Add support for ed25519 keys (#1377)

* add support for ed25519 keys

Signed-off-by: Ramon Petgrave <[email protected]>

* add changelog self link

Signed-off-by: Ramon Petgrave <[email protected]>

* lint

Signed-off-by: Ramon Petgrave <[email protected]>

* use latest tsa release, not latest tag

Signed-off-by: Ramon Petgrave <[email protected]>

* add changelog for tsa test fix

Signed-off-by: Ramon Petgrave <[email protected]>

* add tests

Signed-off-by: Ramon Petgrave <[email protected]>

* dosctring for test

Signed-off-by: Ramon Petgrave <[email protected]>

* format

Signed-off-by: Ramon Petgrave <[email protected]>

* fix filename

Signed-off-by: Ramon Petgrave <[email protected]>

---------

Signed-off-by: Ramon Petgrave <[email protected]>

Author: ramonpetgrave64

.github/workflows/ci.yml

@@ -68,7 +68,7 @@ jobs:
         if: ${{ matrix.conf.os == 'ubuntu-latest' }}
         run: |
           # Fetch the latest sigstore/timestamp-authority build
-          SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/tags --jq '.[0].name')
+          SIGSTORE_TIMESTAMP_VERSION=$(gh api /repos/sigstore/timestamp-authority/releases --jq '.[0].tag_name')
           wget https://github.com/sigstore/timestamp-authority/releases/download/${SIGSTORE_TIMESTAMP_VERSION}/timestamp-server-linux-amd64 -O /tmp/timestamp-server
           chmod +x /tmp/timestamp-server
 

CHANGELOG.md

@@ -8,6 +8,11 @@ All versions prior to 0.9.0 are untracked.
 
 ## [Unreleased]
 
+### Added
+
+* Added support for ed25519 keys.
+  [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
+
 ### Fixed
 
 * TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
@@ -20,6 +25,10 @@ All versions prior to 0.9.0 are untracked.
 * API: Make Rekor APIs compatible with Rekor v2 by removing trailing slashes
   from endpoints ([#1366](https://github.com/sigstore/sigstore-python/pull/1366))
 
+* CI: Timestamp Authority tests use latest release, not latest tag, of
+  [sigstore/timestamp-authority](https://github.com/sigstore/timestamp-authority)
+  [#1377](https://github.com/sigstore/sigstore-python/pull/1377)
+
 ### Changed
 
 * `--trust-config` now requires a file with SigningConfig v0.2, and is able to fully

sigstore/_internal/trust.py

@@ -23,12 +23,12 @@
 from datetime import datetime, timezone
 from enum import Enum
 from pathlib import Path
-from typing import ClassVar, NewType
+from typing import ClassVar, NewType, Optional
 
 import cryptography.hazmat.primitives.asymmetric.padding as padding
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives import hashes
-from cryptography.hazmat.primitives.asymmetric import ec, rsa
+from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa
 from cryptography.x509 import (
     Certificate,
     load_der_x509_certificate,
@@ -94,7 +94,7 @@ class Key:
     Represents a key in a `Keyring`.
     """
 
-    hash_algorithm: hashes.HashAlgorithm
+    hash_algorithm: Optional[hashes.HashAlgorithm]
     key: PublicKey
     key_id: KeyID
 
@@ -121,7 +121,7 @@ def __init__(self, public_key: _PublicKey) -> None:
         if not public_key.raw_bytes:
             raise VerificationError("public key is empty")
 
-        hash_algorithm: hashes.HashAlgorithm
+        hash_algorithm: Optional[hashes.HashAlgorithm]
         if public_key.key_details in self._RSA_SHA_256_DETAILS:
             hash_algorithm = hashes.SHA256()
             key = load_der_public_key(public_key.raw_bytes, types=(rsa.RSAPublicKey,))
@@ -130,6 +130,11 @@ def __init__(self, public_key: _PublicKey) -> None:
             key = load_der_public_key(
                 public_key.raw_bytes, types=(ec.EllipticCurvePublicKey,)
             )
+        elif public_key.key_details == _PublicKeyDetails.PKIX_ED25519:
+            hash_algorithm = None
+            key = load_der_public_key(
+                public_key.raw_bytes, types=(ed25519.Ed25519PublicKey,)
+            )
         else:
             raise VerificationError(f"unsupported key type: {public_key.key_details}")
 
@@ -141,20 +146,31 @@ def verify(self, signature: bytes, data: bytes) -> None:
         """
         Verifies the given `data` against `signature` using the current key.
         """
-        if isinstance(self.key, rsa.RSAPublicKey):
+        if isinstance(self.key, rsa.RSAPublicKey) and self.hash_algorithm is not None:
             self.key.verify(
                 signature=signature,
                 data=data,
                 # TODO: Parametrize this as well, for PSS.
                 padding=padding.PKCS1v15(),
                 algorithm=self.hash_algorithm,
             )
-        elif isinstance(self.key, ec.EllipticCurvePublicKey):
+        elif (
+            isinstance(self.key, ec.EllipticCurvePublicKey)
+            and self.hash_algorithm is not None
+        ):
             self.key.verify(
                 signature=signature,
                 data=data,
                 signature_algorithm=ec.ECDSA(self.hash_algorithm),
             )
+        elif (
+            isinstance(self.key, ed25519.Ed25519PublicKey)
+            and self.hash_algorithm is None
+        ):
+            self.key.verify(
+                signature=signature,
+                data=data,
+            )
         else:
             # Unreachable without API misuse.
             raise VerificationError(f"keyring: unsupported key: {self.key}")

sigstore/_utils.py

@@ -24,7 +24,7 @@
 from typing import IO, NewType, Union
 
 from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import ec, rsa
+from cryptography.hazmat.primitives.asymmetric import ec, ed25519, rsa
 from cryptography.x509 import (
     Certificate,
     ExtensionNotFound,
@@ -43,9 +43,13 @@
     from importlib import resources
 
 
-PublicKey = Union[rsa.RSAPublicKey, ec.EllipticCurvePublicKey]
+PublicKey = Union[rsa.RSAPublicKey, ec.EllipticCurvePublicKey, ed25519.Ed25519PublicKey]
 
-PublicKeyTypes = Union[type[rsa.RSAPublicKey], type[ec.EllipticCurvePublicKey]]
+PublicKeyTypes = Union[
+    type[rsa.RSAPublicKey],
+    type[ec.EllipticCurvePublicKey],
+    type[ed25519.Ed25519PublicKey],
+]
 
 HexStr = NewType("HexStr", str)
 """
@@ -64,7 +68,11 @@
 def load_pem_public_key(
     key_pem: bytes,
     *,
-    types: tuple[PublicKeyTypes, ...] = (rsa.RSAPublicKey, ec.EllipticCurvePublicKey),
+    types: tuple[PublicKeyTypes, ...] = (
+        rsa.RSAPublicKey,
+        ec.EllipticCurvePublicKey,
+        ed25519.Ed25519PublicKey,
+    ),
 ) -> PublicKey:
     """
     A specialization of `cryptography`'s `serialization.load_pem_public_key`
@@ -86,7 +94,11 @@ def load_pem_public_key(
 def load_der_public_key(
     key_der: bytes,
     *,
-    types: tuple[PublicKeyTypes, ...] = (rsa.RSAPublicKey, ec.EllipticCurvePublicKey),
+    types: tuple[PublicKeyTypes, ...] = (
+        rsa.RSAPublicKey,
+        ec.EllipticCurvePublicKey,
+        ed25519.Ed25519PublicKey,
+    ),
 ) -> PublicKey:
     """
     The `load_pem_public_key` specialization, but DER.

test/assets/trusted_root/trustedroot.v1.local_tlog_ed25519_rekor-tiles.json

@@ -0,0 +1,114 @@
+{
+    "mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
+    "tlogs": [
+        {
+            "baseUrl": "http://localhost:3003",
+            "hashAlgorithm": "SHA2_256",
+            "publicKey": {
+                "rawBytes": "MCowBQYDK2VwAyEAREvJyNZGjX6B3DAIuD3BTg9rIwV00GY8Xg5FU+IFDUQ=",
+                "keyDetails": "PKIX_ED25519",
+                "validFor": {
+                    "start": "1970-01-01T00:00:00Z"
+                }
+            },
+            "logId": {
+                "keyId": "tAlACZWkUrif9Z9sOIrpk1ak1I8loRNufk79N6l1SNg="
+            }
+        }
+    ],
+    "certificateAuthorities": [
+        {
+            "subject": {
+                "organization": "sigstore.dev",
+                "commonName": "sigstore"
+            },
+            "uri": "https://fulcio.sigstore.dev",
+            "certChain": {
+                "certificates": [
+                    {
+                        "rawBytes": "MIIB+DCCAX6gAwIBAgITNVkDZoCiofPDsy7dfm6geLbuhzAKBggqhkjOPQQDAzAqMRUwEwYDVQQKEwxzaWdzdG9yZS5kZXYxETAPBgNVBAMTCHNpZ3N0b3JlMB4XDTIxMDMwNzAzMjAyOVoXDTMxMDIyMzAzMjAyOVowKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLSyA7Ii5k+pNO8ZEWY0ylemWDowOkNa3kL+GZE5Z5GWehL9/A9bRNA3RbrsZ5i0JcastaRL7Sp5fp/jD5dxqc/UdTVnlvS16an+2Yfswe/QuLolRUCrcOE2+2iA5+tzd6NmMGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFMjFHQBBmiQpMlEk6w2uSu1KBtPsMB8GA1UdIwQYMBaAFMjFHQBBmiQpMlEk6w2uSu1KBtPsMAoGCCqGSM49BAMDA2gAMGUCMH8liWJfMui6vXXBhjDgY4MwslmN/TJxVe/83WrFomwmNf056y1X48F9c4m3a3ozXAIxAKjRay5/aj/jsKKGIkmQatjI8uupHr/+CxFvaJWmpYqNkLDGRU+9orzh5hI2RrcuaQ=="
+                    }
+                ]
+            },
+            "validFor": {
+                "start": "2021-03-07T03:20:29.000Z",
+                "end": "2022-12-31T23:59:59.999Z"
+            }
+        },
+        {
+            "subject": {
+                "organization": "sigstore.dev",
+                "commonName": "sigstore"
+            },
+            "uri": "https://fulcio.sigstore.dev",
+            "certChain": {
+                "certificates": [
+                    {
+                        "rawBytes": "MIICGjCCAaGgAwIBAgIUALnViVfnU0brJasmRkHrn/UnfaQwCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMjA0MTMyMDA2MTVaFw0zMTEwMDUxMzU2NThaMDcxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjEeMBwGA1UEAxMVc2lnc3RvcmUtaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE8RVS/ysH+NOvuDZyPIZtilgUF9NlarYpAd9HP1vBBH1U5CV77LSS7s0ZiH4nE7Hv7ptS6LvvR/STk798LVgMzLlJ4HeIfF3tHSaexLcYpSASr1kS0N/RgBJz/9jWCiXno3sweTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU39Ppz1YkEZb5qNjpKFWixi4YZD8wHwYDVR0jBBgwFoAUWMAeX5FFpWapesyQoZMi0CrFxfowCgYIKoZIzj0EAwMDZwAwZAIwPCsQK4DYiZYDPIaDi5HFKnfxXx6ASSVmERfsynYBiX2X6SJRnZU84/9DZdnFvvxmAjBOt6QpBlc4J/0DxvkTCqpclvziL6BCCPnjdlIB3Pu3BxsPmygUY7Ii2zbdCdliiow="
+                    },
+                    {
+                        "rawBytes": "MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMwKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0yMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3JlLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxexX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92jYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRYwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCMWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ"
+                    }
+                ]
+            },
+            "validFor": {
+                "start": "2022-04-13T20:06:15.000Z"
+            }
+        }
+    ],
+    "ctlogs": [
+        {
+            "baseUrl": "https://ctfe.sigstore.dev/test",
+            "hashAlgorithm": "SHA2_256",
+            "publicKey": {
+                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbfwR+RJudXscgRBRpKX1XFDy3PyudDxz/SfnRi1fT8ekpfBd2O1uoz7jr3Z8nKzxA69EUQ+eFCFI3zeubPWU7w==",
+                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+                "validFor": {
+                    "start": "2021-03-14T00:00:00.000Z",
+                    "end": "2022-10-31T23:59:59.999Z"
+                }
+            },
+            "logId": {
+                "keyId": "CGCS8ChS/2hF0dFrJ4ScRWcYrBY9wzjSbea8IgY2b3I="
+            }
+        },
+        {
+            "baseUrl": "https://ctfe.sigstore.dev/2022",
+            "hashAlgorithm": "SHA2_256",
+            "publicKey": {
+                "rawBytes": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEiPSlFi0CmFTfEjCUqF9HuCEcYXNKAaYalIJmBZ8yyezPjTqhxrKBpMnaocVtLJBI1eM3uXnQzQGAJdJ4gs9Fyw==",
+                "keyDetails": "PKIX_ECDSA_P256_SHA_256",
+                "validFor": {
+                    "start": "2022-10-20T00:00:00.000Z"
+                }
+            },
+            "logId": {
+                "keyId": "3T0wasbHETJjGR4cmWc3AqJKXrjePK3/h4pygC8p7o4="
+            }
+        }
+    ],
+    "timestampAuthorities": [
+        {
+            "subject": {
+                "organization": "GitHub, Inc.",
+                "commonName": "Internal Services Root"
+            },
+            "certChain": {
+                "certificates": [
+                    {
+                        "rawBytes": "MIIB3DCCAWKgAwIBAgIUchkNsH36Xa04b1LqIc+qr9DVecMwCgYIKoZIzj0EAwMwMjEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRkwFwYDVQQDExBUU0EgaW50ZXJtZWRpYXRlMB4XDTIzMDQxNDAwMDAwMFoXDTI0MDQxMzAwMDAwMFowMjEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRkwFwYDVQQDExBUU0EgVGltZXN0YW1waW5nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUD5ZNbSqYMd6r8qpOOEX9ibGnZT9GsuXOhr/f8U9FJugBGExKYp40OULS0erjZW7xV9xV52NnJf5OeDq4e5ZKqNWMFQwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUaW1RudOgVt0leqY0WKYbuPr47wAwCgYIKoZIzj0EAwMDaAAwZQIwbUH9HvD4ejCZJOWQnqAlkqURllvu9M8+VqLbiRK+zSfZCZwsiljRn8MQQRSkXEE5AjEAg+VxqtojfVfu8DhzzhCx9GKETbJHb19iV72mMKUbDAFmzZ6bQ8b54Zb8tidy5aWe"
+                    },
+                    {
+                        "rawBytes": "MIICEDCCAZWgAwIBAgIUX8ZO5QXP7vN4dMQ5e9sU3nub8OgwCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZJbnRlcm5hbCBTZXJ2aWNlcyBSb290MB4XDTIzMDQxNDAwMDAwMFoXDTI4MDQxMjAwMDAwMFowMjEVMBMGA1UEChMMR2l0SHViLCBJbmMuMRkwFwYDVQQDExBUU0EgaW50ZXJtZWRpYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEvMLY/dTVbvIJYANAuszEwJnQE1llftynyMKIMhh48HmqbVr5ygybzsLRLVKbBWOdZ21aeJz+gZiytZetqcyF9WlER5NEMf6JV7ZNojQpxHq4RHGoGSceQv/qvTiZxEDKo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUaW1RudOgVt0leqY0WKYbuPr47wAwHwYDVR0jBBgwFoAU9NYYlobnAG4c0/qjxyH/lq/wz+QwCgYIKoZIzj0EAwMDaQAwZgIxAK1B185ygCrIYFlIs3GjswjnwSMG6LY8woLVdakKDZxVa8f8cqMs1DhcxJ0+09w95QIxAO+tBzZk7vjUJ9iJgD4R6ZWTxQWKqNm74jO99o+o9sv4FI/SZTZTFyMn0IJEHdNmyA=="
+                    },
+                    {
+                        "rawBytes": "MIIB9DCCAXqgAwIBAgIUa/JAkdUjK4JUwsqtaiRJGWhqLSowCgYIKoZIzj0EAwMwODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZJbnRlcm5hbCBTZXJ2aWNlcyBSb290MB4XDTIzMDQxNDAwMDAwMFoXDTMzMDQxMTAwMDAwMFowODEVMBMGA1UEChMMR2l0SHViLCBJbmMuMR8wHQYDVQQDExZJbnRlcm5hbCBTZXJ2aWNlcyBSb290MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEf9jFAXxz4kx68AHRMOkFBhflDcMTvzaXz4x/FCcXjJ/1qEKon/qPIGnaURskDtyNbNDOpeJTDDFqt48iMPrnzpx6IZwqemfUJN4xBEZfza+pYt/iyod+9tZr20RRWSv/o0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQU9NYYlobnAG4c0/qjxyH/lq/wz+QwCgYIKoZIzj0EAwMDaAAwZQIxALZLZ8BgRXzKxLMMN9VIlO+e4hrBnNBgF7tz7Hnrowv2NetZErIACKFymBlvWDvtMAIwZO+ki6ssQ1bsZo98O8mEAf2NZ7iiCgDDU0Vwjeco6zyeh0zBTs9/7gV6AHNQ53xD"
+                    }
+                ]
+            },
+            "validFor": {
+                "start": "2023-04-14T00:00:00.000Z"
+            }
+        }
+    ]
+}

test/unit/internal/test_trust.py

@@ -65,8 +65,18 @@ def test_good(self, asset):
 
 
 class TestTrustedRoot:
-    def test_good(self, asset):
-        path = asset("trusted_root/trustedroot.v1.json")
+    @pytest.mark.parametrize(
+        "file",
+        [
+            "trusted_root/trustedroot.v1.json",
+            "trusted_root/trustedroot.v1.local_tlog_ed25519_rekor-tiles.json",
+        ],
+    )
+    def test_good(self, asset, file):
+        """
+        Ensures that the trusted_roots are well-formed and that the embedded keys are supported.
+        """
+        path = asset(file)
         root = TrustedRoot.from_file(path)
 
         assert (
@@ -76,6 +86,10 @@ def test_good(self, asset):
         assert len(root._inner.certificate_authorities) == 2
         assert len(root._inner.ctlogs) == 2
         assert len(root._inner.timestamp_authorities) == 1
+        assert root.rekor_keyring(KeyringPurpose.VERIFY) is not None
+        assert root.ct_keyring(KeyringPurpose.VERIFY) is not None
+        assert root.get_fulcio_certs() is not None
+        assert root.get_timestamp_authorities() is not None
 
     def test_bad_media_type(self, asset):
         path = asset("trusted_root/trustedroot.badtype.json")