crypto: document that Verify inputs are not confidential
Fixes #67043 Closes #67044 Closes #67214 Change-Id: I6ad2838864d82b32a75f7b85804c894357ad57d4 Reviewed-on: https://go-review.googlesource.com/c/go/+/587277 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
parent
56ec5d96bc
commit
2d98f0e494
@ -8,6 +8,10 @@
|
|||||||
// Signatures generated by this package are not deterministic, but entropy is
|
// Signatures generated by this package are not deterministic, but entropy is
|
||||||
// mixed with the private key and the message, achieving the same level of
|
// mixed with the private key and the message, achieving the same level of
|
||||||
// security in case of randomness source failure.
|
// security in case of randomness source failure.
|
||||||
|
//
|
||||||
|
// Operations involving private keys are implemented using constant-time
|
||||||
|
// algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
|
||||||
|
// [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
|
||||||
package ecdsa
|
package ecdsa
|
||||||
|
|
||||||
// [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
|
// [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
|
||||||
@ -463,6 +467,9 @@ func (zr) Read(dst []byte) (n int, err error) {
|
|||||||
|
|
||||||
// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
|
// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
|
||||||
// public key, pub. Its return value records whether the signature is valid.
|
// public key, pub. Its return value records whether the signature is valid.
|
||||||
|
//
|
||||||
|
// The inputs are not considered confidential, and may leak through timing side
|
||||||
|
// channels, or if an attacker has control of part of the inputs.
|
||||||
func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
|
func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
|
||||||
if boring.Enabled {
|
if boring.Enabled {
|
||||||
key, err := boringPublicKey(pub)
|
key, err := boringPublicKey(pub)
|
||||||
|
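Review bot: The added sentence on VerifyASN1, `// channels, or if an attacker has control of part of the inputs.`, leaves open what leaks to whom in that second clause — a reader cannot tell which input is exposed when another is attacker-controlled. If the intent is that an attacker who supplies the signature may learn something about the public key or hash through timing, saying so directly would be clearer, e.g. `// The inputs (public key, hash, and signature) are not considered confidential: they may leak through timing side channels, and an attacker who controls some of them may learn about the others.`, though this should be confirmed against the issues the commit fixes. It may also help to spell out the practical consequence, that Verify must not be used on a public key or message an application treats as a secret. The same wording is added to Verify in the legacy ECDSA hunk and to ed25519 Verify and VerifyWithOptions and rsa VerifyPKCS1v15 and VerifyPSS, so one phrasing should be settled and applied to all six. VerifyASN1's body continues past the end of the hunk.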
@ -115,6 +115,9 @@ func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, er
|
|||||||
// Verify verifies the signature in r, s of hash using the public key, pub. Its
|
// Verify verifies the signature in r, s of hash using the public key, pub. Its
|
||||||
// return value records whether the signature is valid. Most applications should
|
// return value records whether the signature is valid. Most applications should
|
||||||
// use VerifyASN1 instead of dealing directly with r, s.
|
// use VerifyASN1 instead of dealing directly with r, s.
|
||||||
|
//
|
||||||
|
// The inputs are not considered confidential, and may leak through timing side
|
||||||
|
// channels, or if an attacker has control of part of the inputs.
|
||||||
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
|
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
|
||||||
if r.Sign() <= 0 || s.Sign() <= 0 {
|
if r.Sign() <= 0 || s.Sign() <= 0 {
|
||||||
return false
|
return false
|
||||||
|
@ -10,6 +10,9 @@
|
|||||||
// representation includes a public key suffix to make multiple signing
|
// representation includes a public key suffix to make multiple signing
|
||||||
// operations with the same key more efficient. This package refers to the RFC
|
// operations with the same key more efficient. This package refers to the RFC
|
||||||
// 8032 private key as the “seed”.
|
// 8032 private key as the “seed”.
|
||||||
|
//
|
||||||
|
// Operations involving private keys are implemented using constant-time
|
||||||
|
// algorithms.
|
||||||
package ed25519
|
package ed25519
|
||||||
|
|
||||||
import (
|
import (
|
||||||
@ -258,6 +261,9 @@ func sign(signature, privateKey, message []byte, domPrefix, context string) {
|
|||||||
|
|
||||||
// Verify reports whether sig is a valid signature of message by publicKey. It
|
// Verify reports whether sig is a valid signature of message by publicKey. It
|
||||||
// will panic if len(publicKey) is not [PublicKeySize].
|
// will panic if len(publicKey) is not [PublicKeySize].
|
||||||
|
//
|
||||||
|
// The inputs are not considered confidential, and may leak through timing side
|
||||||
|
// channels, or if an attacker has control of part of the inputs.
|
||||||
func Verify(publicKey PublicKey, message, sig []byte) bool {
|
func Verify(publicKey PublicKey, message, sig []byte) bool {
|
||||||
return verify(publicKey, message, sig, domPrefixPure, "")
|
return verify(publicKey, message, sig, domPrefixPure, "")
|
||||||
}
|
}
|
||||||
@ -270,6 +276,9 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
|
|||||||
// message is expected to be a SHA-512 hash, otherwise opts.Hash must be
|
// message is expected to be a SHA-512 hash, otherwise opts.Hash must be
|
||||||
// [crypto.Hash](0) and the message must not be hashed, as Ed25519 performs two
|
// [crypto.Hash](0) and the message must not be hashed, as Ed25519 performs two
|
||||||
// passes over messages to be signed.
|
// passes over messages to be signed.
|
||||||
|
//
|
||||||
|
// The inputs are not considered confidential, and may leak through timing side
|
||||||
|
// channels, or if an attacker has control of part of the inputs.
|
||||||
func VerifyWithOptions(publicKey PublicKey, message, sig []byte, opts *Options) error {
|
func VerifyWithOptions(publicKey PublicKey, message, sig []byte, opts *Options) error {
|
||||||
switch {
|
switch {
|
||||||
case opts.Hash == crypto.SHA512: // Ed25519ph
|
case opts.Hash == crypto.SHA512: // Ed25519ph
|
||||||
|
@ -321,6 +321,9 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [
|
|||||||
// function and sig is the signature. A valid signature is indicated by
|
// function and sig is the signature. A valid signature is indicated by
|
||||||
// returning a nil error. If hash is zero then hashed is used directly. This
|
// returning a nil error. If hash is zero then hashed is used directly. This
|
||||||
// isn't advisable except for interoperability.
|
// isn't advisable except for interoperability.
|
||||||
|
//
|
||||||
|
// The inputs are not considered confidential, and may leak through timing side
|
||||||
|
// channels, or if an attacker has control of part of the inputs.
|
||||||
func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
|
func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
|
||||||
if boring.Enabled {
|
if boring.Enabled {
|
||||||
bkey, err := boringPublicKey(pub)
|
bkey, err := boringPublicKey(pub)
|
||||||
|
@ -338,6 +338,9 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
|
|||||||
// result of hashing the input message using the given hash function. The opts
|
// result of hashing the input message using the given hash function. The opts
|
||||||
// argument may be nil, in which case sensible defaults are used. opts.Hash is
|
// argument may be nil, in which case sensible defaults are used. opts.Hash is
|
||||||
// ignored.
|
// ignored.
|
||||||
|
//
|
||||||
|
// The inputs are not considered confidential, and may leak through timing side
|
||||||
|
// channels, or if an attacker has control of part of the inputs.
|
||||||
func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
|
func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
|
||||||
if boring.Enabled {
|
if boring.Enabled {
|
||||||
bkey, err := boringPublicKey(pub)
|
bkey, err := boringPublicKey(pub)
|
||||||
|
@ -19,10 +19,9 @@
|
|||||||
// over the public key primitive, the PrivateKey type implements the
|
// over the public key primitive, the PrivateKey type implements the
|
||||||
// Decrypter and Signer interfaces from the crypto package.
|
// Decrypter and Signer interfaces from the crypto package.
|
||||||
//
|
//
|
||||||
// Operations in this package are implemented using constant-time algorithms,
|
// Operations involving private keys are implemented using constant-time
|
||||||
// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate].
|
// algorithms, except for [GenerateKey], [PrivateKey.Precompute], and
|
||||||
// Every other operation only leaks the bit size of the involved values, which
|
// [PrivateKey.Validate].
|
||||||
// all depend on the selected key size.
|
|
||||||
package rsa
|
package rsa
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
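Review bot: The reworded rsa package comment, `// Operations involving private keys are implemented using constant-time`, now says nothing about public-key operations that take a confidential input, namely the plaintext passed to [EncryptOAEP] and [EncryptPKCS1v15], which a reader of the old sentence about every other operation leaking only bit sizes might have assumed was covered. Since the new scope is explicitly "private keys", it is worth adding one sentence stating how the message given to the encryption functions is treated, whether or not it is protected by constant-time code, so callers do not infer a guarantee the text no longer makes. Listing the [PrivateKey.Validate] exception is useful; a short clause on why validation of a private key is excluded (presumably because it runs on values whose bit size is already public) would help, but I cannot confirm that from this hunk.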