| author | Luca Casonato <hello@lcas.dev> | 2024-08-09 12:58:20 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-08-09 12:58:20 +0200 |
| commit | fc023038424f3de81d7dd66c68634024a5b29eed (patch) | |
| tree | 24cf26fd44306c35bb898d017fc342bce0d319dc /ext/node/ops/crypto/sign.rs | |
| parent | c9f626e2512d52fdc354e490b179eed7200b394b (diff) | |
fix(ext/node): ed25519 signing and cipheriv autopadding fixes (#24957)
- Return auth tag for GCM ciphers from auto padding shortcircuit
- Use _ring_ for ed25519 signing
---------
Co-authored-by: Divy Srivastava <dj.srivastava23@gmail.com>
Diffstat (limited to 'ext/node/ops/crypto/sign.rs')
| -rw-r--r-- | ext/node/ops/crypto/sign.rs | 148 |
1 files changed, 6 insertions, 142 deletions
diff --git a/ext/node/ops/crypto/sign.rs b/ext/node/ops/crypto/sign.rs
index 9aea3aab7..2dba15aba 100644
--- a/ext/node/ops/crypto/sign.rs
+++ b/ext/node/ops/crypto/sign.rs
@@ -2,12 +2,6 @@
 use deno_core::error::generic_error;
 use deno_core::error::type_error;
 use deno_core::error::AnyError;
-use digest::Digest;
-use digest::FixedOutput;
-use digest::FixedOutputReset;
-use digest::OutputSizeUser;
-use digest::Reset;
-use digest::Update;
 use rand::rngs::OsRng;
 use rsa::signature::hazmat::PrehashSigner as _;
 use rsa::signature::hazmat::PrehashVerifier as _;
@@ -146,29 +140,9 @@ impl KeyObjectHandle {
 AsymmetricPrivateKey::X25519(_) => {
 Err(type_error("x25519 key cannot be used for signing"))
 }
- AsymmetricPrivateKey::Ed25519(key) => {
- if !matches!(
- digest_type,
- "rsa-sha512" | "sha512" | "sha512withrsaencryption"
- ) {
- return Err(type_error(format!(
- "digest not allowed for Ed25519 signature: {}",
- digest_type
- )));
- }
-
- let mut precomputed_digest = PrecomputedDigest([0; 64]);
- if digest.len() != precomputed_digest.0.len() {
- return Err(type_error("Invalid sha512 digest"));
- }
- precomputed_digest.0.copy_from_slice(digest);
-
- let signature = key
- .sign_prehashed(precomputed_digest, None)
- .map_err(|_| generic_error("failed to sign digest with Ed25519"))?;
-
- Ok(signature.to_bytes().into())
- }
+ AsymmetricPrivateKey::Ed25519(_) => Err(type_error(
+ "Ed25519 key cannot be used for prehashed signing",
+ )),
 AsymmetricPrivateKey::Dh(_) => {
 Err(type_error("DH key cannot be used for signing"))
 }
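Review bot: The new `AsymmetricPrivateKey::Ed25519(_)` arm here, and the matching `AsymmetricPublicKey::Ed25519(_)` arm in the verification hunk that follows, reject the key without recording why, and the reason is not obvious from the code. The removed arms passed a SHA-512 digest to `sign_prehashed` / `verify_prehashed_strict`, which is the Ed25519ph variant; its signatures do not verify as plain Ed25519, so a prehash path must not come back. I would put a comment above each arm, for example `// Ed25519 (PureEdDSA) signs the whole message; a SHA-512 prehash would be Ed25519ph, which is a different, non-interoperable scheme.` The one-shot path that replaces it is presumably elsewhere in the commit, since the diffstat is limited to this file, and naming it in the comment would help. Both match expressions start outside the hunks shown.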
@@ -275,122 +249,12 @@ impl KeyObjectHandle {
 AsymmetricPublicKey::X25519(_) => {
 Err(type_error("x25519 key cannot be used for verification"))
 }
- AsymmetricPublicKey::Ed25519(key) => {
- if !matches!(
- digest_type,
- "rsa-sha512" | "sha512" | "sha512withrsaencryption"
- ) {
- return Err(type_error(format!(
- "digest not allowed for Ed25519 signature: {}",
- digest_type
- )));
- }
-
- let mut signature_fixed = [0u8; 64];
- if signature.len() != signature_fixed.len() {
- return Err(type_error("Invalid Ed25519 signature"));
- }
- signature_fixed.copy_from_slice(signature);
-
- let signature = ed25519_dalek::Signature::from_bytes(&signature_fixed);
-
- let mut precomputed_digest = PrecomputedDigest([0; 64]);
- precomputed_digest.0.copy_from_slice(digest);
-
- Ok(
- key
- .verify_prehashed_strict(precomputed_digest, None, &signature)
- .is_ok(),
- )
- }
+ AsymmetricPublicKey::Ed25519(_) => Err(type_error(
+ "Ed25519 key cannot be used for prehashed verification",
+ )),
 AsymmetricPublicKey::Dh(_) => {
 Err(type_error("DH key cannot be used for verification"))
 }
 }
 }
 }
-
-struct PrecomputedDigest([u8; 64]);
-
-impl OutputSizeUser for PrecomputedDigest {
- type OutputSize = <sha2::Sha512 as OutputSizeUser>::OutputSize;
-}
-
-impl Digest for PrecomputedDigest {
- fn new() -> Self {
- unreachable!()
- }
-
- fn new_with_prefix(_data: impl AsRef<[u8]>) -> Self {
- unreachable!()
- }
-
- fn update(&mut self, _data: impl AsRef<[u8]>) {
- unreachable!()
- }
-
- fn chain_update(self, _data: impl AsRef<[u8]>) -> Self {
- unreachable!()
- }
-
- fn finalize(self) -> digest::Output<Self> {
- self.0.into()
- }
-
- fn finalize_into(self, _out: &mut digest::Output<Self>) {
- unreachable!()
- }
-
- fn finalize_reset(&mut self) -> digest::Output<Self>
- where
- Self: digest::FixedOutputReset,
- {
- unreachable!()
- }
-
- fn finalize_into_reset(&mut self, _out: &mut digest::Output<Self>)
- where
- Self: digest::FixedOutputReset,
- {
- unreachable!()
- }
-
- fn reset(&mut self)
- where
- Self: digest::Reset,
- {
- unreachable!()
- }
-
- fn output_size() -> usize {
- unreachable!()
- }
-
- fn digest(_data: impl AsRef<[u8]>) -> digest::Output<Self> {
- unreachable!()
- }
-}
-
-impl Reset for PrecomputedDigest {
- fn reset(&mut self) {
- unreachable!()
- }
-}
-
-impl FixedOutputReset for PrecomputedDigest {
- fn finalize_into_reset(&mut self, _out: &mut digest::Output<Self>) {
- unreachable!()
- }
-}
-
-impl FixedOutput for PrecomputedDigest {
- fn finalize_into(self, _out: &mut digest::Output<Self>) {
- unreachable!()
- }
-}
-
-impl Update for PrecomputedDigest {
- fn update(&mut self, _data: &[u8]) {
- unreachable!()
- }
-}
|
