Пример #1
0
// Verify does the actual check.
func (v RSAPSSVerifier) Verify(key data.Key, sig []byte, msg []byte) error {
	algorithm := key.Algorithm()
	var pubKey crypto.PublicKey

	switch algorithm {
	case data.RSAx509Key:
		pemCert, _ := pem.Decode([]byte(key.Public()))
		if pemCert == nil {
			logrus.Infof("failed to decode PEM-encoded x509 certificate")
			return ErrInvalid
		}
		cert, err := x509.ParseCertificate(pemCert.Bytes)
		if err != nil {
			logrus.Infof("failed to parse x509 certificate: %s\n", err)
			return ErrInvalid
		}
		pubKey = cert.PublicKey
	case data.RSAKey:
		var err error
		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
		if err != nil {
			logrus.Infof("failed to parse public key: %s\n", err)
			return ErrInvalid
		}
	default:
		logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm)
		return ErrInvalid
	}

	digest := sha256.Sum256(msg)

	return verifyPSS(pubKey, digest[:], sig)
}
Пример #2
0
func (v Ed25519Verifier) Verify(key data.Key, sig []byte, msg []byte) error {
	var sigBytes [ed25519.SignatureSize]byte
	if len(sig) != len(sigBytes) {
		logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig))
		return ErrInvalid
	}
	copy(sigBytes[:], sig)

	var keyBytes [ed25519.PublicKeySize]byte
	copy(keyBytes[:], key.Public())

	if !ed25519.Verify(&keyBytes, msg, &sigBytes) {
		logrus.Infof("failed ed25519 verification")
		return ErrInvalid
	}
	return nil
}
Пример #3
0
// Verify does the actual check.
// N.B. We have not been able to make this work in a way that is compatible
// with PyCrypto.
func (v RSAPyCryptoVerifier) Verify(key data.Key, sig []byte, msg []byte) error {
	digest := sha256.Sum256(msg)

	k, _ := pem.Decode([]byte(key.Public()))
	if k == nil {
		logrus.Infof("failed to decode PEM-encoded x509 certificate")
		return ErrInvalid
	}

	pub, err := x509.ParsePKIXPublicKey(k.Bytes)
	if err != nil {
		logrus.Infof("failed to parse public key: %s\n", err)
		return ErrInvalid
	}

	return verifyPSS(pub, digest[:], sig)
}
Пример #4
0
func (v RSAPemVerifier) Verify(key data.Key, sig []byte, msg []byte) error {
	digest := sha256.Sum256(msg)

	k, _ := pem.Decode([]byte(key.Public()))
	cert, err := x509.ParseCertificate(k.Bytes)
	if err != nil {
		logrus.Errorf("Failed to parse public key: %s\n", err.Error())
		return ErrInvalid
	}

	rsaPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		logrus.Infof("Value returned from ParsePKIXPublicKey was not an RSA public key")
		return ErrInvalid
	}

	if err = rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil {
		logrus.Errorf("Failed verification: %s", err.Error())
		return ErrInvalid
	}
	return nil
}
Пример #5
0
func (v RSAVerifier) Verify(key data.Key, sig []byte, msg []byte) error {
	digest := sha256.Sum256(msg)
	keyReader := base64.NewDecoder(base64.StdEncoding, strings.NewReader(key.Public()))
	keyBytes, _ := ioutil.ReadAll(keyReader)
	pub, err := x509.ParsePKIXPublicKey(keyBytes)
	if err != nil {
		logrus.Infof("Failed to parse public key: %s\n", err)
		return ErrInvalid
	}

	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		logrus.Infof("Value returned from ParsePKIXPublicKey was not an RSA public key")
		return ErrInvalid
	}

	if err = rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil {
		logrus.Infof("Failed verification: %s", err)
		return ErrInvalid
	}
	return nil
}
Пример #6
0
// Verify does the actual check.
// N.B. We have not been able to make this work in a way that is compatible
// with PyCrypto.
func (v RSAPSSVerifier) Verify(key data.Key, sig []byte, msg []byte) error {
	digest := sha256.Sum256(msg)

	k, _ := pem.Decode([]byte(key.Public()))
	pub, err := x509.ParsePKIXPublicKey(k.Bytes)
	if err != nil {
		logrus.Infof("Failed to parse public key: %s\n", err)
		return ErrInvalid
	}

	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		logrus.Infof("Value returned from ParsePKIXPublicKey was not an RSA public key")
		return ErrInvalid
	}

	opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256}
	if err = rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil {
		logrus.Infof("Failed verification: %s", err)
		return ErrInvalid
	}
	return nil
}
Пример #7
0
// Verify does the actual check.
func (v ECDSAVerifier) Verify(key data.Key, sig []byte, msg []byte) error {
	algorithm := key.Algorithm()
	var pubKey crypto.PublicKey

	switch algorithm {
	case data.ECDSAx509Key:
		pemCert, _ := pem.Decode([]byte(key.Public()))
		if pemCert == nil {
			logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID())
			logrus.Debugf("certificate bytes: %s", string(key.Public()))
			return ErrInvalid
		}
		cert, err := x509.ParseCertificate(pemCert.Bytes)
		if err != nil {
			logrus.Infof("failed to parse x509 certificate: %s\n", err)
			return ErrInvalid
		}
		pubKey = cert.PublicKey
	case data.ECDSAKey:
		var err error
		pubKey, err = x509.ParsePKIXPublicKey(key.Public())
		if err != nil {
			logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err)
			return ErrInvalid
		}
	default:
		logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm)
		return ErrInvalid
	}

	ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey)
	if !ok {
		logrus.Infof("value isn't an ECDSA public key")
		return ErrInvalid
	}

	sigLength := len(sig)
	expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3)
	if sigLength != expectedOctetLength {
		logrus.Infof("signature had an unexpected length")
		return ErrInvalid
	}

	rBytes, sBytes := sig[:sigLength/2], sig[sigLength/2:]
	r := new(big.Int).SetBytes(rBytes)
	s := new(big.Int).SetBytes(sBytes)

	digest := sha256.Sum256(msg)

	if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) {
		logrus.Infof("failed ECDSA signature validation")
		return ErrInvalid
	}

	return nil
}