Diffstat (limited to 'debian/patches/avoid-boulder.patch')
-rw-r--r-- | debian/patches/avoid-boulder.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/debian/patches/avoid-boulder.patch b/debian/patches/avoid-boulder.patch
new file mode 100644
index 0000000..9cbee94
--- /dev/null
+++ b/debian/patches/avoid-boulder.patch
@@ -0,0 +1,63 @@
+commit 548f37171bb96d28553f37dc2e03c4975db697f3 (HEAD -> release-1.6)
+Author: Reinhard Tartler <siretart@tauware.de>
+Date: Thu Apr 6 20:24:46 2023 -0400
+
+ Drop dependency on boulder, disable RSA checks
+
+Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey.go
++++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
+@@ -16,7 +16,6 @@
+ package cryptoutils
+
+ import (
+- "context"
+ "crypto"
+ "crypto/ecdsa"
+ "crypto/ed25519"
+@@ -30,8 +29,6 @@ import (
+ "encoding/pem"
+ "errors"
+ "fmt"
+-
+- "github.com/letsencrypt/boulder/goodkey"
+ )
+
+ const (
+@@ -139,20 +136,8 @@ func genErrMsg(first, second crypto.Publ
+ func ValidatePubKey(pub crypto.PublicKey) error {
+ switch pk := pub.(type) {
+ case *rsa.PublicKey:
+- // goodkey policy enforces:
+- // * Size of key: 2048 <= size <= 4096, size % 8 = 0
+- // * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
+- // * Small primes check for modulus
+- // * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
+- // * Key is easily factored with Fermat's factorization method
+- p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
+- if err != nil {
+- // Should not occur, only chances to return errors are if fermat rounds
+- // are <0 or when loading blocked/weak keys from disk (not used here)
+- return errors.New("unable to initialize key policy")
+- }
+- // ctx is unused
+- return p.GoodKey(context.Background(), pub)
++ // Avoid dependency on Goodkey for debian
++ return nil;
+ case *ecdsa.PublicKey:
+ // Unable to use goodkey policy because P-521 curve is not supported
+ return validateEcdsaKey(pk)
+Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
+===================================================================
+--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey_test.go
++++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
+@@ -183,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *te
+ }
+
+ func TestValidatePubKeyRsa(t *testing.T) {
++ t.Skip("Validations disabled for Debian")
++
+ // Validate common RSA key sizes
+ for _, bits := range []int{2048, 3072, 4096} {
+ priv, err := rsa.GenerateKey(rand.Reader, bits) |
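Review bot: With the `++ return nil;` replacement in the `*rsa.PublicKey` case of `ValidatePubKey`, every RSA key is now accepted regardless of modulus size or public exponent, so the 2048–4096-bit / E = 65537 policy listed in the removed comment is silently no longer enforced in the Debian build. Dropping the boulder/goodkey import does not require dropping all of the checks: the size and exponent rules can be kept with `pk.N.BitLen()` and `pk.E` using only `fmt`, which the file still imports, and the comment should then state that the small-prime, Infineon and Fermat checks are the part left unreplicated. The stray semicolon in `return nil;` is also not gofmt-clean. With the size/exponent checks kept, the `t.Skip("Validations disabled for Debian")` added to `TestValidatePubKeyRsa` in the second file could be narrowed to the sub-cases that depend on goodkey instead of skipping the whole test; the remainder of that test body lies outside the hunk.
```go
	case *rsa.PublicKey:
		// Debian: boulder/goodkey is not packaged. Keep the size and exponent
		// rules goodkey enforced; the small-prime, Infineon and Fermat checks
		// are NOT replicated here.
		if bits := pk.N.BitLen(); bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("rsa key size %d bits is not in [2048, 4096] or not a multiple of 8", bits)
		}
		if pk.E != 65537 {
			return fmt.Errorf("unsupported rsa public exponent %d", pk.E)
		}
		return nil
	// … unchanged: ecdsa / ed25519 cases …
```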