WIP (passing) verifies RSA sig

AJ ONeal 2020-08-05 09:06:45 +00:00
parent e8c50dee76
commit ca84b8dbca
3 changed files with 19 additions and 16 deletions


@ -141,7 +141,6 @@ func JOSESign(privkey keypairs.PrivateKey, hash []byte) []byte {
// TODO: move to keypairs // TODO: move to keypairs
func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool { func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
var verified bool
switch pub := pubkey.Key().(type) { switch pub := pubkey.Key().(type) {
case *rsa.PublicKey: case *rsa.PublicKey:
@ -149,8 +148,9 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
//alg := "SHA256" //alg := "SHA256"
// TODO: this hasn't been tested yet // TODO: this hasn't been tested yet
if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err { if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {
verified = true return false
} }
return true
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
r := &big.Int{} r := &big.Int{}
r.SetBytes(sig[0:32]) r.SetBytes(sig[0:32])
@ -158,12 +158,11 @@ func JOSEVerify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
s.SetBytes(sig[32:]) s.SetBytes(sig[32:])
fmt.Println("debug: sig len:", len(sig)) fmt.Println("debug: sig len:", len(sig))
fmt.Println("debug: r, s:", r, s) fmt.Println("debug: r, s:", r, s)
verified = ecdsa.Verify(pub, hash, r, s) return ecdsa.Verify(pub, hash, r, s)
default: default:
panic("impossible condition: non-rsa/non-ecdsa key") panic("impossible condition: non-rsa/non-ecdsa key")
return false
} }
return verified
} }
func issueNonce(w http.ResponseWriter, r *http.Request) { func issueNonce(w http.ResponseWriter, r *http.Request) {
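Review bot: The ECDSA branch of JOSEVerify slices `sig[0:32]` and `sig[32:]` with no length check, so a signature shorter than 32 bytes panics with a slice-bounds error and any bytes past offset 64 are folded into `s`. Because `sig` is the value being verified it should be treated as untrusted, and a guard such as `if len(sig) != 64 { return false }` before the split would reject malformed input (64 assumes P-256; deriving the size from `pub.Curve.Params().BitSize` would cover other curves). The two `fmt.Println("debug: …")` lines also write r and s to stdout on every verification and could be dropped. The same code is repeated in `Verify` in the third file section, so the guard belongs there too. One line of the function lies between the hunks and is not shown.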


@ -49,14 +49,14 @@ func SignClaims(privkey keypairs.PrivateKey, header Object, claims Object) (*JWS
} }
payload64 := base64.RawURLEncoding.EncodeToString(payload) payload64 := base64.RawURLEncoding.EncodeToString(payload)
hash := sha256.Sum256([]byte(fmt.Sprintf( signable := fmt.Sprintf(`%s.%s`, protected64, payload64)
`%s.%s`, hash := sha256.Sum256([]byte(signable))
protected64,
payload64,
)))
sig := Sign(randsrc, privkey, hash[:]) sig := Sign(randsrc, privkey, hash[:])
sig64 := base64.RawURLEncoding.EncodeToString(sig) sig64 := base64.RawURLEncoding.EncodeToString(sig)
//log.Printf("\n(Sign)\nSignable: %s", signable)
//log.Printf("Hash: %s", hash)
//log.Printf("Sig: %s", sig64)
return &JWS{ return &JWS{
Header: header, Header: header,
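Review bot: The three commented-out `log.Printf` lines added to SignClaims are debugging leftovers and would be better removed before this leaves WIP. If they are kept for later use, `//log.Printf("Hash: %s", hash)` should use `%x`, because `hash` is the `[32]byte` returned by `sha256.Sum256` and `%s` would emit the raw digest bytes. The same three lines are added to VerifyClaims in the next file section. SignClaims continues past the end of this hunk.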


@ -73,26 +73,31 @@ func VerifyClaims(pubkey keypairs.PublicKey, jws *JWS) (bool, error) {
fmt.Println("Security TODO: did not check jws.Claims[\"kid\"] against thumbprint") fmt.Println("Security TODO: did not check jws.Claims[\"kid\"] against thumbprint")
} }
hash := sha256.Sum256([]byte(fmt.Sprintf("%s.%s", jws.Protected, jws.Payload))) signable := fmt.Sprintf("%s.%s", jws.Protected, jws.Payload)
hash := sha256.Sum256([]byte(signable))
sig, err := base64.RawURLEncoding.DecodeString(jws.Signature) sig, err := base64.RawURLEncoding.DecodeString(jws.Signature)
if nil != err { if nil != err {
return false, err return false, err
} }
//log.Printf("\n(Verify)\nSignable: %s", signable)
//log.Printf("Hash: %s", hash)
//log.Printf("Sig: %s", jws.Signature)
return Verify(pub, hash[:], sig), nil return Verify(pub, hash[:], sig), nil
} }
func Verify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool { func Verify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
var verified bool
switch pub := pubkey.Key().(type) { switch pub := pubkey.Key().(type) {
case *rsa.PublicKey: case *rsa.PublicKey:
//log.Printf("RSA VERIFY")
// TODO keypairs.Size(key) to detect key size ? // TODO keypairs.Size(key) to detect key size ?
//alg := "SHA256" //alg := "SHA256"
// TODO: this hasn't been tested yet // TODO: this hasn't been tested yet
if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err { if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hash, sig); nil != err {
verified = true return false
} }
return true
case *ecdsa.PublicKey: case *ecdsa.PublicKey:
r := &big.Int{} r := &big.Int{}
r.SetBytes(sig[0:32]) r.SetBytes(sig[0:32])
@ -100,12 +105,11 @@ func Verify(pubkey keypairs.PublicKey, hash []byte, sig []byte) bool {
s.SetBytes(sig[32:]) s.SetBytes(sig[32:])
fmt.Println("debug: sig len:", len(sig)) fmt.Println("debug: sig len:", len(sig))
fmt.Println("debug: r, s:", r, s) fmt.Println("debug: r, s:", r, s)
verified = ecdsa.Verify(pub, hash, r, s) return ecdsa.Verify(pub, hash, r, s)
default: default:
panic("impossible condition: non-rsa/non-ecdsa key") panic("impossible condition: non-rsa/non-ecdsa key")
return false
} }
return verified
} }
const maxRetry = 16 const maxRetry = 16
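Review bot: `Verify` is a line-for-line copy of `JOSEVerify` from the first file section, and this commit has to make the same change to the RSA result handling in both places. Two copies of a signature check can drift apart, so one should delegate to the other, for example the body of `JOSEVerify` reduced to `return Verify(pubkey, hash, sig)` (the direction depends on package imports, which are not visible here), or both moved into keypairs as the existing TODO suggests. A test asserting that a tampered payload or signature is rejected would pin the RSA branch, after which the `// TODO: this hasn't been tested yet` comment can be dropped.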