Update the basic_repository.go example to work with RSA PSS key scheme

Signed-off-by: Radoslav Dimitrov <[email protected]>
theupdateframework · Sep 19, 2024 · 3c3db96 · 3c3db96
1 parent 0e3e8c1
commit 3c3db96
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/examples/repository/basic_repository.go b/examples/repository/basic_repository.go
@@ -499,7 +499,9 @@ func main() {
 
  // Use a mixture of key types
  // ==========================
- // Create an RSA key
+ // Create an RSA key.
+ // Note TUF should use an RSA PSS key scheme, not RSA PKCS1v15.
+ // Reference: https://theupdateframework.github.io/specification/latest/#file-formats-keys
  anotherRootKeyRSA, _ := rsa.GenerateKey(rand.Reader, 2048)
  if err != nil {
  panic(fmt.Sprintln("basic_repository.go:", "RSA key generation failed", err))
@@ -549,7 +551,7 @@ func main() {
  }
 
  // Sign root with the new RSA and ECDSA keys
- outofbandSignerRSA, err := signature.LoadSigner(anotherRootKeyRSA, crypto.SHA256)
+ outofbandSignerRSA, err := signature.LoadRSAPSSSigner(anotherRootKeyRSA, crypto.SHA256, &rsa.PSSOptions{Hash: crypto.SHA256})
  if err != nil {
  panic(fmt.Sprintln("basic_repository.go:", "loading RSA signer failed", err))
  }

diff --git a/metadata/metadata.go b/metadata/metadata.go
@@ -323,7 +323,9 @@ func (meta *Metadata[T]) VerifyDelegate(delegatedRole string, delegatedMetadata
  }
  }
  // load a verifier based on that key
- // handle RSA PSS keys separately as the LoadVerifier function doesn't identify them correctly
+ // handle RSA PSS scheme separately as the LoadVerifier function doesn't identify it correctly
+ // Note we should support RSA PSS, not RSA PKCS1v15 (which is what LoadVerifier would return)
+ // Reference: https://theupdateframework.github.io/specification/latest/#file-formats-keys
  var verifier signature.Verifier
  if key.Type == KeyTypeRSASSA_PSS_SHA256 {
  // Load a verifier for rsa