerificationKey Signed-off-by: Xynnn007 <[email protected]>
sigstore · Sep 30, 2022 · d825b23 · d825b23
1 parent 796b50b
commit d825b23
Show file tree

Hide file tree

Showing 17 changed files with 297 additions and 288 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -26,7 +26,6 @@ openidconnect = { version = "2.3", default-features = false, features = [ "reqwe
 pem = "1.0.2"
 picky = { version = "7.0.0-rc.3", default-features = false, features = [ "x509", "ec" ] }
 regex = "1.5.5"
-ring = "0.16.20"
 serde_json = "1.0.79"
 serde = { version = "1.0.136", features = ["derive"] }
 sha2 = "0.10.2"
@@ -44,7 +43,7 @@ pkcs8 = { version = "0.9.0", features = ["pem", "alloc", "pkcs5", "encryption"]
 elliptic-curve = { version = "0.12.2", features = [ "arithmetic", "pem" ] }
 p256 = "0.11.1"
 p384 = "0.11.1"
-ecdsa = { version = "0.14.3", features = [ "pkcs8", "digest" ] }
+ecdsa = { version = "0.14.3", features = [ "pkcs8", "digest", "der" ] }
 digest = "0.10.3"
 signature = { version = "1.5.0", features = [ "digest-preview" ] }
 ed25519 = { version = "1", features = [ "alloc" ] }

diff --git a/examples/cosign/verify/main.rs b/examples/cosign/verify/main.rs
@@ -19,7 +19,7 @@ use sigstore::cosign::verification_constraint::{
     VerificationConstraintVec,
 };
 use sigstore::cosign::{CosignCapabilities, SignatureLayer};
-use sigstore::crypto::SignatureDigestAlgorithm;
+use sigstore::crypto::SigningScheme;
 use sigstore::errors::SigstoreVerifyConstraintsError;
 use sigstore::tuf::SigstoreRepository;
 use std::boxed::Box;
@@ -47,9 +47,9 @@ struct Cli {
     #[clap(short, long, required(false))]
     key: Option<String>,
 
-    /// Digest algorithm to use when processing a signature
-    #[clap(long, default_value = "sha256")]
-    signature_digest_algorithm: String,
+    /// Signing scheme when signing and verifying
+    #[clap(long, required(false))]
+    signing_scheme: Option<String>,
 
     /// Fetch Rekor and Fulcio data from Sigstore's TUF repository"
     #[clap(long)]
@@ -156,11 +156,18 @@ async fn run_app(
     }
     if let Some(path_to_key) = cli.key.as_ref() {
         let key = fs::read(path_to_key).map_err(|e| anyhow!("Cannot read key: {:?}", e))?;
-        let signature_digest_algorithm =
-            SignatureDigestAlgorithm::try_from(cli.signature_digest_algorithm.as_str())
-                .map_err(anyhow::Error::msg)?;
-        let verifier = PublicKeyVerifier::new(&key, signature_digest_algorithm)
-            .map_err(|e| anyhow!("Cannot create public key verifier: {}", e))?;
+
+        let verifier = match &cli.signing_scheme {
+            Some(scheme) => {
+                let signing_scheme =
+                    SigningScheme::try_from(&scheme[..]).map_err(anyhow::Error::msg)?;
+                PublicKeyVerifier::new(&key, &signing_scheme)
+                    .map_err(|e| anyhow!("Cannot create public key verifier: {}", e))?
+            }
+            None => PublicKeyVerifier::try_from(&key)
+                .map_err(|e| anyhow!("Cannot create public key verifier: {}", e))?,
+        };
+
         verification_constraints.push(Box::new(verifier));
     }
 

diff --git a/examples/key_interface/key_pair_gen_and_export/main.rs b/examples/key_interface/key_pair_gen_and_export/main.rs
@@ -14,7 +14,7 @@
 // limitations under the License.
 
 use anyhow::Result;
-use sigstore::crypto::signing_key::SigningScheme;
+use sigstore::crypto::SigningScheme;
 
 const PASSWORD: &str = "example password";
 

diff --git a/examples/key_interface/key_pair_gen_sign_verify/main.rs b/examples/key_interface/key_pair_gen_sign_verify/main.rs
@@ -14,7 +14,7 @@
 // limitations under the License.
 
 use anyhow::{anyhow, Result};
-use sigstore::crypto::{signing_key::SigningScheme, Signature};
+use sigstore::crypto::{Signature, SigningScheme};
 
 const DATA_TO_BE_SIGNED: &str = "this is an example data to be signed";
 

diff --git a/examples/key_interface/key_pair_import/main.rs b/examples/key_interface/key_pair_import/main.rs
@@ -14,10 +14,9 @@
 // limitations under the License.
 
 use anyhow::{bail, Result};
-use ring::signature::ECDSA_P256_SHA256_ASN1;
 use sigstore::crypto::{
     signing_key::{ecdsa::ECDSAKeys, SigStoreKeyPair},
-    CosignVerificationKey, SignatureDigestAlgorithm,
+    CosignVerificationKey, SigningScheme,
 };
 
 const PASSWORD: &str = "password";
@@ -30,13 +29,16 @@ const ECDSA_P256_ASN1_ENCRYPTED_PRIVATE_PEM: &[u8] =
     include_bytes!("./ECDSA_P256_ASN1_ENCRYPTED_PRIVATE_PEM.key");
 
 fn main() -> Result<()> {
-    let _ = CosignVerificationKey::from_pem(
-        ECDSA_P256_ASN1_PUBLIC_PEM,
-        SignatureDigestAlgorithm::Sha256,
-    )?;
+    let _ = CosignVerificationKey::from_pem(ECDSA_P256_ASN1_PUBLIC_PEM, &SigningScheme::default())?;
+    println!("Imported PEM encoded public key as CosignVerificationKey using ECDSA_P256_ASN1_PUBLIC_PEM as verification algorithm.");
+
+    let _ = CosignVerificationKey::from_der(ECDSA_P256_ASN1_PUBLIC_DER, &SigningScheme::default())?;
+    println!("Imported DER encoded public key as CosignVerificationKey using ECDSA_P256_ASN1_PUBLIC_PEM as verification algorithm.");
+
+    let _ = CosignVerificationKey::try_from_pem(ECDSA_P256_ASN1_PUBLIC_PEM)?;
     println!("Imported PEM encoded public key as CosignVerificationKey.");
 
-    let _ = CosignVerificationKey::from_der(ECDSA_P256_ASN1_PUBLIC_DER, &ECDSA_P256_SHA256_ASN1)?;
+    let _ = CosignVerificationKey::try_from_der(ECDSA_P256_ASN1_PUBLIC_DER)?;
     println!("Imported DER encoded public key as CosignVerificationKey.");
 
     let _ = SigStoreKeyPair::from_pem(ECDSA_P256_ASN1_PRIVATE_PEM)?;

diff --git a/src/cosign/bundle.rs b/src/cosign/bundle.rs
@@ -70,7 +70,7 @@ mod tests {
     use serde_json::json;
 
     use crate::cosign::tests::get_rekor_public_key;
-    use crate::crypto::SignatureDigestAlgorithm;
+    use crate::crypto::SigningScheme;
 
     fn build_correct_bundle() -> String {
         let bundle_json = json!({
@@ -101,11 +101,9 @@ mod tests {
 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENptdY/l3nB0yqkXLBWkZWQwo6+cu
 OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw==
 -----END PUBLIC KEY-----"#;
-        let not_rekor_pub_key = CosignVerificationKey::from_pem(
-            public_key.as_bytes(),
-            SignatureDigestAlgorithm::default(),
-        )
-        .expect("Cannot create CosignVerificationKey");
+        let not_rekor_pub_key =
+            CosignVerificationKey::from_pem(public_key.as_bytes(), &SigningScheme::default())
+                .expect("Cannot create CosignVerificationKey");
 
         let bundle_json = build_correct_bundle();
         let bundle = Bundle::new_verified(&bundle_json, &not_rekor_pub_key);

diff --git a/src/cosign/client.rs b/src/cosign/client.rs
@@ -137,14 +137,13 @@ impl Client {
 mod tests {
     use super::*;
     use crate::cosign::tests::{get_fulcio_cert_pool, REKOR_PUB_KEY};
-    use crate::{crypto::SignatureDigestAlgorithm, mock_client::test::MockOciClient};
+    use crate::crypto::SigningScheme;
+    use crate::mock_client::test::MockOciClient;
 
     fn build_test_client(mock_client: MockOciClient) -> Client {
-        let rekor_pub_key = CosignVerificationKey::from_pem(
-            REKOR_PUB_KEY.as_bytes(),
-            SignatureDigestAlgorithm::default(),
-        )
-        .expect("Cannot create CosignVerificationKey");
+        let rekor_pub_key =
+            CosignVerificationKey::from_pem(REKOR_PUB_KEY.as_bytes(), &SigningScheme::default())
+                .expect("Cannot create CosignVerificationKey");
 
         Client {
             registry_client: Box::new(mock_client),

diff --git a/src/cosign/client_builder.rs b/src/cosign/client_builder.rs
@@ -16,9 +16,8 @@
 use tracing::info;
 
 use super::client::Client;
-use crate::crypto::{
-    certificate_pool::CertificatePool, CosignVerificationKey, SignatureDigestAlgorithm,
-};
+use crate::crypto::SigningScheme;
+use crate::crypto::{certificate_pool::CertificatePool, CosignVerificationKey};
 use crate::errors::Result;
 use crate::registry::{Certificate, ClientConfig};
 
@@ -125,7 +124,7 @@ impl ClientBuilder {
             }
             Some(data) => Some(CosignVerificationKey::from_pem(
                 data.as_bytes(),
-                SignatureDigestAlgorithm::default(),
+                &SigningScheme::default(),
             )?),
         };
 

diff --git a/src/cosign/mod.rs b/src/cosign/mod.rs
@@ -150,7 +150,7 @@ mod tests {
         AnnotationVerifier, CertSubjectEmailVerifier, VerificationConstraintVec,
     };
     use crate::crypto::certificate_pool::CertificatePool;
-    use crate::crypto::{CosignVerificationKey, SignatureDigestAlgorithm};
+    use crate::crypto::{CosignVerificationKey, SigningScheme};
     use crate::simple_signing::Optional;
 
     pub(crate) const REKOR_PUB_KEY: &str = r#"-----BEGIN PUBLIC KEY-----
@@ -201,11 +201,8 @@ TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
     }
 
     pub(crate) fn get_rekor_public_key() -> CosignVerificationKey {
-        CosignVerificationKey::from_pem(
-            REKOR_PUB_KEY.as_bytes(),
-            SignatureDigestAlgorithm::default(),
-        )
-        .expect("Cannot create test REKOR_PUB_KEY")
+        CosignVerificationKey::from_pem(REKOR_PUB_KEY.as_bytes(), &SigningScheme::default())
+            .expect("Cannot create test REKOR_PUB_KEY")
     }
 
     #[test]

diff --git a/src/cosign/signature_layers.rs b/src/cosign/signature_layers.rs
@@ -31,9 +31,7 @@ use super::constants::{
 };
 use crate::crypto::certificate_pool::CertificatePool;
 use crate::{
-    crypto::{
-        self, CosignVerificationKey, Signature, SIGSTORE_DEFAULT_SIGNATURE_VERIFICATION_ALGORITHM,
-    },
+    crypto::{self, CosignVerificationKey, Signature, SigningScheme},
     errors::{Result, SigstoreError},
     simple_signing::SimpleSigning,
 };
@@ -366,10 +364,8 @@ impl CertificateSignature {
         crypto::certificate::is_trusted(&cert, integrated_time)?;
 
         let subject = CertificateSubject::from_certificate(&cert)?;
-        let verification_key = CosignVerificationKey::from_der(
-            cert.public_key().raw,
-            SIGSTORE_DEFAULT_SIGNATURE_VERIFICATION_ALGORITHM,
-        )?;
+        let verification_key =
+            CosignVerificationKey::from_der(cert.public_key().raw, &SigningScheme::default())?;
 
         let issuer = get_cert_extension_by_oid(&cert, SIGSTORE_ISSUER_OID, "Issuer")?;
 
@@ -464,7 +460,6 @@ pub(crate) mod tests {
     use std::convert::TryFrom;
 
     use crate::cosign::tests::{get_fulcio_cert_pool, get_rekor_public_key};
-    use crate::crypto::SignatureDigestAlgorithm;
 
     pub(crate) fn build_correct_signature_layer_without_bundle(
     ) -> (SignatureLayer, CosignVerificationKey) {
@@ -474,11 +469,9 @@ OSWS1X9vPavpiQOoTTGC0xX57OojUadxF1cdQmrsiReWg2Wn4FneJfa8xw==
 -----END PUBLIC KEY-----"#;
 
         let signature = String::from("MEUCIQD6q/COgzOyW0YH1Dk+CCYSt4uAhm3FDHUwvPI55zwnlwIgE0ZK58ZOWpZw8YVmBapJhBqCfdPekIknimuO0xH8Jh8=");
-        let verification_key = CosignVerificationKey::from_pem(
-            public_key.as_bytes(),
-            SignatureDigestAlgorithm::default(),
-        )
-        .expect("Cannot create CosignVerificationKey");
+        let verification_key =
+            CosignVerificationKey::from_pem(public_key.as_bytes(), &SigningScheme::default())
+                .expect("Cannot create CosignVerificationKey");
         let ss_value = json!({
             "critical": {
                 "identity": {
@@ -576,7 +569,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETJP9cqpUQsn2ggmJniWGjHdlsHzD
 JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
 -----END PUBLIC KEY-----"#
                 .as_bytes(),
-            SignatureDigestAlgorithm::default(),
+            &SigningScheme::default(),
         )
         .expect("Cannot create CosignVerificationKey");
 
@@ -789,7 +782,7 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETJP9cqpUQsn2ggmJniWGjHdlsHzD
 JsB89BPhZYch0U0hKANx5TY+ncrm0s8bfJxxHoenAEFhwhuXeb4PqIrtoQ==
 -----END PUBLIC KEY-----"#
                 .as_bytes(),
-            SignatureDigestAlgorithm::default(),
+            &SigningScheme::default(),
         )
         .expect("Cannot create CosignVerificationKey");
         assert!(!sl.is_signed_by_key(&verification_key));

diff --git a/src/cosign/verification_constraint.rs b/src/cosign/verification_constraint.rs
@@ -31,7 +31,7 @@
 use std::collections::HashMap;
 
 use super::signature_layers::{CertificateSubject, SignatureLayer};
-use crate::crypto::{CosignVerificationKey, SignatureDigestAlgorithm};
+use crate::crypto::{CosignVerificationKey, SigningScheme};
 use crate::errors::Result;
 
 /// A list of objects implementing the [`VerificationConstraint`] trait
@@ -79,11 +79,20 @@ impl PublicKeyVerifier {
     /// Create a new instance of `PublicKeyVerifier`.
     /// The `key_raw` variable holds a PEM encoded rapresentation of the
     /// public key to be used at verification time.
-    pub fn new(
-        key_raw: &[u8],
-        signature_digest_algorithm: SignatureDigestAlgorithm,
-    ) -> Result<Self> {
-        let key = CosignVerificationKey::from_pem(key_raw, signature_digest_algorithm)?;
+    pub fn new(key_raw: &[u8], signing_scheme: &SigningScheme) -> Result<Self> {
+        let key = CosignVerificationKey::from_pem(key_raw, signing_scheme)?;
+        Ok(PublicKeyVerifier { key })
+    }
+
+    /// Create a new instance of `PublicKeyVerifier`.
+    /// The `key_raw` variable holds a PEM encoded rapresentation of the
+    /// public key to be used at verification time. The verification
+    /// algorithm will be derived from the public key type:
+    /// * `EC public key with P-256 curve`: `ECDSA_P256_SHA256_ASN1`
+    /// * `EC public key with P-384 curve`: `ECDSA_P384_SHA384_ASN1`
+    /// * `Ed25519 public key`: `Ed25519`
+    pub fn try_from(key_raw: &[u8]) -> Result<Self> {
+        let key = CosignVerificationKey::try_from_pem(key_raw)?;
         Ok(PublicKeyVerifier { key })
     }
 }