sigstore/cosign

cosign could not import encrypted RSA or ECDSA keys?


Description
Problem Statement: Cosign could not import encrypted RSA or ECDSA keys.

I was trying to import PEM-formatted RSA or ECDSA keys, and they were perfectly imported by cosign.

# generate private key
$ openssl ecparam -name prime256v1 -genkey -noout -out ecdsa_private.ec.key

# convert the private key in PEM format without encrypting
$ openssl ec -in ecdsa_private.ec.key -out private.pem

# import the ECDSA key
$ cosign import-key-pair --key private.pem --output-key-prefix=import-ecdsa-cosign

But when I provided encrypted PEM-formatted RSA or ECDSA keys, cosign could not import them and threw an error.

# encrypt the ECDSA key
$ openssl pkcs8 -topk8 -in ecdsa_private.ec.key -out ecdsa_private.pem

# Now, import the key
$ cosign import-key-pair --key ecdsa_private.pem --output-key-prefix=import-ecdsa-cosign
Error: unsupported private key
main.go:74: error during command execution: unsupported private key

AFAIK, it throws an error because the provided keys were encrypted, hence cosign doesn't know how to decrypt them.

Why do we need cosign to import encrypted keys?
The common use case is that most of the time our keys are encrypted, so I think it would be an important feature if cosign implemented this.

Solution:
What cosign can do is, basically, when encrypted keys are provided, ask the user for the password and decrypt the keys. Once the key is decrypted, cosign can import it using the decrypted key.

I tried decrypting the ECDSA keys, and when I imported the decrypted keys, cosign was able to import them.

# decrypt the keys
$ openssl ec -in ecdsa_private.pem -out decrypted.pem

# import the decrypted ECDSA keys
$ cosign import-key-pair --key decrypted.pem --output-key-prefix=import-ecdsa-cosign

I would be good with this being added. Note that there is already code in import-key-pair for requesting a password to encrypt the imported key.

/assign

Update: Basically, to decrypt the encrypted key we need a function. Earlier the function DecryptPEMBlock from the x509 package was used for the same purpose, but it has now been deprecated because some vulnerability was found in it.

Hey @haydentherapper, what can we do next?

The OpenSSL encryption isn't necessarily insecure, it's just dated. Thinking more on this, is there a reason we can't use openssl to decrypt the key before passing it to cosign? Given openssl is widely available, I think we can forgo adding this feature.

Yes, OpenSSL has such functionality, to convert an encrypted key to decrypted form:
openssl ec -in ecdsa_private.ec.pem -out ecdsa_private.pem
So the user can first decrypt it and then provide it to cosign for importing:
cosign import-key-pair --key ecdsa_private.pem --output-key-prefix import-cosign-ecdsa
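The thread closes on "decrypt with openssl first", but the underlying problem for a user is that cosign's "unsupported private key" message does not say *why* the import failed. The Go program below is an added example, not cosign's own code, showing how a key loader can tell an encrypted PEM apart from an unsupported one and return an actionable error. It covers both encodings OpenSSL produces: PKCS#8 encryption (`ENCRYPTED PRIVATE KEY`, what `openssl pkcs8 -topk8` writes) and the legacy format, where the block type stays `EC PRIVATE KEY` but a `Proc-Type: 4,ENCRYPTED` header is added. `ErrEncryptedKey`, `IsEncryptedPEM` and `LoadPrivateKey` are hypothetical names; the sample keys are generated in memory, and the two encrypted samples carry placeholder bytes rather than real ciphertext, since only the PEM type and headers are inspected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// ErrEncryptedKey replaces a generic "unsupported private key" when the
// input is encrypted. Hypothetical sentinel for this example, not a cosign API.
var ErrEncryptedKey = errors.New("private key is encrypted; decrypt it with openssl first")

// IsEncryptedPEM reports whether a PEM block holds an encrypted private key:
// PKCS#8 encryption uses its own block type, the legacy OpenSSL format keeps
// the plain type and signals encryption through the Proc-Type header.
func IsEncryptedPEM(block *pem.Block) bool {
	if block.Type == "ENCRYPTED PRIVATE KEY" {
		return true
	}
	return block.Headers["Proc-Type"] == "4,ENCRYPTED"
}

// LoadPrivateKey parses an unencrypted RSA or ECDSA key in PKCS#8, PKCS#1
// (RSA) or SEC 1 (EC) PEM encoding. Encrypted input is rejected up front so
// the caller learns what to do instead of seeing a bare parse failure.
func LoadPrivateKey(pemBytes []byte) (interface{}, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	if IsEncryptedPEM(block) {
		return nil, ErrEncryptedKey
	}
	switch block.Type {
	case "PRIVATE KEY":
		return x509.ParsePKCS8PrivateKey(block.Bytes)
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "EC PRIVATE KEY":
		return x509.ParseECPrivateKey(block.Bytes)
	default:
		return nil, fmt.Errorf("unsupported private key type %q", block.Type)
	}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Constructed sample inputs so the example runs offline.

// SampleECDSAPKCS8 mirrors an unencrypted `openssl pkcs8 -topk8 -nocrypt` key.
func SampleECDSAPKCS8() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	der, err := x509.MarshalPKCS8PrivateKey(key)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

// SampleECDSASEC1 mirrors the `openssl ec -in ... -out private.pem` output from the issue.
func SampleECDSASEC1() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	der, err := x509.MarshalECPrivateKey(key)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// SampleRSAPKCS1 mirrors a traditional-format RSA key.
func SampleRSAPKCS1() []byte {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}

// SampleEncryptedPKCS8 stands in for `openssl pkcs8 -topk8` output; the body is
// a constructed placeholder, not ciphertext, because only the type is inspected.
func SampleEncryptedPKCS8() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("constructed-placeholder")})
}

// SampleLegacyEncrypted stands in for the older header-based OpenSSL encryption.
func SampleLegacyEncrypted() []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type:    "EC PRIVATE KEY",
		Headers: map[string]string{"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00112233445566778899AABBCCDDEEFF"},
		Bytes:   []byte("constructed-placeholder"),
	})
}

func main() {
	for _, s := range []struct {
		name string
		pem  []byte
	}{
		{"ECDSA PKCS#8", SampleECDSAPKCS8()},
		{"ECDSA SEC 1", SampleECDSASEC1()},
		{"RSA PKCS#1", SampleRSAPKCS1()},
		{"encrypted PKCS#8", SampleEncryptedPKCS8()},
		{"legacy encrypted", SampleLegacyEncrypted()},
	} {
		if key, err := LoadPrivateKey(s.pem); err != nil {
			fmt.Printf("%-17s -> %v\n", s.name, err)
		} else {
			fmt.Printf("%-17s -> parsed %T\n", s.name, key)
		}
	}
}
```

Two design points: the encryption check runs before any parsing, so a wrong password prompt or a misleading "unsupported" message never reaches the user for a key that is merely encrypted; and the loader deliberately does not attempt decryption itself, matching the maintainer's position that the deprecated legacy PEM scheme is better handled by OpenSSL than reimplemented.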