Key ID generation is incorrect for non-ECDSA keys #954

woodruffw · 2024-04-03T15:37:02Z

See sigstore/rekor#2062 for the full context here. TL;DR: we have an internal key_id helper that essentially does SHA256(DER(SPKI(key)), which is correct for ECDSA keys but not for Ed25519 or RSA.

Following #953 this will no longer cause failures, but will be suboptimal in terms of searching all keys in the keyring. We should fix our key ID generation and handling to make it more optimal.

The text was updated successfully, but these errors were encountered:

haydentherapper · 2024-04-03T21:26:35Z

Pending agreement, I think we should have RSA be the same key ID calculation. Doing the complex computation with 0xff doesn't feel worthwhile.

Also note the update on the thread, I think we can put checkpoint key ID in the trust root so that clients don't have to compute it.

woodruffw · 2024-04-03T21:32:07Z

Pending agreement, I think we should have RSA be the same key ID calculation. Doing the complex computation with 0xff doesn't feel worthwhile.

SGTM!

woodruffw added bug Something isn't working component:verification Core verification functionality labels Apr 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Key ID generation is incorrect for non-ECDSA keys #954

Key ID generation is incorrect for non-ECDSA keys #954

woodruffw commented Apr 3, 2024

haydentherapper commented Apr 3, 2024 •

edited

woodruffw commented Apr 3, 2024

Key ID generation is incorrect for non-ECDSA keys #954

Key ID generation is incorrect for non-ECDSA keys #954

Comments

woodruffw commented Apr 3, 2024

haydentherapper commented Apr 3, 2024 • edited

woodruffw commented Apr 3, 2024

haydentherapper commented Apr 3, 2024 •

edited