feat: add rsa key module

Close #27

Signed-off-by: Xynnn007 <[email protected]>

Author: Xynnn007

Cargo.toml

@@ -28,7 +28,7 @@ picky = { version = "7.0.0-rc.3", default-features = false, features = [ "x509",
 regex = "1.5.5"
 serde_json = "1.0.79"
 serde = { version = "1.0.136", features = ["derive"] }
-sha2 = "0.10.2"
+sha2 = { version = "0.10.6", features = ["oid"] }
 thiserror = "1.0.30"
 tokio = { version = "1.17.0", features = ["full"] }
 tough = { version = "0.12", features = [ "http" ] }
@@ -48,6 +48,8 @@ digest = "0.10.3"
 signature = { version = "1.5.0", features = [ "digest-preview" ] }
 ed25519 = { version = "1", features = [ "alloc" ] }
 ed25519-dalek-fiat = "0.1.0"
+rsa = "0.7.0-rc.1"
+pkcs1 = "0.4.0"
 
 [dev-dependencies]
 anyhow = "1.0.54"

examples/fulcio/cert/main.rs

@@ -1,4 +1,4 @@
-use sigstore::crypto::signing_key::SigningScheme;
+use sigstore::crypto::SigningScheme;
 use sigstore::fulcio::oauth::OauthTokenProvider;
 use sigstore::fulcio::{FulcioClient, TokenProvider, FULCIO_ROOT};
 use url::Url;

examples/key_interface/key_pair_import/main.rs

@@ -71,7 +71,7 @@ fn main() -> Result<()> {
             inner.to_sigstore_signer()?;
             println!("Converted SigStoreKeyPair to SigStoreSigner.");
         }
-        SigStoreKeyPair::ED25519(_) => bail!("Wrong key pair type."),
+        _ => bail!("Wrong key pair type."),
     }
 
     Ok(())

src/cosign/verification_constraint.rs

@@ -88,6 +88,7 @@ impl PublicKeyVerifier {
     /// The `key_raw` variable holds a PEM encoded rapresentation of the
     /// public key to be used at verification time. The verification
     /// algorithm will be derived from the public key type:
+    /// * `RSA public key`: `RSA_PSS_SHA256`
     /// * `EC public key with P-256 curve`: `ECDSA_P256_SHA256_ASN1`
     /// * `EC public key with P-384 curve`: `ECDSA_P384_SHA384_ASN1`
     /// * `Ed25519 public key`: `Ed25519`

src/crypto/mod.rs

@@ -24,6 +24,19 @@ pub use signing_key::SigStoreSigner;
 pub use verification_key::CosignVerificationKey;
 
 /// Different digital signature algorithms.
+/// * `RSA_PSS_SHA256`: RSA PSS padding using SHA-256
+/// for RSA signatures. All the `usize` member inside
+/// an RSA enum represents the key size of the RSA key.
+/// * `RSA_PSS_SHA384`: RSA PSS padding using SHA-384
+/// for RSA signatures.
+/// * `RSA_PSS_SHA512`: RSA PSS padding using SHA-512
+/// for RSA signatures.
+/// * `RSA_PKCS1_SHA256`: PKCS#1 1.5 padding using
+/// SHA-256 for RSA signatures.
+/// * `RSA_PKCS1_SHA384`: PKCS#1 1.5 padding using
+/// SHA-384 for RSA signatures.
+/// * `RSA_PKCS1_SHA512`: PKCS#1 1.5 padding using
+/// SHA-512 for RSA signatures.
 /// * `ECDSA_P256_SHA256_ASN1`: ASN.1 DER-encoded ECDSA
 /// signatures using the P-256 curve and SHA-256. It
 /// is the default signing scheme.
@@ -36,7 +49,12 @@ pub use verification_key::CosignVerificationKey;
 #[allow(non_camel_case_types)]
 #[derive(Debug, Clone, Copy)]
 pub enum SigningScheme {
-    // TODO: Support RSA
+    RSA_PSS_SHA256(usize),
+    RSA_PSS_SHA384(usize),
+    RSA_PSS_SHA512(usize),
+    RSA_PKCS1_SHA256(usize),
+    RSA_PKCS1_SHA384(usize),
+    RSA_PKCS1_SHA512(usize),
     ECDSA_P256_SHA256_ASN1,
     ECDSA_P384_SHA384_ASN1,
     ED25519,
@@ -50,6 +68,12 @@ impl TryFrom<&str> for SigningScheme {
             "ECDSA_P256_SHA256_ASN1" => Ok(Self::ECDSA_P256_SHA256_ASN1),
             "ECDSA_P384_SHA384_ASN1" => Ok(Self::ECDSA_P384_SHA384_ASN1),
             "ED25519" => Ok(Self::ED25519),
+            "RSA_PSS_SHA256" => Ok(Self::RSA_PSS_SHA256(DEFAULT_KEY_SIZE)),
+            "RSA_PSS_SHA384" => Ok(Self::RSA_PSS_SHA384(DEFAULT_KEY_SIZE)),
+            "RSA_PSS_SHA512" => Ok(Self::RSA_PSS_SHA512(DEFAULT_KEY_SIZE)),
+            "RSA_PKCS1_SHA256" => Ok(Self::RSA_PKCS1_SHA256(DEFAULT_KEY_SIZE)),
+            "RSA_PKCS1_SHA384" => Ok(Self::RSA_PKCS1_SHA384(DEFAULT_KEY_SIZE)),
+            "RSA_PKCS1_SHA512" => Ok(Self::RSA_PKCS1_SHA512(DEFAULT_KEY_SIZE)),
             unknown => Err(format!("Unsupported signing algorithm: {}", unknown)),
         }
     }
@@ -68,6 +92,48 @@ impl SigningScheme {
             SigningScheme::ED25519 => {
                 SigStoreSigner::ED25519(Ed25519Signer::from_ed25519_keys(&Ed25519Keys::new()?)?)
             }
+            SigningScheme::RSA_PSS_SHA256(bit_size) => {
+                SigStoreSigner::RSA_PSS_SHA256(RSASigner::from_rsa_keys(
+                    &RSAKeys::new(*bit_size)?,
+                    DigestAlgorithm::Sha256,
+                    PaddingScheme::PSS,
+                ))
+            }
+            SigningScheme::RSA_PSS_SHA384(bit_size) => {
+                SigStoreSigner::RSA_PSS_SHA384(RSASigner::from_rsa_keys(
+                    &RSAKeys::new(*bit_size)?,
+                    DigestAlgorithm::Sha384,
+                    PaddingScheme::PSS,
+                ))
+            }
+            SigningScheme::RSA_PSS_SHA512(bit_size) => {
+                SigStoreSigner::RSA_PSS_SHA512(RSASigner::from_rsa_keys(
+                    &RSAKeys::new(*bit_size)?,
+                    DigestAlgorithm::Sha512,
+                    PaddingScheme::PSS,
+                ))
+            }
+            SigningScheme::RSA_PKCS1_SHA256(bit_size) => {
+                SigStoreSigner::RSA_PKCS1_SHA256(RSASigner::from_rsa_keys(
+                    &RSAKeys::new(*bit_size)?,
+                    DigestAlgorithm::Sha256,
+                    PaddingScheme::PKCS1v15,
+                ))
+            }
+            SigningScheme::RSA_PKCS1_SHA384(bit_size) => {
+                SigStoreSigner::RSA_PKCS1_SHA384(RSASigner::from_rsa_keys(
+                    &RSAKeys::new(*bit_size)?,
+                    DigestAlgorithm::Sha384,
+                    PaddingScheme::PKCS1v15,
+                ))
+            }
+            SigningScheme::RSA_PKCS1_SHA512(bit_size) => {
+                SigStoreSigner::RSA_PKCS1_SHA512(RSASigner::from_rsa_keys(
+                    &RSAKeys::new(*bit_size)?,
+                    DigestAlgorithm::Sha512,
+                    PaddingScheme::PKCS1v15,
+                ))
+            }
         })
     }
 }
@@ -98,6 +164,7 @@ pub mod verification_key;
 use self::signing_key::{
     ecdsa::ec::{EcdsaKeys, EcdsaSigner},
     ed25519::{Ed25519Keys, Ed25519Signer},
+    rsa::{keypair::RSAKeys, DigestAlgorithm, PaddingScheme, RSASigner, DEFAULT_KEY_SIZE},
 };
 
 pub mod signing_key;

src/crypto/signing_key/mod.rs

@@ -22,10 +22,17 @@
 //! * [`SigStoreSigner`]: an abstraction for digital signing algorithms.
 //!
 //! The [`SigStoreKeyPair`] now includes the key types of the following algorithms:
-//! * [`SigStoreKeyPair::ECDSA`]: Elliptic curve digital signing algorithm
-//! * [`SigStoreKeyPair::ED25519`]: Edwards curve-25519 digital signing algorithm
+//! * [`SigStoreKeyPair::RSA`]: RSA key pair
+//! * [`SigStoreKeyPair::ECDSA`]: Elliptic curve key pair
+//! * [`SigStoreKeyPair::ED25519`]: Edwards curve-25519 key pair
 //!
 //! The [`SigStoreSigner`] now includes the following signing schemes:
+//! * [`SigStoreSigner::RSA_PSS_SHA256`]: RSA signatures using PSS padding and SHA-256.
+//! * [`SigStoreSigner::RSA_PSS_SHA384`]: RSA signatures using PSS padding and SHA-384.
+//! * [`SigStoreSigner::RSA_PSS_SHA512`]: RSA signatures using PSS padding and SHA-512.
+//! * [`SigStoreSigner::RSA_PKCS1_SHA256`]: RSA signatures using PKCS#1v1.5 padding and SHA-256.
+//! * [`SigStoreSigner::RSA_PKCS1_SHA384`]: RSA signatures using PKCS#1v1.5 padding and SHA-384.
+//! * [`SigStoreSigner::RSA_PKCS1_SHA512`]: RSA signatures using PKCS#1v1.5 padding and SHA-512.
 //! * [`SigStoreSigner::ECDSA_P256_SHA256_ASN1`]: ASN.1 DER-encoded ECDSA
 //! signatures using the P-256 curve and SHA-256.
 //! * [`SigStoreSigner::ECDSA_P384_SHA384_ASN1`]: ASN.1 DER-encoded ECDSA
@@ -68,6 +75,7 @@ use crate::errors::*;
 use self::{
     ecdsa::{ec::EcdsaSigner, ECDSAKeys},
     ed25519::{Ed25519Keys, Ed25519Signer},
+    rsa::{keypair::RSAKeys, RSASigner},
 };
 
 use super::{verification_key::CosignVerificationKey, SigningScheme};
@@ -89,6 +97,9 @@ pub const SIGSTORE_PRIVATE_KEY_PEM_LABEL: &str = "ENCRYPTED SIGSTORE PRIVATE KEY
 /// The label for pem of private keys.
 pub const PRIVATE_KEY_PEM_LABEL: &str = "PRIVATE KEY";
 
+/// The label for pem of RSA private keys.
+pub const RSA_PRIVATE_KEY_PEM_LABEL: &str = "RSA PRIVATE KEY";
+
 /// Every signing scheme must implement this interface.
 /// All private export methods using the wrapper `Zeroizing`.
 /// It will tell the compiler when the
@@ -125,7 +136,7 @@ pub trait KeyPair {
 pub enum SigStoreKeyPair {
     ECDSA(ECDSAKeys),
     ED25519(Ed25519Keys),
-    // RSA,
+    RSA(RSAKeys),
 }
 
 /// This macro helps to reduce duplicated code.
@@ -147,6 +158,7 @@ macro_rules! sigstore_keypair_code {
         match $obj {
             SigStoreKeyPair::ECDSA(keys) => keys.as_inner().$func($($args,)*),
             SigStoreKeyPair::ED25519(keys) => keys.$func($($args,)*),
+            SigStoreKeyPair::RSA(keys) => keys.$func($($args,)*),
         }
     }
 }
@@ -217,6 +229,12 @@ pub trait Signer {
 
 #[allow(non_camel_case_types)]
 pub enum SigStoreSigner {
+    RSA_PSS_SHA256(RSASigner),
+    RSA_PSS_SHA384(RSASigner),
+    RSA_PSS_SHA512(RSASigner),
+    RSA_PKCS1_SHA256(RSASigner),
+    RSA_PKCS1_SHA384(RSASigner),
+    RSA_PKCS1_SHA512(RSASigner),
     ECDSA_P256_SHA256_ASN1(EcdsaSigner<p256::NistP256, sha2::Sha256>),
     ECDSA_P384_SHA384_ASN1(EcdsaSigner<p384::NistP384, sha2::Sha384>),
     ED25519(Ed25519Signer),
@@ -230,6 +248,12 @@ impl SigStoreSigner {
             SigStoreSigner::ECDSA_P256_SHA256_ASN1(inner) => inner,
             SigStoreSigner::ECDSA_P384_SHA384_ASN1(inner) => inner,
             SigStoreSigner::ED25519(inner) => inner,
+            SigStoreSigner::RSA_PSS_SHA256(inner) => inner,
+            SigStoreSigner::RSA_PSS_SHA384(inner) => inner,
+            SigStoreSigner::RSA_PSS_SHA512(inner) => inner,
+            SigStoreSigner::RSA_PKCS1_SHA256(inner) => inner,
+            SigStoreSigner::RSA_PKCS1_SHA384(inner) => inner,
+            SigStoreSigner::RSA_PKCS1_SHA512(inner) => inner,
         }
     }
 
@@ -244,6 +268,12 @@ impl SigStoreSigner {
             SigStoreSigner::ECDSA_P256_SHA256_ASN1(_) => SigningScheme::ECDSA_P256_SHA256_ASN1,
             SigStoreSigner::ECDSA_P384_SHA384_ASN1(_) => SigningScheme::ECDSA_P384_SHA384_ASN1,
             SigStoreSigner::ED25519(_) => SigningScheme::ED25519,
+            SigStoreSigner::RSA_PSS_SHA256(_) => SigningScheme::RSA_PSS_SHA256(0),
+            SigStoreSigner::RSA_PSS_SHA384(_) => SigningScheme::RSA_PSS_SHA384(0),
+            SigStoreSigner::RSA_PSS_SHA512(_) => SigningScheme::RSA_PSS_SHA512(0),
+            SigStoreSigner::RSA_PKCS1_SHA256(_) => SigningScheme::RSA_PKCS1_SHA256(0),
+            SigStoreSigner::RSA_PKCS1_SHA384(_) => SigningScheme::RSA_PKCS1_SHA384(0),
+            SigStoreSigner::RSA_PKCS1_SHA512(_) => SigningScheme::RSA_PKCS1_SHA512(0),
         };
         self.as_inner()
             .key_pair()
@@ -262,6 +292,18 @@ impl SigStoreSigner {
             SigStoreSigner::ED25519(inner) => {
                 SigStoreKeyPair::ED25519(Ed25519Keys::from_ed25519key(inner.ed25519_keys())?)
             }
+            SigStoreSigner::RSA_PSS_SHA256(inner) => SigStoreKeyPair::RSA(inner.rsa_keys().clone()),
+            SigStoreSigner::RSA_PSS_SHA384(inner) => SigStoreKeyPair::RSA(inner.rsa_keys().clone()),
+            SigStoreSigner::RSA_PSS_SHA512(inner) => SigStoreKeyPair::RSA(inner.rsa_keys().clone()),
+            SigStoreSigner::RSA_PKCS1_SHA256(inner) => {
+                SigStoreKeyPair::RSA(inner.rsa_keys().clone())
+            }
+            SigStoreSigner::RSA_PKCS1_SHA384(inner) => {
+                SigStoreKeyPair::RSA(inner.rsa_keys().clone())
+            }
+            SigStoreSigner::RSA_PKCS1_SHA512(inner) => {
+                SigStoreKeyPair::RSA(inner.rsa_keys().clone())
+            }
         })
     }
 }