Hi!
I use the sigstore Azure KMS package (github.com/sigstore/sigstore/pkg/signature/kms/azure) to sign X.509 certificates with non-exportable private keys stored in Azure Key Vault.
So, I decided to use an RSA2048 key with the SHA256 hash function for signing Certificate Signing Requests, and use the crypto.Signer implementation from the sigstore package.
Here is an example of creating a key in Azure Key Vault:
az keyvault key create --exportable false --vault-name 'test-sigstore-kv' --name 'test-root-ca-key-rsa2048-1' --kty RSA --size 2048
Here is an example of code for creating a self-signed Root CA certificate:
This code triggers an error:
failed to create certificate using CSR: x509: signature over certificate returned by signer is invalid: crypto/rsa: verification error
which is generated by the built-in signature check in x509.
Version
github.com/sigstore/sigstore/pkg/signature/kms/azure v1.7.5
go version go1.19.4 darwin/arm64
Root cause
I found a similar question on Stack Overflow, which led me to check the hashing implementation in the sigstore azure package.
The sigstore package uses the hashing scheme implemented for ECDSA:
sigstore/pkg/signature/kms/azure/signer.go, lines 122 to 128 in 56b713d
But for RSASSA-PKCS1-V1_5-SIGN the scheme is different.
Solution
I forked a package and patched this behavior:
This patch works, but at the moment I decided to use an ECDSA key, while the sigstore package doesn't support RSA keys for X.509 signatures.
If interested, I could rework this patch a bit and submit a pull request.