Allow configurable client signing algorithms

[ret2libc]

Summary

This PR adds a --client-signing-algorithms flag to Fulcio to restrict what key/hash combinations are allowed.

Closes #1388
This is based on #1517, but I could not mark it as Ready because done by @tetsuo-cpp .

Release Note

Documentation

[ret2libc]

cc @haydentherapper

[codecov]

Codecov Report

Attention: Patch coverage is 52.70270% with 35 lines in your changes missing coverage. Please review.

Project coverage is 51.80%. Comparing base (cf238ac) to head (811b363).
Report is 301 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/server/grpc_server.go	52.63%	15 Missing and 3 partials ⚠️
cmd/app/serve.go	50.00%	16 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1938      +/-   ##
==========================================
- Coverage   57.93%   51.80%   -6.14%     
==========================================
  Files          50       73      +23     
  Lines        3119     5683    +2564     
==========================================
+ Hits         1807     2944    +1137     
- Misses       1154     2463    +1309     
- Partials      158      276     +118     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[haydentherapper]

two tiny comments, looks great otherwise, thanks!

[ret2libc]

I was testing the Cosign changes and I've realized this is not good in general.

Something like this seems to work:

		switch pk := publicKey.(type) {
		case ed25519.PublicKey:
			// Fulcio only works with PureEd25519
			hashFunc = crypto.Hash(0)
		case *ecdsa.PublicKey:
			switch pk.Curve {
			case elliptic.P256():
				hashFunc = crypto.SHA256
			case elliptic.P384():
				hashFunc = crypto.SHA384
			case elliptic.P521():
				hashFunc = crypto.SHA512
			default:
				hashFunc = crypto.SHA256
			}
		case *rsa.PublicKey:
			hashFunc = crypto.SHA256
		default:
			hashFunc = crypto.SHA256
		}

		// Check proof of possession signature
		if err := challenges.CheckSignatureWithOpts(publicKey, proofOfPossession, principal.Name(ctx), options.WithHash(hashFunc)); err != nil {
			return nil, handleFulcioGRPCError(ctx, codes.InvalidArgument, err, invalidSignature)
		}

@haydentherapper what do you think about this?

[haydentherapper]

Is this a breaking change? Currently, it's assumed that the digest is always SHA256 regardless of key type.

Can we work around this and note this as something to correct in a major version bump?

What about other clients as well? -python for example, is it always using sha256? Or has it just so happened that we didn't notice this because only RSA and ECDSA-P256 keys have been used?

[ret2libc]

Is this a breaking change? Currently, it's assumed that the digest is always SHA256 regardless of key type.

I guess it is, yes. Right now even if you use a elliptic.P384, you use sha256 so this would break things.

What about other clients as well? -python for example, is it always using sha256? Or has it just so happened that we didn't notice this because only RSA and ECDSA-P256 keys have been used?

sigstore-python always uses sha256 (https://github.com/sigstore/sigstore-python/blob/main/sigstore/sign.py#L158).

Can we work around this and note this as something to correct in a major version bump?

Ok I think we can get away with just enforcing SHA256 when doing SignMessage for the fulcio proof of possesion. We probably need to pay attention to just ed25519 because it would fail in that case, but apart from that it should be good.

Thanks for the feedback!

[haydentherapper]

Tracking for Fulcio v2 in #1945.

[haydentherapper]

Thank you!