
Stop using deprecated x509.EncryptPEMBlock

Open k4leung4 opened this issue 2 years ago • 7 comments

Description

As noted in the documentation, https://pkg.go.dev/crypto/x509#EncryptPEMBlock

Deprecated: Legacy PEM encryption as specified in [RFC 1423](https://rfc-editor.org/rfc/rfc1423.html) is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.

https://github.com/sigstore/scaffolding/blob/main/cmd/fulcio/createcerts/main.go#L172

k4leung4 avatar Apr 08 '22 22:04 k4leung4

I'd be happy to fix this. Since this is for test code, I'm curious how important it is atm. I poked a bit and am having a hard time finding a suitable replacement without going to external libraries: https://github.com/golang/go/issues/8860

vaikas avatar Apr 12 '22 21:04 vaikas

I don't have a sense of how important this is. With us using scaffolding for bringing up production infrastructure rather than just for testing purposes, we might want to review these things to ensure that it is something that we are comfortable using for production environments.

k4leung4 avatar Apr 12 '22 22:04 k4leung4

Yes! Makes sense. I guess we need to chase down what a suitable replacement is.

vaikas avatar Apr 14 '22 18:04 vaikas

@k4leung4 A couple questions for this -

  • Where is createAll used?
  • Is this for setting up a CA that's backed by an on-disk private key?
  • Does this run regardless of the type of CA backend that's being used (like KMS/CA Service)? If so, we should revisit this, because we shouldn't generate unused keys.

On-disk signing keys are not as secure as a remote signer, so I want to make sure this isn't the default. I've also been digging into this a bit recently - EncryptPEMBlock is deprecated because there's a certain attack that's possible with its weak encryption scheme. One option is PKCS#8 encrypted keys, what Ville linked, which are still vulnerable to the same attack but use a stronger PBKDF function that makes brute force harder. The other option is a better encryption algorithm like AES-GCM, but it's harder to generate an encrypted key using available tooling.

haydentherapper avatar May 19 '22 03:05 haydentherapper
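The following is an added example, not code from scaffolding or Fulcio, showing the AES-GCM option from the comment above next to a check for the RFC 1423 headers that x509.EncryptPEMBlock emits. It stays on the Go standard library by inlining a small PBKDF2-HMAC-SHA256; the PEM block type, the header names and the iteration count are assumptions chosen for the example, and the output is deliberately not PKCS#8 EncryptedPrivateKeyInfo, so it is not interoperable with openssl.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"strconv"
)

// Assumed PEM type and KDF cost for this example; neither is a standard.
const (
	blockType = "AES-256-GCM ENCRYPTED PRIVATE KEY"
	kdfIter   = 200_000
)

// IsLegacyEncryptedPEM reports whether a PEM block carries the RFC 1423
// headers that x509.EncryptPEMBlock produces, without calling the deprecated
// x509.IsEncryptedPEMBlock. Useful for finding keys on disk to re-encrypt.
func IsLegacyEncryptedPEM(pemBytes []byte) bool {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return false
	}
	_, hasDEK := block.Headers["DEK-Info"]
	return block.Headers["Proc-Type"] == "4,ENCRYPTED" && hasDEK
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, inlined so the example
// needs no module outside the standard library; production code should use
// golang.org/x/crypto/pbkdf2 or crypto/pbkdf2 (Go 1.24+) instead.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < keyLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(be[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aad binds the KDF parameters into the GCM tag so a modified salt, count or
// nonce is rejected rather than silently used.
func aad(h map[string]string) []byte {
	return []byte(h["KDF"] + "|" + h["Iter"] + "|" + h["Salt"] + "|" + h["Nonce"])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// EncryptPrivateKeyPEM wraps the PKCS#8 DER of key with AES-256-GCM under a
// password-derived key. Unlike RFC 1423 CBC there is no padding to probe.
func EncryptPrivateKeyPEM(key *ecdsa.PrivateKey, password []byte) ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newGCM(pbkdf2SHA256(password, salt, kdfIter, 32))
	if err != nil {
		return nil, err
	}
	headers := map[string]string{
		"KDF": "PBKDF2-HMAC-SHA256", "Iter": strconv.Itoa(kdfIter),
		"Salt": hex.EncodeToString(salt), "Nonce": hex.EncodeToString(nonce),
	}
	ct := aead.Seal(nil, nonce, der, aad(headers))
	return pem.EncodeToMemory(&pem.Block{Type: blockType, Headers: headers, Bytes: ct}), nil
}

// DecryptPrivateKeyPEM reverses EncryptPrivateKeyPEM. A wrong password or any
// modified byte fails as a whole at Open; nothing leaks before that point.
func DecryptPrivateKeyPEM(pemBytes, password []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != blockType {
		return nil, errors.New("not an AES-GCM encrypted private key")
	}
	iter, errI := strconv.Atoi(block.Headers["Iter"])
	salt, errS := hex.DecodeString(block.Headers["Salt"])
	nonce, errN := hex.DecodeString(block.Headers["Nonce"])
	if errI != nil || errS != nil || errN != nil || iter < 1 || len(nonce) != 12 {
		return nil, errors.New("malformed key headers")
	}
	aead, err := newGCM(pbkdf2SHA256(password, salt, iter, 32))
	if err != nil {
		return nil, err
	}
	der, err := aead.Open(nil, nonce, block.Bytes, aad(block.Headers))
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	parsed, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	key, ok := parsed.(*ecdsa.PrivateKey)
	if !ok {
		return nil, errors.New("not an ECDSA key")
	}
	return key, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	enc, err := EncryptPrivateKeyPEM(key, []byte("correct horse"))
	if err != nil {
		panic(err)
	}
	fmt.Print(string(enc))
	_, err = DecryptPrivateKeyPEM(enc, []byte("wrong"))
	fmt.Println("wrong password:", err)
}
```

The check a reviewer would want here is that decryption has exactly one failure mode (the GCM tag) whether the password is wrong or a ciphertext byte is flipped, and that IsLegacyEncryptedPEM returns false for the new format but true for anything EncryptPEMBlock wrote.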

@haydentherapper

This is not used for staging or production, as it is only used when the certificate authority is set to fileca. For sigstore staging and production, we use kmsca, which does not use the createcerts job.

k4leung4 avatar May 19 '22 03:05 k4leung4

Sweet, thanks for confirming. I'm looking at dropping support for RFC1423 keys in Fulcio, so I may need to import a third-party library for PKCS#8 key generation in Scaffolding. Any concerns?

haydentherapper avatar May 19 '22 03:05 haydentherapper

The main use case for this at the moment is e2e testing, I think. No concerns from me as long as we have a way to run e2e tests.

k4leung4 avatar May 19 '22 04:05 k4leung4