Skip to content

Commit

Permalink
Add validation of public keys to prevent certifying weak keys
Browse files Browse the repository at this point in the history 
This adds checks for RSA, ECDSA and ED25519 (no-op) keys. This
will prevent Fulcio from signing certificates for the following:
* DSA keys
* RSA keys that are smaller than 2048 or larger than 4096
* RSA keys with weak primes
* ECDSA keys that aren't P256, P384, or P521 (P224 or custom curves)

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
  • Loading branch information
@haydentherapper
haydentherapper committed Mar 29, 2022
1 parent a2bd19a commit d0a9f7c
Show file tree
Hide file tree
Showing 5 changed files with 326 additions and 59 deletions.
2 changes: 1 addition & 1 deletion go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ require (
github.com/prometheus/client_golang v1.12.1
github.com/prometheus/client_model v0.2.0
github.com/prometheus/common v0.33.0
github.com/sigstore/sigstore v1.1.1-0.20220124143820-3cebf5c58675
github.com/sigstore/sigstore v1.2.1-0.20220328200116-ef48ee800626
github.com/spf13/cobra v1.4.0
github.com/spf13/viper v1.10.1
github.com/stretchr/testify v1.7.1
Expand Down

0 comments on commit d0a9f7c

Please sign in to comment.