Don't enforce public key compliance
You have to trust the public key anyways, so compliance checks are superfluous.
parent
f75c47d9ca
commit
902755d4e8
|
@ -3,22 +3,17 @@ package ct
|
||||||
import (
|
import (
|
||||||
"crypto"
|
"crypto"
|
||||||
"crypto/ecdsa"
|
"crypto/ecdsa"
|
||||||
"crypto/elliptic"
|
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/asn1"
|
"encoding/asn1"
|
||||||
"encoding/pem"
|
"encoding/pem"
|
||||||
"errors"
|
"errors"
|
||||||
"flag"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
"log"
|
||||||
"math/big"
|
"math/big"
|
||||||
)
|
)
|
||||||
|
|
||||||
var allowVerificationWithNonCompliantKeys = flag.Bool("allow_verification_with_non_compliant_keys", false,
|
|
||||||
"Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.")
|
|
||||||
|
|
||||||
// PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
|
// PublicKeyFromPEM parses a PEM formatted block and returns the public key contained within and any remaining unread bytes, or an error.
|
||||||
func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error) {
|
func PublicKeyFromPEM(b []byte) (crypto.PublicKey, SHA256Hash, []byte, error) {
|
||||||
p, rest := pem.Decode(b)
|
p, rest := pem.Decode(b)
|
||||||
|
@ -38,23 +33,7 @@ type SignatureVerifier struct {
|
||||||
func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error) {
|
func NewSignatureVerifier(pk crypto.PublicKey) (*SignatureVerifier, error) {
|
||||||
switch pkType := pk.(type) {
|
switch pkType := pk.(type) {
|
||||||
case *rsa.PublicKey:
|
case *rsa.PublicKey:
|
||||||
if pkType.N.BitLen() < 2048 {
|
|
||||||
e := fmt.Errorf("public key is RSA with < 2048 bits (size:%d)", pkType.N.BitLen())
|
|
||||||
if !(*allowVerificationWithNonCompliantKeys) {
|
|
||||||
return nil, e
|
|
||||||
}
|
|
||||||
log.Printf("WARNING: %v", e)
|
|
||||||
}
|
|
||||||
case *ecdsa.PublicKey:
|
case *ecdsa.PublicKey:
|
||||||
params := *(pkType.Params())
|
|
||||||
if params != *elliptic.P256().Params() {
|
|
||||||
e := fmt.Errorf("public is ECDSA, but not on the P256 curve")
|
|
||||||
if !(*allowVerificationWithNonCompliantKeys) {
|
|
||||||
return nil, e
|
|
||||||
}
|
|
||||||
log.Printf("WARNING: %v", e)
|
|
||||||
|
|
||||||
}
|
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("Unsupported public key type %v", pkType)
|
return nil, fmt.Errorf("Unsupported public key type %v", pkType)
|
||||||
}
|
}
|
||||||
|
|
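Review bot: The `case *rsa.PublicKey:` and `case *ecdsa.PublicKey:` arms of NewSignatureVerifier are now empty, so every RSA size and every ECDSA curve is accepted silently, and nothing on the new side tells a caller that these requirements are no longer checked here. Trusting where a key came from does not establish its strength, so a verifier configured with an RSA key under 2048 bits or a non-P256 curve would now be built with no error and no log line. I would record that in the function's doc comment, e.g. `// NewSignatureVerifier does not check the RFC6962 key requirements (RSA >= 2048 bits, ECDSA on P256); callers must vet key strength themselves.` Separately, the default arm formats the key with `%v`, which prints the key's value rather than its type; `return nil, fmt.Errorf("Unsupported public key type %T", pkType)` would match the message. The function's doc comment and the rest of its body lie outside the hunk.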