From ce6db4ef0301fed84c8a02aad76f357cba088ccd Mon Sep 17 00:00:00 2001 From: Riccardo Schirone Date: Tue, 16 Jan 2024 14:15:55 +0100 Subject: [PATCH] Added support for Ed25519ph in HashedRekord entries - Made X509 Signatures configurable with LoadOptions - Removed existing check that limited the use of Ed25519 keys in HashedRekord entries - Used Ed25519ph Signer/Verifier for HashedRekord entries Signed-off-by: Riccardo Schirone --- pkg/pki/x509/x509.go | 12 +++++++++--- pkg/types/hashedrekord/v0.0.1/entry.go | 8 +------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/pkg/pki/x509/x509.go b/pkg/pki/x509/x509.go index b8d0148ee..104beedd5 100644 --- a/pkg/pki/x509/x509.go +++ b/pkg/pki/x509/x509.go @@ -38,17 +38,23 @@ import ( var EmailAddressOID asn1.ObjectIdentifier = []int{1, 2, 840, 113549, 1, 9, 1} type Signature struct { - signature []byte + signature []byte + verifierLoadOpts []sigsig.LoadOption } // NewSignature creates and validates an x509 signature object func NewSignature(r io.Reader) (*Signature, error) { + return NewSignatureWithOpts(r) +} + +func NewSignatureWithOpts(r io.Reader, opts ...sigsig.LoadOption) (*Signature, error) { b, err := io.ReadAll(r) if err != nil { return nil, err } return &Signature{ - signature: b, + signature: b, + verifierLoadOpts: opts, }, nil } @@ -84,7 +90,7 @@ func (s Signature) Verify(r io.Reader, k interface{}, opts ...sigsig.VerifyOptio } } - verifier, err := sigsig.LoadVerifier(p, crypto.SHA256) + verifier, err := sigsig.LoadVerifierWithOpts(p, s.verifierLoadOpts...) if err != nil { return err } diff --git a/pkg/types/hashedrekord/v0.0.1/entry.go b/pkg/types/hashedrekord/v0.0.1/entry.go index 4fa6ebac0..74b268ef0 100644 --- a/pkg/types/hashedrekord/v0.0.1/entry.go +++ b/pkg/types/hashedrekord/v0.0.1/entry.go @@ -19,7 +19,6 @@ import ( "bytes" "context" "crypto" - "crypto/ed25519" "crypto/sha256" "encoding/hex" "encoding/json" @@ -148,7 +147,7 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) { return nil, nil, types.ValidationError(errors.New("missing signature")) } // Hashed rekord type only works for x509 signature types - sigObj, err := x509.NewSignature(bytes.NewReader(sig.Content)) + sigObj, err := x509.NewSignatureWithOpts(bytes.NewReader(sig.Content), options.WithED25519ph()) if err != nil { return nil, nil, types.ValidationError(err) } @@ -162,11 +161,6 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) { return nil, nil, types.ValidationError(err) } - _, isEd25519 := keyObj.CryptoPubKey().(ed25519.PublicKey) - if isEd25519 { - return nil, nil, types.ValidationError(errors.New("ed25519 unsupported for hashedrekord")) - } - data := v.HashedRekordObj.Data if data == nil { return nil, nil, types.ValidationError(errors.New("missing data"))