Skip to content

Commit

Permalink
Merge pull request #204 from flavio/update-crypto-libs
Browse files Browse the repository at this point in the history 
chore: update crypto deps
  • Loading branch information
@flavio
flavio authored Feb 9, 2023
2 parents dbb5655 + 1cf6679 commit 836f567
Show file tree
Hide file tree
Showing 5 changed files with 53 additions and 78 deletions.
14 changes: 7 additions & 7 deletions Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,30 +53,30 @@ base64 = "0.21.0"
cached = { version = "0.42.0", optional = true }
cfg-if = "1.0.0"
digest = "0.10.3"
ecdsa = { version = "0.14.3", features = [ "pkcs8", "digest", "der" ] }
ed25519 = { version = "1", features = [ "alloc" ] }
ed25519-dalek-fiat = "0.1.0"
ecdsa = { version = "0.15", features = [ "pkcs8", "digest", "der" ] }
ed25519 = { version = "2", features = [ "alloc" ] }
ed25519-dalek = { version = "2.0.0-pre.0", features = [ "pkcs8", "rand_core" ] }
elliptic-curve = { version = "0.12.2", features = [ "arithmetic", "pem" ] }
lazy_static = "1.4.0"
oci-distribution = { version = "0.9", default-features = false, optional = true }
olpc-cjson = "0.1"
open = "3.0.1"
openidconnect = { version = "2.3", default-features = false, features = [ "reqwest" ], optional = true}
p256 = "0.11.1"
p384 = "0.11.1"
p256 = "0.12"
p384 = "0.12"
pem = "1.0.2"
picky = { version = "7.0.0-rc.3", default-features = false, features = [ "x509", "ec" ] }
pkcs1 = "0.4.0"
pkcs8 = { version = "0.9.0", features = ["pem", "alloc", "pkcs5", "encryption"] }
rand = { version = "0.8.5", features = [ "getrandom", "std" ] }
regex = { version = "1.5.5", optional = true }
reqwest = { version = "0.11", default-features = false, features = ["json", "multipart"], optional = true}
rsa = "0.7.0"
rsa = "0.8"
scrypt = "0.10.0"
serde = { version = "1.0.136", features = ["derive"] }
serde_json = "1.0.79"
sha2 = { version = "0.10.6", features = ["oid"] }
signature = { version = "1.5.0", features = [ "digest-preview" ] }
signature = { version = "2.0" }
thiserror = "1.0.30"
tokio = { version = "1.17.0", features = ["full"] }
tough = { version = "0.12", features = [ "http" ], optional = true }
Expand Down
68 changes: 21 additions & 47 deletions src/crypto/signing_key/ed25519.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,9 +62,9 @@
use std::convert::TryFrom;

use ed25519::{pkcs8::PublicKeyBytes, KeypairBytes};
use ed25519::KeypairBytes;
use ed25519_dalek::{Signer as _, SigningKey};
use pkcs8::{DecodePrivateKey, EncodePrivateKey, EncodePublicKey};
use signature::Signer as _;
use x509_parser::nom::AsBytes;

use crate::{
Expand All @@ -77,11 +77,10 @@ use super::{
SIGSTORE_PRIVATE_KEY_PEM_LABEL,
};

#[derive(Debug)]
#[derive(Debug, Clone)]
pub struct Ed25519Keys {
key_pair: ed25519_dalek_fiat::Keypair,
key_pair_bytes: KeypairBytes,
public_key_bytes: PublicKeyBytes,
signing_key: ed25519_dalek::SigningKey,
verifying_key: ed25519_dalek::VerifyingKey,
}

impl Ed25519Keys {
Expand All @@ -90,17 +89,11 @@ impl Ed25519Keys {
/// generated.
pub fn new() -> Result<Self> {
let mut csprng = rand::rngs::OsRng {};
let key_pair = ed25519_dalek_fiat::Keypair::generate(&mut csprng);
let key_pair_bytes = KeypairBytes::from_bytes(&key_pair.to_bytes());
let public_key_bytes = PublicKeyBytes::try_from(&key_pair_bytes).map_err(|e| {
SigstoreError::PKCS8SpkiError(format!(
"ED25519 convert from keypair to public key failed: {e}"
))
})?;
let signing_key = SigningKey::generate(&mut csprng);
let verifying_key = signing_key.verifying_key();
Ok(Self {
key_pair,
key_pair_bytes,
public_key_bytes,
signing_key,
verifying_key,
})
}

Expand Down Expand Up @@ -172,21 +165,16 @@ impl Ed25519Keys {

/// Builds a `Ed25519Keys` from a `KeypairBytes`.
fn from_key_pair_bytes(key_pair_bytes: KeypairBytes) -> Result<Self> {
let public_key_bytes = PublicKeyBytes::try_from(&key_pair_bytes).map_err(|e| {
SigstoreError::PKCS8SpkiError(format!(
"ED25519 convert from keypair to public key failed: {e}"
))
})?;
let key_pair = ed25519_dalek_fiat::Keypair::from_bytes(
let signing_key = ed25519_dalek::SigningKey::from_keypair_bytes(
&key_pair_bytes.to_bytes().ok_or_else(|| {
SigstoreError::PKCS8SpkiError("No public key info in given key_pair_bytes.".into())
})?,
)?;
let verifying_key = signing_key.verifying_key();

Ok(Self {
key_pair,
public_key_bytes,
key_pair_bytes,
signing_key,
verifying_key,
})
}

Expand All @@ -202,15 +190,15 @@ impl Ed25519Keys {
impl KeyPair for Ed25519Keys {
/// Return the public key in PEM-encoded SPKI format.
fn public_key_to_pem(&self) -> Result<String> {
self.public_key_bytes
self.verifying_key
.to_public_key_pem(pkcs8::LineEnding::LF)
.map_err(|e| SigstoreError::PKCS8SpkiError(e.to_string()))
}

/// Return the public key in asn.1 SPKI format.
fn public_key_to_der(&self) -> Result<Vec<u8>> {
Ok(self
.public_key_bytes
.verifying_key
.to_public_key_der()
.map_err(|e| SigstoreError::PKCS8SpkiError(e.to_string()))?
.to_vec())
Expand All @@ -235,15 +223,15 @@ impl KeyPair for Ed25519Keys {

/// Return the private key in pkcs8 PEM-encoded format.
fn private_key_to_pem(&self) -> Result<zeroize::Zeroizing<String>> {
self.key_pair_bytes
self.signing_key
.to_pkcs8_pem(pkcs8::LineEnding::LF)
.map_err(|e| SigstoreError::PKCS8SpkiError(e.to_string()))
}

/// Return the private key in asn.1 pkcs8 format.
fn private_key_to_der(&self) -> Result<zeroize::Zeroizing<Vec<u8>>> {
let pkcs8 = self
.key_pair_bytes
.signing_key
.to_pkcs8_der()
.map_err(|e| SigstoreError::PKCS8Error(e.to_string()))?;
Ok(pkcs8.to_bytes())
Expand All @@ -267,23 +255,9 @@ pub struct Ed25519Signer {

impl Ed25519Signer {
pub fn from_ed25519_keys(ed25519_keys: &Ed25519Keys) -> Result<Self> {
let key_pair_bytes =
KeypairBytes::from_bytes(&ed25519_keys.key_pair_bytes.to_bytes().ok_or_else(|| {
SigstoreError::PKCS8SpkiError("No public key info in given key_pair_bytes.".into())
})?);
let public_key_bytes = PublicKeyBytes::try_from(&key_pair_bytes).map_err(|e| {
SigstoreError::PKCS8SpkiError(format!(
"ED25519 convert from keypair to public key failed: {e}"
))
})?;

let key_pair = Ed25519Keys {
key_pair: ed25519_dalek_fiat::Keypair::from_bytes(&ed25519_keys.key_pair.to_bytes())?,
key_pair_bytes,
public_key_bytes,
};

Ok(Self { key_pair })
Ok(Self {
key_pair: ed25519_keys.clone(),
})
}

/// Return the ref to the keypair inside the signer
Expand All @@ -300,7 +274,7 @@ impl Signer for Ed25519Signer {

/// Sign the given message using Ed25519
fn sign(&self, msg: &[u8]) -> Result<Vec<u8>> {
let signature = self.key_pair.key_pair.try_sign(msg)?;
let signature = self.key_pair.signing_key.try_sign(msg)?;
Ok(signature.to_vec())
}
}
Expand Down
15 changes: 8 additions & 7 deletions src/crypto/signing_key/rsa/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,8 @@
//! ```
use ::rsa::{pkcs1v15::SigningKey, pss::BlindedSigningKey};
use signature::RandomizedSigner;
use ecdsa::SignatureEncoding;
use signature::{Keypair, RandomizedSigner};

use self::keypair::RSAKeys;

Expand Down Expand Up @@ -162,22 +163,22 @@ impl RSASigner {
pub fn to_verification_key(&self) -> Result<CosignVerificationKey> {
Ok(match self {
RSASigner::RSA_PSS_SHA256(signer, _) => {
CosignVerificationKey::RSA_PSS_SHA256(signer.into())
CosignVerificationKey::RSA_PSS_SHA256(signer.verifying_key())
}
RSASigner::RSA_PSS_SHA384(signer, _) => {
CosignVerificationKey::RSA_PSS_SHA384(signer.into())
CosignVerificationKey::RSA_PSS_SHA384(signer.verifying_key())
}
RSASigner::RSA_PSS_SHA512(signer, _) => {
CosignVerificationKey::RSA_PSS_SHA512(signer.into())
CosignVerificationKey::RSA_PSS_SHA512(signer.verifying_key())
}
RSASigner::RSA_PKCS1_SHA256(signer, _) => {
CosignVerificationKey::RSA_PKCS1_SHA256(signer.into())
CosignVerificationKey::RSA_PKCS1_SHA256(signer.verifying_key())
}
RSASigner::RSA_PKCS1_SHA384(signer, _) => {
CosignVerificationKey::RSA_PKCS1_SHA384(signer.into())
CosignVerificationKey::RSA_PKCS1_SHA384(signer.verifying_key())
}
RSASigner::RSA_PKCS1_SHA512(signer, _) => {
CosignVerificationKey::RSA_PKCS1_SHA512(signer.into())
CosignVerificationKey::RSA_PKCS1_SHA512(signer.verifying_key())
}
})
}
Expand Down
31 changes: 14 additions & 17 deletions src/crypto/verification_key.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,9 @@ use base64::{engine::general_purpose::STANDARD as BASE64_STD_ENGINE, Engine as _
use pkcs8::DecodePublicKey;
use rsa::{pkcs1v15, pss};
use sha2::{Digest, Sha256, Sha384};
use signature::{DigestVerifier, Signature as _, Verifier};
use signature::{DigestVerifier, Verifier};
use std::convert::TryFrom;
use x509_parser::{prelude::FromDer, x509::SubjectPublicKeyInfo};
use x509_parser::x509::SubjectPublicKeyInfo;

use super::{
signing_key::{KeyPair, SigStoreSigner},
Expand Down Expand Up @@ -52,7 +52,7 @@ pub enum CosignVerificationKey {
RSA_PKCS1_SHA512(pkcs1v15::VerifyingKey<sha2::Sha512>),
ECDSA_P256_SHA256_ASN1(ecdsa::VerifyingKey<p256::NistP256>),
ECDSA_P384_SHA384_ASN1(ecdsa::VerifyingKey<p384::NistP384>),
ED25519(ed25519_dalek_fiat::PublicKey),
ED25519(ed25519_dalek::VerifyingKey),
}

/// Attempts to convert a [x509 Subject Public Key Info](SubjectPublicKeyInfo) object into
Expand Down Expand Up @@ -169,12 +169,9 @@ impl CosignVerificationKey {
))
})?,
),
SigningScheme::ED25519 => {
let (_, public_key) = SubjectPublicKeyInfo::from_der(der_data)?;
CosignVerificationKey::ED25519(ed25519_dalek_fiat::PublicKey::from_bytes(
&public_key.subject_public_key.data,
)?)
}
SigningScheme::ED25519 => CosignVerificationKey::ED25519(
ed25519_dalek::VerifyingKey::from_public_key_der(der_data)?,
),
})
}

Expand All @@ -192,7 +189,7 @@ impl CosignVerificationKey {
} else if let Ok(ed25519bytes) =
ed25519::pkcs8::PublicKeyBytes::from_public_key_der(der_data)
{
Ok(Self::ED25519(ed25519_dalek_fiat::PublicKey::from_bytes(
Ok(Self::ED25519(ed25519_dalek::VerifyingKey::from_bytes(
ed25519bytes.as_ref(),
)?))
} else if let Ok(rsapk) = rsa::RsaPublicKey::from_public_key_der(der_data) {
Expand Down Expand Up @@ -247,37 +244,37 @@ impl CosignVerificationKey {

match self {
CosignVerificationKey::RSA_PSS_SHA256(inner) => {
let sig = pss::Signature::from_bytes(&sig)?;
let sig = pss::Signature::try_from(sig.as_slice())?;
inner
.verify(msg, &sig)
.map_err(|_| SigstoreError::PublicKeyVerificationError)
}
CosignVerificationKey::RSA_PSS_SHA384(inner) => {
let sig = pss::Signature::from_bytes(&sig)?;
let sig = pss::Signature::try_from(sig.as_slice())?;
inner
.verify(msg, &sig)
.map_err(|_| SigstoreError::PublicKeyVerificationError)
}
CosignVerificationKey::RSA_PSS_SHA512(inner) => {
let sig = pss::Signature::from_bytes(&sig)?;
let sig = pss::Signature::try_from(sig.as_slice())?;
inner
.verify(msg, &sig)
.map_err(|_| SigstoreError::PublicKeyVerificationError)
}
CosignVerificationKey::RSA_PKCS1_SHA256(inner) => {
let sig = pkcs1v15::Signature::from_bytes(&sig)?;
let sig = pkcs1v15::Signature::try_from(sig.as_slice())?;
inner
.verify(msg, &sig)
.map_err(|_| SigstoreError::PublicKeyVerificationError)
}
CosignVerificationKey::RSA_PKCS1_SHA384(inner) => {
let sig = pkcs1v15::Signature::from_bytes(&sig)?;
let sig = pkcs1v15::Signature::try_from(sig.as_slice())?;
inner
.verify(msg, &sig)
.map_err(|_| SigstoreError::PublicKeyVerificationError)
}
CosignVerificationKey::RSA_PKCS1_SHA512(inner) => {
let sig = pkcs1v15::Signature::from_bytes(&sig)?;
let sig = pkcs1v15::Signature::try_from(sig.as_slice())?;
inner
.verify(msg, &sig)
.map_err(|_| SigstoreError::PublicKeyVerificationError)
Expand All @@ -300,7 +297,7 @@ impl CosignVerificationKey {
.map_err(|_| SigstoreError::PublicKeyVerificationError)
}
CosignVerificationKey::ED25519(inner) => {
let sig = ed25519::Signature::from_bytes(&sig[..])
let sig = ed25519::Signature::from_slice(sig.as_slice())
.map_err(|_| SigstoreError::PublicKeyVerificationError)?;
inner
.verify(msg, &sig)
Expand Down
3 changes: 3 additions & 0 deletions src/errors.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -214,4 +214,7 @@ pub enum SigstoreError {

#[error(transparent)]
PKCS1Error(#[from] pkcs1::Error),

#[error(transparent)]
ED25519PKCS1Error(#[from] ed25519_dalek::pkcs8::spki::Error),
}

0 comments on commit 836f567

Please sign in to comment.