Merge pull request #493 from sigstore/parse-pkcs-rsa-from-tuf

loosebazooka · web-flow · commit 4215134dcad1 · 2023-09-07T07:50:05.000-04:00
Handle pkcs1 rsa keys in trsuted_root
diff --git a/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java b/sigstore-java/src/main/java/dev/sigstore/encryption/Keys.java
@@ -80,13 +80,7 @@ public static PublicKey parsePublicKey(byte[] keyBytes)
       throw new InvalidKeySpecException("Invalid key, empty PEM section");
     }
     if (section.getType().equals("RSA PUBLIC KEY")) {
-      ASN1Sequence sequence = ASN1Sequence.getInstance(section.getContent());
-      ASN1Integer modulus = ASN1Integer.getInstance(sequence.getObjectAt(0));
-      ASN1Integer exponent = ASN1Integer.getInstance(sequence.getObjectAt(1));
-      RSAPublicKeySpec keySpec =
-          new RSAPublicKeySpec(modulus.getPositiveValue(), exponent.getPositiveValue());
-      KeyFactory factory = KeyFactory.getInstance("RSA");
-      return factory.generatePublic(keySpec);
+      return parsePkcs1RsaPublicKey(section.getContent());
     }
 
     // otherwise, we are dealing with PKIX X509 encoded keys
@@ -128,6 +122,17 @@ public static PublicKey parsePkixPublicKey(byte[] contents, String algorithm)
     return factory.generatePublic(spec);
   }
 
+  public static PublicKey parsePkcs1RsaPublicKey(byte[] contents)
+      throws NoSuchAlgorithmException, InvalidKeySpecException {
+    ASN1Sequence sequence = ASN1Sequence.getInstance(contents);
+    ASN1Integer modulus = ASN1Integer.getInstance(sequence.getObjectAt(0));
+    ASN1Integer exponent = ASN1Integer.getInstance(sequence.getObjectAt(1));
+    RSAPublicKeySpec keySpec =
+        new RSAPublicKeySpec(modulus.getPositiveValue(), exponent.getPositiveValue());
+    KeyFactory factory = KeyFactory.getInstance("RSA");
+    return factory.generatePublic(keySpec);
+  }
+
   /**
    * Valid values for scheme are:
    *
diff --git a/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java b/sigstore-java/src/main/java/dev/sigstore/trustroot/PublicKey.java
@@ -31,11 +31,14 @@ public abstract class PublicKey {
 
   @Lazy
   public java.security.PublicKey toJavaPublicKey()
-      throws InvalidKeySpecException, NoSuchAlgorithmException {
-    if (!getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) {
-      throw new InvalidKeySpecException("Unsupported key algorithm: " + getKeyDetails());
+      throws NoSuchAlgorithmException, InvalidKeySpecException {
+    if (getKeyDetails().equals("PKIX_ECDSA_P256_SHA_256")) {
+      return Keys.parsePkixPublicKey(getRawBytes(), "EC");
     }
-    return Keys.parsePkixPublicKey(getRawBytes(), "EC");
+    if (getKeyDetails().equals("PKCS1_RSA_PKCS1V5")) {
+      return Keys.parsePkcs1RsaPublicKey(getRawBytes());
+    }
+    throw new InvalidKeySpecException("Unsupported key algorithm: " + getKeyDetails());
   }
 
   public static PublicKey from(dev.sigstore.proto.common.v1.PublicKey proto) {
diff --git a/sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java b/sigstore-java/src/test/java/dev/sigstore/tuf/SigstoreTufClientTest.java
@@ -17,6 +17,7 @@
 
 import com.google.protobuf.util.JsonFormat;
 import dev.sigstore.proto.trustroot.v1.TrustedRoot;
+import dev.sigstore.trustroot.SigstoreTrustedRoot;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Path;
@@ -38,23 +39,32 @@ public void testUpdate_publicGoodHasTrustedRootJson() throws Exception {
             .tufCacheLocation(localStorePath)
             .build();
     client.forceUpdate();
-    Assertions.assertNotNull(client.getSigstoreTrustedRoot());
 
-    Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getTLogs().current());
-    Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCTLogs().current());
-    Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCAs().current());
+    assertTrustedRootValid(client.getSigstoreTrustedRoot());
   }
 
   @Test
   public void testUpdate_stagingHasTrustedRootJson() throws Exception {
     var client =
         SigstoreTufClient.builder().useStagingInstance().tufCacheLocation(localStorePath).build();
     client.forceUpdate();
-    Assertions.assertNotNull(client.getSigstoreTrustedRoot());
 
-    Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getTLogs().current());
-    Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCTLogs().current());
-    Assertions.assertDoesNotThrow(() -> client.getSigstoreTrustedRoot().getCAs().current());
+    assertTrustedRootValid(client.getSigstoreTrustedRoot());
+  }
+
+  private void assertTrustedRootValid(SigstoreTrustedRoot trustedRoot) throws Exception {
+    Assertions.assertNotNull(trustedRoot);
+    Assertions.assertDoesNotThrow(() -> trustedRoot.getTLogs().current());
+    Assertions.assertDoesNotThrow(() -> trustedRoot.getCTLogs().current());
+    Assertions.assertDoesNotThrow(() -> trustedRoot.getCAs().current());
+
+    for (var tlog : trustedRoot.getTLogs()) {
+      Assertions.assertDoesNotThrow(() -> tlog.getPublicKey().toJavaPublicKey());
+    }
+
+    for (var ctlog : trustedRoot.getCTLogs()) {
+      Assertions.assertDoesNotThrow(() -> ctlog.getPublicKey().toJavaPublicKey());
+    }
   }
 
   @Test
