commit 548f37171bb96d28553f37dc2e03c4975db697f3 (HEAD -> release-1.6)
Author: Reinhard Tartler <siretart@tauware.de>
Date:   Thu Apr 6 20:24:46 2023 -0400

    Drop dependency on boulder, disable RSA checks

Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
===================================================================
--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey.go
+++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey.go
@@ -16,7 +16,6 @@
 package cryptoutils
 
 import (
-	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -30,8 +29,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-
-	"github.com/letsencrypt/boulder/goodkey"
 )
 
 const (
@@ -139,20 +136,8 @@ func genErrMsg(first, second crypto.Publ
 func ValidatePubKey(pub crypto.PublicKey) error {
 	switch pk := pub.(type) {
 	case *rsa.PublicKey:
-		// goodkey policy enforces:
-		// * Size of key: 2048 <= size <= 4096, size % 8 = 0
-		// * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
-		// * Small primes check for modulus
-		// * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
-		// * Key is easily factored with Fermat's factorization method
-		p, err := goodkey.NewKeyPolicy(&goodkey.Config{FermatRounds: 100}, nil)
-		if err != nil {
-			// Should not occur, only chances to return errors are if fermat rounds
-			// are <0 or when loading blocked/weak keys from disk (not used here)
-			return errors.New("unable to initialize key policy")
-		}
-		// ctx is unused
-		return p.GoodKey(context.Background(), pub)
+		// Avoid dependency on Goodkey for debian
+		return nil;
 	case *ecdsa.PublicKey:
 		// Unable to use goodkey policy because P-521 curve is not supported
 		return validateEcdsaKey(pk)
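Review bot: The new `*rsa.PublicKey` arm returns nil unconditionally, so after this patch ValidatePubKey accepts RSA keys of any size and any exponent — including keys far below 2048 bits — which is a silent loosening of the validation every caller of this function relies on; the removed checks listed in the deleted comment (size bounds, exponent 65537) can be kept without boulder since they only need `pk.N.BitLen()` and `pk.E`. The trailing semicolon in `return nil;` is not gofmt-clean and should go regardless. The `errors` import at L87 is kept although the only use visible in this hunk was removed; if nothing else in the file references it, the package will no longer compile — worth verifying since the rest of publickey.go is outside the hunk. The same loosening is why the test hunk in publickey_test.go skips TestValidatePubKeyRsa entirely; with the cheap checks retained, the size-based part of that test could stay enabled rather than being skipped. ValidatePubKey's body continues outside this hunk.
```go
	case *rsa.PublicKey:
		// goodkey is not available in Debian; keep the dependency-free
		// structural checks it used to enforce (size bounds and exponent).
		// Small-prime, Infineon-weak-key and Fermat checks are NOT performed.
		bits := pk.N.BitLen()
		if bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("unsupported rsa key size %d: want 2048-4096 bits, multiple of 8", bits)
		}
		if pk.E != 65537 {
			return fmt.Errorf("unsupported rsa public exponent %d: want 65537", pk.E)
		}
		return nil
	// … unchanged: ecdsa and remaining cases …
```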
Index: golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
===================================================================
--- golang-github-sigstore-sigstore.orig/pkg/cryptoutils/publickey_test.go
+++ golang-github-sigstore-sigstore/pkg/cryptoutils/publickey_test.go
@@ -183,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *te
 }
 
 func TestValidatePubKeyRsa(t *testing.T) {
+	t.Skip("Validations disabled for Debian")
+
 	// Validate common RSA key sizes
 	for _, bits := range []int{2048, 3072, 4096} {
 		priv, err := rsa.GenerateKey(rand.Reader, bits)