Skip to content

Commit

Permalink
Add validation of public keys to prevent certifying weak keys
Browse files Browse the repository at this point in the history 
This adds checks for RSA, ECDSA and ED25519 (no-op) keys. This
will prevent Fulcio from signing certificates for the following:
* DSA keys
* RSA keys that are smaller than 2048 or larger than 4096
* RSA keys with weak primes
* ECDSA keys that aren't P256, P384, or P521 (P224 or custom curves)

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
  • Loading branch information
@haydentherapper
haydentherapper committed Mar 29, 2022
1 parent 97da739 commit c59f4f9
Show file tree
Hide file tree
Showing 5 changed files with 326 additions and 59 deletions.
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ require (
github.com/prometheus/client_golang v1.12.1
github.com/prometheus/client_model v0.2.0
github.com/prometheus/common v0.32.1
github.com/sigstore/sigstore v1.1.1-0.20220124143820-3cebf5c58675
github.com/sigstore/sigstore v1.2.1-0.20220328200116-ef48ee800626
github.com/spf13/cobra v1.4.0
github.com/spf13/viper v1.10.1
github.com/stretchr/testify v1.7.1
Expand Down

0 comments on commit c59f4f9

Please sign in to comment.