suzanne.soy/fork-openpgpjs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Reject signatures with hash digest shorter than 256-bit for ed25519

Browse Source 
As mandated by the new crypto-refresh spec.
This applies to both the new and legacy EdDSA format.
For the legacy signatures, it is not expected to be a breaking change, since the spec
already mandated the use SHA-256 (or stronger).
This commit is contained in:
larabr 2023-10-03 18:07:49 +02:00
parent c0f57dffb2
commit a12ca976a0
3 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/crypto/crypto.js
View File

@ -480,7 +480,7 @@ export function getPreferredCurveHashAlgo(algo, oid) {
case enums.publicKey.eddsaLegacy: case enums.publicKey.eddsaLegacy:
return publicKey.elliptic.getPreferredHashAlgo(oid); return publicKey.elliptic.getPreferredHashAlgo(oid);
case enums.publicKey.ed25519: case enums.publicKey.ed25519:
return enums.hash.sha256; return publicKey.elliptic.eddsa.getPreferredHashAlgo(algo);
default: default:
throw new Error('Unknown elliptic signing algo'); throw new Error('Unknown elliptic signing algo');
} }

17
src/crypto/public_key/elliptic/eddsa.js
View File

@ -61,9 +61,8 @@ export async function generate(algo) {
* @async * @async
*/ */
export async function sign(algo, hashAlgo, message, publicKey, privateKey, hashed) { export async function sign(algo, hashAlgo, message, publicKey, privateKey, hashed) {
if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) { if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo(algo))) {
// see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2 throw new Error('Hash algorithm too weak for EdDSA.');
throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
} }
switch (algo) { switch (algo) {
case enums.publicKey.ed25519: { case enums.publicKey.ed25519: {
@ -90,6 +89,9 @@ export async function sign(algo, hashAlgo, message, publicKey, privateKey, hashe
* @async * @async
*/ */
export async function verify(algo, hashAlgo, { RS }, m, publicKey, hashed) { export async function verify(algo, hashAlgo, { RS }, m, publicKey, hashed) {
if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(getPreferredHashAlgo(algo))) {
throw new Error('Hash algorithm too weak for EdDSA.');
}
switch (algo) { switch (algo) {
case enums.publicKey.ed25519: { case enums.publicKey.ed25519: {
return nacl.sign.detached.verify(hashed, RS, publicKey); return nacl.sign.detached.verify(hashed, RS, publicKey);
@ -124,3 +126,12 @@ export async function validateParams(algo, A, seed) {
return false; return false;
} }
} }
export function getPreferredHashAlgo(algo) {
switch (algo) {
case enums.publicKey.ed25519:
return enums.hash.sha256;
default:
throw new Error('Unknown EdDSA algo');
}
}

5
src/crypto/public_key/elliptic/eddsa_legacy.js
View File

@ -47,7 +47,7 @@ nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest());
export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) { export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {
if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) { if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
// see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2 // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.'); throw new Error('Hash algorithm too weak for EdDSA.');
} }
const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]); const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
const signature = nacl.sign.detached(hashed, secretKey); const signature = nacl.sign.detached(hashed, secretKey);
@ -71,6 +71,9 @@ export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed
* @async * @async
*/ */
export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) { export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
throw new Error('Hash algorithm too weak for EdDSA.');
}
const signature = util.concatUint8Array([r, s]); const signature = util.concatUint8Array([r, s]);
return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1)); return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
} }