// Verify does the actual check. func (v RSAPSSVerifier) Verify(key data.Key, sig []byte, msg []byte) error { algorithm := key.Algorithm() var pubKey crypto.PublicKey switch algorithm { case data.RSAx509Key: pemCert, _ := pem.Decode([]byte(key.Public())) if pemCert == nil { logrus.Infof("failed to decode PEM-encoded x509 certificate") return ErrInvalid } cert, err := x509.ParseCertificate(pemCert.Bytes) if err != nil { logrus.Infof("failed to parse x509 certificate: %s\n", err) return ErrInvalid } pubKey = cert.PublicKey case data.RSAKey: var err error pubKey, err = x509.ParsePKIXPublicKey(key.Public()) if err != nil { logrus.Infof("failed to parse public key: %s\n", err) return ErrInvalid } default: logrus.Infof("invalid key type for RSAPSS verifier: %s", algorithm) return ErrInvalid } digest := sha256.Sum256(msg) return verifyPSS(pubKey, digest[:], sig) }
func (v Ed25519Verifier) Verify(key data.Key, sig []byte, msg []byte) error { var sigBytes [ed25519.SignatureSize]byte if len(sig) != len(sigBytes) { logrus.Infof("signature length is incorrect, must be %d, was %d.", ed25519.SignatureSize, len(sig)) return ErrInvalid } copy(sigBytes[:], sig) var keyBytes [ed25519.PublicKeySize]byte copy(keyBytes[:], key.Public()) if !ed25519.Verify(&keyBytes, msg, &sigBytes) { logrus.Infof("failed ed25519 verification") return ErrInvalid } return nil }
// Verify does the actual check. // N.B. We have not been able to make this work in a way that is compatible // with PyCrypto. func (v RSAPyCryptoVerifier) Verify(key data.Key, sig []byte, msg []byte) error { digest := sha256.Sum256(msg) k, _ := pem.Decode([]byte(key.Public())) if k == nil { logrus.Infof("failed to decode PEM-encoded x509 certificate") return ErrInvalid } pub, err := x509.ParsePKIXPublicKey(k.Bytes) if err != nil { logrus.Infof("failed to parse public key: %s\n", err) return ErrInvalid } return verifyPSS(pub, digest[:], sig) }
func (v RSAPemVerifier) Verify(key data.Key, sig []byte, msg []byte) error { digest := sha256.Sum256(msg) k, _ := pem.Decode([]byte(key.Public())) cert, err := x509.ParseCertificate(k.Bytes) if err != nil { logrus.Errorf("Failed to parse public key: %s\n", err.Error()) return ErrInvalid } rsaPub, ok := cert.PublicKey.(*rsa.PublicKey) if !ok { logrus.Infof("Value returned from ParsePKIXPublicKey was not an RSA public key") return ErrInvalid } if err = rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil { logrus.Errorf("Failed verification: %s", err.Error()) return ErrInvalid } return nil }
func (v RSAVerifier) Verify(key data.Key, sig []byte, msg []byte) error { digest := sha256.Sum256(msg) keyReader := base64.NewDecoder(base64.StdEncoding, strings.NewReader(key.Public())) keyBytes, _ := ioutil.ReadAll(keyReader) pub, err := x509.ParsePKIXPublicKey(keyBytes) if err != nil { logrus.Infof("Failed to parse public key: %s\n", err) return ErrInvalid } rsaPub, ok := pub.(*rsa.PublicKey) if !ok { logrus.Infof("Value returned from ParsePKIXPublicKey was not an RSA public key") return ErrInvalid } if err = rsa.VerifyPKCS1v15(rsaPub, crypto.SHA256, digest[:], sig); err != nil { logrus.Infof("Failed verification: %s", err) return ErrInvalid } return nil }
// Verify does the actual check. // N.B. We have not been able to make this work in a way that is compatible // with PyCrypto. func (v RSAPSSVerifier) Verify(key data.Key, sig []byte, msg []byte) error { digest := sha256.Sum256(msg) k, _ := pem.Decode([]byte(key.Public())) pub, err := x509.ParsePKIXPublicKey(k.Bytes) if err != nil { logrus.Infof("Failed to parse public key: %s\n", err) return ErrInvalid } rsaPub, ok := pub.(*rsa.PublicKey) if !ok { logrus.Infof("Value returned from ParsePKIXPublicKey was not an RSA public key") return ErrInvalid } opts := rsa.PSSOptions{SaltLength: sha256.Size, Hash: crypto.SHA256} if err = rsa.VerifyPSS(rsaPub, crypto.SHA256, digest[:], sig, &opts); err != nil { logrus.Infof("Failed verification: %s", err) return ErrInvalid } return nil }
// Verify does the actual check. func (v ECDSAVerifier) Verify(key data.Key, sig []byte, msg []byte) error { algorithm := key.Algorithm() var pubKey crypto.PublicKey switch algorithm { case data.ECDSAx509Key: pemCert, _ := pem.Decode([]byte(key.Public())) if pemCert == nil { logrus.Infof("failed to decode PEM-encoded x509 certificate for keyID: %s", key.ID()) logrus.Debugf("certificate bytes: %s", string(key.Public())) return ErrInvalid } cert, err := x509.ParseCertificate(pemCert.Bytes) if err != nil { logrus.Infof("failed to parse x509 certificate: %s\n", err) return ErrInvalid } pubKey = cert.PublicKey case data.ECDSAKey: var err error pubKey, err = x509.ParsePKIXPublicKey(key.Public()) if err != nil { logrus.Infof("Failed to parse private key for keyID: %s, %s\n", key.ID(), err) return ErrInvalid } default: logrus.Infof("invalid key type for ECDSA verifier: %s", algorithm) return ErrInvalid } ecdsaPubKey, ok := pubKey.(*ecdsa.PublicKey) if !ok { logrus.Infof("value isn't an ECDSA public key") return ErrInvalid } sigLength := len(sig) expectedOctetLength := 2 * ((ecdsaPubKey.Params().BitSize + 7) >> 3) if sigLength != expectedOctetLength { logrus.Infof("signature had an unexpected length") return ErrInvalid } rBytes, sBytes := sig[:sigLength/2], sig[sigLength/2:] r := new(big.Int).SetBytes(rBytes) s := new(big.Int).SetBytes(sBytes) digest := sha256.Sum256(msg) if !ecdsa.Verify(ecdsaPubKey, digest[:], r, s) { logrus.Infof("failed ECDSA signature validation") return ErrInvalid } return nil }