Use ValidatePubKey from sigstore/sigstore

go.mod

@@ -27,6 +27,7 @@ require (
 	github.com/hashicorp/yamux v0.0.0-20211028200310-0bc27b27de87
 	github.com/in-toto/in-toto-golang v0.3.4-0.20211211042327-af1f9fb822bf
 	github.com/kelseyhightower/envconfig v1.4.0
+	github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e
 	github.com/manifoldco/promptui v0.9.0
 	github.com/miekg/pkcs11 v1.1.1
 	github.com/mitchellh/go-homedir v1.1.0
@@ -37,12 +38,13 @@ require (
 	github.com/secure-systems-lab/go-securesystemslib v0.3.1
 	github.com/sigstore/fulcio v0.1.2-0.20220114150912-86a2036f9bc7
 	github.com/sigstore/rekor v0.4.1-0.20220114213500-23f583409af3
-	github.com/sigstore/sigstore v1.1.1-0.20220324220036-a3f98177f3b0
+	github.com/sigstore/sigstore v1.2.1-0.20220328200116-ef48ee800626
 	github.com/spf13/cobra v1.4.0
 	github.com/spf13/viper v1.10.1
 	github.com/spiffe/go-spiffe/v2 v2.0.0
 	github.com/stretchr/testify v1.7.1
 	github.com/theupdateframework/go-tuf v0.0.0-20220211205608-f0c3294f63b9
+	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399
 	github.com/xanzy/go-gitlab v0.60.0
 	golang.org/x/net v0.0.0-20220325170049-de3da57026de
 	golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a
@@ -51,6 +53,7 @@ require (
 	golang.org/x/time v0.0.0-20220224211638-0e9765cccd65
 	google.golang.org/api v0.74.0
 	gopkg.in/square/go-jose.v2 v2.6.0
+	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.23.5
 	k8s.io/apimachinery v0.23.5
 	k8s.io/client-go v0.23.5
@@ -128,7 +131,7 @@ require (
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/ReneKroon/ttlcache/v2 v2.11.0 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go v1.43.24 // indirect
+	github.com/aws/aws-sdk-go v1.43.27 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.14.0 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.14.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.9.0 // indirect
@@ -210,7 +213,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 // indirect
 	github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
-	github.com/hashicorp/vault/api v1.4.1 // indirect
+	github.com/hashicorp/vault/api v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20210703085342-c1f07ee84431 // indirect
@@ -238,7 +241,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.11.1 // indirect
+	github.com/prometheus/client_golang v1.12.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/statsd_exporter v0.21.0 // indirect
@@ -302,7 +305,6 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/apiextensions-apiserver v0.23.4 // indirect
 	k8s.io/gengo v0.0.0-20220307231824-4627b89bbf1b // indirect

pkg/cosign/keys.go

@@ -63,35 +63,6 @@ type KeysBytes struct {
 	password     []byte
 }
 
-// Enforce a minimum and maximum RSA key size.
-func validateRsaKey(pk *rsa.PrivateKey) error {
-	// Key size is the bit length of modulus
-	keySize := pk.N.BitLen()
-	if keySize < 2048 {
-		return fmt.Errorf("rsa key size too small, expected >= 2048")
-	}
-	if keySize > 4096 {
-		return fmt.Errorf("rsa key size too large, expected <= 4096")
-	}
-	return nil
-}
-
-// Enforce that the ECDSA key curve is one of:
-// * NIST P-256 (secp256r1, prime256v1)
-// * NIST P-384
-// * NIST P-521.
-// Other EC curves, like secp256k1, are not supported by Go.
-func validateEcdsaKey(pk *ecdsa.PrivateKey) error {
-	switch pk.Curve {
-	case elliptic.P224():
-		return fmt.Errorf("unsupported ec curve, expected NIST P-256, P-384, or P-521")
-	case elliptic.P256(), elliptic.P384(), elliptic.P521():
-		return nil
-	default:
-		return fmt.Errorf("unexpected ec curve")
-	}
-}
-
 func GeneratePrivateKey() (*ecdsa.PrivateKey, error) {
 	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 }
@@ -115,7 +86,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 		if err != nil {
 			return nil, fmt.Errorf("error parsing rsa private key")
 		}
-		if err = validateRsaKey(rsaPk); err != nil {
+		if err = cryptoutils.ValidatePubKey(rsaPk.Public()); err != nil {
 			return nil, errors.Wrap(err, "error validating rsa key")
 		}
 		pk = rsaPk
@@ -124,7 +95,7 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 		if err != nil {
 			return nil, fmt.Errorf("error parsing ecdsa private key")
 		}
-		if err = validateEcdsaKey(ecdsaPk); err != nil {
+		if err = cryptoutils.ValidatePubKey(ecdsaPk.Public()); err != nil {
 			return nil, errors.Wrap(err, "error validating ecdsa key")
 		}
 		pk = ecdsaPk
@@ -135,17 +106,19 @@ func ImportKeyPair(keyPath string, pf PassFunc) (*KeysBytes, error) {
 		}
 		switch k := pkcs8Pk.(type) {
 		case *rsa.PrivateKey:
-			if err = validateRsaKey(k); err != nil {
+			if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
 				return nil, errors.Wrap(err, "error validating rsa key")
 			}
 			pk = k
 		case *ecdsa.PrivateKey:
-			if err = validateEcdsaKey(k); err != nil {
+			if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
 				return nil, errors.Wrap(err, "error validating ecdsa key")
 			}
 			pk = k
 		case ed25519.PrivateKey:
-			// Nothing to validate, since ED25519 supports only one key size.
+			if err = cryptoutils.ValidatePubKey(k.Public()); err != nil {
+				return nil, errors.Wrap(err, "error validating ed25519 key")
+			}
 			pk = k
 		default:
 			return nil, fmt.Errorf("unexpected private key")

pkg/cosign/keys_test.go

@@ -315,12 +315,12 @@ func TestImportPrivateKey(t *testing.T) {
 		{
 			fileName: "invalidrsasmallkey.key",
 			pemData:  invalidrsasmallkey,
-			expected: errors.New("error validating rsa key: rsa key size too small, expected >= 2048"),
+			expected: errors.New("error validating rsa key: key too small: 1024"),
 		},
 		{
 			fileName: "invalidrsalargekey.key",
 			pemData:  invalidrsalargekey,
-			expected: errors.New("error validating rsa key: rsa key size too large, expected <= 4096"),
+			expected: errors.New("error validating rsa key: key too large: 5120 > 4096"),
 		},
 		// EC tests
 		{