pkg/keys/deprecated_ecdsa.go - third_party/go-tuf - Git at Google

 package keys

 import (
 	"bytes"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/sha256"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"os"

 	"github.com/theupdateframework/go-tuf/data"
 )

 func NewDeprecatedEcdsaVerifier() Verifier {
 	return &ecdsaVerifierWithDeprecatedSupport{}
 }

 type ecdsaVerifierWithDeprecatedSupport struct {
 	key *data.PublicKey
 	// This will switch based on whether this is a PEM-encoded key
 	// or a deprecated hex-encoded key.
 	Verifier
 }

 func (p *ecdsaVerifierWithDeprecatedSupport) UnmarshalPublicKey(key *data.PublicKey) error {
 	p.key = key
 	pemVerifier := &EcdsaVerifier{}
 	if err := pemVerifier.UnmarshalPublicKey(key); err != nil {
 		// Try the deprecated hex-encoded verifier
 		hexVerifier := &deprecatedP256Verifier{}
 		if err := hexVerifier.UnmarshalPublicKey(key); err != nil {
 			return err
 		}
 		p.Verifier = hexVerifier
 		return nil
 	}
 	p.Verifier = pemVerifier
 	return nil
 }

 /*
    Deprecated ecdsaVerifier that used hex-encoded public keys.
    This MAY be used to verify existing metadata that used this
    old format. This will be deprecated soon, ensure that repositories
    are re-signed and clients receieve a fully compliant root.
 */

 type deprecatedP256Verifier struct {
 	PublicKey data.HexBytes `json:"public"`
 	key       *data.PublicKey
 }

 func (p *deprecatedP256Verifier) Public() string {
 	return p.PublicKey.String()
 }

 func (p *deprecatedP256Verifier) Verify(msg, sigBytes []byte) error {
 	x, y := elliptic.Unmarshal(elliptic.P256(), p.PublicKey)
 	k := &ecdsa.PublicKey{
 		Curve: elliptic.P256(),
 		X:     x,
 		Y:     y,
 	}

 	hash := sha256.Sum256(msg)

 	if !ecdsa.VerifyASN1(k, hash[:], sigBytes) {
 		return errors.New("tuf: deprecated ecdsa signature verification failed")
 	}
 	return nil
 }

 func (p *deprecatedP256Verifier) MarshalPublicKey() *data.PublicKey {
 	return p.key
 }

 func (p *deprecatedP256Verifier) UnmarshalPublicKey(key *data.PublicKey) error {
 	// Prepare decoder limited to 512Kb
 	dec := json.NewDecoder(io.LimitReader(bytes.NewReader(key.Value), MaxJSONKeySize))

 	// Unmarshal key value
 	if err := dec.Decode(p); err != nil {
 		if errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF) {
 			return fmt.Errorf("tuf: the public key is truncated or too large: %w", err)
 		}
 		return err
 	}

 	curve := elliptic.P256()

 	// Parse as uncompressed marshalled point.
 	x, _ := elliptic.Unmarshal(curve, p.PublicKey)
 	if x == nil {
 		return errors.New("tuf: invalid ecdsa public key point")
 	}

 	p.key = key
 	fmt.Fprintln(os.Stderr, "tuf: warning using deprecated ecdsa hex-encoded keys")
 	return nil
 }
	package keys

	import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"

	"github.com/theupdateframework/go-tuf/data"
	)

	func NewDeprecatedEcdsaVerifier() Verifier {
	return &ecdsaVerifierWithDeprecatedSupport{}
	}

	type ecdsaVerifierWithDeprecatedSupport struct {
	key *data.PublicKey
	// This will switch based on whether this is a PEM-encoded key
	// or a deprecated hex-encoded key.
	Verifier
	}

	func (p ecdsaVerifierWithDeprecatedSupport) UnmarshalPublicKey(key data.PublicKey) error {
	p.key = key
	pemVerifier := &EcdsaVerifier{}
	if err := pemVerifier.UnmarshalPublicKey(key); err != nil {
	// Try the deprecated hex-encoded verifier
	hexVerifier := &deprecatedP256Verifier{}
	if err := hexVerifier.UnmarshalPublicKey(key); err != nil {
	return err
	}
	p.Verifier = hexVerifier
	return nil
	}
	p.Verifier = pemVerifier
	return nil
	}

	/*
	Deprecated ecdsaVerifier that used hex-encoded public keys.
	This MAY be used to verify existing metadata that used this
	old format. This will be deprecated soon, ensure that repositories
	are re-signed and clients receieve a fully compliant root.
	*/

	type deprecatedP256Verifier struct {
	PublicKey data.HexBytes `json:"public"`
	key *data.PublicKey
	}

	func (p *deprecatedP256Verifier) Public() string {
	return p.PublicKey.String()
	}

	func (p *deprecatedP256Verifier) Verify(msg, sigBytes []byte) error {
	x, y := elliptic.Unmarshal(elliptic.P256(), p.PublicKey)
	k := &ecdsa.PublicKey{
	Curve: elliptic.P256(),
	X: x,
	Y: y,
	}

	hash := sha256.Sum256(msg)

	if !ecdsa.VerifyASN1(k, hash[:], sigBytes) {
	return errors.New("tuf: deprecated ecdsa signature verification failed")
	}
	return nil
	}

	func (p deprecatedP256Verifier) MarshalPublicKey() data.PublicKey {
	return p.key
	}

	func (p deprecatedP256Verifier) UnmarshalPublicKey(key data.PublicKey) error {
	// Prepare decoder limited to 512Kb
	dec := json.NewDecoder(io.LimitReader(bytes.NewReader(key.Value), MaxJSONKeySize))

	// Unmarshal key value
	if err := dec.Decode(p); err != nil {
	if errors.Is(err, io.EOF) \|\| errors.Is(err, io.ErrUnexpectedEOF) {
	return fmt.Errorf("tuf: the public key is truncated or too large: %w", err)
	}
	return err
	}

	curve := elliptic.P256()

	// Parse as uncompressed marshalled point.
	x, _ := elliptic.Unmarshal(curve, p.PublicKey)
	if x == nil {
	return errors.New("tuf: invalid ecdsa public key point")
	}

	p.key = key
	fmt.Fprintln(os.Stderr, "tuf: warning using deprecated ecdsa hex-encoded keys")
	return nil
	}