Add --signing-algorithm flag

Signed-off-by: Riccardo Schirone <[email protected]>

Author: ret2libc

cmd/cosign/cli/generate/generate_key_pair.go

@@ -34,6 +34,7 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	"github.com/sigstore/cosign/v2/pkg/cosign/kubernetes"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sigstore/sigstore/pkg/signature/kms"
 )
 
@@ -43,7 +44,7 @@ var (
 )
 
 // nolint
-func GenerateKeyPairCmd(ctx context.Context, kmsVal string, outputKeyPrefixVal string, args []string) error {
+func GenerateKeyPairCmd(ctx context.Context, kmsVal string, outputKeyPrefixVal string, signatureAlgorithmName string, args []string) error {
 	privateKeyFileName := outputKeyPrefixVal + ".key"
 	publicKeyFileName := outputKeyPrefixVal + ".pub"
 
@@ -86,7 +87,16 @@ func GenerateKeyPairCmd(ctx context.Context, kmsVal string, outputKeyPrefixVal s
 		return fmt.Errorf("undefined provider: %s", provider)
 	}
 
-	keys, err := cosign.GenerateKeyPair(GetPass)
+	signatureAlgorithm, err := signature.ParseSignatureAlgorithmFlag(signatureAlgorithmName)
+	if err != nil {
+		return err
+	}
+	algorithmDetails, err := signature.GetAlgorithmDetails(signatureAlgorithm)
+	if err != nil {
+		return err
+	}
+
+	keys, err := cosign.GenerateKeyPairWithAlgo(GetPass, algorithmDetails)
 	if err != nil {
 		return err
 	}

cmd/cosign/cli/generate/generate_key_pair_test.go

@@ -57,7 +57,7 @@ func TestGenerationOfKeys(t *testing.T) {
 	// be default it's set to `cosign`, but this is done by the CLI flag
 	// framework if there is no value set by the user when running the
 	// command.
-	GenerateKeyPairCmd(context.Background(), "", "my-test", nil)
+	GenerateKeyPairCmd(context.Background(), "", "my-test", "ecdsa-sha2-256-nistp256", nil)
 
 	checkIfFileExistsThenDelete(privateKeyName, t)
 	checkIfFileExistsThenDelete(publicKeyName, t)

cmd/cosign/cli/generate_key_pair.go

@@ -34,6 +34,9 @@ func GenerateKeyPair() *cobra.Command {
   # generate key-pair and write to cosign.key and cosign.pub files
   cosign generate-key-pair
 
+  # generate ED25519 key-pair and write to cosign.key and cosign.pub files
+  cosign generate-key-pair --signing-algorithm=ed25519-ph
+
   # generate key-pair and write to custom named my-name.key and my-name.pub files
   cosign generate-key-pair --output-key-prefix my-name
 
@@ -67,7 +70,7 @@ CAVEATS:
 
 		PersistentPreRun: options.BindViper,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return generate.GenerateKeyPairCmd(cmd.Context(), o.KMS, o.OutputKeyPrefix, args)
+			return generate.GenerateKeyPairCmd(cmd.Context(), o.KMS, o.OutputKeyPrefix, o.SigningAlgorithm, args)
 		},
 	}
 

cmd/cosign/cli/options/generate_key_pair.go

@@ -16,14 +16,21 @@
 package options
 
 import (
+	"fmt"
+	"strings"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/spf13/cobra"
 )
 
 // GenerateKeyPairOptions is the top level wrapper for the generate-key-pair command.
 type GenerateKeyPairOptions struct {
 	// KMS Key Management Service
-	KMS             string
-	OutputKeyPrefix string
+	KMS              string
+	OutputKeyPrefix  string
+	SigningAlgorithm string
 }
 
 var _ Interface = (*GenerateKeyPairOptions)(nil)
@@ -34,4 +41,9 @@ func (o *GenerateKeyPairOptions) AddFlags(cmd *cobra.Command) {
 		"create key pair in KMS service to use for signing")
 	cmd.Flags().StringVar(&o.OutputKeyPrefix, "output-key-prefix", "cosign",
 		"name used for generated .pub and .key files (defaults to `cosign`)")
+
+	keyAlgorithmTypes := cosign.GetSupportedAlgorithms()
+	keyAlgorithmHelp := fmt.Sprintf("signing algorithm to use for signing/hashing (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+	defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256)
+	cmd.Flags().StringVar(&o.SigningAlgorithm, "signing-algorithm", defaultKeyFlag, keyAlgorithmHelp)
 }

cmd/cosign/cli/options/key.go

@@ -15,12 +15,15 @@
 
 package options
 
-import "github.com/sigstore/cosign/v2/pkg/cosign"
+import (
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+)
 
 type KeyOpts struct {
 	Sk                   bool
 	Slot                 string
 	KeyRef               string
+	SigningAlgorithm     string
 	FulcioURL            string
 	RekorURL             string
 	IDToken              string

cmd/cosign/cli/options/sign.go

@@ -16,12 +16,19 @@
 package options
 
 import (
+	"fmt"
+	"strings"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/spf13/cobra"
 )
 
 // SignOptions is the top level wrapper for the sign command.
 type SignOptions struct {
 	Key                   string
+	SigningAlgorithm      string
 	Cert                  string
 	CertChain             string
 	Upload                bool
@@ -67,6 +74,11 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 		"path to the private key file, KMS URI or Kubernetes Secret")
 	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{})
 
+	keyAlgorithmTypes := cosign.GetSupportedAlgorithms()
+	keyAlgorithmHelp := fmt.Sprintf("signing algorithm to use for signing/hashing (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+	defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256)
+	cmd.Flags().StringVar(&o.SigningAlgorithm, "signing-algorithm", defaultKeyFlag, keyAlgorithmHelp)
+
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
 	_ = cmd.Flags().SetAnnotation("certificate", cobra.BashCompFilenameExt, []string{"cert"})

cmd/cosign/cli/options/signblob.go

@@ -16,13 +16,20 @@
 package options
 
 import (
+	"fmt"
+	"strings"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign"
+	v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
+	"github.com/sigstore/sigstore/pkg/signature"
 	"github.com/spf13/cobra"
 )
 
 // SignBlobOptions is the top level wrapper for the sign-blob command.
 // The new output-certificate flag is only in use when COSIGN_EXPERIMENTAL is enabled
 type SignBlobOptions struct {
 	Key                  string
+	SigningAlgorithm     string
 	Base64Output         bool
 	Output               string // deprecated: TODO remove when the output flag is fully deprecated
 	OutputSignature      string // TODO: this should be the root output file arg.
@@ -57,6 +64,11 @@ func (o *SignBlobOptions) AddFlags(cmd *cobra.Command) {
 		"path to the private key file, KMS URI or Kubernetes Secret")
 	_ = cmd.Flags().SetAnnotation("key", cobra.BashCompFilenameExt, []string{})
 
+	keyAlgorithmTypes := cosign.GetSupportedAlgorithms()
+	keyAlgorithmHelp := fmt.Sprintf("signing algorithm to use for signing/hashing (allowed %s)", strings.Join(keyAlgorithmTypes, ", "))
+	defaultKeyFlag, _ := signature.FormatSignatureAlgorithmFlag(v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256)
+	cmd.Flags().StringVar(&o.SigningAlgorithm, "signing-algorithm", defaultKeyFlag, keyAlgorithmHelp)
+
 	cmd.Flags().BoolVar(&o.Base64Output, "b64", true,
 		"whether to base64 encode the output")
 

cmd/cosign/cli/sign.go

@@ -102,6 +102,7 @@ race conditions or (worse) malicious tampering.
 			}
 			ko := options.KeyOpts{
 				KeyRef:                         o.Key,
+				SigningAlgorithm:               o.SigningAlgorithm,
 				PassFunc:                       generate.GetPass,
 				Sk:                             o.SecurityKey.Use,
 				Slot:                           o.SecurityKey.Slot,

cmd/cosign/cli/sign/sign.go

@@ -18,7 +18,6 @@ package sign
 import (
 	"bytes"
 	"context"
-	"crypto"
 	"crypto/x509"
 	"encoding/base64"
 	"encoding/json"
@@ -32,6 +31,7 @@ import (
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
+	pb_go_v1 "github.com/sigstore/protobuf-specs/gen/pb-go/common/v1"
 
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio"
 	"github.com/sigstore/cosign/v2/cmd/cosign/cli/fulcio/fulcioverifier"
@@ -138,12 +138,7 @@ func SignCmd(ro *options.RootOptions, ko options.KeyOpts, signOpts options.SignO
 	ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout)
 	defer cancel()
 
-	svOptions := []signature.LoadOption{
-		signatureoptions.WithHash(crypto.SHA256),
-		signatureoptions.WithED25519ph(),
-	}
-
-	sv, err := signerFromKeyOptsWithSVOpts(ctx, signOpts.Cert, signOpts.CertChain, ko, svOptions...)
+	sv, err := SignerFromKeyOpts(ctx, signOpts.Cert, signOpts.CertChain, ko)
 	if err != nil {
 		return fmt.Errorf("getting signer: %w", err)
 	}
@@ -531,8 +526,8 @@ func signerFromKeyRef(ctx context.Context, certPath, certChainPath, keyRef strin
 	return certSigner, nil
 }
 
-func signerFromNewKey(svOpts ...signature.LoadOption) (*SignerVerifier, error) {
-	privKey, err := cosign.GeneratePrivateKey()
+func signerFromNewKey(algorithmDetails signature.AlgorithmDetails, svOpts ...signature.LoadOption) (*SignerVerifier, error) {
+	privKey, err := cosign.GeneratePrivateKeyWithAlgo(algorithmDetails)
 	if err != nil {
 		return nil, fmt.Errorf("generating cert: %w", err)
 	}
@@ -569,9 +564,27 @@ func keylessSigner(ctx context.Context, ko options.KeyOpts, sv *SignerVerifier)
 	}, nil
 }
 
-func signerFromKeyOptsWithSVOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts, svOpts ...signature.LoadOption) (*SignerVerifier, error) {
+func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, error) {
+	var svOpts []signature.LoadOption
+	signingAlgorithm, err := signature.ParseSignatureAlgorithmFlag(ko.SigningAlgorithm)
+	if err != nil {
+		// Default to ECDSA_SHA2_256_NISTP256 if no algorithm is specified
+		signingAlgorithm = pb_go_v1.KnownSignatureAlgorithm_ECDSA_SHA2_256_NISTP256
+	}
+
+	algorithmDetails, err := signature.GetAlgorithmDetails(signingAlgorithm)
+	if err != nil {
+		return nil, err
+	}
+	hashAlgorithm := algorithmDetails.GetHashType()
+	svOpts = []signature.LoadOption{
+		signatureoptions.WithHash(hashAlgorithm),
+	}
+	if algorithmDetails.GetSignatureAlgorithm() == pb_go_v1.KnownSignatureAlgorithm_ED25519_PH {
+		svOpts = append(svOpts, signatureoptions.WithED25519ph())
+	}
+
 	var sv *SignerVerifier
-	var err error
 	genKey := false
 	switch {
 	case ko.Sk:
@@ -581,7 +594,7 @@ func signerFromKeyOptsWithSVOpts(ctx context.Context, certPath string, certChain
 	default:
 		genKey = true
 		ui.Infof(ctx, "Generating ephemeral keys...")
-		sv, err = signerFromNewKey(svOpts...)
+		sv, err = signerFromNewKey(algorithmDetails, svOpts...)
 	}
 	if err != nil {
 		return nil, err
@@ -594,10 +607,6 @@ func signerFromKeyOptsWithSVOpts(ctx context.Context, certPath string, certChain
 	return sv, nil
 }
 
-func SignerFromKeyOpts(ctx context.Context, certPath string, certChainPath string, ko options.KeyOpts) (*SignerVerifier, error) {
-	return signerFromKeyOptsWithSVOpts(ctx, certPath, certChainPath, ko)
-}
-
 type SignerVerifier struct {
 	Cert  []byte
 	Chain []byte

cmd/cosign/cli/sign/sign_blob.go

@@ -36,7 +36,6 @@ import (
 	"github.com/sigstore/cosign/v2/pkg/cosign"
 	cbundle "github.com/sigstore/cosign/v2/pkg/cosign/bundle"
 	"github.com/sigstore/sigstore/pkg/cryptoutils"
-	"github.com/sigstore/sigstore/pkg/signature"
 	signatureoptions "github.com/sigstore/sigstore/pkg/signature/options"
 )
 
@@ -66,12 +65,7 @@ func SignBlobCmd(ro *options.RootOptions, ko options.KeyOpts, payloadPath string
 	ctx, cancel := context.WithTimeout(context.Background(), ro.Timeout)
 	defer cancel()
 
-	svOptions := []signature.LoadOption{
-		signatureoptions.WithHash(crypto.SHA256),
-		signatureoptions.WithED25519ph(),
-	}
-
-	sv, err := signerFromKeyOptsWithSVOpts(ctx, "", "", ko, svOptions...)
+	sv, err := SignerFromKeyOpts(ctx, "", "", ko)
 	if err != nil {
 		return nil, err
 	}