fixed: hardcoded signature algo #27

Closed

primalmotion

This patch removes the hardcoded value of the signature verification algo.
This fixes an error that starts to appear in go1.10.

@fullsailor
Owner

This patch is incomplete, the signature algorithm of the certificate is not always the same one that is used for the actual signature. We'll need to merge the hash algorithm with the encryption algorithm.

For example, I can sign a with an RSA key, my cert's signature is in SHA256, but the signer info may have a SHA1 digest. Always using the cert's algorithm will cause some usages to fail. I'm pretty sure this is why the tests are failing.

@primalmotion
Author

ok then I'm not sure how to do it :/

@fullsailor
Owner

That's fine, I'm working on a fix now using some of the code from crypto/x509 to figure out which x509.SignatureAlgorithm to use for the given pkix.AlgorithmIdentifier.

msiebeling pushed a commit to sggms/pkcs7 that referenced this pull request Nov 25, 2019
Since Go 1.10, the SignatureAlgorithm is now validated against the public key type. It was "working" before because the Amazon key used DSA with SHA1, and so the RSA/DSA mismatch didn't matter since the SHA1 hash type did.

This uses some unexported code from `crypto/x509` that looks up a signature algorithm for a given `pkix.AlgorithmIdentifier`.

Fixes fullsailor#27
Fixes fullsailor#28
Fixes fullsailor#29
chrisccoulson pushed a commit to chrisccoulson/pkcs7 that referenced this pull request Apr 25, 2020
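
Added example, not code from this pull request or from the pkcs7 project: it reproduces the case raised in the review, where the signer certificate is SHA256-RSA but the SignerInfo digest is SHA-1, and shows that verification only succeeds when the algorithm is derived from the SignerInfo's digest and key OIDs. `signerAlgorithm` and `verifyBoth` are hypothetical names, and the certificate is a constructed struct rather than a parsed one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/asn1"
	"fmt"
)

var ( // standard algorithm OIDs as they appear in a SignerInfo
	oidSHA1          = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}
	oidSHA256        = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}
	oidRSAEncryption = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 1, 1}
	oidECPublicKey   = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
)

// signerAlgorithm (hypothetical) merges digest and key OIDs; unknown pairs fail closed.
func signerAlgorithm(digest, key asn1.ObjectIdentifier) x509.SignatureAlgorithm {
	switch {
	case key.Equal(oidRSAEncryption) && digest.Equal(oidSHA1):
		return x509.SHA1WithRSA
	case key.Equal(oidRSAEncryption) && digest.Equal(oidSHA256):
		return x509.SHA256WithRSA
	case key.Equal(oidECPublicKey) && digest.Equal(oidSHA256):
		return x509.ECDSAWithSHA256
	}
	return x509.UnknownSignatureAlgorithm
}

// verifyBoth checks an RSA/SHA-1 signature with the cert's algorithm, then the merged one.
func verifyBoth(data []byte) (certAlgoErr, mergedErr error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	sum := sha1.Sum(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, sum[:])
	if err != nil {
		return err, err
	}
	// Constructed stand-in for a parsed signer certificate that was signed with SHA256-RSA.
	cert := &x509.Certificate{PublicKey: &key.PublicKey, SignatureAlgorithm: x509.SHA256WithRSA}
	algo := signerAlgorithm(oidSHA1, oidRSAEncryption)
	return cert.CheckSignature(cert.SignatureAlgorithm, data, sig), cert.CheckSignature(algo, data, sig)
}

func main() { fmt.Println(verifyBoth([]byte("constructed sample content"))) }
```

An OID pair the helper does not recognise yields `x509.UnknownSignatureAlgorithm`, which `CheckSignature` rejects, so an unexpected SignerInfo is refused rather than verified under a guessed algorithm.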