pkcs7.Verify doesn't support signature algorithms other than RSA in golang v1.10 #29

Closed
joelthompson opened this issue Feb 22, 2018 · 2 comments
@joelthompson

I'm pretty sure this is the culprit:

pkcs7/pkcs7.go, line 257 in a009d8d:

```go
algo := x509.SHA1WithRSA
```

The issue is that golang, starting with 1.10, now enforces that the algorithm passed in to Certificate.CheckSignature matches the algorithm in the public key (see golang/go@083ad28). This is causing hashicorp/vault#4014 as the PKCS7 identity document uses DSA signatures.

@joelthompson
Author

Seems that #27 and #28 duplicate this, so closing this issue

@fullsailor
Owner

I'm reopening this issue since #27 and #28 don't fix the problem generally, only the issue with AWS identity documents; these are failing in TestVerifyEC2 in Go 1.10. I'm working on a fix that doesn't also break TestSign.

@fullsailor fullsailor reopened this Feb 22, 2018
@fullsailor fullsailor added the bug label Feb 22, 2018
msiebeling pushed a commit to sggms/pkcs7 that referenced this issue Nov 25, 2019
Since Go 1.10, the SignatureAlgorithm is now validated against the public key type. It was "working" before because the Amazon key used DSA with SHA1, and so the RSA/DSA mismatch didn't matter since the SHA1 hash type did.

This uses some unexported code from `crypto/x509` that looks up a signature algorithm for a given `pkix.AlgorithmIdentifier`.

Fixes fullsailor#27
Fixes fullsailor#28
Fixes fullsailor#29
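
The mismatch check discussed in this thread, reproduced as an added example (not code from the pkcs7 project or from the commit above). ECDSA with SHA-256 stands in for the DSA/SHA-1 signature from the issue, and `algoFor` and `demo` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// algoFor (hypothetical helper) picks the x509 algorithm from the signer's
// key type and digest instead of hardcoding an RSA constant.
func algoFor(pub crypto.PublicKey, h crypto.Hash) x509.SignatureAlgorithm {
	_, isRSA := pub.(*rsa.PublicKey)
	_, isEC := pub.(*ecdsa.PublicKey)
	switch {
	case isRSA && h == crypto.SHA256:
		return x509.SHA256WithRSA
	case isEC && h == crypto.SHA256:
		return x509.ECDSAWithSHA256
	}
	return x509.UnknownSignatureAlgorithm // CheckSignature rejects this value
}

// demo verifies one ECDSA signature twice: with a hardcoded RSA algorithm
// (the pattern from the issue) and with the algorithm derived from the key.
func demo() (hardcoded, derived, setup error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	cert := &x509.Certificate{PublicKey: &key.PublicKey} // constructed; only PublicKey is read
	msg := []byte("constructed sample content")
	digest := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, nil, err
	}
	algo := algoFor(cert.PublicKey, crypto.SHA256)
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig), cert.CheckSignature(algo, msg, sig), nil
}

func main() {
	hardcoded, derived, setup := demo()
	fmt.Println("setup:", setup, "\nhardcoded RSA:", hardcoded, "\nderived:", derived)
}
```

On Go 1.10 and later the hardcoded call returns a key-type mismatch error for a valid signature, while the derived call returns nil.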