Description
When providing self-signed CA & signed CERT from rootcertbundle if the keys are ECDSA, the current implementation under registry/auth/token/util.go seems to use PublicKey.Params.Gx & Gy to generate the thumbprint.
Seems incorrect since both keys without any EC PARAM section end up with the same thumbprint key of the same empty or default values.
Reproduce
- Make a self-signed CA cert with ECDSA keys as a pem file
- Sign another certificate with ECDSA keys as a pem file
- Merge both files under the same root.crt file
- Configure the registry under auth with:
auth:
token:
rootcertbundle: /etc/distribution/root.crt
When the registry starts there will be only one valid trustedkey with the wrong thumbprint.
Expected behavior
If I use another library like JWX or JWTK in java I would expect the thumbprints to be the same
registry version
HEAD
Additional Info
No response
Description
When providing self-signed CA & signed CERT from rootcertbundle if the keys are ECDSA, the current implementation under registry/auth/token/util.go seems to use PublicKey.Params.Gx & Gy to generate the thumbprint.
Seems incorrect since both keys without any EC PARAM section end up with the same thumbprint key of the same empty or default values.
Reproduce
When the registry starts there will be only one valid trustedkey with the wrong thumbprint.
Expected behavior
If I use another library like JWX or JWTK in java I would expect the thumbprints to be the same
registry version
HEAD
Additional Info
No response