Add validation of public keys to prevent certifying weak keys (#490)
This adds checks for RSA, ECDSA and ED25519 (no-op) keys. This
will prevent Fulcio from signing certificates for the following:
* DSA keys
* RSA keys that are smaller than 2048 or larger than 4096
* RSA keys with weak primes
* ECDSA keys that aren't P256, P384, or P521 (P224 or custom curves)

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
haydentherapper committed Mar 29, 2022
1 parent a2bd19a commit 61c9601
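
The type, size and curve rules listed in the commit message, written out as an added Go example; this is not the code from this commit or from the sigstore library. The names `checkKey` and `rsaOfBits` are assumptions, the sample keys are constructed, and the weak-prime check for RSA keys is left out.

```go
package main

import (
	"crypto"
	"crypto/dsa"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// checkKey (hypothetical name): type, size and curve rules only; no weak-prime check.
func checkKey(pub crypto.PublicKey) error {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		if k.N == nil || k.N.BitLen() < 2048 || k.N.BitLen() > 4096 {
			return errors.New("rsa: modulus must be 2048 to 4096 bits")
		}
		return nil
	case *ecdsa.PublicKey:
		switch k.Curve {
		case elliptic.P256(), elliptic.P384(), elliptic.P521():
			return nil
		}
		return errors.New("ecdsa: curve must be P256, P384 or P521")
	case ed25519.PublicKey:
		return nil // no further check
	case *dsa.PublicKey:
		return errors.New("dsa: key type not allowed")
	}
	return fmt.Errorf("unsupported key type %T", pub)
}

// rsaOfBits builds a constructed n-bit modulus (2^(n-1)); not a usable key.
func rsaOfBits(n uint) *rsa.PublicKey {
	return &rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), n-1), E: 65537}
}

func main() {
	// Constructed inputs, one per rule in the commit message.
	keys := []crypto.PublicKey{rsaOfBits(1024), rsaOfBits(2048),
		&ecdsa.PublicKey{Curve: elliptic.P224()}, &ecdsa.PublicKey{Curve: elliptic.P256()},
		ed25519.PublicKey(make([]byte, ed25519.PublicKeySize)), &dsa.PublicKey{}}
	for _, k := range keys {
		fmt.Printf("%T: %v\n", k, checkKey(k))
	}
}
```

Anything that is not one of the four listed key types falls through to the final error, so an unrecognised type is rejected rather than passed.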
Showing 5 changed files with 326 additions and 59 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -18,7 +18,7 @@ require (
github.com/prometheus/client_golang v1.12.1
github.com/prometheus/client_model v0.2.0
github.com/prometheus/common v0.33.0
github.com/sigstore/sigstore v1.1.1-0.20220124143820-3cebf5c58675
github.com/sigstore/sigstore v1.2.1-0.20220328200116-ef48ee800626
github.com/spf13/cobra v1.4.0
github.com/spf13/viper v1.10.1
github.com/stretchr/testify v1.7.1
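Review bot: the new github.com/sigstore/sigstore requirement in the go.mod require block is a pseudo-version, v1.2.1-0.20220328200116-ef48ee800626, like the one it replaces, so Fulcio keeps building against an untagged commit rather than a release. The commit message does not mention this dependency change; if the key validation it describes relies on the bump, say so there, and move the requirement to a tagged sigstore release once one contains that commit.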