Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redesign of Vec<u8> usage #20

Open
WingZer0o opened this issue Dec 31, 2024 · 4 comments
Open

Redesign of Vec<u8> usage #20

WingZer0o opened this issue Dec 31, 2024 · 4 comments

Comments

@WingZer0o
Copy link
Member

Major redesign required. Vec are stored on the heap.
@WingZer0o
Copy link
Member Author

@rakurame96

It is quite apparent sometimes when a byte array should be used. For instance when verifying with a public key in cas_rsa. You can see the hash and signature passing a reference of Vec into the verify function. This simply isn't necessary and can lead to security vulnerabilities within the life time of variables stored on the heap. Simple noobie mistake and moving way to fast.

fn verify(public_key: String, hash: Vec<u8>, signature: Vec<u8>) -> bool {
        let public_key = RsaPublicKey::from_pkcs1_pem(&public_key).unwrap();
        let verified = public_key.verify(Pkcs1v15Sign::new_unprefixed(), &hash, &signature);
        if verified.is_err() == false {
            return true;
        } else {
            return false;
        }
    }

Depends on where you want to start to be completely honest, you are now a member of the organization and should have read/write access directly to the repositories and shouldn't have to use your fork. It would be easier that way run test cases and things of that nature in your branch if you wanna work off the organization branch instead of the fork.

@rakurame96
Copy link
Contributor

I queried about the current problem statement in LLM (ChatGPT) and its response is like instead of passing it as a Vec pass them as a reference.
`
fn verify(public_key: &str, hash: &[u8], signature: &[u8]) -> bool {
// Parse the public key from PEM format
let public_key = RsaPublicKey::from_pkcs1_pem(public_key).expect("Invalid public key format");

// Perform the verification
public_key.verify(Pkcs1v15Sign::new_unprefixed(), hash, signature).is_ok()

}
`
Maybe should I proceed with this approach? It does seem to work, but I will wait until I make changes and test them

@WingZer0o
Copy link
Member Author

I do agree with this approach for the time being until I am proven otherwise.

If you check the ED25519-Dalek API you can see how those methods are passing byte arrays by reference.

@rakurame96
Copy link
Contributor

rakurame96 commented Jan 7, 2025 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rakurame96 @WingZer0o