Switch to ECDSA based key in fulcio-createcerts (#1303)

* Switch to ECDSA based key in fulcio-createcerts Internally we ran into some issues, so I'm upgrading to the ECDSA key. This also matches what we do in rekor-createsecret so improves uniformity across the codebase. Signed-off-by: Priya Wadhwa <[email protected]> * update public key Signed-off-by: Priya Wadhwa <[email protected]> --------- Signed-off-by: Priya Wadhwa <[email protected]>
sigstore · Oct 11, 2024 · b934909 · b934909
1 parent 7a9289e
commit b934909
Showing 1 changed file with 22 additions and 18 deletions.
diff --git a/cmd/fulcio/createcerts/main.go b/cmd/fulcio/createcerts/main.go
@@ -15,8 +15,9 @@
 package main
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
@@ -36,11 +37,6 @@ import (
 	"sigs.k8s.io/release-utils/version"
 )
 
-const (
-	// Key in the configmap holding the value of the tree.
-	bitSize = 4096
-)
-
 var (
 	secretName       = flag.String("secret", "fulcio-secrets", "Name of the secret to create for the certs")
 	pubkeySecretName = flag.String("pubkeysecret", "fulcio-pub-key", "Name of the secret that holds the public Fulcio information like cert / public key")
@@ -54,6 +50,7 @@ var (
 
 func main() {
 	flag.Parse()
+
 	ns := os.Getenv("NAMESPACE")
 	if ns == "" {
 		panic("env variable NAMESPACE must be set")
@@ -101,13 +98,11 @@ func main() {
 // createAll creates a password protected keypair, and returns PEM encoded
 // CA Cert, crypto.PublicKey, crypto.PrivateKey, password
 func createAll() ([]byte, []byte, []byte, string, error) {
-	// Generate RSA key.
-	key, err := rsa.GenerateKey(rand.Reader, bitSize)
+	// Generate ECDSA key.
+	privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
 	if err != nil {
-		return nil, nil, nil, "", fmt.Errorf("GenerateKey failed: %w", err)
+		return nil, nil, nil, "", fmt.Errorf("failed to generate ecdsa key: %w", err)
 	}
-	// Extract public component.
-	pub := key.Public()
 
 	serialNumber, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
 	if err != nil {
@@ -130,18 +125,23 @@ func createAll() ([]byte, []byte, []byte, string, error) {
 		BasicConstraintsValid: true,
 		MaxPathLen:            1,
 	}
-	derBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, pub, key)
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, rootCA, rootCA, privateKey.Public(), privateKey)
 	if err != nil {
 		return nil, nil, nil, "", fmt.Errorf("failed to create certificate: %w", err)
 	}
 	certPEM := pem.EncodeToMemory(
 		&pem.Block{Type: "CERTIFICATE", Bytes: derBytes},
 	)
 
-	// Encode private key to PKCS#1 ASN.1 PEM.
+	// Encode private key to PKCS #8 ASN.1 PEM.
+	marshalledPrivKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
+	if err != nil {
+		return nil, nil, nil, "", fmt.Errorf("marshal pkcs8 private key: %w", err)
+	}
 	block := &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
+		Type:  "PRIVATE KEY",
+		Bytes: marshalledPrivKey,
 	}
 
 	// Generate a uuid as a password
@@ -158,11 +158,15 @@ func createAll() ([]byte, []byte, []byte, string, error) {
 	if privPEM == nil {
 		return nil, nil, nil, "", fmt.Errorf("EncodeToMemory private key failed: %w", err)
 	}
-	// Encode public key to PKCS#1 ASN.1 PEM.
+
+	marshalledPubKey, err := x509.MarshalPKIXPublicKey(privateKey.Public())
+	if err != nil {
+		return nil, nil, nil, "", fmt.Errorf("failed to unmarshal public key: %w", err)
+	}
 	pubPEM := pem.EncodeToMemory(
 		&pem.Block{
-			Type:  "RSA PUBLIC KEY",
-			Bytes: x509.MarshalPKCS1PublicKey(pub.(*rsa.PublicKey)),
+			Type:  "PUBLIC KEY",
+			Bytes: marshalledPubKey,
 		},
 	)
 	if pubPEM == nil {