deprecated_ecdsa.go

Documentation: github.com/theupdateframework/go-tuf/pkg/keys

     1  package keys
     2  
     3  import (
     4  	"bytes"
     5  	"crypto/ecdsa"
     6  	"crypto/elliptic"
     7  	"crypto/sha256"
     8  	"encoding/json"
     9  	"errors"
    10  	"fmt"
    11  	"io"
    12  
    13  	"github.com/theupdateframework/go-tuf/data"
    14  )
    15  
    16  func NewDeprecatedEcdsaVerifier() Verifier {
    17  	return &ecdsaVerifierWithDeprecatedSupport{}
    18  }
    19  
    20  type ecdsaVerifierWithDeprecatedSupport struct {
    21  	key *data.PublicKey
    22  	// This will switch based on whether this is a PEM-encoded key
    23  	// or a deprecated hex-encoded key.
    24  	Verifier
    25  }
    26  
    27  func (p *ecdsaVerifierWithDeprecatedSupport) UnmarshalPublicKey(key *data.PublicKey) error {
    28  	p.key = key
    29  	pemVerifier := &EcdsaVerifier{}
    30  	if err := pemVerifier.UnmarshalPublicKey(key); err != nil {
    31  		// Try the deprecated hex-encoded verifier
    32  		hexVerifier := &deprecatedP256Verifier{}
    33  		if err := hexVerifier.UnmarshalPublicKey(key); err != nil {
    34  			return err
    35  		}
    36  		p.Verifier = hexVerifier
    37  		return nil
    38  	}
    39  	p.Verifier = pemVerifier
    40  	return nil
    41  }
    42  
    43  /*
    44     Deprecated ecdsaVerifier that used hex-encoded public keys.
    45     This MAY be used to verify existing metadata that used this
    46     old format. This will be deprecated soon, ensure that repositories
    47     are re-signed and clients receieve a fully compliant root.
    48  */
    49  
    50  type deprecatedP256Verifier struct {
    51  	PublicKey data.HexBytes `json:"public"`
    52  	key       *data.PublicKey
    53  }
    54  
    55  func (p *deprecatedP256Verifier) Public() string {
    56  	return p.PublicKey.String()
    57  }
    58  
    59  func (p *deprecatedP256Verifier) Verify(msg, sigBytes []byte) error {
    60  	x, y := elliptic.Unmarshal(elliptic.P256(), p.PublicKey)
    61  	k := &ecdsa.PublicKey{
    62  		Curve: elliptic.P256(),
    63  		X:     x,
    64  		Y:     y,
    65  	}
    66  
    67  	hash := sha256.Sum256(msg)
    68  
    69  	if !ecdsa.VerifyASN1(k, hash[:], sigBytes) {
    70  		return errors.New("tuf: deprecated ecdsa signature verification failed")
    71  	}
    72  	return nil
    73  }
    74  
    75  func (p *deprecatedP256Verifier) MarshalPublicKey() *data.PublicKey {
    76  	return p.key
    77  }
    78  
    79  func (p *deprecatedP256Verifier) UnmarshalPublicKey(key *data.PublicKey) error {
    80  	// Prepare decoder limited to 512Kb
    81  	dec := json.NewDecoder(io.LimitReader(bytes.NewReader(key.Value), MaxJSONKeySize))
    82  
    83  	// Unmarshal key value
    84  	if err := dec.Decode(p); err != nil {
    85  		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
    86  			return fmt.Errorf("tuf: the public key is truncated or too large: %w", err)
    87  		}
    88  		return err
    89  	}
    90  
    91  	curve := elliptic.P256()
    92  
    93  	// Parse as uncompressed marshalled point.
    94  	x, _ := elliptic.Unmarshal(curve, p.PublicKey)
    95  	if x == nil {
    96  		return errors.New("tuf: invalid ecdsa public key point")
    97  	}
    98  
    99  	p.key = key
   100  	return nil
   101  }
   102
View as plain text