Don't enforce public key compliance

You have to trust the public key anyways, so compliance checks are
superfluous.
This commit is contained in:
Andrew Ayer 2016-07-26 17:00:01 -07:00
parent f75c47d9ca
commit 902755d4e8
1 changed files with 0 additions and 21 deletions

View File

@ -3,22 +3,17 @@ package ct
import ( import (
"crypto" "crypto"
"crypto/ecdsa" "crypto/ecdsa"
"crypto/elliptic"
"crypto/rsa" "crypto/rsa"
"crypto/sha256" "crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/asn1" "encoding/asn1"
"encoding/pem" "encoding/pem"
"errors" "errors"
"flag"
"fmt" "fmt"
"log" "log"
"math/big" "math/big"
) )
var allowVerificationWithNonCompliantKeys = flag.Bool("allow_verification_with_non_compliant_keys", false,
"Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.")
// PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error. // PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error) { func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error) {
p, rest := pem.Decode(b) p, rest := pem.Decode(b)
@ -38,23 +33,7 @@ type SignatureVerifier struct {
func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error) { func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error) {
switch pkType := pk.(type) { switch pkType := pk.(type) {
case *rsa.PublicKey: case *rsa.PublicKey:
if pkType.N.BitLen() < 2048 {
e := fmt.Errorf("public key is RSA with < 2048 bits (size:%d)", pkType.N.BitLen())
if !(*allowVerificationWithNonCompliantKeys) {
return nil, e
}
log.Printf("WARNING: %v", e)
}
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
params := *(pkType.Params())
if params != *elliptic.P256().Params() {
e := fmt.Errorf("public is ECDSA, but not on the P256 curve")
if !(*allowVerificationWithNonCompliantKeys) {
return nil, e
}
log.Printf("WARNING: %v", e)
}
default: default:
return nil, fmt.Errorf("Unsupported public key type %v", pkType) return nil, fmt.Errorf("Unsupported public key type %v", pkType)
} }