Skip to content

Commit

Permalink
Add 1.3.6 changelog, test IEEE P1363 sigs in DSSE (#2063)
Browse files Browse the repository at this point in the history
* Bump sigstore/sigstore, add 1.3.6 changelog

Signed-off-by: Hayden Blauzvern <[email protected]>

* Add test

Signed-off-by: Hayden Blauzvern <[email protected]>

---------

Signed-off-by: Hayden Blauzvern <[email protected]>
  • Loading branch information
haydentherapper authored Apr 2, 2024
1 parent c0668d1 commit a678856
Show file tree
Hide file tree
Showing 2 changed files with 110 additions and 0 deletions.
23 changes: 23 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,26 @@
# v1.3.6

## New Features

* Add support for IEEE P1363 encoded ECDSA signatures
* Add index performance script (#2042)
* Add support for ed25519ph user keys in hashedrekord (#1945)
* Add metrics for index insertion (#2015)
* Add TLS support for Redis Client implementation (#1998)

## Bug Fixes

* fix typo in remoteIp and set full name for trace field

## Contributors

* Bob Callaway
* Colleen Murphy
* cpanato
* Hayden B
* Mihkel Pärna
* Riccardo Schirone

# v1.3.5

## New Features
Expand Down
87 changes: 87 additions & 0 deletions pkg/types/dsse/v0.0.1/entry_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import (
"crypto/rand"
"crypto/sha256"
"crypto/x509"
"encoding/asn1"
"encoding/base64"
"encoding/hex"
"encoding/json"
Expand Down Expand Up @@ -62,6 +63,52 @@ func TestNewEntryReturnType(t *testing.T) {
}
}

type ecdsaSignature struct {
R, S *big.Int
}

// From https://github.com/tink-crypto/tink/blob/43c17d490a6c8391bb5384278963cb59f4b65495/go/signature/subtle/encoding.go#L62
func ieeeSignatureSize(curveName string) (int, error) {
switch curveName {
case elliptic.P256().Params().Name:
return 64, nil
case elliptic.P384().Params().Name:
return 96, nil
case elliptic.P521().Params().Name:
return 132, nil
default:
return 0, fmt.Errorf("ieeeP1363 unsupported curve name: %q", curveName)
}
}

// From https://github.com/tink-crypto/tink/blob/43c17d490a6c8391bb5384278963cb59f4b65495/go/signature/subtle/encoding.go#L75
func ieeeP1363Encode(sig *ecdsaSignature, curveName string) ([]byte, error) {
sigSize, err := ieeeSignatureSize(curveName)
if err != nil {
return nil, err
}

enc := make([]byte, sigSize)

// sigR and sigS must be half the size of the signature. If not, we need to pad them with zeros.
offset := 0
if len(sig.R.Bytes()) < (sigSize / 2) {
offset += (sigSize / 2) - len(sig.R.Bytes())
}
// Copy sigR after any zero-padding.
copy(enc[offset:], sig.R.Bytes())

// Skip the bytes of sigR.
offset = sigSize / 2
if len(sig.S.Bytes()) < (sigSize / 2) {
offset += (sigSize / 2) - len(sig.S.Bytes())
}
// Copy sigS after sigR and any zero-padding.
copy(enc[offset:], sig.S.Bytes())

return enc, nil
}

func envelope(t *testing.T, k *ecdsa.PrivateKey, payload []byte) *dsse.Envelope {

s, err := signature.LoadECDSASigner(k, crypto.SHA256)
Expand Down Expand Up @@ -118,6 +165,30 @@ func createRekorEnvelope(dsseEnv *dsse.Envelope, pub [][]byte) *models.DSSEV001S
return proposedContent
}

// transformECDSASignatures converts ASN.1 encoded ECDSA signatures (SEQ{r, s})
// to IEEE P1363 encoding (r||s)
func transformECDSASignatures(t *testing.T, k *ecdsa.PrivateKey, dsseEnv *dsse.Envelope) *dsse.Envelope {
sigs := dsseEnv.Signatures
var newSigs []dsse.Signature
for _, b64sig := range sigs {
sig, err := base64.StdEncoding.DecodeString(b64sig.Sig)
if err != nil {
t.Fatal(err)
}
ecdsaSig := ecdsaSignature{}
if _, err := asn1.Unmarshal(sig, &ecdsaSig); err != nil {
t.Fatal(err)
}
ieeeP1363Sig, err := ieeeP1363Encode(&ecdsaSig, k.Params().Name)
if err != nil {
t.Fatal(err)
}
newSigs = append(newSigs, dsse.Signature{KeyID: b64sig.KeyID, Sig: base64.StdEncoding.EncodeToString(ieeeP1363Sig)})
}
dsseEnv.Signatures = newSigs
return dsseEnv
}

func TestV001Entry_Unmarshal(t *testing.T) {
key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
Expand Down Expand Up @@ -197,6 +268,22 @@ func TestV001Entry_Unmarshal(t *testing.T) {
},
wantErr: false,
},
{
env: envelope(t, key, []byte(validPayload)),
name: "key with IEEE P1361 sig",
it: &models.DSSEV001Schema{
ProposedContent: createRekorEnvelope(transformECDSASignatures(t, key, envelope(t, key, []byte(validPayload))), [][]byte{pub}),
},
wantErr: false,
},
{
env: envelope(t, priv, []byte(validPayload)),
name: "cert with IEEE P1361 sig",
it: &models.DSSEV001Schema{
ProposedContent: createRekorEnvelope(transformECDSASignatures(t, priv, envelope(t, priv, []byte(validPayload))), [][]byte{pemBytes}),
},
wantErr: false,
},
{
env: &invalid,
name: "invalid",
Expand Down

0 comments on commit a678856

Please sign in to comment.