feat: Support ecdsa and RSA keys (#270 with backwards compatibility) #357
Conversation
|
So does this supersede #270 ? |
Yes! It's all the changes there with backwards compatibility for just ECDSA verification: i.e. if a current root (sigstore) is using hex-encoded keys, then they will still be able to verify (no hex-encoded signers supported). Adds testing for making sure deprecation still verifies at the key and repo testing level. |
|
I can also split out just the ECDSA changes. Hoping to get that in ASAP since the next sigstore TUF root to rotate those out relies on it. |
|
Great thanks, LGTM. I did start trying to rebase my changes onto master over the weekend to make these updates, but there were some conflicts that I needed to go read up on and then real life got in the way, so thanks for taking this over. |
|
Thanks very much for all your hard work, Toby! Sorry I didn't get around to reviewing it in time: swamped by work, too... |
|
@theupdateframework/go-tuf-maintainers could I please get one more review on this? really need this |
Yes, sorry, was on PTO, will look tonight |
|
No worries at all -- didn't realize that! Feel free to do it tomorrow, I hope you had some rest :) |
There was a problem hiding this comment.
Thanks very much, Asra!
So just to double-check: what's the worst that can happen re:#363? We are not able to accept malformed/unusable public keys after unmarshaling, correct?
After this is confirmed, I'm happy to attach my approval ASAP tomorrow. Thanks!
Good question, and I'll attach my reply to the issue as well. Currently, we use those functions after we create a Lines 57 to 69 in 355e39c So as long as they're verified during In case someone accidentally corrupts those keys in the key store or TUF metadata, then we would return errors like So worst case, yes, the key becomes un-usable on load. That being said, it would always be good practice to re-validate the keys upon marshalling even if they were loaded in a good state, just in case. (for the issue) |
|
@znewman01 would you be able to PTAL? I really need this for sigstore ga! |
|
ACK can look today (sorry, thought review was blocked for some reason) |
There was a problem hiding this comment.
Do you need to check "breaking change" for this PR?
I left some little comments, nice to resolve but not blocking.
My final concern (again, not blocking) has to do with deprecation. I think it's okay to immediately start producing keys using the new encoding from this library, but for repos that already exist, old clients will be around for a long time. Do we have a migration story there? I guess just wait until hopefully all the old clients are gone and then cut over?
Right! So they can still use EDIT: I just realized that adding the deprecated signer AND verifier into the same package for compatibility is problematic for users who need to make the transition. E.g. I don't want the signer to ONLY be the deprecated version. So: the deprecated package should actually handle EITHER OR format during the transition. WDYT? EDIT on EDIT: Ecdsa Signers were never supported before. So go-tuf only supported ecdsa verification with bad keys. So I think we're in the clear as is. |
Won't this immediately break every old client?
+1
I'm not sure I'm parsing. I think there are the following possible behaviors: For parsing:
This can probably be globally configurable, via the For writing new keys:
IMO we'd want to configure this on a key-by-key basis, rather than globally. It'd be nice if we could do both, but I don't think that's possible. |
Those old clients would need to import
ECDSA Signing was never supported FYI. I just realized this as I was implementing. So I don't think it breaks old clients. They would have already implemented their own signing logic (as we did).
Don't think we need to opt to do this anymore, since it was never supported in the first place. go-tuf only had verification support for keys, which remains on import of D: sorry this is confusing! For parsing, the PR implements default new format, configurable on both. I agree it would be nice to do on a per-key basis, but the problem is keys are identified via the SAME scheme type string. |
Hold on: old clients that do not import |
Maybe we're confused! Old clients that use old go-tuf certainly won't break because they're using an old go-tuf version. Clients that update their go-tuf dependency will break, because now ECDSA verifier expects TUF-compliant keys. Unless they import that deprecated package that understands both. RIght? |
asraa
dismissed stale reviews from znewman01 and trishankatdatadog
via
25dbbe4
Oui. Sorry, just need to be super-clear here about what we meant about "old clients" here and so on. Thanks for the clarification! |
|
IIUC, serializing keys was never done directly by go-tuf. If that's true, then I am okay with (I'm a little confused by the discussion about signing and verifying—the signature format was always okay, right? We're just talking about signers/verifiers because that's the part of the codebase where key serialization happened?)
Let me clarify: won't that immediately break every deployed client that's still using the old version of go-tuf? I'm still fuzzy on the migration story. "Wait a long time before cutting over" isn't a great solution IMO; you typically don't want to break clients no matter how old. I guess an alternative would be to replace the keys with some other key type (say, RSA for the sake of example) whose format was never affected. Then, we can distribute a new |
Correct, signature format was always correct, it's just the way that the public key was serialized in the root metadata or how the private key was stored in the repo keystore.
If they don't update their go-tuf version, they are unaffected: hex ecdsa keys will be the implementation they have in that go-tuf version. Maybe you're asking, if someone is using an old version old client, and the repository owner adds new ECDSA keys their metadata, will the old deployed client break? Yes, but that's akin to using a new feature, right? I'm not sure there's a way to get compatibility here.
I'd say specification deviation and lack of cross-language compatibility is one potential reason :) My feeling though is that this ONLY affected go-tuf clients who were implementing their own ECDSA signers that were compatible with the bad ECDSA verifiers in go-tuf, so they are already aware of managing this implementation.
I see. The current plan would have already supported this, since the 5.root.json would have 5 old ECDSA signatures and 5 new ECDSA signatures. Old clients would think that the new keys are bogus, but the old keys are still there as is. There is a danger of failure on parsing though, rather than ignoring. We can't change key material because that would require overwriting the keyholders existing keys: they would not longer be able to sign with ECDSA |
|
Note: use |
|
When I have approval, I'll squash mine and Toby's commits to one and fix the commit to have |
|
Squashed, and commit message fixed, added DCO to fix Toby's old DCO issue |
…ecification * feat: ECDSA signers are now implemented * feat: RSA verifiers and signers are implemented BREAKING CHANGE: ECDSA verifiers expect PEM-encoded public keys. If you rely on previous behavior of hex-encoded public keys for verifiers, then you must import pkg/deprecated/set_ecdsa that will allow a fallback for hex-encoded ECDSA keys. Co-authored-by: Asra Ali <asraa@google.com> Co-authored-by: Toby Bristow <toby.bristow@qush.com> Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Asra Ali <asraa@google.com>
asraa
dismissed stale reviews from znewman01 and trishankatdatadog
via
1736e3c
Please fill in the fields below to submit a pull request. The more information that is provided, the better.
Fixes #223
Release Notes:
pkg/deprecated--schemeflag to specify key scheme.Types of changes:
Description of the changes being introduced by the pull request:
Please verify and check that the pull request fulfills the following requirements:
cc @toby-jn: The only changes I made was adding deprecation support and updating your branch!