Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HashedRekord Signer/Validator LoadOptions question #2368

Open
ret2libc opened this issue Feb 13, 2025 · 3 comments
Open

HashedRekord Signer/Validator LoadOptions question #2368

ret2libc opened this issue Feb 13, 2025 · 3 comments
Labels
question Further information is requested

Comments

@ret2libc
Copy link
Contributor

Question
As part of making the sigstore ecosystem crypto-agile, we (@trailofbits) have been making a few changes over the past ~year, see sigstore/sig-clients#16 .

Some of the changes that were done include 9865ca9 , 92742be , and faae13b .

One of the main changes to support ed25519ph was done in 92742be and it required passing a WithEd25519ph() option when creating the sigObj

92742be#diff-1211bf2bcbf1dac120447571e8a2d0940bb66a0b3c2554ecb040c54407c6173cR150

		return nil, nil, types.ValidationError(errors.New("missing signature"))
	}
	// Hashed rekord type only works for x509 signature types
-	sigObj, err := x509.NewSignature(bytes.NewReader(sig.Content))
+	sigObj, err := x509.NewSignatureWithOpts(bytes.NewReader(sig.Content), options.WithED25519ph())
	if err != nil {
		return nil, nil, types.ValidationError(err)
	}

However, this would not work if e.g. you want to use RSA PSS (which also require special LoadOption to be passed to the LoadSignerVerifier functions). For that to work, validate would have to know which LoadOptions to use, however that information cannot be determined from any of the available information and it would likely require a new version of the hashedrekord schema to include those options.

What are your thoughts on this?

cc @haydentherapper @bobcallaway
@ret2libc ret2libc added the question Further information is requested label Feb 13, 2025
@haydentherapper
Copy link
Contributor

I'm leaning towards accepting that we can't concurrently support RSA-PKCS1v1.5 and RSA-PSS. For hashedrekord, support ed25519ph has more meaningful value in that it unlocks using ed25519 whereas RSA-PSS isn't much more useful over the other RSA scheme.

The only other solution I could think of that I think we had discussed was creating multiple verifiers and trying to verify a signature with each but I don't love this approach, seems prone to error.

@ret2libc
Copy link
Contributor Author

The only other solution I could think of that I think we had discussed was creating multiple verifiers and trying to verify a signature with each but I don't love this approach, seems prone to error.

I think we have discussed this on the cosign-side to maintain backward compatibility, where we sometimes verify with both pure-ed25519 and ed25519ph, but I agree doing this on rekor-side seems worse.

@haydentherapper
Copy link
Contributor

Given the lack of RSA-PSS support throughout Sigstore clients as well, I think what we have now is sufficient. As we add more algorithms for PQC, I think we should avoid needing options, with each PQ key uniquely identifiable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ret2libc @haydentherapper