mirror of
https://github.com/golang/go
synced 2024-11-15 01:50:28 -07:00
crypto: document that Verify inputs are not confidential
Fixes #67043 Closes #67044 Closes #67214 Change-Id: I6ad2838864d82b32a75f7b85804c894357ad57d4 Reviewed-on: https://go-review.googlesource.com/c/go/+/587277 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
parent
56ec5d96bc
commit
2d98f0e494
@ -8,6 +8,10 @@
|
||||
// Signatures generated by this package are not deterministic, but entropy is
|
||||
// mixed with the private key and the message, achieving the same level of
|
||||
// security in case of randomness source failure.
|
||||
//
|
||||
// Operations involving private keys are implemented using constant-time
|
||||
// algorithms, as long as an [elliptic.Curve] returned by [elliptic.P224],
|
||||
// [elliptic.P256], [elliptic.P384], or [elliptic.P521] is used.
|
||||
package ecdsa
|
||||
|
||||
// [FIPS 186-4] references ANSI X9.62-2005 for the bulk of the ECDSA algorithm.
|
||||
@ -463,6 +467,9 @@ func (zr) Read(dst []byte) (n int, err error) {
|
||||
|
||||
// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
|
||||
// public key, pub. Its return value records whether the signature is valid.
|
||||
//
|
||||
// The inputs are not considered confidential, and may leak through timing side
|
||||
// channels, or if an attacker has control of part of the inputs.
|
||||
func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
|
||||
if boring.Enabled {
|
||||
key, err := boringPublicKey(pub)
|
||||
|
@ -115,6 +115,9 @@ func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, er
|
||||
// Verify verifies the signature in r, s of hash using the public key, pub. Its
|
||||
// return value records whether the signature is valid. Most applications should
|
||||
// use VerifyASN1 instead of dealing directly with r, s.
|
||||
//
|
||||
// The inputs are not considered confidential, and may leak through timing side
|
||||
// channels, or if an attacker has control of part of the inputs.
|
||||
func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
|
||||
if r.Sign() <= 0 || s.Sign() <= 0 {
|
||||
return false
|
||||
|
@ -10,6 +10,9 @@
|
||||
// representation includes a public key suffix to make multiple signing
|
||||
// operations with the same key more efficient. This package refers to the RFC
|
||||
// 8032 private key as the “seed”.
|
||||
//
|
||||
// Operations involving private keys are implemented using constant-time
|
||||
// algorithms.
|
||||
package ed25519
|
||||
|
||||
import (
|
||||
@ -258,6 +261,9 @@ func sign(signature, privateKey, message []byte, domPrefix, context string) {
|
||||
|
||||
// Verify reports whether sig is a valid signature of message by publicKey. It
|
||||
// will panic if len(publicKey) is not [PublicKeySize].
|
||||
//
|
||||
// The inputs are not considered confidential, and may leak through timing side
|
||||
// channels, or if an attacker has control of part of the inputs.
|
||||
func Verify(publicKey PublicKey, message, sig []byte) bool {
|
||||
return verify(publicKey, message, sig, domPrefixPure, "")
|
||||
}
|
||||
@ -270,6 +276,9 @@ func Verify(publicKey PublicKey, message, sig []byte) bool {
|
||||
// message is expected to be a SHA-512 hash, otherwise opts.Hash must be
|
||||
// [crypto.Hash](0) and the message must not be hashed, as Ed25519 performs two
|
||||
// passes over messages to be signed.
|
||||
//
|
||||
// The inputs are not considered confidential, and may leak through timing side
|
||||
// channels, or if an attacker has control of part of the inputs.
|
||||
func VerifyWithOptions(publicKey PublicKey, message, sig []byte, opts *Options) error {
|
||||
switch {
|
||||
case opts.Hash == crypto.SHA512: // Ed25519ph
|
||||
|
@ -321,6 +321,9 @@ func SignPKCS1v15(random io.Reader, priv *PrivateKey, hash crypto.Hash, hashed [
|
||||
// function and sig is the signature. A valid signature is indicated by
|
||||
// returning a nil error. If hash is zero then hashed is used directly. This
|
||||
// isn't advisable except for interoperability.
|
||||
//
|
||||
// The inputs are not considered confidential, and may leak through timing side
|
||||
// channels, or if an attacker has control of part of the inputs.
|
||||
func VerifyPKCS1v15(pub *PublicKey, hash crypto.Hash, hashed []byte, sig []byte) error {
|
||||
if boring.Enabled {
|
||||
bkey, err := boringPublicKey(pub)
|
||||
|
@ -338,6 +338,9 @@ func SignPSS(rand io.Reader, priv *PrivateKey, hash crypto.Hash, digest []byte,
|
||||
// result of hashing the input message using the given hash function. The opts
|
||||
// argument may be nil, in which case sensible defaults are used. opts.Hash is
|
||||
// ignored.
|
||||
//
|
||||
// The inputs are not considered confidential, and may leak through timing side
|
||||
// channels, or if an attacker has control of part of the inputs.
|
||||
func VerifyPSS(pub *PublicKey, hash crypto.Hash, digest []byte, sig []byte, opts *PSSOptions) error {
|
||||
if boring.Enabled {
|
||||
bkey, err := boringPublicKey(pub)
|
||||
|
@ -19,10 +19,9 @@
|
||||
// over the public key primitive, the PrivateKey type implements the
|
||||
// Decrypter and Signer interfaces from the crypto package.
|
||||
//
|
||||
// Operations in this package are implemented using constant-time algorithms,
|
||||
// except for [GenerateKey], [PrivateKey.Precompute], and [PrivateKey.Validate].
|
||||
// Every other operation only leaks the bit size of the involved values, which
|
||||
// all depend on the selected key size.
|
||||
// Operations involving private keys are implemented using constant-time
|
||||
// algorithms, except for [GenerateKey], [PrivateKey.Precompute], and
|
||||
// [PrivateKey.Validate].
|
||||
package rsa
|
||||
|
||||
import (
|
||||
|
Loading…
Reference in New Issue
Block a user