asf-tooling opened a new issue, #985:
URL: https://github.com/apache/tooling-trusted-releases/issues/985
**ASVS Level(s):** [L2-only]
**Description:**
### Summary
The application accepts and stores OpenPGP public keys without validating
their cryptographic strength. Keys are parsed and stored with their algorithm
type and key length recorded in the database, but no validation is performed to
ensure these parameters meet minimum security requirements. This allows weak
keys (e.g., RSA 1024-bit or smaller, deprecated DSA keys) to be imported and
subsequently used for release artifact signature verification.
### Details
**Affected Files and Lines:**
- `atr/storage/writers/keys.py:109-350` - Key import without strength
validation
- `atr/tasks/checks/signature.py:64-131` - Signature verification without
strength check
Keys are imported and used without validating they meet minimum
cryptographic strength requirements.
### Recommended Remediation
Add validation in `keyring_fingerprint_model()` and `_check_core_logic()`:
```python
import pgpy

# Approved algorithms
APPROVED_ALGORITHMS = {
    pgpy.constants.PubKeyAlgorithm.RSAEncryptOrSign,
    pgpy.constants.PubKeyAlgorithm.RSASign,
    pgpy.constants.PubKeyAlgorithm.ECDSA,
    pgpy.constants.PubKeyAlgorithm.EdDSA,
    pgpy.constants.PubKeyAlgorithm.ECDH,
}

# Minimum key sizes (bits)
MIN_KEY_SIZES = {
    pgpy.constants.PubKeyAlgorithm.RSAEncryptOrSign: 3072,
    pgpy.constants.PubKeyAlgorithm.RSASign: 3072,
    pgpy.constants.PubKeyAlgorithm.ECDSA: 256,
    pgpy.constants.PubKeyAlgorithm.EdDSA: 255,
}


def validate_key_strength(key: pgpy.PGPKey) -> None:
    """Validate that the key meets minimum cryptographic requirements."""
    if key.key_algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"Key algorithm {key.key_algorithm} not approved")
    min_size = MIN_KEY_SIZES.get(key.key_algorithm)
    # PGPKey.key_size is an int for RSA/DSA but an EllipticCurveOID for EC keys;
    # normalise to a bit count before comparing.
    key_size = getattr(key.key_size, "key_size", key.key_size)
    if min_size and key_size < min_size:
        raise ValueError(
            f"Key size {key_size} below minimum {min_size} "
            f"for algorithm {key.key_algorithm}"
        )
```
Reject keys that do not meet these criteria with a descriptive error
message. Filter keys by cryptographic strength before verification.
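Added example, not code from tooling-trusted-releases: the same policy applied to a raw RFC 4880 v4 public-key packet without pgpy, reading the algorithm ID and key size (MPI bit count for RSA/DSA, curve size for EC keys) straight from the bytes. The test packets are constructed inline and carry dummy key material.

```python
import struct

# Public-key algorithm IDs (RFC 4880 s9.1; 18/19 from RFC 6637; 22 = EdDSA)
RSA, RSA_SIGN, ELGAMAL, DSA, ECDH, ECDSA, EDDSA = 1, 3, 16, 17, 18, 19, 22
APPROVED = {RSA, RSA_SIGN, ECDSA, EDDSA, ECDH}         # same set as the issue proposes
MIN_BITS = {RSA: 3072, RSA_SIGN: 3072, ECDSA: 256, EDDSA: 255}
CURVE_BITS = {                                        # curve OID bytes -> key size in bits
    bytes.fromhex("2a8648ce3d030107"): 256,           # NIST P-256
    bytes.fromhex("2b06010401da470f01"): 256,         # Ed25519
}

def parse_public_key_packet(data: bytes) -> tuple[int, int]:
    """Return (algorithm_id, key_bits) from an old-format v4 public-key packet (tag 6)."""
    ctb = data[0]
    if not ctb & 0x80 or ctb & 0x40 or ((ctb >> 2) & 0x0F) != 6 or (ctb & 0x03) == 3:
        raise ValueError("not an old-format, definite-length public-key packet")
    nlen = (1, 2, 4)[ctb & 0x03]
    body_len = int.from_bytes(data[1:1 + nlen], "big")
    body = data[1 + nlen:1 + nlen + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or unsupported key version")
    alg = body[5]                                     # after version(1) + creation time(4)
    if alg in (ECDH, ECDSA, EDDSA):                   # EC keys: OID length byte, then OID
        oid = body[7:7 + body[6]]
        if oid not in CURVE_BITS:
            raise ValueError(f"unknown curve OID {oid.hex()}")
        return alg, CURVE_BITS[oid]
    return alg, struct.unpack(">H", body[6:8])[0]     # RSA/DSA/ElGamal: bit count of n or p

def check_key_strength(data: bytes) -> tuple[bool, str]:
    """Apply the issue's policy: approved algorithm and at least the minimum size."""
    try:
        alg, bits = parse_public_key_packet(data)
    except (ValueError, IndexError) as exc:
        return False, f"unparseable key: {exc}"
    if alg not in APPROVED:
        return False, f"Key algorithm {alg} not approved"
    if bits < MIN_BITS.get(alg, 0):
        return False, f"Key size {bits} below minimum {MIN_BITS[alg]} for algorithm {alg}"
    return True, f"algorithm {alg}, {bits} bits"

def mpi(bits: int) -> bytes:
    """Constructed MPI with only the top bit set, so it is exactly `bits` bits long."""
    return struct.pack(">H", bits) + (1 << (bits - 1)).to_bytes((bits + 7) // 8, "big")

def build_test_packet(alg: int, material: bytes) -> bytes:
    """Constructed v4 tag-6 packet (CTB 0x99 = two-byte length) around `material`."""
    body = b"\x04" + b"\x00\x00\x00\x00" + bytes([alg]) + material
    return b"\x99" + struct.pack(">H", len(body)) + body
```

For instance, `check_key_strength(build_test_packet(DSA, mpi(1024)))` is rejected on algorithm, while a truncated or unknown-curve packet is rejected as unparseable rather than being let through.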
### Acceptance Criteria
- [ ] Key strength validation implemented
- [ ] Approved algorithms enforced
- [ ] Minimum key sizes enforced
- [ ] Weak keys rejected on import
- [ ] Descriptive error messages
- [ ] Unit test verifying the fix
### References
- Source reports: L2:11.2.3.md, L2:11.6.1.md
- Related findings: FINDING-058
- ASVS sections: 11.2.3, 11.6.1
### Priority
High
---
**Triage notes:** discussion, long-term, find standard and choose a spec
level; allow 2048, new keys to be 4096 (add a check, sbp)
--
This is an automated message from the Apache Git Service.