Add method to check for public key equality (#346)

This is useful when comparing a provided public key with a key from another source such as a certificate. Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
sigstore · Mar 24, 2022 · a3f9817 · a3f9817
1 parent e538709
commit a3f9817
Show file tree

Hide file tree

Showing 2 changed files with 101 additions and 0 deletions.
diff --git a/pkg/cryptoutils/publickey.go b/pkg/cryptoutils/publickey.go
@@ -17,12 +17,17 @@ package cryptoutils
 
 import (
 	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rsa"
 	"crypto/sha1" // nolint:gosec
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/asn1"
+	"encoding/hex"
 	"encoding/pem"
 	"errors"
+	"fmt"
 )
 
 const (
@@ -78,3 +83,40 @@ func SKID(pub crypto.PublicKey) ([]byte, error) {
 	skid := sha1.Sum(spki.SubjectPublicKey.Bytes) // nolint:gosec
 	return skid[:], nil
 }
+
+// EqualKeys compares two public keys. Supports RSA, ECDSA and ED25519.
+// If not equal, the error message contains hex-encoded SHA1 hashes of the DER-encoded keys
+func EqualKeys(first, second crypto.PublicKey) error {
+	switch pub := first.(type) {
+	case *rsa.PublicKey:
+		if !pub.Equal(second) {
+			return fmt.Errorf(genErrMsg(first, second, "rsa"))
+		}
+	case *ecdsa.PublicKey:
+		if !pub.Equal(second) {
+			return fmt.Errorf(genErrMsg(first, second, "ecdsa"))
+		}
+	case ed25519.PublicKey:
+		if !pub.Equal(second) {
+			return fmt.Errorf(genErrMsg(first, second, "ed25519"))
+		}
+	default:
+		return errors.New("unsupported key type")
+	}
+	return nil
+}
+
+// genErrMsg generates an error message for EqualKeys
+func genErrMsg(first, second crypto.PublicKey, keyType string) string {
+	msg := fmt.Sprintf("%s public keys are not equal", keyType)
+	// Calculate SKID to include in error message
+	firstSKID, err := SKID(first)
+	if err != nil {
+		return msg
+	}
+	secondSKID, err := SKID(second)
+	if err != nil {
+		return msg
+	}
+	return fmt.Sprintf("%s (%s, %s)", msg, hex.EncodeToString(firstSKID), hex.EncodeToString(secondSKID))
+}
diff --git a/pkg/cryptoutils/publickey_test.go b/pkg/cryptoutils/publickey_test.go
@@ -21,6 +21,7 @@ import (
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/rsa"
+	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -112,3 +113,61 @@ func TestSKIDED25519(t *testing.T) {
 		t.Fatalf("SKID failed: %v", skid)
 	}
 }
+
+func TestEqualKeys(t *testing.T) {
+	// Test RSA (success and failure)
+	privRsa, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("rsa.GenerateKey failed: %v", err)
+	}
+	privRsa2, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		t.Fatalf("rsa.GenerateKey failed: %v", err)
+	}
+	if err := EqualKeys(privRsa.Public(), privRsa.Public()); err != nil {
+		t.Fatalf("unexpected error for rsa equality, got %v", err)
+	}
+	if err := EqualKeys(privRsa.Public(), privRsa2.Public()); err == nil || !strings.Contains(err.Error(), "rsa public keys are not equal") {
+		t.Fatalf("expected error for different rsa keys, got %v", err)
+	}
+	// Test ECDSA (success and failure)
+	privEcdsa, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey failed: %v", err)
+	}
+	privEcdsa2, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("ecdsa.GenerateKey failed: %v", err)
+	}
+	if err := EqualKeys(privEcdsa.Public(), privEcdsa.Public()); err != nil {
+		t.Fatalf("unexpected error for ecdsa equality, got %v", err)
+	}
+	if err := EqualKeys(privEcdsa.Public(), privEcdsa2.Public()); err == nil || !strings.Contains(err.Error(), "ecdsa public keys are not equal") {
+		t.Fatalf("expected error for different ecdsa keys, got %v", err)
+	}
+	// Test ED25519 (success and failure)
+	pubEd, _, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("ed25519.GenerateKey failed: %v", err)
+	}
+	pubEd2, _, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		t.Fatalf("ed25519.GenerateKey failed: %v", err)
+	}
+	if err := EqualKeys(pubEd, pubEd); err != nil {
+		t.Fatalf("unexpected error for ed25519 equality, got %v", err)
+	}
+	if err := EqualKeys(pubEd, pubEd2); err == nil || !strings.Contains(err.Error(), "ed25519 public keys are not equal") {
+		t.Fatalf("expected error for different ed25519 keys, got %v", err)
+	}
+	// Keys of different type are not equal
+	if err := EqualKeys(privRsa.Public(), pubEd); err == nil || !strings.Contains(err.Error(), "are not equal") {
+		t.Fatalf("expected error for different key types, got %v", err)
+	}
+	// Fails with unexpected key type
+	type PublicKey struct {
+	}
+	if err := EqualKeys(PublicKey{}, PublicKey{}); err == nil || err.Error() != "unsupported key type" {
+		t.Fatalf("expected error for unsupported key type, got %v", err)
+	}
+}