From ddf65331a1c488fd4b85c0c08618a8493001a096 Mon Sep 17 00:00:00 2001
From: dlorenc
Date: Thu, 18 Mar 2021 15:30:24 -0500
Subject: [PATCH] Add the public key from KMS (#100)
Signed-off-by: Dan Lorenc
---
 cmd/cosign/cli/generate_key_pair.go | 23 +++++++++++++++++++++--
 pkg/cosign/kms/gcp/gcp.go | 16 ++++++++--------
 pkg/cosign/kms/kms.go | 2 +-
 3 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/cmd/cosign/cli/generate_key_pair.go b/cmd/cosign/cli/generate_key_pair.go
index 9ac20019a..dee4f3842 100644
--- a/cmd/cosign/cli/generate_key_pair.go
+++ b/cmd/cosign/cli/generate_key_pair.go
@@ -18,6 +18,8 @@ package cli
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"flag"
 	"fmt"
@@ -44,8 +46,9 @@ func GenerateKeyPair() *ffcli.Command {
 	return &ffcli.Command{
 		Name: "generate-key-pair",
-		ShortUsage: "cosign generate-key-pair",
+		ShortUsage: "cosign generate-key-pair [-kms KMSPATH]",
 		ShortHelp: "generate-key-pair generates a key-pair",
+		LongHelp: "generate-key-pair generates a key-pair",
 		FlagSet: flagset,
 		Exec: func(ctx context.Context, args []string) error {
 			return GenerateKeyPairCmd(ctx, *kmsVal)
@@ -59,7 +62,23 @@ func GenerateKeyPairCmd(ctx context.Context, kmsVal string) error {
 		if err != nil {
 			return err
 		}
-		return k.CreateKey(ctx)
+		pub, err := k.CreateKey(ctx)
+		if err != nil {
+			return err
+		}
+		derBytes, err := x509.MarshalPKIXPublicKey(pub)
+		if err != nil {
+			return err
+		}
+		pemBytes := pem.EncodeToMemory(&pem.Block{
+			Type: "PUBLIC KEY",
+			Bytes: derBytes,
+		})
+		if err := ioutil.WriteFile("cosign.pub", pemBytes, 0600); err != nil {
+			return err
+		}
+		fmt.Fprintln(os.Stderr, "Public key written to cosign.pub")
+		return nil
 	}
 	keys, err := cosign.GenerateKeyPair(GetPass)
diff --git a/pkg/cosign/kms/gcp/gcp.go b/pkg/cosign/kms/gcp/gcp.go
index 182a3ce3e..1e8374e5f 100644
--- a/pkg/cosign/kms/gcp/gcp.go
+++ b/pkg/cosign/kms/gcp/gcp.go
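Review bot: `LongHelp:` on the added line duplicates `ShortHelp` word for word, so the long help output adds nothing for the reader. Since the other added line in this hunk advertises `[-kms KMSPATH]` in ShortUsage, the long help is the natural place to explain that flag, e.g. `LongHelp: "generate-key-pair generates a key-pair. With -kms, the key is created in the given KMS and only the public half is written to cosign.pub.",`, which matches what GenerateKeyPairCmd does in the next hunk.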
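Review bot: `ioutil.WriteFile("cosign.pub", pemBytes, 0600)` overwrites an existing cosign.pub without warning, so re-running the command against a different KMS key silently replaces the public key that verifiers may already be pinning. Opening the file with `os.O_CREATE|os.O_EXCL` turns that collision into an error, as in the excerpt below; whether the local-key path later in the function already guards against this is not visible here, since GenerateKeyPairCmd both starts before and continues after this hunk. The new code also assumes `os` and `io/ioutil` are already imported (the import hunk adds only x509 and pem and is cut off after "fmt"), which I cannot confirm from the patch. If a backend's CreateKey can return a nil *ecdsa.PublicKey together with a nil error, `x509.MarshalPKIXPublicKey(pub)` would dereference it, so a `if pub == nil { return errors.New("kms returned no public key") }` guard before the marshal is cheap insurance.
```go
		// … unchanged: CreateKey, MarshalPKIXPublicKey and pem.EncodeToMemory …
		f, err := os.OpenFile("cosign.pub", os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
		if err != nil {
			return fmt.Errorf("creating cosign.pub: %w", err)
		}
		if _, err := f.Write(pemBytes); err != nil {
			f.Close()
			return err
		}
		if err := f.Close(); err != nil {
			return err
		}
		fmt.Fprintln(os.Stderr, "Public key written to cosign.pub")
		return nil
```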
@@ -187,9 +187,9 @@ func (g *KMS) keyVersionName(ctx context.Context) (string, error) {
 	return name, nil
 }
-func (g *KMS) CreateKey(ctx context.Context) error {
+func (g *KMS) CreateKey(ctx context.Context) (*ecdsa.PublicKey, error) {
 	if err := g.createKeyRing(ctx); err != nil {
-		return errors.Wrap(err, "creating key ring")
+		return nil, errors.Wrap(err, "creating key ring")
 	}
 	return g.createKey(ctx)
 }
@@ -213,15 +213,15 @@ func (g *KMS) createKeyRing(ctx context.Context) error {
 	return err
 }
-func (g *KMS) createKey(ctx context.Context) error {
+func (g *KMS) createKey(ctx context.Context) (*ecdsa.PublicKey, error) {
+	name := fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", g.projectID, g.locationID, g.keyRing, g.key)
 	getKeyRequest := &kmspb.GetCryptoKeyRequest{
-		Name: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s/cryptoKeys/%s", g.projectID, g.locationID, g.keyRing, g.key),
+		Name: name,
 	}
 	if result, err := g.client.GetCryptoKey(ctx, getKeyRequest); err == nil {
 		fmt.Printf("Key %s already exists in GCP KMS, skipping creation.\n", result.GetName())
-		return nil
+		return g.PublicKey(ctx)
 	}
-
 	createKeyRequest := &kmspb.CreateCryptoKeyRequest{
 		Parent: fmt.Sprintf("projects/%s/locations/%s/keyRings/%s", g.projectID, g.locationID, g.keyRing),
 		CryptoKeyId: g.key,
@@ -234,8 +234,8 @@ func (g *KMS) createKey(ctx context.Context) error {
 	}
 	result, err := g.client.CreateCryptoKey(ctx, createKeyRequest)
 	if err != nil {
-		return nil, errors.Wrap(err, "creating crypto key")
+		return nil, errors.Wrap(err, "creating crypto key")
 	}
 	fmt.Printf("Created key %s in GCP KMS\n", result.GetName())
-	return nil
+	return g.PublicKey(ctx)
 }
diff --git a/pkg/cosign/kms/kms.go b/pkg/cosign/kms/kms.go
index d6837a4e2..f4129fe41 100644
--- a/pkg/cosign/kms/kms.go
+++ b/pkg/cosign/kms/kms.go
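Review bot: `return g.PublicKey(ctx)` immediately after `g.client.CreateCryptoKey` in the last hunk asks for the public key of a version that may not be usable yet; as far as I recall, GCP KMS creates asymmetric key versions asynchronously in a PENDING_GENERATION state and rejects the public-key fetch until the version is ENABLED, so a fresh `generate-key-pair -kms` run can fail here even though the key was created. The same call in the previous hunk, on the "already exists" path, is fine because that version is already in service. At minimum the error should say what happened, as in the excerpt below; a bounded retry on that specific failure inside `PublicKey` (defined outside this patch) would make the command reliable. As written, a failure on this path leaves the user with a key in KMS but no cosign.pub, and the rerun then takes the "already exists" branch, which is confusing without the hint.
```go
	fmt.Printf("Created key %s in GCP KMS\n", result.GetName())
	pub, err := g.PublicKey(ctx)
	if err != nil {
		// a freshly created asymmetric version can still be PENDING_GENERATION
		return nil, errors.Wrap(err, "fetching public key of newly created key (version may still be generating)")
	}
	return pub, nil
```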
@@ -29,7 +29,7 @@ import (
 type KMS interface {
 	// CreateKey is responsible for creating an asymmetric key pair
 	// with the ECDSA algorithm on the P-256 Curve with a SHA-256 digest
-	CreateKey(context.Context) error
+	CreateKey(context.Context) (*ecdsa.PublicKey, error)
 	// Sign is responsible for signing an image via the keys
 	// stored in KMS
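Review bot: the doc comment above the changed `CreateKey` line still describes only the creation and says nothing about the `*ecdsa.PublicKey` it now returns, although the CLI in this patch writes that value straight to cosign.pub. Suggest appending `// and returns the public half of the key so callers can persist it; if the key already exists, the existing key's public half is returned.` — the second clause is what the gcp implementation in this patch does, and stating it here makes it a contract for any other backend. The hunk does not add crypto/ecdsa to the import block, so presumably it is already imported for the other methods of the interface; that is not visible from the patch. Returning the concrete *ecdsa.PublicKey also pins every backend to ECDSA, which matches the comment's P-256 wording, but `crypto.PublicKey` would keep the abstraction open if other algorithms are ever wanted.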