feat: support rsa public keys for cosign

as of v1.3.0, cosign allows verifying signatures using RSA instead of ECDSA. this is integrated via the rsa package.

fixes #201

Co-authored-by: Ivan Wallis <iwallis@gmail.com>

connaisseur/crypto.py

@@ -2,6 +2,8 @@
 import base64
 import binascii
 import ecdsa
+import rsa
+from pyasn1.error import PyAsn1Error
 
 
 def verify_signature(
@@ -25,3 +27,10 @@ def load_key(pem_key: str):
         return ecdsa.VerifyingKey.from_pem(pem_key)
     except (ecdsa.der.UnexpectedDER, binascii.Error, TypeError, AttributeError) as err:
         raise ValueError from err
+
+
+def load_rsa_key(pem_key: str):
+    try:
+        return rsa.PublicKey.load_pkcs1_openssl_pem(pem_key)
+    except (ValueError, PyAsn1Error) as err:
+        raise ValueError from err

connaisseur/validators/cosign/cosign_validator.py

@@ -13,7 +13,7 @@
     UnexpectedCosignData,
     InvalidFormatException,
 )
-from connaisseur.crypto import load_key
+from connaisseur import crypto
 
 
 class CosignValidator(ValidatorInterface):
@@ -89,7 +89,11 @@ def __get_cosign_validated_digests(self, image: str, key: str):
                 trust_data_type="dev.cosignproject.cosign/signature",
                 stderr=stderr,
             )
-        elif "Error: no matching signatures:\n\nmain.go:" in stderr:
+        elif (
+            "Error: no matching signatures:\n\nmain.go:" in stderr
+            or "Error: no matching signatures:\ncrypto/rsa: verification error"
+            in stderr
+        ):
             msg = 'No trust data for image "{image}".'
             raise NotFoundException(
                 message=msg,
@@ -166,7 +170,15 @@ def __get_pubkey_config(key: str):
 
         # key is ecdsa public key
         try:
-            pkey = load_key(key).to_pem()  # raises if invalid
+            pkey = crypto.load_key(key).to_pem()  # raises if invalid
+            return ["--key", "/dev/stdin"], {}, pkey
+        except ValueError:
+            pass
+
+        # key is rsa public key
+        try:
+            crypto.load_rsa_key(key)  # raises if invalid
+            pkey = key.encode()
             return ["--key", "/dev/stdin"], {}, pkey
         except ValueError:
             pass

requirements.txt

@@ -9,4 +9,5 @@ python-dateutil~=2.8.2
 PyYAML~=6.0
 aiohttp~=3.7.4.post0
 Jinja2~=3.0.3
-cheroot~=8.5.2
+cheroot~=8.5.2
+rsa~=4.7.2

tests/validators/cosign/test_cosign_validator.py

@@ -347,6 +347,25 @@ def callback_function(input):
             (["--key", "k8s://connaisseur/test_key"], {}, b""),
             fix.no_exc(),
         ),
+        (
+            (
+                "-----BEGIN PUBLIC KEY-----\n"
+                "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvnReRPdqtEAdg18WEao+\n"
+                "NN0DSCxDjFS/MoJzSWc7G6oeakp0UHeCbBTW9V2yNqF4jbLrUhgiIl+dkKw0nqS0\n"
+                "kyD95Wv/Dl2vcHo87GqcFuFgrOpPibxtIgCy2s4hr7wRPAv+CyOfQZTNEAjKEZak\n"
+                "+RzoevsNlA2kZbpGnUSZeaMEIBD0M9GtxTXJBWhFcR9gtyz8n6MU9J1QkZgBUPSd\n"
+                "l1B/14bnehgeC5D26Ssk2wjVqAq1FEv0u0N9CczEDkLhQJ7MEChjVFN7B32u/J+d\n"
+                "6Cjzhk/S8RYOzefXHFuPGeAnEPFCvW1gXaiGDkl/EM+fC4kFAUm1xmFBQPz21sk7\n"
+                "OQIDAQAB\n"
+                "-----END PUBLIC KEY-----\n"
+            ),
+            (
+                ["--key", "/dev/stdin"],
+                {},
+                b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvnReRPdqtEAdg18WEao+\nNN0DSCxDjFS/MoJzSWc7G6oeakp0UHeCbBTW9V2yNqF4jbLrUhgiIl+dkKw0nqS0\nkyD95Wv/Dl2vcHo87GqcFuFgrOpPibxtIgCy2s4hr7wRPAv+CyOfQZTNEAjKEZak\n+RzoevsNlA2kZbpGnUSZeaMEIBD0M9GtxTXJBWhFcR9gtyz8n6MU9J1QkZgBUPSd\nl1B/14bnehgeC5D26Ssk2wjVqAq1FEv0u0N9CczEDkLhQJ7MEChjVFN7B32u/J+d\n6Cjzhk/S8RYOzefXHFuPGeAnEPFCvW1gXaiGDkl/EM+fC4kFAUm1xmFBQPz21sk7\nOQIDAQAB\n-----END PUBLIC KEY-----\n",
+            ),
+            fix.no_exc(),
+        ),
         (
             "123step123step",
             ([], {}, b""),