Support rsa-pkcs1v15-sha256 keys (#86)

In preparation for tuf-conformance using them Signed-off-by: Samuel Giddins <[email protected]>
sigstore · Aug 22, 2024 · 17d38b5 · 17d38b5
1 parent 316f248
commit 17d38b5
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 4 deletions.
diff --git a/lib/sigstore/internal/key.rb b/lib/sigstore/internal/key.rb
@@ -104,7 +104,7 @@ def initialize(...)
           raise ArgumentError, "key must be an OpenSSL::PKey::RSA" unless @key.is_a?(OpenSSL::PKey::RSA)
 
           case @schema
-          when "rsassa-pss-sha256"
+          when "rsassa-pss-sha256", "rsa-pkcs1v15-sha256"
             # supported
           else
             raise ArgumentError, "Unsupported schema #{schema}"
@@ -115,6 +115,8 @@ def verify(_algo, signature, data)
           case @schema
           when "rsassa-pss-sha256"
             @key.verify_pss("sha256", signature, data, salt_length: :auto, mgf1_hash: "SHA256")
+          when "rsa-pkcs1v15-sha256"
+            super
           else
             raise ArgumentError, "Unsupported schema #{schema}"
           end

diff --git a/lib/sigstore/tuf/roles.rb b/lib/sigstore/tuf/roles.rb
@@ -81,7 +81,7 @@ def verify_delegate(type, bytes, signatures)
       signatures.each do |signature|
         key_id = signature.fetch("keyid")
         unless @keys.include?(key_id)
-          logger.warn "Unknown key_id=#{key_id.inspect} missing from #{@keys}"
+          logger.warn "Unknown key_id=#{key_id.inspect} missing from #{@keys.keys}"
           next
         end
 
@@ -90,7 +90,9 @@ def verify_delegate(type, bytes, signatures)
         verified = key.verify("sha256", signature_bytes, bytes)
 
         added = verified_key_ids.add?(key_id) if verified
-        logger.debug { "key_id=#{key_id.inspect} type=#{type} verified=#{verified} added=#{added.inspect}" }
+        logger.debug do
+          "key_id=#{key_id.inspect} type=#{type} verified=#{verified} added=#{added.nil? ? added.inspect : true}"
+        end
       end
       count = verified_key_ids.size
 

diff --git a/lib/sigstore/tuf/trusted_metadata_set.rb b/lib/sigstore/tuf/trusted_metadata_set.rb
@@ -119,7 +119,7 @@ def update_delegated_targets(data, role, parent_role)
       check_final_snapshot
 
       delegator = @trusted_set.fetch(parent_role)
-      logger.debug { "Updating #{role} delegated by #{parent_role.inspect} to #{delegator.inspect}" }
+      logger.debug { "Updating #{role} delegated by #{parent_role.inspect} to #{delegator.class}" }
       raise Error::BadUpdateOrder, "cannot load targets before delegator" unless delegator
 
       logger.debug { "Updating #{role} delegated by #{parent_role}" }