more refactoring to use cryptoutils

go.mod

@@ -3,6 +3,7 @@ module github.com/sigstore/cosign
 go 1.16
 
 require (
+	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cyberphone/json-canonicalization v0.0.0-20210303052042-6bc126869bf4
 	github.com/go-openapi/runtime v0.19.29
 	github.com/go-openapi/strfmt v0.20.1
@@ -12,13 +13,14 @@ require (
 	github.com/google/go-containerregistry v0.5.1
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/trillian v1.3.14-0.20210713114448-df474653733c
+	github.com/hashicorp/vault/api v1.1.1 // indirect
 	github.com/manifoldco/promptui v0.8.0
 	github.com/open-policy-agent/opa v0.30.2
 	github.com/peterbourgon/ff/v3 v3.1.0
 	github.com/pkg/errors v0.9.1
 	github.com/sigstore/fulcio v0.0.0-20210720153316-846105495d38
 	github.com/sigstore/rekor v0.2.1-0.20210714185543-38d532d5c0b1
-	github.com/sigstore/sigstore v0.0.0-20210720205156-8a12b31f8ca6
+	github.com/sigstore/sigstore v0.0.0-20210722023421-fd3b69438dba
 	github.com/stretchr/testify v1.7.0
 	github.com/theupdateframework/go-tuf v0.0.0-20210630170422-22a94818d17b
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c

go.sum

@@ -1132,8 +1132,8 @@ github.com/sigstore/fulcio v0.0.0-20210720153316-846105495d38/go.mod h1:FZL7iVdW
 github.com/sigstore/rekor v0.2.1-0.20210714185543-38d532d5c0b1 h1:oSxPcSsScZwrurlM+FjMs+lbjdE/I42WdGy+jV0lO88=
 github.com/sigstore/rekor v0.2.1-0.20210714185543-38d532d5c0b1/go.mod h1:cL9B3+/gp3BG+/bhkSHBA3MQZMten5xM6BhJYd5b5zU=
 github.com/sigstore/sigstore v0.0.0-20210713222344-1fee53516622/go.mod h1:aOSeNrlcHsfUD8Q1hwWd8KloNqBnxEZlu4k47cFg5rg=
-github.com/sigstore/sigstore v0.0.0-20210720205156-8a12b31f8ca6 h1:a4GimMAzOiCya9WNVo07mSuPKP1jh5z/nmug4z5Wh24=
-github.com/sigstore/sigstore v0.0.0-20210720205156-8a12b31f8ca6/go.mod h1:OqEZWzGLbeyDBLpamU3H9ocwyoseksz6qVkZCoDHGyI=
+github.com/sigstore/sigstore v0.0.0-20210722023421-fd3b69438dba h1:NH2JUe2UWJ27vzzCwJPh4xtxfdGsJrtMcm8M1lqhb54=
+github.com/sigstore/sigstore v0.0.0-20210722023421-fd3b69438dba/go.mod h1:p+VFprG1w+oRcb3fgEKa9uvw3/7N9TR0srIi2JerPKo=
 github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=

pkg/cosign/keys.go

@@ -128,24 +128,14 @@ func LoadECDSAPrivateKey(key []byte, pass []byte) (*signature.ECDSASignerVerifie
 	return signature.LoadECDSASignerVerifier(epk, crypto.SHA256)
 }
 
-const pubKeyPemType = "PUBLIC KEY"
-
-func PemToECDSAKey(raw []byte) (*ecdsa.PublicKey, error) {
-	p, _ := pem.Decode(raw)
-	if p == nil {
-		return nil, errors.New("pem.Decode failed")
-	}
-	if p.Type != pubKeyPemType {
-		return nil, fmt.Errorf("not public: %q", p.Type)
-	}
-
-	decoded, err := x509.ParsePKIXPublicKey(p.Bytes)
+func PemToECDSAKey(pemBytes []byte) (*ecdsa.PublicKey, error) {
+	pub, err := cryptoutils.UnmarshalPEMToPublicKey(pemBytes)
 	if err != nil {
 		return nil, err
 	}
-	ed, ok := decoded.(*ecdsa.PublicKey)
+	ecdsaPub, ok := pub.(*ecdsa.PublicKey)
 	if !ok {
-		return nil, fmt.Errorf("invalid public key: was %T, require *ecdsa.PublicKey", raw)
+		return nil, fmt.Errorf("invalid public key: was %T, require *ecdsa.PublicKey", pub)
 	}
-	return ed, nil
+	return ecdsaPub, nil
 }