Metadata API: (maybe) Enforce public key content uniqueness in keys

See original GitHub issue

Root and targets have a keys dictionary with keyid as key. It would be nice to know for sure that these keys are actually unique keys (and not e.g. the same key content with two different keyids).

One solution would be to validate that the keyid is correct according to spec:

KEYID: … a hexdigest of the SHA-256 hash of the canonical form of the key.

Having looked at the securesystemslib implementation I don’t think we can consider keyid reproducible… what SSLib considers canonical form depends on the settings that were used on the machine that generated the key, and those settings are not stored on the key itself.

The other solution would be to validate key content uniqueness in the keys dict ourselves. This might make sense: we could just not accept a keys dictionary that contained two keys with identical key content – I don’t think there’s a non-malicious, non-error case where that would happen.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 10 (9 by maintainers)

Top GitHub Comments

1 reaction
jku commented, Jun 8, 2021

We want to warn the user on accidentally duplicating keys, but do we want to stop the execution with an exception?

Maybe yes?

  • it would prevent a repository tool from creating broken metadata
  • it would prevent a client from being in a situation where signatures refer to a key that exists (in the file) and does not exist (in deserialized keys) at the same time

1 reaction
jku commented, Jun 2, 2021

Thanks. So to recap:

  • we could check for key content uniqueness
  • it would be a minor usability/sanity check feature, to prevent accidentally using the same key with two keyids
  • it would not prevent maliciously using the same key in two forms (but if attacker is able to define the key content, they are typically also able to e.g. change thresholds or add new keys so this is not a huge issue)
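
One way to implement the content-uniqueness check discussed in this issue, as an added example (not python-tuf or securesystemslib code). It assumes each entry in the keys dictionary is a dict with `keytype`, `scheme` and `keyval` fields; the function names, keyids and key values are hypothetical. As the recap says, an exact-content comparison does not catch the same key written in two different forms.

```python
import json
from collections import defaultdict


class DuplicateKeyContentError(ValueError):
    """Raised when two keyids in one keys dict carry identical key content."""


def key_fingerprint(key: dict) -> str:
    """Stable string for a key's content, independent of its keyid.

    Only the fields that define the key are included; sorted-key JSON keeps
    the result independent of the field order in the metadata file.
    """
    content = {
        "keytype": key["keytype"],
        "scheme": key["scheme"],
        "keyval": key["keyval"],
    }
    return json.dumps(content, sort_keys=True, separators=(",", ":"))


def find_duplicate_keys(keys: dict) -> list:
    """Return sorted groups of keyids that share identical key content."""
    by_content = defaultdict(list)
    for keyid, key in keys.items():
        by_content[key_fingerprint(key)].append(keyid)
    return sorted(sorted(ids) for ids in by_content.values() if len(ids) > 1)


def validate_unique_keys(keys: dict) -> None:
    """Reject a keys dict where the same key content appears under two keyids."""
    dups = find_duplicate_keys(keys)
    if dups:
        raise DuplicateKeyContentError(f"identical key content under keyids: {dups}")


# Constructed sample: "aaa" and "ccc" are placeholder keyids for the same key,
# with the fields listed in a different order.
SAMPLE_KEYS = {
    "aaa": {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "01ab"}},
    "bbb": {"keytype": "ed25519", "scheme": "ed25519", "keyval": {"public": "02cd"}},
    "ccc": {"scheme": "ed25519", "keytype": "ed25519", "keyval": {"public": "01ab"}},
}

if __name__ == "__main__":
    print(find_duplicate_keys(SAMPLE_KEYS))
```

Calling `validate_unique_keys` during deserialization corresponds to the "stop with an exception" option; using `find_duplicate_keys` and logging the result corresponds to the warn-only option.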