From 51caf324f906f9e54e294ff6604b90f8c90e6b95 Mon Sep 17 00:00:00 2001 From: Riccardo Schirone Date: Tue, 16 Jan 2024 14:15:55 +0100 Subject: [PATCH] Added support for Ed25519ph in HashedRekord entries - Made X509 Signatures configurable with SignerVerifierOptions - Removed existing check that limited the use of Ed25519 keys in HashedRekord entries - Used Ed25519ph Signer/Verifier for HashedRekord entries Signed-off-by: Riccardo Schirone --- pkg/pki/x509/x509.go | 12 +++++++++--- pkg/types/hashedrekord/v0.0.1/entry.go | 9 ++------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go index b8d0148ee..600044b1e 100644 --- a/pkg/pki/x509/x509.go +++ b/pkg/pki/x509/x509.go @@ -38,17 +38,23 @@ import ( var EmailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1} type Signature struct { - signature []byte + signature []byte + signerVerifierOpts []sigsig.SignerVerifierOption } // NewSignature creates and validates an x509 signature object func NewSignature(r io.Reader) (*Signature, error) { + return NewSignatureWithOpts(r) +} + +func NewSignatureWithOpts(r io.Reader, opts ...sigsig.SignerVerifierOption) (*Signature, error) { b, err := io.ReadAll(r) if err != nil { return nil, err } return &Signature{ - signature: b, + signature: b, + signerVerifierOpts: opts, }, nil } @@ -84,7 +90,7 @@ func (s Signature) Verify(r io.Reader, k interface{}, opts ...sigsig.VerifyOptio } } - verifier, err := sigsig.LoadVerifier(p, crypto.SHA256) + verifier, err := sigsig.LoadVerifierWithOpts(p, crypto.SHA256, s.signerVerifierOpts...) if err != nil { return err } diff --git a/pkg/types/hashedrekord/v0.0.1/entry.go b/pkg/types/hashedrekord/v0.0.1/entry.go index e9136fef0..5098b9475 100644 --- a/pkg/types/hashedrekord/v0.0.1/entry.go +++ b/pkg/types/hashedrekord/v0.0.1/entry.go @@ -19,7 +19,6 @@ import ( "bytes" "context" "crypto" - "crypto/ed25519" "crypto/sha256" "encoding/hex" "encoding/json" 
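Review bot: `NewSignatureWithOpts` is a new exported function in pkg/pki/x509/x509.go with no doc comment, and the new `signerVerifierOpts` field is equally undocumented, so nothing tells a caller which options are honoured or where they take effect. I would add `// NewSignatureWithOpts is like NewSignature but records SignerVerifierOptions (e.g. signature.WithED25519ph()) that are forwarded to LoadVerifierWithOpts when the signature is verified.` above the function and `// signerVerifierOpts selects the verifier variant loaded in Verify; nil means the default verifier for the key type.` on the field. While here, the pre-existing `NewSignature` comment claims it "creates and validates" the signature, but both constructors only read the bytes; the word "validates" should go.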
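Review bot: In `Verify`, `crypto.SHA256` remains hard-coded as the hash handed to `LoadVerifierWithOpts` even though `s.signerVerifierOpts` can now select an Ed25519ph verifier, whose prehash under RFC 8032 is SHA-512, not SHA-256. If sigstore's Ed25519ph verifier ignores that hash argument, as I believe it does, the SHA256 on this line is silently meaningless for that path and the digest supplied through `opts` must be a 64-byte SHA-512 value for crypto/ed25519 to accept it; none of that is visible to a reader of the call. I would add `// SHA256 is the default hash for ECDSA/RSA keys; when signerVerifierOpts selects Ed25519ph the verifier prehash is SHA-512 and the digest passed via opts must match it.` above the call. `Verify` starts and ends outside this hunk.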
@@ -40,6 +39,7 @@ import ( "github.com/sigstore/rekor/pkg/types" hashedrekord "github.com/sigstore/rekor/pkg/types/hashedrekord" "github.com/sigstore/rekor/pkg/util" + "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/options" ) @@ -148,7 +148,7 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) { return nil, nil, types.ValidationError(errors.New("missing signature")) } // Hashed rekord type only works for x509 signature types - sigObj, err := x509.NewSignature(bytes.NewReader(sig.Content)) + sigObj, err := x509.NewSignatureWithOpts(bytes.NewReader(sig.Content), signature.WithED25519ph()) if err != nil { return nil, nil, types.ValidationError(err) } @@ -162,11 +162,6 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) { return nil, nil, types.ValidationError(err) } - _, isEd25519 := keyObj.CryptoPubKey().(ed25519.PublicKey) - if isEd25519 { - return nil, nil, types.ValidationError(errors.New("ed25519 unsupported for hashedrekord")) - } - data := v.HashedRekordObj.Data if data == nil { return nil, nil, types.ValidationError(errors.New("missing data"))
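Review bot: `validate()` now passes `signature.WithED25519ph()` unconditionally, so an Ed25519 key is verified as Ed25519ph over a SHA-512 prehash (RFC 8032 §5.1), and the removed "ed25519 unsupported for hashedrekord" guard lower in this file is only safe if the digest later handed to `sigObj.Verify` is a SHA-512 hash of the artifact. If the entry's data hash is SHA-256 (the hunk does not show whether the hash algorithm is checked before `Verify`), `crypto/ed25519.VerifyWithOptions` should reject the 32-byte digest on length alone, turning the previous explicit error into an opaque verification failure. Please confirm that path with a test using an Ed25519 key and a sha256 data hash so the failure mode is deliberate, and add `// Ed25519 keys are verified as Ed25519ph: the data hash must be SHA-512 or verification fails.` on the `NewSignatureWithOpts` line for the next reader. `validate()` starts and ends outside this hunk.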