Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add validation of public keys to prevent certifying weak keys #490

Merged
merged 1 commit into from
Mar 29, 2022

Conversation

haydentherapper
Copy link
Contributor

@haydentherapper haydentherapper commented Mar 29, 2022

This adds checks for RSA, ECDSA and ED25519 (no-op) keys. This
will prevent Fulcio from signing certificates for the following:

  • DSA keys
  • RSA keys that are smaller than 2048 or larger than 4096
  • RSA keys with weak primes
  • ECDSA keys that aren't P256, P384, or P521 (P224 or custom curves)

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Fixes

Release Note

Added validation of public keys. ECDSA keys must be P-256, P-384, or P-521. RSA keys must be between 2048 and 4096, and not generated using weak primes.

@codecov-commenter
Copy link

codecov-commenter commented Mar 29, 2022

Codecov Report

Merging #490 (d0a9f7c) into main (a2bd19a) will increase coverage by 0.47%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##             main     #490      +/-   ##
==========================================
+ Coverage   47.49%   47.97%   +0.47%     
==========================================
  Files          14       14              
  Lines        1059     1063       +4     
==========================================
+ Hits          503      510       +7     
+ Misses        482      480       -2     
+ Partials       74       73       -1     
Impacted Files Coverage Δ
pkg/api/error.go 50.00% <ø> (ø)
pkg/api/ca.go 51.64% <100.00%> (+1.08%) ⬆️
pkg/api/client.go 77.14% <0.00%> (+2.85%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a2bd19a...d0a9f7c. Read the comment docs.

Copy link
Member

@bobcallaway bobcallaway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, we should probably make the release note a bit more verbose

@haydentherapper
Copy link
Contributor Author

Updated the release note.

This adds checks for RSA, ECDSA and ED25519 (no-op) keys. This
will prevent Fulcio from signing certificates for the following:
* DSA keys
* RSA keys that are smaller than 2048 or larger than 4096
* RSA keys with weak primes
* ECDSA keys that aren't P256, P384, or P521 (P224 or custom curves)

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants