From b4d68e95cacf96f04cf656081f84aab2dc430bd2 Mon Sep 17 00:00:00 2001 From: Appu Goundan Date: Wed, 6 Sep 2023 22:54:16 -0400 Subject: [PATCH] Handle pkcs1 rsa keys in trsuted_root Signed-off-by: Appu Goundan --- .../java/dev/sigstore/encryption/Keys.java | 19 +++++++++----- .../dev/sigstore/trustroot/PublicKey.java | 11 +++++--- .../sigstore/tuf/SigstoreTufClientTest.java | 26 +++++++++++++------ 3 files changed, 37 insertions(+), 19 deletions(-) diff --git a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java index c7d55b11..265674ad 100644 --- a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java +++ b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java @@ -80,13 +80,7 @@ public static PublicKey parsePublicKey(byte[] keyBytes) throw new InvalidKeySpecException("Invalid key, empty PEM section"); } if (section.getType().equals("RSA PUBLIC KEY")) { - ASN1Sequence sequence = ASN1Sequence.getInstance(section.getContent()); - ASN1Integer modulus = ASN1Integer.getInstance(sequence.getObjectAt(0)); - ASN1Integer exponent = ASN1Integer.getInstance(sequence.getObjectAt(1)); - RSAPublicKeySpec keySpec = - new RSAPublicKeySpec(modulus.getPositiveValue(), exponent.getPositiveValue()); - KeyFactory factory = KeyFactory.getInstance("RSA"); - return factory.generatePublic(keySpec); + return parsePkcs1RsaPublicKey(section.getContent()); } // otherwise, we are dealing with PKIX X509 encoded keys @@ -128,6 +122,17 @@ public static PublicKey parsePkixPublicKey(byte[] contents, String algorithm) return factory.generatePublic(spec); } + public static PublicKey parsePkcs1RsaPublicKey(byte[] contents) + throws NoSuchAlgorithmException, InvalidKeySpecException { + ASN1Sequence sequence = ASN1Sequence.getInstance(contents); + ASN1Integer modulus = ASN1Integer.getInstance(sequence.getObjectAt(0)); + ASN1Integer exponent = ASN1Integer.getInstance(sequence.getObjectAt(1)); + RSAPublicKeySpec keySpec = + new RSAPublicKeySpec(modulus.getPositiveValue(), exponent.getPositiveValue()); + KeyFactory factory = KeyFactory.getInstance("RSA"); + return factory.generatePublic(keySpec); + } + /** * Valid values for scheme are: * diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java index 5e5ea328..5fb7d357 100644 --- a/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java +++ b/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java @@ -31,11 +31,14 @@ public abstract class PublicKey { @Lazy public java.security.PublicKey toJavaPublicKey() - throws InvalidKeySpecException, NoSuchAlgorithmException { - if (!getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) { - throw new InvalidKeySpecException("Unsupported key algorithm: " + getKeyDetails()); + throws NoSuchAlgorithmException, InvalidKeySpecException { + if (getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) { + return Keys.parsePkixPublicKey(getRawBytes(), "EC"); } - return Keys.parsePkixPublicKey(getRawBytes(), "EC"); + if (getKeyDetails().equals("PKCS1_RSA_PKCS1V5")) { + return Keys.parsePkcs1RsaPublicKey(getRawBytes()); + } + throw new InvalidKeySpecException("Unsupported key algorithm: " + getKeyDetails()); } public static PublicKey from(dev.sigstore.proto.common.v1.PublicKey proto) { diff --git a/sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java b/sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java index 6104ceaf..ba45d90c 100644 --- a/sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java +++ b/sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java @@ -17,6 +17,7 @@ import com.google.protobuf.util.JsonFormat; import dev.sigstore.proto.trustroot.v1.TrustedRoot; +import dev.sigstore.trustroot.SigstoreTrustedRoot; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.nio.file.Path; @@ -38,11 +39,8 @@ public void testUpdate_publicGoodHasTrustedRootJson() throws Exception { .tufCacheLocation(localStorePath) .build(); client.forceUpdate(); - Assertions.assertNotNull(client.getSigstoreTrustedRoot()); - Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getTLogs().current()); - Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCTLogs().current()); - Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCAs().current()); + assertTrustedRootValid(client.getSigstoreTrustedRoot()); } @Test @@ -50,11 +48,23 @@ public void testUpdate_stagingHasTrustedRootJson() throws Exception { var client = SigstoreTufClient.builder().useStagingInstance().tufCacheLocation(localStorePath).build(); client.forceUpdate(); - Assertions.assertNotNull(client.getSigstoreTrustedRoot()); - Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getTLogs().current()); - Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCTLogs().current()); - Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCAs().current()); + assertTrustedRootValid(client.getSigstoreTrustedRoot()); + } + + private void assertTrustedRootValid(SigstoreTrustedRoot trustedRoot) throws Exception { + Assertions.assertNotNull(trustedRoot); + Assertions.assertDoesNotThrow(() -> trustedRoot.getTLogs().current()); + Assertions.assertDoesNotThrow(() -> trustedRoot.getCTLogs().current()); + Assertions.assertDoesNotThrow(() -> trustedRoot.getCAs().current()); + + for (var tlog : trustedRoot.getTLogs()) { + Assertions.assertDoesNotThrow(() -> tlog.getPublicKey().toJavaPublicKey()); + } + + for (var ctlog : trustedRoot.getCTLogs()) { + Assertions.assertDoesNotThrow(() -> ctlog.getPublicKey().toJavaPublicKey()); + } } @Test