LoadPrivateKey: allow EC private keys

Signed-off-by: Dmitry S <[email protected]>
sigstore · Jul 9, 2024 · bd2216c · bd2216c
1 parent 1334726
commit bd2216c
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 18 deletions.
diff --git a/pkg/cosign/keys.go b/pkg/cosign/keys.go
@@ -29,6 +29,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/secure-systems-lab/go-securesystemslib/encrypted"
 	"github.com/sigstore/cosign/v2/pkg/oci/static"
@@ -221,7 +222,15 @@ func LoadPrivateKey(key []byte, pass []byte) (signature.SignerVerifier, error) {
 
 	pk, err := x509.ParsePKCS8PrivateKey(x509Encoded)
 	if err != nil {
-		return nil, fmt.Errorf("parsing private key: %w", err)
+		if strings.Contains(err.Error(), "x509: failed to parse private key (use ParseECPrivateKey instead for this key format)") {
+			pk2, err2 := x509.ParseECPrivateKey(x509Encoded)
+			if err2 != nil {
+				return nil, fmt.Errorf("parsing EC private key: %w, x509.ParsePKCS8PrivateKey: %w", err2, err)
+			}
+			pk = pk2
+		} else {
+			return nil, fmt.Errorf("parsing private key: %w", err)
+		}
 	}
 	switch pk := pk.(type) {
 	case *rsa.PrivateKey:

diff --git a/test/e2e_test.go b/test/e2e_test.go
@@ -953,7 +953,8 @@ func TestVerifyWithCARoots(t *testing.T) {
 
 	// Now sign the blob with one key
 	ko := options.KeyOpts{
-		KeyRef: privKeyRef,
+		KeyRef:   privKeyRef,
+		PassFunc: passFunc,
 	}
 	blobSig, err := sign.SignBlobCmd(ro, ko, blobRef, true, "", "", false)
 	if err != nil {
@@ -970,6 +971,7 @@ func TestVerifyWithCARoots(t *testing.T) {
 		rootRef   string
 		subRef    string
 		leafRef   string
+		skipBlob  bool // skip the verify-blob test (for cases that need the image)
 		wantError bool
 	}{
 		{
@@ -978,6 +980,7 @@ func TestVerifyWithCARoots(t *testing.T) {
 			pemsubRef,
 			pemleafRef,
 			false,
+			false,
 		},
 		// NB - "confusely" switching the root and intermediate PEM files does _NOT_ (currently) produce an error
 		// - the Go crypto/x509 package doesn't strictly verify that the certificate chain is anchored
@@ -991,33 +994,38 @@ func TestVerifyWithCARoots(t *testing.T) {
 			pemrootRef,
 			pemleafRef,
 			false,
+			false,
 		},
 		{
 			"leave out the root certificate",
 			"",
 			pemsubRef,
 			pemleafRef,
+			false,
 			true,
 		},
 		{
 			"leave out the intermediate certificate",
 			pemrootRef,
 			"",
 			pemleafRef,
+			false,
 			true,
 		},
 		{
 			"leave out the codesigning leaf certificate which is extracted from the image",
 			pemrootRef,
 			pemsubRef,
 			"",
+			true,
 			false,
 		},
 		{
 			"wrong leaf certificate",
 			pemrootRef,
 			pemsubRef,
 			pemleafRef02,
+			false,
 			true,
 		},
 		{
@@ -1026,26 +1034,30 @@ func TestVerifyWithCARoots(t *testing.T) {
 			pemsubBundleRef,
 			pemleafRef,
 			false,
+			false,
 		},
 		{
 			"wrong root and intermediates bundles",
 			pemrootRef02,
 			pemsubRef02,
 			pemleafRef,
+			false,
 			true,
 		},
 		{
 			"wrong root undle",
 			pemrootRef02,
 			pemsubBundleRef,
 			pemleafRef,
+			false,
 			true,
 		},
 		{
 			"wrong intermediates bundle",
 			pemrootRef,
 			pemsubRef02,
 			pemleafRef,
+			false,
 			true,
 		},
 	}
@@ -1065,6 +1077,9 @@ func TestVerifyWithCARoots(t *testing.T) {
 				t.Errorf("%s - unexpected error: %v", tt.name, err)
 			}
 		}
+		if tt.skipBlob {
+			continue
+		}
 		err = verifyBlobKeylessWithCARoots(blobRef,
 			string(blobSig),
 			tt.rootRef,

diff --git a/test/helpers.go b/test/helpers.go
@@ -47,6 +47,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/registry"
 	"github.com/google/go-containerregistry/pkg/v1/random"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/theupdateframework/go-tuf/encrypted"
 
 	// Initialize all known client auth plugins
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
@@ -285,24 +286,16 @@ func keypair(t *testing.T, td string) (*cosign.KeysBytes, string, string) {
 
 // convert the given ecdsa.PrivateKey to a PEM encoded string, import into sigstore format,
 // and write to the given file path. Returns the path to the imported key (<td>/<fname>)
-func importECDSAPrivateKey(t *testing.T, priv *ecdsa.PrivateKey, td, fname string) string {
+func importECDSAPrivateKey(t *testing.T, privKey *ecdsa.PrivateKey, td, fname string) string {
 	t.Helper()
-	pemBytes, err := ecdsaPrivateKeyToPEM(priv)
-	if err != nil {
-		t.Fatal(err)
-	}
-	// write the PEM encoded private key to a file
-	privKeyPath := filepath.Join(td, fname)
-	if err := os.WriteFile(privKeyPath, pemBytes, 0600); err != nil {
-		t.Fatal(err)
-	}
-	// import the private key into sigstore format
-	keys, err := cosign.ImportKeyPair(privKeyPath, passFunc)
-	if err != nil {
-		t.Fatal(err)
-	}
+	x509Encoded, _ := x509.MarshalECPrivateKey(privKey)
+	encBytes, _ := encrypted.Encrypt(x509Encoded, keyPass)
+	keyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  cosign.CosignPrivateKeyPemType,
+		Bytes: encBytes})
+
 	cosignKeyPath := filepath.Join(td, fname)
-	if err := os.WriteFile(cosignKeyPath, keys.PrivateBytes, 0600); err != nil {
+	if err := os.WriteFile(cosignKeyPath, keyPEM, 0600); err != nil {
 		t.Fatal(err)
 	}
 	return cosignKeyPath