WIP (passing) verifies RSA sig
parent
e8c50dee76
commit
ca84b8dbca
|
@ -141,7 +141,6 @@ func JOSESign(privkey keypairs.PrivateKey, hash []byte) []byte {
|
|||
// TODO: move to keypairs
|
||||
|
||||
func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
|
||||
var verified bool
|
||||
|
||||
switch pub := pubkey.Key().(type) {
|
||||
case *rsa.PublicKey:
|
||||
|
@ -149,8 +148,9 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
|
|||
//alg := "SHA256"
|
||||
// TODO: this hasn't been tested yet
|
||||
if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {
|
||||
verified = true
|
||||
return false
|
||||
}
|
||||
return true
|
||||
case *ecdsa.PublicKey:
|
||||
r := &big.Int{}
|
||||
r.SetBytes(sig[0:32])
|
||||
|
@ -158,12 +158,11 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
|
|||
s.SetBytes(sig[32:])
|
||||
fmt.Println("debug: sig len:", len(sig))
|
||||
fmt.Println("debug: r, s:", r, s)
|
||||
verified = ecdsa.Verify(pub, hash, r, s)
|
||||
return ecdsa.Verify(pub, hash, r, s)
|
||||
default:
|
||||
panic("impossible condition: non-rsa/non-ecdsa key")
|
||||
return false
|
||||
}
|
||||
|
||||
return verified
|
||||
}
|
||||
|
||||
func issueNonce(w http.ResponseWriter, r *http.Request) {
|
||||
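Review bot: The ECDSA branch of JOSEVerify slices `sig[0:32]` and `sig[32:]` with no length check, so a signature shorter than 32 bytes panics with a slice-bounds error instead of returning false. If `sig` can come from a request, that is a crash on untrusted input. The fixed 32-byte split also fits only P-256 keys; a guard such as `if len(sig) != 64 { return false }` before the `SetBytes` calls, or a size derived from `pub.Curve.Params().BitSize`, would fail closed. The same slicing appears in `Verify` in the second file section, and the two `fmt.Println("debug: ...")` lines in this branch are still present on the new side. The lines of JOSEVerify between the hunks are not shown, so an earlier length check cannot be ruled out from here.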
|
|
|
@ -49,14 +49,14 @@ func SignClaims(privkey keypairs.PrivateKey, header Object, claims Object) (*JWS
|
|||
}
|
||||
payload64 := base64.RawURLEncoding.EncodeToString(payload)
|
||||
|
||||
hash := sha256.Sum256([]byte(fmt.Sprintf(
|
||||
`%s.%s`,
|
||||
protected64,
|
||||
payload64,
|
||||
)))
|
||||
signable := fmt.Sprintf(`%s.%s`, protected64, payload64)
|
||||
hash := sha256.Sum256([]byte(signable))
|
||||
|
||||
sig := Sign(randsrc, privkey, hash[:])
|
||||
sig64 := base64.RawURLEncoding.EncodeToString(sig)
|
||||
//log.Printf("\n(Sign)\nSignable: %s", signable)
|
||||
//log.Printf("Hash: %s", hash)
|
||||
//log.Printf("Sig: %s", sig64)
|
||||
|
||||
return &JWS{
|
||||
Header: header,
|
||||
|
|
|
@ -73,26 +73,31 @@ func VerifyClaims(pubkey keypairs.PublicKey, jws *JWS) (bool, error) {
|
|||
fmt.Println("Security TODO: did not check jws.Claims[\"kid\"] against thumbprint")
|
||||
}
|
||||
|
||||
hash := sha256.Sum256([]byte(fmt.Sprintf("%s.%s", jws.Protected, jws.Payload)))
|
||||
signable := fmt.Sprintf("%s.%s", jws.Protected, jws.Payload)
|
||||
hash := sha256.Sum256([]byte(signable))
|
||||
sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
|
||||
if nil != err {
|
||||
return false, err
|
||||
}
|
||||
//log.Printf("\n(Verify)\nSignable: %s", signable)
|
||||
//log.Printf("Hash: %s", hash)
|
||||
//log.Printf("Sig: %s", jws.Signature)
|
||||
|
||||
return Verify(pub, hash[:], sig), nil
|
||||
}
|
||||
|
||||
func Verify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
|
||||
var verified bool
|
||||
|
||||
switch pub := pubkey.Key().(type) {
|
||||
case *rsa.PublicKey:
|
||||
//log.Printf("RSA VERIFY")
|
||||
// TODO keypairs.Size(key) to detect key size ?
|
||||
//alg := "SHA256"
|
||||
// TODO: this hasn't been tested yet
|
||||
if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {
|
||||
verified = true
|
||||
return false
|
||||
}
|
||||
return true
|
||||
case *ecdsa.PublicKey:
|
||||
r := &big.Int{}
|
||||
r.SetBytes(sig[0:32])
|
||||
|
@ -100,12 +105,11 @@ func Verify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
|
|||
s.SetBytes(sig[32:])
|
||||
fmt.Println("debug: sig len:", len(sig))
|
||||
fmt.Println("debug: r, s:", r, s)
|
||||
verified = ecdsa.Verify(pub, hash, r, s)
|
||||
return ecdsa.Verify(pub, hash, r, s)
|
||||
default:
|
||||
panic("impossible condition: non-rsa/non-ecdsa key")
|
||||
return false
|
||||
}
|
||||
|
||||
return verified
|
||||
}
|
||||
|
||||
const maxRetry = 16
|
||||
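Review bot: The `default:` branch of Verify still panics on a key that is neither RSA nor ECDSA, and the `return false` that appears to be added after it can never run (`go vet` reports it as unreachable code). VerifyClaims returns `(bool, error)` and passes its key straight to Verify, so an unsupported key type would be better handled by failing closed: drop the `panic("impossible condition: non-rsa/non-ecdsa key")` line and keep `return false`. JOSEVerify in the first file section has the same branch. The lines of Verify between the two hunks are not shown, and which side each line belongs to is inferred from the hunk counts because the +/- markers are missing on this page.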
|
|