rekor v2: Use the correct keytype in the entry request

jku · jku · commit 324647cfa6cd · 2025-06-06T14:29:38.000+03:00
We only generate secp256r1 so can skip checking all of the other types
for now.

Signed-off-by: Jussi Kukkonen &lt;jkukkonen@google.com&gt;
diff --git a/sigstore/_internal/rekor/__init__.py b/sigstore/_internal/rekor/__init__.py
@@ -37,6 +37,7 @@
 
 class EntryRequest(dict[str, Any]):
     """Entry request payload, for either rekor v1 or v2"""
+
     pass
 
 
diff --git a/sigstore/_internal/rekor/client_v2.py b/sigstore/_internal/rekor/client_v2.py
@@ -24,6 +24,7 @@
 import rekor_types
 import requests
 from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey
 from cryptography.x509 import Certificate
 from sigstore_protobuf_specs.dev.sigstore.common import v1 as common_v1
 from sigstore_protobuf_specs.dev.sigstore.rekor import v2
@@ -37,8 +38,6 @@
 
 _logger = logging.getLogger(__name__)
 
-DEFAULT_KEY_DETAILS = common_v1.PublicKeyDetails.PKIX_ECDSA_P384_SHA_256
-
 
 class _V2EntryRequest(EntryRequest):
     @classmethod
@@ -99,6 +98,18 @@ def create_entry(self, payload: EntryRequest) -> LogEntry:
         _logger.debug(f"integrated: {integrated_entry}")
         return LogEntry._from_dict_rekor(integrated_entry)
 
+    @staticmethod
+    def _get_key_details(certificate: Certificate) -> common_v1.PublicKeyDetails:
+        """Determine PublicKeyDetails from a certificate
+
+        We know that sign.Signer only uses secp256r1 so do not support anything else"""
+        public_key = certificate.public_key()
+        if isinstance(public_key, EllipticCurvePublicKey):
+            if public_key.curve.name == "secp256r1":
+                return common_v1.PublicKeyDetails.PKIX_ECDSA_P256_SHA_256
+            raise ValueError(f"Unsupported EC curve: {public_key.curve.name}")
+        raise ValueError(f"Unsupported public key type: {type(public_key)}")
+
     @classmethod
     def _build_hashed_rekord_request(
         cls,
@@ -109,6 +120,7 @@ def _build_hashed_rekord_request(
         """
         Construct a hashed rekord request to submit to Rekor.
         """
+
         req = v2.HashedRekordRequestV002(
             digest=hashed_input.digest,
             signature=v2.Signature(
@@ -119,7 +131,7 @@ def _build_hashed_rekord_request(
                             encoding=serialization.Encoding.DER
                         )
                     ),
-                    key_details=DEFAULT_KEY_DETAILS,  # type: ignore[arg-type]
+                    key_details=cls._get_key_details(certificate),
                 ),
             ),
         )
@@ -151,7 +163,7 @@ def _build_dsse_request(
                             encoding=serialization.Encoding.DER
                         )
                     ),
-                    key_details=DEFAULT_KEY_DETAILS,  # type: ignore[arg-type]
+                    key_details=cls._get_key_details(certificate),
                 )
             ],
         )
