diff --git a/openpgp/packet/signature.go b/openpgp/packet/signature.go
index ff14da31..42062538 100644
--- a/openpgp/packet/signature.go
+++ b/openpgp/packet/signature.go
@@ -127,13 +127,6 @@ type VerifiableSignature struct {
 Packet *Signature
 }
 
-// SaltedHashSpecifier specifies that the given salt and hash are
-// used by a v6 signature.
-type SaltedHashSpecifier struct {
- Hash crypto.Hash
- Salt []byte
-}
-
 // NewVerifiableSig returns a struct of type VerifiableSignature referencing the input signature.
 func NewVerifiableSig(signature *Signature) *VerifiableSignature {
 return &VerifiableSignature{
diff --git a/openpgp/read.go b/openpgp/read.go
index ac897d70..40850659 100644
--- a/openpgp/read.go
+++ b/openpgp/read.go
@@ -6,7 +6,6 @@ package openpgp // import "github.com/ProtonMail/go-crypto/openpgp"
 
 import (
- "bytes"
 "crypto"
 _ "crypto/sha256"
 _ "crypto/sha512"
@@ -455,19 +454,13 @@ func (scr *signatureCheckReader) Read(buf []byte) (int, error) {
 // if any, and a possible signature verification error.
 // If the signer isn't known, ErrUnknownIssuer is returned.
 func VerifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
- return verifyDetachedSignature(keyring, signed, signature, nil, nil, false, config)
+ return verifyDetachedSignature(keyring, signed, signature, nil, false, config)
 }
 
 // VerifyDetachedSignatureAndHash performs the same actions as
 // VerifyDetachedSignature and checks that the expected hash functions were used.
 func VerifyDetachedSignatureAndHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
- return verifyDetachedSignature(keyring, signed, signature, expectedHashes, nil, true, config)
-}
-
-// VerifyDetachedSignatureAndSaltedHash performs the same actions as
-// VerifyDetachedSignature and checks that the expected hash functions and salts were used.
-func VerifyDetachedSignatureAndSaltedHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, expectedSaltedHashes []*packet.SaltedHashSpecifier, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
- return verifyDetachedSignature(keyring, signed, signature, expectedHashes, expectedSaltedHashes, true, config)
+ return verifyDetachedSignature(keyring, signed, signature, expectedHashes, true, config)
 }
 
 // CheckDetachedSignature takes a signed file and a detached signature and
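Review bot: Removing the exported `VerifyDetachedSignatureAndSaltedHash` here (and `CheckDetachedSignatureAndSaltedHash` plus `packet.SaltedHashSpecifier` in the other hunks) is an API break for importers of this package, and none of the surviving doc comments tells a caller what replaces it. If the salt check is meant to live only in the v2 package from now on, a sentence on the surviving wrapper such as `// For v6 signatures only the hash algorithm is compared; the signature salt is not checked by this function.` would make the reduced guarantee explicit at the call site. Otherwise a `// Deprecated:` cycle before deleting the symbols would be the conventional path.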
@@ -475,25 +468,18 @@ func VerifyDetachedSignatureAndSaltedHash(keyring KeyRing, signed, signature io.
 // signature verification error. If the signer isn't known,
 // ErrUnknownIssuer is returned.
 func CheckDetachedSignature(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (signer *Entity, err error) {
- _, signer, err = verifyDetachedSignature(keyring, signed, signature, nil, nil, false, config)
- return
-}
-
-// CheckDetachedSignatureAndSaltedHash performs the same actions as
-// CheckDetachedSignature and checks that the expected hash functions or salted hash functions were used.
-func CheckDetachedSignatureAndSaltedHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, expectedSaltedHashes []*packet.SaltedHashSpecifier, config *packet.Config) (signer *Entity, err error) {
- _, signer, err = verifyDetachedSignature(keyring, signed, signature, expectedHashes, expectedSaltedHashes, true, config)
+ _, signer, err = verifyDetachedSignature(keyring, signed, signature, nil, false, config)
 return
 }
 
 // CheckDetachedSignatureAndHash performs the same actions as
 // CheckDetachedSignature and checks that the expected hash functions were used.
 func CheckDetachedSignatureAndHash(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, config *packet.Config) (signer *Entity, err error) {
- _, signer, err = verifyDetachedSignature(keyring, signed, signature, expectedHashes, nil, true, config)
+ _, signer, err = verifyDetachedSignature(keyring, signed, signature, expectedHashes, true, config)
 return
 }
 
-func verifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, expectedSaltedHashes []*packet.SaltedHashSpecifier, checkHashes bool, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
+func verifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, expectedHashes []crypto.Hash, checkHashes bool, config *packet.Config) (sig *packet.Signature, signer *Entity, err error) {
 var issuerKeyId uint64
 var hashFunc crypto.Hash
 var sigType packet.SignatureType
@@ -523,22 +509,11 @@ func verifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, expec
 sigType = sig.SigType
 if checkHashes {
 matchFound := false
- if sig.Version == 6 {
- // check for salted hashes
- for _, expectedSaltedHash := range expectedSaltedHashes {
- if hashFunc == expectedSaltedHash.Hash && bytes.Equal(sig.Salt(), expectedSaltedHash.Salt) {
- matchFound = true
- break
- }
- }
-
- } else {
- // check for hashes
- for _, expectedHash := range expectedHashes {
- if hashFunc == expectedHash {
- matchFound = true
- break
- }
+ // check for hashes
+ for _, expectedHash := range expectedHashes {
+ if hashFunc == expectedHash {
+ matchFound = true
+ break
 }
 }
 if !matchFound {
diff --git a/openpgp/v2/read.go b/openpgp/v2/read.go
index a8ed9349..880b9a3b 100644
--- a/openpgp/v2/read.go
+++ b/openpgp/v2/read.go
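Review bot: The new `verifyDetachedSignature` signature still carries no doc comment, and `checkHashes` is now the only thing that separates the four exported wrappers above it, so the contract belongs at the declaration: `// verifyDetachedSignature verifies a detached signature over signed. When checkHashes is true, the signature's hash algorithm must appear in expectedHashes; an empty expectedHashes therefore accepts no signature.` The empty-slice consequence follows from the `matchFound` loop in the following hunk, where nothing to range over leaves `matchFound` false; what `!matchFound` then produces lies outside these hunks, so confirm the wording against the error path before committing to it. The body of `verifyDetachedSignature` continues past the end of this hunk.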
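Review bot: With the `sig.Version == 6` branch removed, a v6 signature passes the `checkHashes` path as soon as `hashFunc` is in `expectedHashes`; the salt that was previously compared via `bytes.Equal(sig.Salt(), expectedSaltedHash.Salt)` is no longer bound to any caller-supplied value, which is a weaker check than the one this code replaces for callers that relied on it. If this package is still expected to verify v6 signatures, that should be stated above the loop, e.g. `// Only the hash algorithm is checked here; for v6 signatures the salt is not compared against a caller-supplied value.`; if the v1 API is instead meant to be v4-only, a comment saying so settles it equally well. As a point of style the loop reduces to `matchFound := slices.Contains(expectedHashes, hashFunc)` if the module's Go version permits `slices`. The enclosing function starts before and ends after this hunk.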
@@ -669,8 +669,6 @@ func VerifyDetachedSignature(keyring KeyRing, signed, signature io.Reader, confi
 // Once all data is read from md.UnverifiedBody the detached signature is verified.
 // If a verification error occurs it is stored in md.SignatureError
 // If the signer isn't known, ErrUnknownIssuer is returned.
-// If expectedHashes or expectedSaltedHashes is not nil, the method checks
-// if they match the signatures metadata or else return an error
 func VerifyDetachedSignatureReader(keyring KeyRing, signed, signature io.Reader, config *packet.Config) (md *MessageDetails, err error) {
 return verifyDetachedSignatureReader(keyring, signed, signature, config)
 }