qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-23 22:00:11 -07:00
Code Releases Activity

crypto/x509: clarify that CheckSignatureFrom and CheckSignature are low-level APIs

Browse Source 
In particular, CheckSignatureFrom just can't check the path length
limit, because it might be enforced above the parent.

We don't need to document the supported signature algorithms for
CheckSignatureFrom, since we document at the constants in what contexts
they are allowed and not. That does leave CheckSignature ambiguous,
though, because that function doesn't have an explicit context.

Change-Id: I4c107440a93f60bc0de07df2b7efeb1a4a766da0
Reviewed-on: https://go-review.googlesource.com/c/go/+/460537
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
Filippo Valsorda 2023-01-04 21:51:50 +01:00 committed by Gopher Robot
parent 8409251e10
commit f375b305c8
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/crypto/x509/x509.go
View File

@ -815,8 +815,10 @@ func (c *Certificate) hasSANExtension() bool {
return oidInExtensions(oidExtensionSubjectAltName, c.Extensions)
}
// CheckSignatureFrom verifies that the signature on c is a valid signature
// from parent. SHA1WithRSA and ECDSAWithSHA1 signatures are not supported.
// CheckSignatureFrom verifies that the signature on c is a valid signature from parent.
//
// This is a low-level API that performs very limited checks, and not a full
// path verifier. Most users should use [Certificate.Verify] instead.
func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
// RFC 5280, 4.2.1.9:
// "If the basic constraints extension is not present in a version 3
@ -836,13 +838,16 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
return ErrUnsupportedAlgorithm
}
// TODO(agl): don't ignore the path length constraint.
return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature, parent.PublicKey, false)
}
// CheckSignature verifies that signature is a valid signature over signed from
// c's public key.
//
// This is a low-level API that performs no validity checks on the certificate.
//
// [MD5WithRSA] signatures are rejected, while [SHA1WithRSA] and [ECDSAWithSHA1]
// signatures are currently accepted.
func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) error {
return checkSignature(algo, signed, signature, c.PublicKey, true)
}