hub / github.com/XTLS/REALITY / verifyHandshakeSignature

Function verifyHandshakeSignature

auth.go:23–62  ·  view source on GitHub ↗

verifyHandshakeSignature verifies a signature against pre-hashed (if required) handshake contents.

(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte)

Source from the content-addressed store, hash-verified

// verifyHandshakeSignature checks sig over signed with pubkey, using the
// scheme selected by sigType. It returns nil only when verification succeeds;
// every other outcome is a non-nil error.
//
// Nothing here hashes signed: it is handed to the verifier as received, so the
// caller must supply it in the form the scheme expects (pre-hashed where the
// scheme requires it). hashFunc is read only by the two RSA schemes; the ECDSA
// and Ed25519 paths ignore it.
//
// The concrete type of pubkey must match sigType. A mismatch is reported as an
// error before any verification is attempted, so a key of one algorithm is
// never checked against a signature type of another.
func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error {
	switch sigType {
	case signatureECDSA:
		ecKey, isECDSA := pubkey.(*ecdsa.PublicKey)
		if !isECDSA {
			return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
		}
		// sig is expected in ASN.1 form, as VerifyASN1 requires.
		if ecdsa.VerifyASN1(ecKey, signed, sig) {
			return nil
		}
		return errors.New("ECDSA verification failure")

	case signatureEd25519:
		edKey, isEd25519 := pubkey.(ed25519.PublicKey)
		if !isEd25519 {
			return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey)
		}
		if ed25519.Verify(edKey, signed, sig) {
			return nil
		}
		return errors.New("Ed25519 verification failure")

	case signaturePKCS1v15, signatureRSAPSS:
		// Both RSA schemes share the same key-type requirement and error text.
		rsaKey, isRSA := pubkey.(*rsa.PublicKey)
		if !isRSA {
			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
		}
		if sigType == signaturePKCS1v15 {
			return rsa.VerifyPKCS1v15(rsaKey, hashFunc, signed, sig)
		}
		// The salt length is pinned to the hash length rather than
		// auto-detected, so signatures using any other salt length fail.
		pssOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
		return rsa.VerifyPSS(rsaKey, hashFunc, signed, sig, pssOpts)

	default:
		// Fail closed: an unrecognised signature type is never accepted.
		return errors.New("internal error: unknown signature type")
	}
}
63
64const (
65 serverSignatureContext = "TLS 1.3, server CertificateVerify\x00"

Callers 4

readServerCertificateMethod · 0.85
readClientCertificateMethod · 0.85
doFullHandshakeMethod · 0.85

Calls

no outgoing calls

Tested by

no test coverage detected
