diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 6470093b..d1ae975a 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -71,4 +71,4 @@ jobs: uses: golang/govulncheck-action@v1 with: go-version-input: ${{ matrix.go-version }} - go-package: ./... + go-package: -json ./... diff --git a/pkg/deprecated/deprecated_repo_test.go b/pkg/deprecated/deprecated_repo_test.go index 6d194ab5..e65cb9e9 100644 --- a/pkg/deprecated/deprecated_repo_test.go +++ b/pkg/deprecated/deprecated_repo_test.go @@ -32,18 +32,19 @@ func genKey(c *C, r *repo.Repo, role string) []string { // Deprecated ecdsa key support: Support verification against roots that were // signed with hex-encoded ecdsa keys. func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) { + type deprecatedP256Verifier struct { + PublicKey data.HexBytes `json:"public"` + } files := map[string][]byte{"foo.txt": []byte("foo")} local := repo.MemoryStore(make(map[string]json.RawMessage), files) r, err := repo.NewRepo(local) c.Assert(err, IsNil) r.Init(false) - // Add a root key with hex-encoded ecdsa format + + // Add a root key with hex-encoded ecdsa format - compliant "ecdsa" signer, err := keys.GenerateEcdsaKey() c.Assert(err, IsNil) - type deprecatedP256Verifier struct { - PublicKey data.HexBytes `json:"public"` - } pub := signer.PublicKey keyValBytes, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)}) c.Assert(err, IsNil) @@ -55,6 +56,22 @@ func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) { } err = r.AddVerificationKey("root", publicData) c.Assert(err, IsNil) + + // Add a root key with hex-encoded ecdsa format - deprecated "ecdsa-sha2-nistp256" + signerDeprecated, err := keys.GenerateEcdsaKey() + c.Assert(err, IsNil) + pubDeprecated := signerDeprecated.PublicKey + keyValBytesDeprecated, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pubDeprecated.Curve, pubDeprecated.X, pubDeprecated.Y)}) + c.Assert(err, IsNil) + publicDataDeprecated := &data.PublicKey{ + Type: data.KeyTypeECDSA_SHA2_P256_OLD_FMT, + Scheme: data.KeySchemeECDSA_SHA2_P256, + Algorithms: data.HashAlgorithms, + Value: keyValBytesDeprecated, + } + err = r.AddVerificationKey("root", publicDataDeprecated) + c.Assert(err, IsNil) + // Add other keys as normal genKey(c, r, "targets") genKey(c, r, "snapshot") @@ -75,6 +92,14 @@ func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) { Signature: rootSig}), IsNil) } + rootSigDeprecated, err := signerDeprecated.PrivateKey.Sign(rand.Reader, hash[:], crypto.SHA256) + c.Assert(err, IsNil) + for _, id := range publicDataDeprecated.IDs() { + c.Assert(r.AddOrUpdateSignature("root.json", data.Signature{ + KeyID: id, + Signature: rootSigDeprecated}), IsNil) + } + // Committing should succeed because the deprecated key pkg is added. c.Assert(r.Snapshot(), IsNil) c.Assert(r.Timestamp(), IsNil) diff --git a/pkg/deprecated/set_ecdsa/set_ecdsa.go b/pkg/deprecated/set_ecdsa/set_ecdsa.go index de3771e3..13967e2f 100644 --- a/pkg/deprecated/set_ecdsa/set_ecdsa.go +++ b/pkg/deprecated/set_ecdsa/set_ecdsa.go @@ -19,5 +19,8 @@ func init() { if !ok { panic(errors.New("expected to override previously loaded PEM-only ECDSA verifier")) } - keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256, keys.NewDeprecatedEcdsaVerifier) + // store a mapping for both data.KeyTypeECDSA_SHA2_P256_OLD_FMT and data.KeyTypeECDSA_SHA2_P256 + // in case a client is verifying using both the old non-compliant format and a newly generated root + keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256, keys.NewDeprecatedEcdsaVerifier) // compliant format + keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256_OLD_FMT, keys.NewDeprecatedEcdsaVerifier) // deprecated format }