Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for longer RSA keys #20

Open
tomaszkrzyzanowski opened this issue Mar 8, 2024 · 2 comments · May be fixed by #21
Open

Support for longer RSA keys #20

tomaszkrzyzanowski opened this issue Mar 8, 2024 · 2 comments · May be fixed by #21
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@tomaszkrzyzanowski
Copy link

Hello!

As for now, keyhelper is limited to supporting only RSA2048 keys, while notation CLI and Vault's transit secret engine is supporting longer keys (3072 and 4096 bit).

I would appreciate it if keyhelper could detect the key length and use the right key length during importing key to transit engine
@cipherboy
Copy link

This sounds like a great RFE @tomaszkrzyzanowski -- are you interested in providing a PR for this? I think wrapPrivateKey:

notation-hashicorp-vault/cmd/key-helper/importKey.go

Line 101 in 10173d8

func wrapPrivateKey(wrappingKey string, privateKeyPath string) (string, error) {

can be updated to return another string or int corresponding to the key type+length (either in transit format or otherwise just the raw number of bits).

If you move this cast earlier:

notation-hashicorp-vault/cmd/key-helper/importKey.go

Line 131 in 10173d8

parsedKey.(*rsa.PublicKey),

you can just call the Size() method. And then obviously importKeyToTransit would need to be updated accordingly:

https://github.com/notaryproject/notation-hashicorp-vault/blob/main/cmd/key-helper/importKey.go#L154

I don't know off the top of my head if Notary supports other types of keys (ECDSA?) but given the upcoming PQC standards, I'd imagine it'd want to start doing so... So perhaps returning the string would be most optimal and ECDSA/... support can be added more easily.

HTH!

@cipherboy cipherboy added enhancement New feature or request good first issue Good for newcomers labels Mar 19, 2024
@tomaszkrzyzanowski tomaszkrzyzanowski linked a pull request Mar 19, 2024 that will close this issue
Open
@tomaszkrzyzanowski
Copy link
Author

@cipherboy I was already working locally on support for this and in #21 is what I have implemented with mostly standard libraries.

There were a few differences in how Notation and Vault defines names for ie. hash algorithms, and I tried to cover this with maps.

Moreover, when I started, I haven't had bigger awareness of notation-go library, and I'm thinking if it's fine to leave it as is or maybe reimplement this with notation-go/signature parts instead?

My code was mostly written before your suggestion about contribution, so I decided to show it as it is, but I can rework it accordingly to your description in previous message :)

BR,
Tomasz

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
2 participants
@cipherboy @tomaszkrzyzanowski