From e563a1795dfc1bec897b727fc097345d596810b2 Mon Sep 17 00:00:00 2001 From: Hayden Blauzvern Date: Fri, 3 Jun 2022 20:02:51 +0000 Subject: [PATCH] Improve error message when using ED25519 with HashedRekord type ED25519 signatures are not supported with the hashedrekord type, though they are supported with rekord. The reason is that ED25519 computes the digest as part of its algorithm, so the original artifact is needed to verify a signature. The previous error message was very unclear, complaining about a nil message. Signed-off-by: Hayden Blauzvern --- pkg/types/hashedrekord/v0.0.1/entry.go | 6 +++++ pkg/types/hashedrekord/v0.0.1/entry_test.go | 29 +++++++++++++++++++++ 2 files changed, 35 insertions(+) diff --git a/pkg/types/hashedrekord/v0.0.1/entry.go b/pkg/types/hashedrekord/v0.0.1/entry.go index f405eb5fb..c44c568a1 100644 --- a/pkg/types/hashedrekord/v0.0.1/entry.go +++ b/pkg/types/hashedrekord/v0.0.1/entry.go @@ -18,6 +18,7 @@ package hashedrekord import ( "bytes" "context" + "crypto/ed25519" "crypto/sha256" "encoding/hex" "encoding/json" @@ -159,6 +160,11 @@ func (v *V001Entry) validate() (pki.Signature, pki.PublicKey, error) { return nil, nil, types.ValidationError(err) } + _, isEd25519 := keyObj.CryptoPubKey().(ed25519.PublicKey) + if isEd25519 { + return nil, nil, types.ValidationError(errors.New("ed25519 unsupported for hashedrekord")) + } + data := v.HashedRekordObj.Data if data == nil { return nil, nil, types.ValidationError(errors.New("missing data")) diff --git a/pkg/types/hashedrekord/v0.0.1/entry_test.go b/pkg/types/hashedrekord/v0.0.1/entry_test.go index 449fbbf0c..99b1177d7 100644 --- a/pkg/types/hashedrekord/v0.0.1/entry_test.go +++ b/pkg/types/hashedrekord/v0.0.1/entry_test.go @@ -20,6 +20,7 @@ import ( "context" "crypto" "crypto/ecdsa" + "crypto/ed25519" "crypto/elliptic" "crypto/rand" "crypto/sha256" @@ -73,6 +74,20 @@ func TestCrossFieldValidation(t *testing.T) { Type: "PUBLIC KEY", }) + // testing lack of support for ed25519 + invalidEdPubKey, _, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + t.Fatal(err) + } + invalidDer, err := x509.MarshalPKIXPublicKey(invalidEdPubKey) + if err != nil { + t.Fatal(err) + } + invalidKeyBytes := pem.EncodeToMemory(&pem.Block{ + Bytes: invalidDer, + Type: "PUBLIC KEY", + }) + dataBytes := []byte("sign me!") h := sha256.Sum256(dataBytes) dataSHA := hex.EncodeToString(h[:]) @@ -124,6 +139,20 @@ func TestCrossFieldValidation(t *testing.T) { }, expectUnmarshalSuccess: false, }, + { + caseDesc: "signature with ed25519 public key", + entry: V001Entry{ + HashedRekordObj: models.HashedrekordV001Schema{ + Signature: &models.HashedrekordV001SchemaSignature{ + Content: sigBytes, + PublicKey: &models.HashedrekordV001SchemaSignaturePublicKey{ + Content: invalidKeyBytes, + }, + }, + }, + }, + expectUnmarshalSuccess: false, + }, { caseDesc: "signature without data", entry: V001Entry{