Use the correct verifier for RSA PSS scheme keys #625
I've tested it, and it solves the issue 😃
Note that these are just examples essentially, definitely not an exhaustive list of the only schemes that can be supported: I would avoid removing support for the pkcs1v15 scheme if possible as removing optional features can be a real headache for users... EDIT: the PR does not seem to remove the support, I just looked at comments originally and misunderstood
Just as an idea... I would love a keytype support test in tuf-conformance: theupdateframework/tuf-conformance#159 -- implementing that would give you keytype test coverage "for free" in go-tuf and should not be more than 20 lines of code. EDIT: I did an initial test in tuf-conformance theupdateframework/tuf-conformance#167
See theupdateframework/go-tuf#625 Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
c73d95d to 3c3db96
FYI: I'm working on this, should have a working update within a few days.
@kommendorkapten - Awesome! 🙏 I'd consider this my Christmas gift 😄
A lot of the tests are working, I'll hunt down the rest of the failures tomorrow I hope
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
to be pss and not pkcs1 v1.5 Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
Signed-off-by: Fredrik Skogman <kommendorkapten@github.com>
b3ced91 to d6e635c
This is now ready for review, the tests were failing as they were signed using PKCS#1 v1.5 but the key scheme said |
🚀
Works locally as well for me. I'd say it's fine to go in. There are some smaller nits in there but none of them affect the functionality so I'll refrain from blocking a merge :)
Thank you all for reviewing and contributing to this! 🙌 💯
The following PR fixes an issue with go-tuf's support for RSA key types.
Details:
Apparently for RSA key types signature.LoadVerifier() is defaulting to returning a verifier that is RSAPKCS1v15Verifier which corresponds to the RSA PKCS#1 scheme.
Based on the latest TUF spec, TUF uses RSA PSS instead of PKCS#1. This manifests itself by causing go-tuf v2 TUF clients to fail metadata verification in case of RSA key types.
The fix for this is to invoke the proper verifier for the PSS scheme. This means that when we are verifying a metadata signed by an RSA key type, we should use LoadRSAPSSVerifier() instead of the generic LoadVerifier().
References:
Credits:
Thanks to @kairoaraujo for reaching out and helping track this together! 🚀 Cheers! 🍻
What's left:
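
The verifier mismatch described in the PR description above, as an added example that is not part of the PR or of go-tuf's code: it uses only the Go standard library rather than the signature package's LoadVerifier() and LoadRSAPSSVerifier(). VerifyByScheme, SignedSample and the PKCS#1 v1.5 scheme string are assumptions made for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// "rsassa-pss-sha256" is the TUF spec scheme; the PKCS#1 v1.5 name is assumed.
const (
	SchemePSS   = "rsassa-pss-sha256"
	SchemePKCS1 = "rsa-pkcs1v15-sha256"
)

// VerifyByScheme (hypothetical) picks the RSA algorithm from the key's declared scheme.
func VerifyByScheme(pub *rsa.PublicKey, scheme string, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	switch scheme {
	case SchemePSS:
		return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
	case SchemePKCS1:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	}
	return fmt.Errorf("unsupported RSA scheme %q", scheme)
}

// SignedSample generates a throwaway key and PSS-signs constructed metadata.
func SignedSample() (pub *rsa.PublicKey, msg, sig []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, nil, err
	}
	msg = []byte(`{"_type":"root","version":1}`) // constructed sample
	digest := sha256.Sum256(msg)
	sig, err = rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return &priv.PublicKey, msg, sig, err
}

func main() {
	pub, msg, sig, err := SignedSample()
	if err != nil {
		panic(err)
	}
	// Same key, same signature: only the verifier choice differs.
	fmt.Println("pkcs1v15:", VerifyByScheme(pub, SchemePKCS1, msg, sig))
	fmt.Println("pss:     ", VerifyByScheme(pub, SchemePSS, msg, sig))
}
```

The PKCS#1 v1.5 path returns a verification error for a correctly signed PSS message, which is the client-side failure the PR describes; the PSS path returns nil.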