Add the public key from KMS (sigstore#100)

Signed-off-by: Dan Lorenc <dlorenc@google.com>
mtrmac · Mar 18, 2021 · ddf6533 · ddf6533
1 parent 4c6bd30
commit ddf6533
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 11 deletions.
diff --git a/cmd/cosign/cli/generate_key_pair.go b/cmd/cosign/cli/generate_key_pair.go
@@ -18,6 +18,8 @@ package cli
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"flag"
 	"fmt"
@@ -44,8 +46,9 @@ func GenerateKeyPair() *ffcli.Command {
 
 	return &ffcli.Command{
 		Name:       "generate-key-pair",
-		ShortUsage: "cosign generate-key-pair",
+		ShortUsage: "cosign generate-key-pair [-kms KMSPATH]",
 		ShortHelp:  "generate-key-pair generates a key-pair",
+		LongHelp:   "generate-key-pair generates a key-pair",
 		FlagSet:    flagset,
 		Exec: func(ctx context.Context, args []string) error {
 			return GenerateKeyPairCmd(ctx, *kmsVal)
@@ -59,7 +62,23 @@ func GenerateKeyPairCmd(ctx context.Context, kmsVal string) error {
 		if err != nil {
 			return err
 		}
-		return k.CreateKey(ctx)
+		pub, err := k.CreateKey(ctx)
+		if err != nil {
+			return err
+		}
+		derBytes, err := x509.MarshalPKIXPublicKey(pub)
+		if err != nil {
+			return err
+		}
+		pemBytes := pem.EncodeToMemory(&pem.Block{
+			Type:  "PUBLIC KEY",
+			Bytes: derBytes,
+		})
+		if err := ioutil.WriteFile("cosign.pub", pemBytes, 0600); err != nil {
+			return err
+		}
+		fmt.Fprintln(os.Stderr, "Public key written to cosign.pub")
+		return nil
 	}
 
 	keys, err := cosign.GenerateKeyPair(GetPass)

diff --git a/pkg/cosign/kms/gcp/gcp.go b/pkg/cosign/kms/gcp/gcp.go
@@ -187,9 +187,9 @@ func (g *KMS) keyVersionName(ctx context.Context) (string, error) {
 	return name, nil
 }
 
-func (g *KMS) CreateKey(ctx context.Context) error {
+func (g *KMS) CreateKey(ctx context.Context) (*ecdsa.PublicKey, error) {
 	if err := g.createKeyRing(ctx); err != nil {
-		return errors.Wrap(err, "creating key ring")
+		return nil, errors.Wrap(err, "creating key ring")
 	}
 	return g.createKey(ctx)
 }
@@ -213,15 +213,15 @@ func (g *KMS) createKeyRing(ctx context.Context) error {
 	return err
 }
 
-func (g *KMS) createKey(ctx context.Context) error {
+func (g *KMS) createKey(ctx context.Context) (*ecdsa.PublicKey, error) {
+	name := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", g.projectID, g.locationID, g.keyRing, g.key)
 	getKeyRequest := &kmspb.GetCryptoKeyRequest{
-		Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", g.projectID, g.locationID, g.keyRing, g.key),
+		Name: name,
 	}
 	if result, err := g.client.GetCryptoKey(ctx, getKeyRequest); err == nil {
 		fmt.Printf("Key %s already exists in GCP KMS, skipping creation.\n", result.GetName())
-		return nil
+		return g.PublicKey(ctx)
 	}
-
 	createKeyRequest := &kmspb.CreateCryptoKeyRequest{
 		Parent:      fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", g.projectID, g.locationID, g.keyRing),
 		CryptoKeyId: g.key,
@@ -234,8 +234,8 @@ func (g *KMS) createKey(ctx context.Context) error {
 	}
 	result, err := g.client.CreateCryptoKey(ctx, createKeyRequest)
 	if err != nil {
-		return errors.Wrap(err, "creating crypto key")
+		return nil, errors.Wrap(err, "creating crypto key")
 	}
 	fmt.Printf("Created key %s in GCP KMS\n", result.GetName())
-	return nil
+	return g.PublicKey(ctx)
 }
diff --git a/pkg/cosign/kms/kms.go b/pkg/cosign/kms/kms.go
@@ -29,7 +29,7 @@ import (
 type KMS interface {
 	// CreateKey is responsible for creating an asymmetric key pair
 	// with the ECDSA algorithm on the P-256 Curve with a SHA-256 digest
-	CreateKey(context.Context) error
+	CreateKey(context.Context) (*ecdsa.PublicKey, error)
 
 	// Sign is responsible for signing an image via the keys
 	// stored in KMS