File: avoid-boulder.patch

golang-github-sigstore-sigstore 1.9.5-1
From: Reinhard Tartler <siretart@tauware.de>
Date: Thu, 6 Apr 2023 20:24:46 -0400
Subject: avoid-boulder
Forwarded: not-needed

    Drop dependency on boulder; this disables the goodkey parameter checks for RSA and ECDSA keys
---
 pkg/cryptoutils/publickey.go      | 41 +--------------------------------------
 pkg/cryptoutils/publickey_test.go | 13 ++++---------
 2 files changed, 5 insertions(+), 49 deletions(-)

diff --git a/pkg/cryptoutils/publickey.go b/pkg/cryptoutils/publickey.go
index 5296036..64c3539 100644
--- a/pkg/cryptoutils/publickey.go
+++ b/pkg/cryptoutils/publickey.go
@@ -16,7 +16,6 @@
 package cryptoutils
 
 import (
-	"context"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/ed25519"
@@ -29,8 +28,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-
-	"github.com/letsencrypt/boulder/goodkey"
 )
 
 const (
@@ -136,44 +133,8 @@ func genErrMsg(first, second crypto.PublicKey, keyType string) string {
 
 // ValidatePubKey validates the parameters of an RSA, ECDSA, or ED25519 public key.
 func ValidatePubKey(pub crypto.PublicKey) error {
-	// goodkey policy enforces:
-	// * RSA
-	//   * Size of key: 2048 <= size <= 4096, size % 8 = 0
-	//   * Exponent E = 65537 (Default exponent for OpenSSL and Golang)
-	//   * Small primes check for modulus
-	//   * Weak keys generated by Infineon hardware (see https://crocs.fi.muni.cz/public/papers/rsa_ccs17)
-	//   * Key is easily factored with Fermat's factorization method
-	// * EC
-	//   * Public key Q is not the identity element (Ø)
-	//   * Public key Q's x and y are within [0, p-1]
-	//   * Public key Q is on the curve
-	//   * Public key Q's order matches the subgroups (nQ = Ø)
-	allowedKeys := &goodkey.AllowedKeys{
-		RSA2048:   true,
-		RSA3072:   true,
-		RSA4096:   true,
-		ECDSAP256: true,
-		ECDSAP384: true,
-		ECDSAP521: true,
-	}
-	cfg := &goodkey.Config{
-		FermatRounds: 100,
-		AllowedKeys:  allowedKeys,
-	}
-	p, err := goodkey.NewPolicy(cfg, nil)
-	if err != nil {
-		// Should not occur, only chances to return errors are if fermat rounds
-		// are <0 or when loading blocked/weak keys from disk (not used here)
-		return errors.New("unable to initialize key policy")
-	}
-
+	// Avoid dependency on Goodkey for Debian
 	switch pk := pub.(type) {
-	case *rsa.PublicKey:
-		// ctx is unused
-		return p.GoodKey(context.Background(), pub)
-	case *ecdsa.PublicKey:
-		// ctx is unused
-		return p.GoodKey(context.Background(), pub)
 	case ed25519.PublicKey:
 		return validateEd25519Key(pk)
 	}
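Review bot: After this hunk the type switch in ValidatePubKey has no case for `*rsa.PublicKey` or `*ecdsa.PublicKey`, so those keys fall through to whatever follows the switch, and the function body ends outside the hunk. If that remainder is the upstream `return errors.New("unsupported public key type")` (inferred, not visible here) the patch does not just disable the goodkey checks, it makes every RSA and ECDSA key fail validation for any Debian-built consumer; if it returns nil instead, those keys are accepted with no curve, on-curve, size or exponent checks at all. Either way, replacing the dropped cases with a stdlib-only policy is safer than deleting them: bound the RSA modulus to 2048–4096 bits with E = 65537, restrict ECDSA to P-256/P-384/P-521, and reject off-curve or identity points (`(*ecdsa.PublicKey).ECDH()` does that from Go 1.20; `Curve.IsOnCurve` otherwise). The small-prime, ROCA and Fermat checks from goodkey are still lost, and the comment should say so instead of `Avoid dependency on Goodkey for Debian`. Also confirm the file still compiles after the removal if `crypto/rsa` was imported only for the deleted case.
```go
	// Debian: goodkey (boulder) is not packaged, so only size/exponent and
	// curve/point checks are enforced here; goodkey's small-prime, ROCA and
	// Fermat factorization checks are NOT reproduced.
	switch pk := pub.(type) {
	case *rsa.PublicKey:
		if bits := pk.N.BitLen(); bits < 2048 || bits > 4096 || bits%8 != 0 {
			return fmt.Errorf("rsa key size %d bits is not in the allowed range", bits)
		}
		if pk.E != 65537 {
			return errors.New("rsa public exponent must be 65537")
		}
		return nil
	case *ecdsa.PublicKey:
		if pk.Curve == nil {
			return errors.New("ecdsa public key has no curve")
		}
		switch pk.Curve.Params().Name {
		case "P-256", "P-384", "P-521":
		default:
			return fmt.Errorf("unsupported elliptic curve %q", pk.Curve.Params().Name)
		}
		// ECDH() rejects the identity point and coordinates that are off-curve.
		if _, err := pk.ECDH(); err != nil {
			return fmt.Errorf("invalid ecdsa public key: %w", err)
		}
		return nil
	case ed25519.PublicKey:
		return validateEd25519Key(pk)
	}
	// … unchanged: fall-through after the switch …
```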
diff --git a/pkg/cryptoutils/publickey_test.go b/pkg/cryptoutils/publickey_test.go
index ea44dc7..4dcd27a 100644
--- a/pkg/cryptoutils/publickey_test.go
+++ b/pkg/cryptoutils/publickey_test.go
@@ -23,12 +23,10 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"errors"
 	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
-	"github.com/letsencrypt/boulder/goodkey"
 )
 
 func verifyPublicKeyPEMRoundtrip(t *testing.T, pub crypto.PublicKey) {
@@ -185,6 +183,8 @@ func TestValidatePubKeyUnsupported(t *testing.T) {
 }
 
 func TestValidatePubKeyRsa(t *testing.T) {
+	t.Skip("Validations disabled for Debian")
+
 	// Validate common RSA key sizes
 	for _, bits := range []int{2048, 3072, 4096} {
 		priv, err := rsa.GenerateKey(rand.Reader, bits)
@@ -230,6 +230,7 @@ func (t testCurve) Params() *elliptic.CurveParams {
 }
 
 func TestValidatePubKeyEcdsa(t *testing.T) {
+	t.Skip("Validations disabled for Debian")
 	for _, curve := range []elliptic.Curve{elliptic.P256(), elliptic.P384(), elliptic.P521()} {
 		priv, err := ecdsa.GenerateKey(curve, rand.Reader)
 		if err != nil {
@@ -245,20 +246,14 @@ func TestValidatePubKeyEcdsa(t *testing.T) {
 		}
 	}
 	// Fails with smalller curve
-	priv, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
+	_, err := ecdsa.GenerateKey(elliptic.P224(), rand.Reader)
 	if err != nil {
 		t.Fatalf("ecdsa.GenerateKey failed: %v", err)
 	}
-	if err := ValidatePubKey(priv.Public()); err == nil || !errors.Is(err, goodkey.ErrBadKey) {
-		t.Errorf("expected unsupported curve, got %v", err)
-	}
 	// Fails with unknown curve
 	err = ValidatePubKey(&ecdsa.PublicKey{
 		Curve: testCurve{},
 	})
-	if err == nil || !errors.Is(err, goodkey.ErrBadKey) {
-		t.Errorf("expected unexpected curve, got %v", err)
-	}
 }
 
 func TestValidatePubKeyEd25519(t *testing.T) {
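Review bot: The P-224 key and the `testCurve{}` key generated at the end of this hunk are no longer checked: the `ValidatePubKey` assertions were removed, so `err = ValidatePubKey(&ecdsa.PublicKey{...})` is now an ineffective assignment (staticcheck SA4006), and with the `t.Skip` added earlier in this patch nothing after it runs anyway, leaving a tail that compiles and reads as coverage but tests nothing. If the RSA/ECDSA cases in ValidatePubKey are replaced with a stdlib check rather than dropped, keep the negative assertions without the goodkey sentinel, e.g. `if err := ValidatePubKey(priv.Public()); err == nil { t.Error("expected P-224 key to be rejected") }` and the same for the `testCurve{}` key, and remove the skip. Otherwise delete the unreachable tail rather than leave the dead key generation and unused result in place.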