Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove the optional "kid" parameter #1511

Merged
merged 1 commit into from
Feb 15, 2024
Merged

Remove the optional "kid" parameter #1511

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGES/1485.removal
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Removed the optional "kid" parameter stored inside the signatures' payload generated during
docker manifest v2 schema 1 conversion. This change also removes the ``ecdsa`` dependency,
which is vulnerable to Minevra timing attacks.
52 changes: 0 additions & 52 deletions pulp_container/app/schema_convert.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,5 @@
import base64
import binascii
import datetime
import ecdsa
import hashlib
import itertools
import json
import logging

Expand Down Expand Up @@ -129,7 +125,6 @@ def convert(self):
)

key = jwk.ECKey().load_key(ecc.P256)
key.kid = getKeyId(key)
manifest_data = _jsonDumps(manifest)
signed_manifest_data = sign(manifest_data, key)
return manifest_data, signed_manifest_data
Expand Down Expand Up @@ -250,53 +245,6 @@ def sign(data, key):
return data_with_signature


def getKeyId(key):
"""
DER-encode the key and represent it in the format XXXX:YYYY:...
"""
derRepr = toDer(key)
shaRepr = hashlib.sha256(derRepr).digest()[:30]
b32Repr = base64.b32encode(shaRepr).decode()
return ":".join(byN(b32Repr, 4))


def toDer(key):
"""Return the DER-encoded representation of the key"""
point = (
b"\x00\x04" + number2string(key.x, key.curve.bytes) + number2string(key.y, key.curve.bytes)
)
der = ecdsa.der
curveEncodedOid = der.encode_oid(1, 2, 840, 10045, 3, 1, 7)
return der.encode_sequence(
der.encode_sequence(ecdsa.keys.encoded_oid_ecPublicKey, curveEncodedOid),
der.encode_bitstring(point),
)


def byN(strobj, N):
"""
Yield consecutive substrings of length N from string strobj
"""
it = iter(strobj)
while True:
substr = "".join(itertools.islice(it, N))
if not substr:
return
yield substr


def number2string(num, order):
"""
Hex-encode the number and return a zero-padded (to the left) to a total
length of 2*order
"""
# convert to hex
nhex = "%x" % num
# Zero-pad to the left so the length of the resulting unhexified string is order
nhex = nhex.rjust(2 * order, "0")
return binascii.unhexlify(nhex)


def compute_digest(manifest_data):
"""
Compute the digest from the passed manifest data.
Expand Down
1 change: 0 additions & 1 deletion requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
ecdsa>=0.14,<=0.18.0
jsonschema>=4.4,<4.18
pulpcore>=3.25.0,<3.40
pyjwkest>=1.4,<=1.4.2
Expand Down
Loading