
Bug#1029170: ITP: golang-github-sigstore-sigstore -- Common go library shared across sigstore services and clients





On Wed, Apr 12, 2023 at 3:53 PM Leo Antunes <leo@antun.es> wrote:
> Sorry for the late reply. My laptop decided it was a good time to break, so I'll have even less time to work on this in the next few days/weeks :/
>
> ------- Original Message -------
> On Sunday, March 26th, 2023 at 22:07, Reinhard Tartler <siretart@gmail.com> wrote:
>
> > Sounds good.
> >
> > I'm happy to take on the easier dependencies, such as pkg/browser or jellydator/ttlcache.
>
> That would be a huge help already!

you're welcome :-)

-- unfortunately, I made a mistake: I packaged version 3 of jellydator-ttlcache, which has a significantly different API than version 2, which sigstore currently uses.

I'm considering either downgrading the package, or making sigstore use v3. I guess the latter is better in the long term. Mh.

> > But the dependency on boulder is giving me a massive headache. It is really unfortunate that they chose to use such a heavy dependency for a rather simple task (goodkey). What are your thoughts on resolving this?
>
> I didn't dive deep into the code, but I suspect we can patch away the boulder dep. I'll gladly give it a try as soon as I have a workable laptop again (but feel free to jump in if you find the time!)


I think this patch should do it:

modified   pkg/cryptoutils/publickey.go
@@ -16,7 +16,6 @@
 package cryptoutils
 
 import (
- "context"
  "crypto"
  "crypto/ecdsa"
  "crypto/ed25519"
@@ -30,8 +29,6 @@ import (
  "encoding/pem"
  "errors"
  "fmt"
-
- "github.com/letsencrypt/boulder/goodkey"
 )
 
 const (
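Review bot: with the goodkey import gone, check that `errors` (still imported at the top of this hunk) has another caller in the file; the only use visible in this patch, `errors.New("unable to initialize key policy")`, is deleted further down, and an unused import is a compile error in Go, so the package would fail to build rather than just lose the check. `go build ./pkg/cryptoutils/` will tell you immediately.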
@@ -139,20 +136,8 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string {
 func ValidatePubKey(pub crypto.PublicKey) error {
  switch pk := pub.(type) {
  case *rsa.PublicKey:
- // goodkey policy enforces:
- // * Size of key: 2048 <= size <= 4096, size % 8 = 0
- // * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
- // * Small primes check for modulus
- // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
- // * Key is easily factored with Fermat's factorization method
- p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
- if err != nil {
- // Should not occur, only chances to return errors are if fermat rounds
- // are <0 or when loading blocked/weak keys from disk (not used here)
- return errors.New("unable to initialize key policy")
- }
- // ctx is unused
- return p.GoodKey(context.Background(), pub)
+ // Avoid dependency on Goodkey for debian
+ return nil;
  case *ecdsa.PublicKey:
  // Unable to use goodkey policy because P-521 curve is not supported
  return validateEcdsaKey(pk)
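Review bot: `return nil` in the `*rsa.PublicKey` case turns ValidatePubKey into an unconditional accept for RSA, dropping every check the deleted comment lists (2048 to 4096 bit size, exponent 65537, small-prime modulus, Fermat factorization, the Infineon weak-key fingerprint); a Debian build would then accept a 1024-bit or e=3 key that upstream rejects. The size, exponent, small-prime and Fermat checks are a few dozen lines against math/big, so please keep at least those inline instead of returning nil. Two smaller points: the `;` after `return nil` is not gofmt-clean, and the `// Unable to use goodkey policy` comment in the ecdsa case now refers to a dependency that no longer exists.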
modified   pkg/cryptoutils/publickey_test.go
@@ -183,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *testing.T) {
 }
 
 func TestValidatePubKeyRsa(t *testing.T) {
+ t.Skip("Validations disabled for Debian")
+
  // Validate common RSA key sizes
  for _, bits := range []int{2048, 3072, 4096} {
  priv, err := rsa.GenerateKey(rand.Reader, bits)
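Review bot: skipping TestValidatePubKeyRsa wholesale also skips its rejection cases, so nothing in the tree records that Debian's build diverges from upstream here. If the RSA branch keeps any inline checks, keep the test and skip only the assertions tied to the removed goodkey policy; if it really returns nil, replace the Skip with a test that pins the Debian behaviour and describe the divergence in the patch's DEP-3 header so the next uploader sees it.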



--
regards,
    Reinhard
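As an added example, not code from sigstore, boulder or the Debian patch above: a standard-library-only stand-in for the RSA branch that keeps the checks the deleted goodkey comment lists (size bounds and byte alignment, exponent 65537, small-prime factors of the modulus, Fermat factorization rounds) rather than returning nil. The Infineon/ROCA fingerprint check is the one item it does not reproduce. The names ValidateRSAPubKey, smallPrimeFactor, factored, closePrimeKey and nextPrime are my own, and closePrimeKey builds a constructed weak modulus from two adjacent primes purely to show the Fermat check firing.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// Policy constants mirroring the goodkey comment removed by the Debian patch.
// Hypothetical names for this example; not part of sigstore or boulder.
const (
	minRSABits   = 2048
	maxRSABits   = 4096
	rsaExponent  = 65537
	fermatRounds = 100
)

// smallPrimes drive a cheap trial-division check of the modulus.
var smallPrimes = []int64{2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97}

// ValidateRSAPubKey applies the RSA policy points without the boulder dependency.
func ValidateRSAPubKey(pk *rsa.PublicKey) error {
	if pk == nil || pk.N == nil {
		return errors.New("nil RSA public key")
	}
	bits := pk.N.BitLen()
	if bits < minRSABits || bits > maxRSABits {
		return fmt.Errorf("RSA key size %d bits not in [%d, %d]", bits, minRSABits, maxRSABits)
	}
	if bits%8 != 0 {
		return fmt.Errorf("RSA key size %d bits is not a multiple of 8", bits)
	}
	if pk.E != rsaExponent {
		return fmt.Errorf("RSA public exponent %d is not %d", pk.E, rsaExponent)
	}
	if p := smallPrimeFactor(pk.N); p != 0 {
		return fmt.Errorf("RSA modulus divisible by small prime %d", p)
	}
	if factored(pk.N, fermatRounds) {
		return errors.New("RSA modulus factored by Fermat's method (primes too close together)")
	}
	return nil
}

// smallPrimeFactor returns the first small prime dividing n, or 0 if none does.
func smallPrimeFactor(n *big.Int) int64 {
	var m big.Int
	for _, p := range smallPrimes {
		if m.Mod(n, big.NewInt(p)).Sign() == 0 {
			return p
		}
	}
	return 0
}

// factored runs `rounds` steps of Fermat's method: starting at a = ceil(sqrt(n)) it tests
// whether a*a - n is a perfect square b*b, which gives n = (a-b)(a+b).
func factored(n *big.Int, rounds int) bool {
	a := new(big.Int).Sqrt(n)
	if new(big.Int).Mul(a, a).Cmp(n) < 0 {
		a.Add(a, big.NewInt(1)) // round floor(sqrt(n)) up to ceil(sqrt(n))
	}
	b2, b, sq := new(big.Int), new(big.Int), new(big.Int)
	for i := 0; i < rounds; i++ {
		b2.Mul(a, a).Sub(b2, n) // b2 = a^2 - n, never negative since a >= ceil(sqrt(n))
		b.Sqrt(b2)
		if sq.Mul(b, b).Cmp(b2) == 0 {
			return true
		}
		a.Add(a, big.NewInt(1))
	}
	return false
}

// closePrimeKey builds a constructed, deliberately weak 2048-bit modulus from two
// adjacent primes; starting at 3*2^1022 makes p*q land at exactly 2048 bits.
func closePrimeKey() *rsa.PublicKey {
	p := nextPrime(new(big.Int).Lsh(big.NewInt(3), 1022))
	q := nextPrime(new(big.Int).Add(p, big.NewInt(2)))
	return &rsa.PublicKey{N: new(big.Int).Mul(p, q), E: rsaExponent}
}

// nextPrime returns the smallest probable prime >= n.
func nextPrime(n *big.Int) *big.Int {
	c := new(big.Int).Set(n)
	if c.Bit(0) == 0 {
		c.Add(c, big.NewInt(1))
	}
	for !c.ProbablyPrime(20) {
		c.Add(c, big.NewInt(2))
	}
	return c
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("freshly generated 2048-bit key:", ValidateRSAPubKey(&priv.PublicKey))
	fmt.Println("adjacent-prime key:", ValidateRSAPubKey(closePrimeKey()))
	fmt.Println("1024-bit key:", ValidateRSAPubKey(&rsa.PublicKey{N: new(big.Int).Lsh(big.NewInt(1), 1023), E: rsaExponent}))
}
```

A freshly generated 2048-bit key passes; the adjacent-prime modulus is caught on the first Fermat round because ceil(sqrt(pq)) equals (p+q)/2 whenever the gap is small, and the 1024-bit and e=3 cases fail the cheap checks before any big-number work happens.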
