Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for importing PKCS#8 private keys, and add validation #1300

Merged
merged 1 commit into from Jan 12, 2022
Merged

Add support for importing PKCS#8 private keys, and add validation #1300

merged 1 commit into from Jan 12, 2022

Conversation

haydentherapper
Copy link
Contributor

Summary

This adds support for PKCS#8 encoded private keys, which means
we can also import ED25519 keys. I've added tests for PKCS#8
RSA and ECDSA keys too.

I also added some validation of keys before importing. For RSA,
we will require that the key size be between 2048 and 4096.
For ECDSA keys, we will only disallow NIST P-224, since Cosign
generates P-256 by default. Other curves are not supported
by Go's crypto library.

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Ticket Link

#549

Release Note

* Added support for importing PKCS#8 private keys
* Added validation of imported private keys

@haydentherapper
Add support for importing PKCS#8 private keys, and add validation
497d590 
This adds support for PKCS#8 encoded private keys, which means
we can also import ED25519 keys. I've added tests for PKCS#8
RSA and ECDSA keys too.

I also added some validation of keys before importing. For RSA,
we will require that the key size be between 2048 and 4096.
For ECDSA keys, we will only disallow NIST P-224, since Cosign
generates P-256 by default. Other curves are not supported
by Go's crypto library.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

cc @venafi-iw

@haydentherapper
Copy link
Contributor Author

It's up for debate if we want to have an upper bound on the size of the RSA key, but larger than 4096 gets a bit unwieldy, requiring more storage space and some verification libraries can't handle large RSA keys.

@dlorenc
Copy link
Member

dlorenc commented Jan 12, 2022

This looks awesome!

@dlorenc dlorenc merged commit 754d33e into sigstore:main Jan 12, 2022
@github-actions github-actions bot added this to the v1.5.0 milestone Jan 12, 2022
@haydentherapper haydentherapper deleted the key-enforcement branch January 12, 2022 17:59
mlieberman85 pushed a commit to mlieberman85/cosign that referenced this pull request May 6, 2022
@haydentherapper @mlieberman85
Add support for importing PKCS#8 private keys, and add validation (si…
3c02b0b 
…gstore#1300)

This adds support for PKCS#8 encoded private keys, which means
we can also import ED25519 keys. I've added tests for PKCS#8
RSA and ECDSA keys too.

I also added some validation of keys before importing. For RSA,
we will require that the key size be between 2048 and 4096.
For ECDSA keys, we will only disallow NIST P-224, since Cosign
generates P-256 by default. Other curves are not supported
by Go's crypto library.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlorenc dlorenc dlorenc approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.5.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@haydentherapper @dlorenc