Local Cert verify not working for Azure KMS #1384
Comments
Key type: RSA
I am also experiencing this bug -- RSA key size 4096 with cosign 2.2
@malancas Any guesses? I don't have the environment to repro this.
@haydentherapper I have some ideas, I'll take a look at replicating today.
Any updates here?
@malancas Can you tell me your ideas? I could check them because we still have the error in our environment.
@d7h I'm taking a look into this today. Just to confirm, are you encountering the error after updating to the latest version of Cosign?
@malancas Ok, thanks. Yes: GitVersion: 2.2.2
I've identified the cause of the bug and am currently working on a solution |
@malancas Hello, I wanted to inquire about the current status because our company has to decide on a signature product shortly. Our security team wants to have RSA encryption. Unfortunately, verification against the public key in Azure is not an option. |
@dh7 after some additional debugging and reading through the Azure Key Vault documentation, I think the issue may have to do with the presence of an optional flag when calling the I am seeing a separate bug in the
@malancas Unfortunately, I still encounter the same error even when specifying the
@malancas I have no idea about Go and only a little bit about cryptography, but as far as I can see, when verified locally, the error is thrown here: https://github.com/golang/go/blob/master/src/crypto/rsa/pkcs1v15.go#L351. When verifying against Azure directly, it never reaches this function in this class. I don't know why. I think the same key should end up in the same description algorithm; it doesn't matter if it's stored in a different location. I don't know if this helps somehow.
Thanks for the information here, I will look into this code and debug. |
@malancas thanks for looking into this issue. I am running into the same issue. Is there an update on the fix? |
I took a look at this and I think it's related to the way the azure signer verifier is implemented. The signer ASN.1 encodes the sig payload returned from AKV as an ASN.1 format. I'm not an expert in this but from the code comments it seems that this is part of ECDSA format. This is likely the reason for why RSA verifier throws the length mismatch error? (See sigstore/pkg/signature/kms/azure/signer.go, line 117 at commit 8b208f7.)
Verifying without downloading the Public Key from AKV uses the azure signer verifiers
Thanks for adding your findings here. I'm going to take a look at this section of the code and debug. |
@malancas I decided to test the hypothesis that the ASN.1 encoding was causing the issue. I manually unwrapped the ASN.1 encoding from the sig before passing to the cosign RSA PKCS1v15 verifier and it worked. Looks like a fix would involve detecting the key type and if it's RSA, return the raw signature instead of ASN.1 encoding. |
Thanks for testing and adding this context, I can take a look at opening a PR to fix this. |
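The following Go program is an added example, not code from this issue, cosign, or sigstore. It emulates the ASN.1 wrapping that the comments above attribute to the Azure signer, shows why `rsa.VerifyPKCS1v15` rejects the wrapped signature (the `len(sig) != k` check in crypto/rsa's pkcs1v15.go that the thread links to), and then applies both remedies discussed: the verifier-side unwrap that was tried by hand, and the key-type branch proposed as the fix. The wrapper's exact framing (split the raw bytes in half as r||s and DER-encode a SEQUENCE of two INTEGERs), the key size used here, and every function name are assumptions; nothing in it calls sigstore's azure package.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)

// ecdsaSignature is the DER structure ecdsa.VerifyASN1 expects: SEQUENCE { r INTEGER, s INTEGER }.
type ecdsaSignature struct{ R, S *big.Int }

// wrapAsASN1 emulates what the thread attributes to the Azure signer: split the raw KMS
// bytes in half as if they were ECDSA r||s and DER-encode them. (Assumption: the exact
// framing in sigstore's signer is not shown in the issue, only that its output is ASN.1.)
func wrapAsASN1(raw []byte) ([]byte, error) {
	half := len(raw) / 2
	return asn1.Marshal(ecdsaSignature{
		R: new(big.Int).SetBytes(raw[:half]),
		S: new(big.Int).SetBytes(raw[half:]),
	})
}

// unwrapASN1 is the manual workaround from the thread: decode the SEQUENCE and rebuild the
// rawLen-byte signature, left-padding each half because big.Int drops leading zero bytes.
func unwrapASN1(sig []byte, rawLen int) ([]byte, error) {
	var es ecdsaSignature
	rest, err := asn1.Unmarshal(sig, &es)
	if err != nil {
		return nil, err
	}
	half := rawLen / 2
	if len(rest) != 0 || es.R.Sign() < 0 || es.S.Sign() < 0 || es.R.BitLen() > half*8 || es.S.BitLen() > half*8 {
		return nil, fmt.Errorf("malformed or oversized ASN.1 signature")
	}
	out := make([]byte, rawLen)
	es.R.FillBytes(out[:half])
	es.S.FillBytes(out[half:])
	return out, nil
}

// encodeKMSSignature is the shape of the fix proposed in the thread: branch on the key type,
// DER-encode only for ECDSA and pass RSA PKCS#1 v1.5 signatures through unchanged.
func encodeKMSSignature(pub crypto.PublicKey, raw []byte) ([]byte, error) {
	switch pub.(type) {
	case *rsa.PublicKey:
		return raw, nil // a PKCS#1 v1.5 signature is one big-endian integer of exactly key size
	case *ecdsa.PublicKey:
		return wrapAsASN1(raw) // fixed-width r||s -> SEQUENCE{r, s}
	default:
		return nil, fmt.Errorf("unsupported key type %T", pub)
	}
}

// rsaRoundTrip reproduces the bug and both remedies with a freshly generated RSA key:
// is the wrapped signature rejected, does the fix's output verify, does the unwrapped one verify?
func rsaRoundTrip(bits int) (wrappedRejected, fixedOK, unwrappedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return
	}
	digest := sha256.Sum256([]byte("constructed payload")) // constructed sample input
	verify := func(sig []byte) bool {
		return rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig) == nil
	}
	raw, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return
	}
	wrapped, err := wrapAsASN1(raw) // what the buggy signer hands back for an RSA key
	if err != nil {
		return
	}
	// The DER wrapper changes the length, so crypto/rsa rejects it at its len(sig) != k
	// check with rsa.ErrVerification before any RSA arithmetic runs.
	wrappedRejected = !verify(wrapped)
	fixed, err := encodeKMSSignature(&priv.PublicKey, raw) // proposed fix: raw bytes for RSA
	if err != nil {
		return
	}
	fixedOK = verify(fixed)
	unwrapped, err := unwrapASN1(wrapped, priv.Size()) // manual workaround on the verifier side
	if err != nil {
		return
	}
	unwrappedOK = verify(unwrapped)
	return
}

func main() {
	wr, fo, uo, err := rsaRoundTrip(2048)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped rejected=%v fixed verifies=%v unwrapped verifies=%v\n", wr, fo, uo)
}
```

A 2048-bit key is used to keep the run short; the thread reports the failure with 4096-bit keys, and the length check trips for any key size because DER framing never produces exactly `pub.Size()` bytes. The ECDSA branch of `encodeKMSSignature` is the existing behaviour that is correct for that key type, which is why only RSA keys are affected.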
Description
Using cosign with Azure KMS results in different behavior for validation with KMS and local pub cert.
But when I use the created public certificate, the result is as follows:
I also exported the key again and tried to reproduce, with the same result:
Is there anything I did wrong or is there a bug in the verification?
Version
cosign version
GitVersion: v2.2.0
GitCommit: 546f1c5b91ef58d6b034a402d0211d980184a0e5
GitTreeState: clean
BuildDate: 2023-08-31T18:52:52Z
GoVersion: go1.21.0
Compiler: gc
Platform: linux/amd64