Skip to content

Commit

Permalink
Remove VerifyDetachedSignatureAndSaltedHash and SaltedHashSpecifier (#…
Browse files Browse the repository at this point in the history
…196)

This commit removes the openpgp.VerifyDetachedSignatureAndSaltedHash function and the packet.SaltedHashSpecifier as they are not required anymore. They were introduced for verifying the headers in cleartext messages. However, in the latest crypto refresh specification, cleartext message headers were dropped.
  • Loading branch information
lubux authored Jan 24, 2024
1 parent f60acf6 commit 9d2beb2
Show file tree
Hide file tree
Showing 3 changed files with 10 additions and 44 deletions.
7 changes: 0 additions & 7 deletions openpgp/packet/signature.go
Original file line number Diff line number Diff line change
Expand Up @@ -127,13 +127,6 @@ type VerifiableSignature struct {
Packet *Signature
}

// SaltedHashSpecifier specifies that the given salt and hash are
// used by a v6 signature.
type SaltedHashSpecifier struct {
Hash crypto.Hash
Salt []byte
}

// NewVerifiableSig returns a struct of type VerifiableSignature referencing the input signature.
func NewVerifiableSig(signature *Signature) *VerifiableSignature {
return &VerifiableSignature{
Expand Down
45 changes: 10 additions & 35 deletions openpgp/read.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@
package openpgp // import "github.com/ProtonMail/go-crypto/openpgp"

import (
"bytes"
"crypto"
_ "crypto/sha256"
_ "crypto/sha512"
Expand Down Expand Up @@ -455,45 +454,32 @@ func (scr *signatureCheckReader) Read(buf []byte) (int, error) {
// if any, and a possible signature verification error.
// If the signer isn't known, ErrUnknownIssuer is returned.
func VerifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
return verifyDetachedSignature(keyring, signed, signature, nil, nil, false, config)
return verifyDetachedSignature(keyring, signed, signature, nil, false, config)
}

// VerifyDetachedSignatureAndHash performs the same actions as
// VerifyDetachedSignature and checks that the expected hash functions were used.
func VerifyDetachedSignatureAndHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
return verifyDetachedSignature(keyring, signed, signature, expectedHashes, nil, true, config)
}

// VerifyDetachedSignatureAndSaltedHash performs the same actions as
// VerifyDetachedSignature and checks that the expected hash functions and salts were used.
func VerifyDetachedSignatureAndSaltedHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, expectedSaltedHashes []*packet.SaltedHashSpecifier, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
return verifyDetachedSignature(keyring, signed, signature, expectedHashes, expectedSaltedHashes, true, config)
return verifyDetachedSignature(keyring, signed, signature, expectedHashes, true, config)
}

// CheckDetachedSignature takes a signed file and a detached signature and
// returns the entity the signature was signed by, if any, and a possible
// signature verification error. If the signer isn't known,
// ErrUnknownIssuer is returned.
func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (signer *Entity, err error) {
_, signer, err = verifyDetachedSignature(keyring, signed, signature, nil, nil, false, config)
return
}

// CheckDetachedSignatureAndSaltedHash performs the same actions as
// CheckDetachedSignature and checks that the expected hash functions or salted hash functions were used.
func CheckDetachedSignatureAndSaltedHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, expectedSaltedHashes []*packet.SaltedHashSpecifier, config *packet.Config) (signer *Entity, err error) {
_, signer, err = verifyDetachedSignature(keyring, signed, signature, expectedHashes, expectedSaltedHashes, true, config)
_, signer, err = verifyDetachedSignature(keyring, signed, signature, nil, false, config)
return
}

// CheckDetachedSignatureAndHash performs the same actions as
// CheckDetachedSignature and checks that the expected hash functions were used.
func CheckDetachedSignatureAndHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, config *packet.Config) (signer *Entity, err error) {
_, signer, err = verifyDetachedSignature(keyring, signed, signature, expectedHashes, nil, true, config)
_, signer, err = verifyDetachedSignature(keyring, signed, signature, expectedHashes, true, config)
return
}

func verifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, expectedSaltedHashes []*packet.SaltedHashSpecifier, checkHashes bool, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
func verifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, checkHashes bool, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
var issuerKeyId uint64
var hashFunc crypto.Hash
var sigType packet.SignatureType
Expand Down Expand Up @@ -523,22 +509,11 @@ func verifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, expec
sigType = sig.SigType
if checkHashes {
matchFound := false
if sig.Version == 6 {
// check for salted hashes
for _, expectedSaltedHash := range expectedSaltedHashes {
if hashFunc == expectedSaltedHash.Hash && bytes.Equal(sig.Salt(), expectedSaltedHash.Salt) {
matchFound = true
break
}
}

} else {
// check for hashes
for _, expectedHash := range expectedHashes {
if hashFunc == expectedHash {
matchFound = true
break
}
// check for hashes
for _, expectedHash := range expectedHashes {
if hashFunc == expectedHash {
matchFound = true
break
}
}
if !matchFound {
Expand Down
2 changes: 0 additions & 2 deletions openpgp/v2/read.go
Original file line number Diff line number Diff line change
Expand Up @@ -669,8 +669,6 @@ func VerifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, confi
// Once all data is read from md.UnverifiedBody the detached signature is verified.
// If a verification error occurs it is stored in md.SignatureError
// If the signer isn't known, ErrUnknownIssuer is returned.
// If expectedHashes or expectedSaltedHashes is not nil, the method checks
// if they match the signatures metadata or else return an error
func VerifyDetachedSignatureReader(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (md *MessageDetails, err error) {
return verifyDetachedSignatureReader(keyring, signed, signature, config)
}
Expand Down

0 comments on commit 9d2beb2

Please sign in to comment.