diff --git a/fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java b/fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java index 5d44ea3a..39373821 100644 --- a/fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java +++ b/fuzzing/src/main/java/fuzzing/KeysParsingFuzzer.java @@ -16,18 +16,31 @@ package fuzzing; import com.code_intelligence.jazzer.api.FuzzedDataProvider; +import com.google.errorprone.annotations.CanIgnoreReturnValue; import dev.sigstore.encryption.Keys; -import java.io.IOException; -import java.security.NoSuchAlgorithmException; +import java.security.PublicKey; import java.security.spec.InvalidKeySpecException; public class KeysParsingFuzzer { + + @FunctionalInterface + interface Parser { + @CanIgnoreReturnValue + PublicKey parse(byte[] contents) throws InvalidKeySpecException; + } + public static void fuzzerTestOneInput(FuzzedDataProvider data) { try { - byte[] byteArray = data.consumeRemainingAsBytes(); + Parser parser = + data.pickValue( + new Parser[] { + Keys::parseRsaPkcs1, Keys::parseRsa, Keys::parseEcdsa, Keys::parseEd25519, + }); + byte[] keyContents = data.consumeRemainingAsBytes(); + + parser.parse(keyContents); - Keys.parsePublicKey(byteArray); - } catch (IOException | InvalidKeySpecException | NoSuchAlgorithmException e) { + } catch (InvalidKeySpecException e) { // known exceptions } } diff --git a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java index 13440b0e..0fe288d7 100644 --- a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java +++ b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java @@ -15,95 +15,90 @@ */ package dev.sigstore.encryption; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStreamReader; -import java.nio.charset.StandardCharsets; import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; import java.security.PublicKey; import java.security.Security; import java.security.spec.InvalidKeySpecException; import java.security.spec.RSAPublicKeySpec; import java.security.spec.X509EncodedKeySpec; -import java.util.List; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1Sequence; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.jce.provider.BouncyCastleProvider; -import org.bouncycastle.openssl.PEMParser; -import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; -import org.bouncycastle.util.encoders.DecoderException; /** For internal use. Key related utility functions. */ public class Keys { - private static final List<String> SUPPORTED_KEY_TYPES = - List.of("ECDSA", "EC", "RSA", "Ed25519", "EdDSA"); - static { Security.addProvider(new BouncyCastleProvider()); } /** - * Takes a PEM formatted public key in bytes and constructs a {@code PublicKey} with it. + * Takes a PKIX DER formatted ECDSA public key in bytes and constructs a {@code PublicKey} with + * it. * - * <p>This method supports the follow public key algorithms: RSA, EdDSA, EC. + * @param contents the public key bytes + * @return a PublicKey object + * @throws InvalidKeySpecException if the public key material is invalid + */ + public static PublicKey parseEcdsa(byte[] contents) throws InvalidKeySpecException { + return parse(contents, "ECDSA"); + } + + /** + * Takes a PKIX DER formatted Ed25519 public key in bytes and constructs a {@code PublicKey} with + * it. * - * @throws InvalidKeySpecException if the PEM does not contain just one public key. - * @throws NoSuchAlgorithmException if the public key is using an unsupported algorithm. + * @param contents the public key bytes + * @return a PublicKey object + * @throws InvalidKeySpecException if the public key material is invalid */ - public static PublicKey parsePublicKey(byte[] keyBytes) - throws InvalidKeySpecException, IOException, NoSuchAlgorithmException { - try (PEMParser pemParser = - new PEMParser( - new InputStreamReader(new ByteArrayInputStream(keyBytes), StandardCharsets.UTF_8))) { - var keyObj = pemParser.readObject(); // throws DecoderException - if (keyObj == null) { - throw new InvalidKeySpecException( - "sigstore public keys must be only a single PEM encoded public key"); - } - JcaPEMKeyConverter converter = new JcaPEMKeyConverter(); - converter.setProvider(BouncyCastleProvider.PROVIDER_NAME); - if (keyObj instanceof SubjectPublicKeyInfo) { - PublicKey pk = converter.getPublicKey((SubjectPublicKeyInfo) keyObj); - if (!SUPPORTED_KEY_TYPES.contains(pk.getAlgorithm())) { - throw new NoSuchAlgorithmException("Unsupported key type: " + pk.getAlgorithm()); - } - return pk; - } - throw new InvalidKeySpecException("Could not parse PEM section into public key"); - } catch (DecoderException e) { - throw new InvalidKeySpecException("Invalid key, could not parse PEM section"); - } + public static PublicKey parseEd25519(byte[] contents) throws InvalidKeySpecException { + return parse(contents, "Ed25519"); } /** - * Takes a PKIX DER formatted public key in bytes and constructs a {@code PublicKey} with it. + * Takes a PKIX DER formatted RSA public key in bytes and constructs a {@code PublicKey} with it. * - * <p>This method is known to work with keys algorithms: RSA, EdDSA, EC. + * @param contents the public key bytes + * @return a PublicKey object + * @throws InvalidKeySpecException if the public key material is invalid + */ + public static PublicKey parseRsa(byte[] contents) throws InvalidKeySpecException { + return parse(contents, "RSA"); + } + + /** + * Takes a PKCS1 DER formatted RSA public key in bytes and constructs a {@code PublicKey} with it. * * @param contents the public key bytes - * @param algorithm the key algorithm * @return a PublicKey object - * @throws NoSuchAlgorithmException if we don't support the scheme provided * @throws InvalidKeySpecException if the public key material is invalid */ - public static PublicKey parsePkixPublicKey(byte[] contents, String algorithm) - throws NoSuchAlgorithmException, InvalidKeySpecException { - X509EncodedKeySpec spec = new X509EncodedKeySpec(contents); - KeyFactory factory = KeyFactory.getInstance(algorithm); - return factory.generatePublic(spec); + public static PublicKey parseRsaPkcs1(byte[] contents) throws InvalidKeySpecException { + try { + ASN1Sequence sequence = ASN1Sequence.getInstance(contents); + ASN1Integer modulus = ASN1Integer.getInstance(sequence.getObjectAt(0)); + ASN1Integer exponent = ASN1Integer.getInstance(sequence.getObjectAt(1)); + RSAPublicKeySpec keySpec = + new RSAPublicKeySpec(modulus.getPositiveValue(), exponent.getPositiveValue()); + KeyFactory factory = KeyFactory.getInstance("RSA", "BC"); + return factory.generatePublic(keySpec); + } catch (IllegalArgumentException | NullPointerException e) { + throw new InvalidKeySpecException("Failed to parse pkcs1 rsa key", e); + } catch (NoSuchProviderException | NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } } - public static PublicKey parsePkcs1RsaPublicKey(byte[] contents) - throws NoSuchAlgorithmException, InvalidKeySpecException { - ASN1Sequence sequence = ASN1Sequence.getInstance(contents); - ASN1Integer modulus = ASN1Integer.getInstance(sequence.getObjectAt(0)); - ASN1Integer exponent = ASN1Integer.getInstance(sequence.getObjectAt(1)); - RSAPublicKeySpec keySpec = - new RSAPublicKeySpec(modulus.getPositiveValue(), exponent.getPositiveValue()); - KeyFactory factory = KeyFactory.getInstance("RSA"); - return factory.generatePublic(keySpec); + private static PublicKey parse(byte[] contents, String type) throws InvalidKeySpecException { + try { + var keySpec = new X509EncodedKeySpec(contents); + var factory = KeyFactory.getInstance(type, BouncyCastleProvider.PROVIDER_NAME); + return factory.generatePublic(keySpec); + } catch (NoSuchProviderException | NoSuchAlgorithmException e) { + throw new RuntimeException(e); + } } } diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java index 5fb7d357..e27b439c 100644 --- a/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java +++ b/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java @@ -33,10 +33,13 @@ public abstract class PublicKey { public java.security.PublicKey toJavaPublicKey() throws NoSuchAlgorithmException, InvalidKeySpecException { if (getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) { - return Keys.parsePkixPublicKey(getRawBytes(), "EC"); + return Keys.parseEcdsa(getRawBytes()); + } + if (getKeyDetails().startsWith("PKIX_RSA")) { + return Keys.parseRsa(getRawBytes()); } if (getKeyDetails().equals("PKCS1_RSA_PKCS1V5")) { - return Keys.parsePkcs1RsaPublicKey(getRawBytes()); + return Keys.parseRsaPkcs1(getRawBytes()); } throw new InvalidKeySpecException("Unsupported key algorithm: " + getKeyDetails()); } diff --git a/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java b/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java index 5c8081ad..c5f5ca94 100644 --- a/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java +++ b/sigstore-java/src/test/java/dev/sigstore/encryption/KeysTest.java @@ -15,13 +15,6 @@ */ package dev.sigstore.encryption; -import static org.junit.jupiter.api.Assertions.*; - -import com.google.common.io.Resources; -import java.io.IOException; -import java.nio.charset.StandardCharsets; -import java.security.NoSuchAlgorithmException; -import java.security.PublicKey; import java.security.spec.InvalidKeySpecException; import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; @@ -29,102 +22,61 @@ class KeysTest { - static final String RSA_PUB_PATH = "dev/sigstore/samples/keys/test-rsa.pub"; - static final String RSA_PUB_PKCS1_PATH = "dev/sigstore/samples/keys/test-rsa-pkcs1.pub"; - static final String EC_PUB_PATH = "dev/sigstore/samples/keys/test-ec.pub"; - static final String ED25519_PUB_PATH = "dev/sigstore/samples/keys/test-ed25519.pub"; - static final String DSA_PUB_PATH = "dev/sigstore/samples/keys/test-dsa.pub"; - - static final String ECDSA_SHA2_NISTP256 = - "dev/sigstore/samples/keys/test-ecdsa-sha2-nistp256.pub"; - - @Test - void parsePublicKey_invalid() { - var key = - "-----BEGIN Ã-----\nMGMGB1gFB00gFM0EEEEEEEzEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFB00gFM0EEEEEEEzEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEFGB1g070v129B1700372=\n-----END ïI"; - Assertions.assertThrows( - IOException.class, () -> Keys.parsePublicKey(key.getBytes(StandardCharsets.UTF_8))); - } - - @Test - void parsePublicKey_rsa() throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { - PublicKey result = - Keys.parsePublicKey(Resources.toByteArray(Resources.getResource(RSA_PUB_PATH))); - assertEquals("RSA", result.getAlgorithm()); - } - - @Test - void parsePublicKey_rsaPkcs1() - throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { - PublicKey result = - Keys.parsePublicKey(Resources.toByteArray(Resources.getResource(RSA_PUB_PKCS1_PATH))); - assertEquals("RSA", result.getAlgorithm()); - } - - @Test - void parsePublicKey_ec() throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { - PublicKey result = - Keys.parsePublicKey(Resources.toByteArray(Resources.getResource(EC_PUB_PATH))); - assertEquals("ECDSA", result.getAlgorithm()); - } - @Test - void parsePublicKey_ed25519() - throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { - PublicKey result = - Keys.parsePublicKey(Resources.toByteArray(Resources.getResource(ED25519_PUB_PATH))); - // BouncyCastle names the algorithm differently than the JDK (Ed25519 vs EdDSA) but we - // force the converter to use BouncyCastle always. - assertEquals("Ed25519", result.getAlgorithm()); + void parseRsa() throws InvalidKeySpecException { + var base64Key = + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAghWkDAnX9F5QZZ9NxIWg9vcjULtD/kkbQwlcSm22e06FrgOdiFy1fKN/Ng32qEk1ZIKyi0HFzZxzPIcvg7eaFTRb7+AQiG6eMDmUzPGr67Jp0Di2ncH9+uOZmv4PVKovvQLq7qnEwbDk0HttxUscLQ2e36Lfv/2lpGW7apVmHVMoC5kwZ3KTiAk/DUtDhD4VQjU2rBy6OneO6pm6vdNzG4Jktjc0uUKFCRRUzydGEh05PgC9vSQu/EOiU+7aQPV1ZDUGpjg9tOM0SgaTOU3YSUfGiXZNHoiS2HwLyQPaxiHR2NPVH75bwnUFBHhdMxT1rhU+yLhXaweDQW6GQ0ti8wIDAQAB"; + Assertions.assertEquals("RSA", Keys.parseRsa(Base64.decode(base64Key)).getAlgorithm()); } @Test - void parsePublicKey_dsaShouldFail() { + void parseRsa_bad() { + var base64Key = + "MIIBIjANBgkqhkiG8w0BAQEFAAOCAQ8AMIIBCgKCAQEAghWkDAnX9F5QZZ9NxIWg9vcjULtD/kkbQwlcSm22e06FrgOdiFy1fKN/Ng32qEk1ZIKyi0HFzZxzPIcvg7eaFTRb7+AQiG6eMDmUzPGr67Jp0Di2ncH9+uOZmv4PVKovvQLq7qnEwbDk0HttxUscLQ2e36Lfv/2lpGW7apVmHVMoC5kwZ3KTiAk/DUtDhD4VQjU2rBy6OneO6pm6vdNzG4Jktjc0uUKFCRRUzydGEh05PgC9vSQu/EOiU+7aQPV1ZDUGpjg9tOM0SgaTOU3YSUfGiXZNHoiS2HwLyQPaxiHR2NPVH75bwnUFBHhdMxT1rhU+yLhXaweDQW6GQ0ti8wIDAQAB"; Assertions.assertThrows( - NoSuchAlgorithmException.class, - () -> Keys.parsePublicKey(Resources.toByteArray(Resources.getResource(DSA_PUB_PATH)))); + InvalidKeySpecException.class, () -> Keys.parseRsa(Base64.decode(base64Key))); } @Test - void parseTufPublicKeyPemEncoded_sha2_nistp256() - throws IOException, InvalidKeySpecException, NoSuchAlgorithmException { - PublicKey result = - Keys.parsePublicKey(Resources.toByteArray(Resources.getResource(ECDSA_SHA2_NISTP256))); - assertEquals("ECDSA", result.getAlgorithm()); - } - - @Test - void parsePkixPublicKey_rsa() throws NoSuchAlgorithmException, InvalidKeySpecException { + void parseRsaPkcs1() throws InvalidKeySpecException { var base64Key = - "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAghWkDAnX9F5QZZ9NxIWg9vcjULtD/kkbQwlcSm22e06FrgOdiFy1fKN/Ng32qEk1ZIKyi0HFzZxzPIcvg7eaFTRb7+AQiG6eMDmUzPGr67Jp0Di2ncH9+uOZmv4PVKovvQLq7qnEwbDk0HttxUscLQ2e36Lfv/2lpGW7apVmHVMoC5kwZ3KTiAk/DUtDhD4VQjU2rBy6OneO6pm6vdNzG4Jktjc0uUKFCRRUzydGEh05PgC9vSQu/EOiU+7aQPV1ZDUGpjg9tOM0SgaTOU3YSUfGiXZNHoiS2HwLyQPaxiHR2NPVH75bwnUFBHhdMxT1rhU+yLhXaweDQW6GQ0ti8wIDAQAB"; - Assertions.assertNotNull(Keys.parsePkixPublicKey(Base64.decode(base64Key), "RSA")); + "MIICCgKCAgEA27A2MPQXm0I0v7/Ly5BIauDjRZF5Jor9vU+QheoE2UIIsZHcyYq3slHzSSHy2lLj1ZD2d91CtJ492ZXqnBmsr4TwZ9jQ05tW2mGIRI8u2DqN8LpuNYZGz/f9SZrjhQQmUttqWmtu3UoLfKz6NbNXUnoo+NhZFcFRLXJ8VporVhuiAmL7zqT53cXR3yQfFPCUDeGnRksnlhVIAJc3AHZZSHQJ8DEXMhh35TVv2nYhTI3rID7GwjXXw4ocz7RGDD37ky6p39Tl5NB71gT1eSqhZhGHEYHIPXraEBd5+3w9qIuLWlp5Ej/K6Mu4ELioXKCUimCbwy+Cs8UhHFlqcyg4AysOHJwIadXIa8LsY51jnVSGrGOEBZevopmQPNPtyfFY3dmXSS+6Z3RD2Gd6oDnNGJzpSyEk410Ag5uvNDfYzJLCWX9tU8lIxNwdFYmIwpd89HijyRyoGnoJ3entd63cvKfuuix5r+GHyKp1Xm1L5j5AWM6P+z0xigwkiXnt+adexAl1J9wdDxv/pUFEESRF4DG8DFGVtbdH6aR1A5/vD4krO4tC1QYUSeyL5Mvsw8WRqIFHcXtgybtxylljvNcGMV1KXQC8UFDmpGZVDSHx6v3e/BHMrZ7gjoCCfVMZ/cFcQi0W2AIHPYEMH/C95J2r4XbHMRdYXpovpOoT5Ca78gsCAwEAAQ=="; + Assertions.assertEquals("RSA", Keys.parseRsaPkcs1(Base64.decode(base64Key)).getAlgorithm()); } @Test - void parsePkixPublicKey_rsaKeyButWrongAlgorithm() { + void parseRsaPkcs1_bad() throws InvalidKeySpecException { var base64Key = - "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAghWkDAnX9F5QZZ9NxIWg9vcjULtD/kkbQwlcSm22e06FrgOdiFy1fKN/Ng32qEk1ZIKyi0HFzZxzPIcvg7eaFTRb7+AQiG6eMDmUzPGr67Jp0Di2ncH9+uOZmv4PVKovvQLq7qnEwbDk0HttxUscLQ2e36Lfv/2lpGW7apVmHVMoC5kwZ3KTiAk/DUtDhD4VQjU2rBy6OneO6pm6vdNzG4Jktjc0uUKFCRRUzydGEh05PgC9vSQu/EOiU+7aQPV1ZDUGpjg9tOM0SgaTOU3YSUfGiXZNHoiS2HwLyQPaxiHR2NPVH75bwnUFBHhdMxT1rhU+yLhXaweDQW6GQ0ti8wIDAQAB"; + "MIIBIjANBgkqikiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAghWkDAnX9F5QZZ9NxIWg9vcjULtD/kkbQwlcSm22e06FrgOdiFy1fKN/Ng32qEk1ZIKyi0HFzZxzPIcvg7eaFTRb7+AQiG6eMDmUzPGr67Jp0Di2ncH9+uOZmv4PVKovvQLq7qnEwbDk0HttxUscLQ2e36Lfv/2lpGW7apVmHVMoC5kwZ3KTiAk/DUtDhD4VQjU2rBy6OneO6pm6vdNzG4Jktjc0uUKFCRRUzydGEh05PgC9vSQu/EOiU+7aQPV1ZDUGpjg9tOM0SgaTOU3YSUfGiXZNHoiS2HwLyQPaxiHR2NPVH75bwnUFBHhdMxT1rhU+yLhXaweDQW6GQ0ti8wIDAQAB"; Assertions.assertThrows( - InvalidKeySpecException.class, - () -> Keys.parsePkixPublicKey(Base64.decode(base64Key), "EC")); + InvalidKeySpecException.class, () -> Keys.parseRsaPkcs1(Base64.decode(base64Key))); } @Test - void parsePkixPublicKey_eddsa() throws NoSuchAlgorithmException, InvalidKeySpecException { + void parseEd25519() throws InvalidKeySpecException { var base64Key = "MCowBQYDK2VwAyEAixzZOnx34hveTZ69J5iBCkmerK5Oh7EzJqTh3YY55jI="; - Assertions.assertNotNull(Keys.parsePkixPublicKey(Base64.decode(base64Key), "EdDSA")); + Assertions.assertEquals("Ed25519", Keys.parseEd25519(Base64.decode(base64Key)).getAlgorithm()); } @Test - void parsePkixPublicKey_ecdsa() throws NoSuchAlgorithmException, InvalidKeySpecException { + void parseEd25519_bad() { + var base64Key = "MCowBQYDK2VxAyEAixzZOnx34hveTZ69J5iBCkmerK5Oh7EzJqTh3YY55jI="; + Assertions.assertThrows( + InvalidKeySpecException.class, () -> Keys.parseEd25519(Base64.decode(base64Key))); + } + + @Test + void parseEcdsa() throws InvalidKeySpecException { var base64Key = "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEVqBnvab9XEVlTLW4iGKBIdrL6Sxf0x5vclZyXtR6hl79/o+RSgyr1ZQKLLCUC20imDWUgFMmfLu4UUiKNcI2uQ=="; - Assertions.assertNotNull(Keys.parsePkixPublicKey(Base64.decode(base64Key), "EC")); + Assertions.assertNotNull(Keys.parseEcdsa(Base64.decode(base64Key))); } @Test - void parsePublicKey_failOnBadPEM() throws Exception { - byte[] byteArray = "-----BEGIN A-----\nBBBBB-----END A".getBytes(StandardCharsets.UTF_8); - Assertions.assertThrows(IOException.class, () -> Keys.parsePublicKey(byteArray)); + void parseEcdsa_bad() { + var base64Key = + "MFkwEwYHKoZIzj0CAQYIKoZJzj0DAQcDQgAEVqBnvab9XEVlTLW4iGKBIdrL6Sxf0x5vclZyXtR6hl79/o+RSgyr1ZQKLLCUC20imDWUgFMmfLu4UUiKNcI2uQ=="; + Assertions.assertThrows( + InvalidKeySpecException.class, () -> Keys.parseEcdsa(Base64.decode(base64Key))); } } diff --git a/sigstore-java/src/test/java/dev/sigstore/encryption/certificates/transparency/CTVerifierTest.java b/sigstore-java/src/test/java/dev/sigstore/encryption/certificates/transparency/CTVerifierTest.java index 33b3efed..e433ebeb 100644 --- a/sigstore-java/src/test/java/dev/sigstore/encryption/certificates/transparency/CTVerifierTest.java +++ b/sigstore-java/src/test/java/dev/sigstore/encryption/certificates/transparency/CTVerifierTest.java @@ -20,10 +20,12 @@ import com.google.common.io.Resources; import dev.sigstore.encryption.Keys; import dev.sigstore.encryption.certificates.Certificates; +import java.nio.charset.StandardCharsets; import java.security.PublicKey; import java.security.cert.X509Certificate; import java.util.Arrays; import java.util.List; +import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -55,11 +57,16 @@ public void setUp() throws Exception { Resources.getResource( "dev/sigstore/samples/certificatetransparency/cert-ct-embedded.pem"))); - PublicKey key = - Keys.parsePublicKey( - Resources.toByteArray( + // a little hacky pem parser, but lightweight + String keyData = + Resources.toString( Resources.getResource( - "dev/sigstore/samples/certificatetransparency/ct-server-key-public.pem"))); + "dev/sigstore/samples/certificatetransparency/ct-server-key-public.pem"), + StandardCharsets.UTF_8) + .replace("-----BEGIN PUBLIC KEY-----", "") + .replace("-----END PUBLIC KEY-----", "") + .replaceAll("\\s", ""); + PublicKey key = Keys.parseEcdsa(Base64.decode(keyData)); final CTLogInfo log = new CTLogInfo(key, "Test Log", "foo"); CTLogStore store = diff --git a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/README.md b/sigstore-java/src/test/resources/dev/sigstore/samples/keys/README.md deleted file mode 100644 index bdae4b3e..00000000 --- a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/README.md +++ /dev/null @@ -1,24 +0,0 @@ -These test keys were creating using the following commands: - -**test-ec.pub** - actually this was copied from [here](https://github.com/sigstore/sigstore-java/blob/main/src/test/resources/dev/sigstore/samples/fulcio-response/valid/ctfe.pub). - -**test-rsa.pub** -``` -step crypto keypair ctfe-rsa.pub tmp.key -kty RSA --no-password --insecure -``` -**test-rsa-pkcs1.pub** -``` -ssh-keygen -t rsa -f test-rsa-tmp -ssh-keygen -f test-rsa-tmp.pub -e -m pem > test-rsa.pub -``` - -**test-ed25519.pub** -``` -step crypto keypair ctfe-ed25519.pub tmp.key -kty OKP --curve Ed25519 --no-password --insecure -``` - -**test-dsa.pub** -``` -ssh-keygen -t dsa -f test-dsa -ssh-keygen -f test-dsa.pub -e -m pem > test-dsa.pub.pem -``` \ No newline at end of file diff --git a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-dsa.pub b/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-dsa.pub deleted file mode 100644 index c6d480f2..00000000 --- a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-dsa.pub +++ /dev/null @@ -1,12 +0,0 @@ ------BEGIN PUBLIC KEY----- -MIIBtjCCASsGByqGSM44BAEwggEeAoGBAOcFfuB5gZiU4q9B0A/zQWD8v96BKTXD -arJ4gaCdIDaLJ6UbcwVBJzNHFCUOpuQLbBQ8kMs5DlbyGXwj4JXqWzOR0YKSWvJ1 -hswwCZlpYLBSYtsDXHfrycmCVfffrri6LwVPbMuBaERlQwJfdB8TsfY3cuvwP/6v -EQmK/OD7qvjPAhUAqOje7Tdd7n2X508RwbJMfB+lvuMCgYAeG8WNVRVz1/oWI44J -0UxAElcRhtXNmzr86OrLmyv9av7eEovPbrTP5Nq7HqtVW1JMXmbNObiVh22nBkTE -RDd2B8E7jQte2SO9U8Gkq0sBjwrIn4+v4RgHvwxGh5Zhyfd+F78y/44WIJf5Dbeo -nbXSPCuGG8t/W1GHS8+VmsRoaAOBhAACgYBns+W/r9A1+bglvDuihzhGeW7MAvoN -qE+L8N8x8+RW2GyVxrNrFsBbXjfsblkc+N3xyF+SdAZ2TLwbAg03TrvCyqXLHHYb -fCUXYzE7JTbmgnd0+9E5yMeWu6giBdrMYQvLRAe8R/cxm5/pQ8oQuE+V89x3JOkH -fPS0RlDVXz8dcg== ------END PUBLIC KEY----- diff --git a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-ecdsa-sha2-nistp256.pub b/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-ecdsa-sha2-nistp256.pub deleted file mode 100644 index 5280c00a..00000000 --- a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-ecdsa-sha2-nistp256.pub +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAESGuAvwkSNuixTs4Eqq3oODQgoA8Y -xXfSHLtkQHswcnU7jGgRkuNU7GiZftUxqeEN06IgSc9WFWD94jcE4RLTBQ== ------END PUBLIC KEY----- diff --git a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-ed25519.pub b/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-ed25519.pub deleted file mode 100644 index b1cbc9a4..00000000 --- a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-ed25519.pub +++ /dev/null @@ -1,3 +0,0 @@ ------BEGIN PUBLIC KEY----- -MCowBQYDK2VwAyEAtcQsiHXtWIXgfKtQ7YD+XBAR43FNSMEk+ADk9gwZN+k= ------END PUBLIC KEY----- diff --git a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-rsa-pkcs1.pub b/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-rsa-pkcs1.pub deleted file mode 100644 index 377e671c..00000000 --- a/sigstore-java/src/test/resources/dev/sigstore/samples/keys/test-rsa-pkcs1.pub +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEA2E1Sn23V7A3xHug1yMiELQGsCJ6BMFgOyu2c6Dm56762TU4ZqnI6 -fbpCakfc+bhFDqphvt8PzXhI4g0xzqZS4EQQaeMkELdaFttLQG3TYT2yTjMiVIza -sheDJoIhX/+ZK7q2JntyuX3xL0RrVyChj8ClNU6EK3o21KK6G/JF/3CeVxjR0RX9 -zMdEN2a2bAVMiOjs/DXeuiU6UxwZ8Pial0RsO4cEzbPiZftNrDOxkDJ8tu7XgpJN -29KNMi9pvgCe1jGAE5sAzyAKzfv9dE5vmlrVwjuNuOP8/XtjKo/9emLZkDnxJTFS -2U40B6Bbllor4TcVR5vYeWUkIFevQqcHdWa9LRZx/I+wjGizd43uEanSMaoBXGvv -u9Zum73pmjoEIRrjtyd7KpIjo4wwCGg/rbichv3Mkpcchp04Oos+Wg4jmB/WKCPL -7itJUXEQrYDVg9sMgg5ZZdkAA/5yDtnBtCQ5X/RDHSuULlbUFrVB7jnNsNCA0slu -gzTPAPR0CnF2WRMnMMnKZQOo2oZJHrOsZDZyTEWXzqlM8rSJif1JiOWpXJiaaADQ -OKaSdNZRlHk29FTRCXADVpR43HXDGJB9zjDIz5DtCwrxo4KQMFOeD8H5RxsZWZ+T -Frruugxm0kt44ei1YUPy48R736HxeBBfZSNrgK0O1FYPneps9peJkr8CAwEAAQ== ------END RSA PUBLIC KEY-----