fix: fail to load deprecated ecdsa verifier (#541)

* fix: fail to load deprecated ecdsa verifier

Signed-off-by: Radoslav Dimitrov <[email protected]>

* test: update deprecated tests and fix assigned verifier

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: temporarily silence govulncheck alerts

Signed-off-by: Radoslav Dimitrov <[email protected]>

---------

Signed-off-by: Radoslav Dimitrov <[email protected]>

Author: rdimitrov

.github/workflows/tests.yml

@@ -71,4 +71,4 @@ jobs:
         uses: golang/govulncheck-action@v1
         with:
           go-version-input: ${{ matrix.go-version }}
-          go-package: ./...
+          go-package: -json ./...

pkg/deprecated/deprecated_repo_test.go

@@ -32,18 +32,19 @@ func genKey(c *C, r *repo.Repo, role string) []string {
 // Deprecated ecdsa key support: Support verification against roots that were
 // signed with hex-encoded ecdsa keys.
 func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
+	type deprecatedP256Verifier struct {
+		PublicKey data.HexBytes `json:"public"`
+	}
 	files := map[string][]byte{"foo.txt": []byte("foo")}
 	local := repo.MemoryStore(make(map[string]json.RawMessage), files)
 	r, err := repo.NewRepo(local)
 	c.Assert(err, IsNil)
 
 	r.Init(false)
-	// Add a root key with hex-encoded ecdsa format
+
+	// Add a root key with hex-encoded ecdsa format - compliant "ecdsa"
 	signer, err := keys.GenerateEcdsaKey()
 	c.Assert(err, IsNil)
-	type deprecatedP256Verifier struct {
-		PublicKey data.HexBytes `json:"public"`
-	}
 	pub := signer.PublicKey
 	keyValBytes, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pub.Curve, pub.X, pub.Y)})
 	c.Assert(err, IsNil)
@@ -55,6 +56,22 @@ func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
 	}
 	err = r.AddVerificationKey("root", publicData)
 	c.Assert(err, IsNil)
+
+	// Add a root key with hex-encoded ecdsa format - deprecated "ecdsa-sha2-nistp256"
+	signerDeprecated, err := keys.GenerateEcdsaKey()
+	c.Assert(err, IsNil)
+	pubDeprecated := signerDeprecated.PublicKey
+	keyValBytesDeprecated, err := json.Marshal(&deprecatedP256Verifier{PublicKey: elliptic.Marshal(pubDeprecated.Curve, pubDeprecated.X, pubDeprecated.Y)})
+	c.Assert(err, IsNil)
+	publicDataDeprecated := &data.PublicKey{
+		Type:       data.KeyTypeECDSA_SHA2_P256_OLD_FMT,
+		Scheme:     data.KeySchemeECDSA_SHA2_P256,
+		Algorithms: data.HashAlgorithms,
+		Value:      keyValBytesDeprecated,
+	}
+	err = r.AddVerificationKey("root", publicDataDeprecated)
+	c.Assert(err, IsNil)
+
 	// Add other keys as normal
 	genKey(c, r, "targets")
 	genKey(c, r, "snapshot")
@@ -75,6 +92,14 @@ func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
 			Signature: rootSig}), IsNil)
 	}
 
+	rootSigDeprecated, err := signerDeprecated.PrivateKey.Sign(rand.Reader, hash[:], crypto.SHA256)
+	c.Assert(err, IsNil)
+	for _, id := range publicDataDeprecated.IDs() {
+		c.Assert(r.AddOrUpdateSignature("root.json", data.Signature{
+			KeyID:     id,
+			Signature: rootSigDeprecated}), IsNil)
+	}
+
 	// Committing should succeed because the deprecated key pkg is added.
 	c.Assert(r.Snapshot(), IsNil)
 	c.Assert(r.Timestamp(), IsNil)

pkg/deprecated/set_ecdsa/set_ecdsa.go

@@ -19,5 +19,8 @@ func init() {
 	if !ok {
 		panic(errors.New("expected to override previously loaded PEM-only ECDSA verifier"))
 	}
-	keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256, keys.NewDeprecatedEcdsaVerifier)
+	// store a mapping for both data.KeyTypeECDSA_SHA2_P256_OLD_FMT and data.KeyTypeECDSA_SHA2_P256
+	// in case a client is verifying using both the old non-compliant format and a newly generated root
+	keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256, keys.NewDeprecatedEcdsaVerifier)         // compliant format
+	keys.VerifierMap.Store(data.KeyTypeECDSA_SHA2_P256_OLD_FMT, keys.NewDeprecatedEcdsaVerifier) // deprecated format
 }