Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add back support for RSA for legacy deployed CTLogs. #341

Merged
merged 2 commits into from
Sep 9, 2022
Merged

Add back support for RSA for legacy deployed CTLogs. #341

merged 2 commits into from
Sep 9, 2022

Conversation

vaikas
Copy link
Contributor

@vaikas vaikas commented Sep 8, 2022

Signed-off-by: Ville Aikas vaikas@chainguard.dev

Summary

While I started playing around with testing the newly created config library, realized that we need to still be able to
deal with legacy configs (created with the RSA private key). So handle them both + tests for unmarshaling/round-tripping.

Release Note

Documentation

@vaikas
Add back support for RSA for legacy deployed CTLogs.
fb649c9 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
haydentherapper
haydentherapper reviewed Sep 8, 2022
View reviewed changes
pkg/ctlog/config.go
if err != nil {
return nil, fmt.Errorf("failed to parse private key PEM: %w", err)
return nil, fmt.Errorf("failed to decrypt private PEMKeyFile: %w", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this need to not return in order to fall through to trying to decode pkcs8?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I don't understand what you mean. Even in the legacy cases, these were always encrypted but it was just that the keys created were just created as RSA keys. Does that make sense? I think this should always fail if decrypt fails because the keys handed to CTLog must be encrypted.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep sorry, was thinking this was doing a different operation. This looks good!

@vaikas
remove cruft, comments about cast to signer.
801250c 
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
@vaikas vaikas merged commit 0bfdd34 into sigstore:main Sep 9, 2022
@vaikas vaikas deleted the use-new-code branch September 9, 2022 15:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@haydentherapper haydentherapper haydentherapper approved these changes

@priyawadhwa priyawadhwa priyawadhwa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@vaikas @haydentherapper @priyawadhwa