document ImportKeyPair and LoadPrivateKey functions in pkg/cosign #3776
Conversation
dmitris
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3776 +/- ##
==========================================
- Coverage 40.10% 37.09% -3.02%
==========================================
Files 155 200 +45
Lines 10044 12280 +2236
==========================================
+ Hits 4028 4555 +527
- Misses 5530 7178 +1648
- Partials 486 547 +61 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
I don't think we need to update LoadPrivateKey to support keys that are not encoded as PKCS8. Its purpose is to load the password-encrypted key which is expected to be generated with GenerateKeyPair or ImportKeyPair, both of which output encrypted PKCS8 encoded keys. Did you have another use case in mind?
Let's update the documentation. As for the TODOs, I agree this should be in an internal package, this isn't meant to be general purpose.
dmitris
changed the title
pkg/cosign/keys.go
Outdated
|
|
||
| // given already decrypted blob with x509 encoded private key, try different x509.Parse<*>PrivateKey | ||
| // functions to load it. | ||
| func parsePrivateKey(key []byte) (crypto.PrivateKey, error) { |
There was a problem hiding this comment.
Can we revert this change, since it should only be for PKCS8 encoded keys?
Currently ImportKeyPair() in pkg/cosign supports only private keys in PKCS sigstore#8 form. This change extends it to also support PKCS #1 for RSA keys ("RSA PUBLIC KEY") and SEC 1 for EC keys ("EC PRIVATE KEY"). Fix sigstore#3775. Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Summary
Document the
IMportKeyPairandLoadPrivateKeyfunctions in the pkg/cosign to explicitly indicate the supported PKCS #8 format.Fix #3775.
Release Note
NONE
Documentation
A godoc function comments added for
ImportKeyPairandLoadPrivateKey.