verifyHandshakeSignature verifies a signature against pre-hashed handshake contents.
(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, digest, sig []byte)
| 87 | // verifyHandshakeSignature verifies a signature against pre-hashed handshake |
| 88 | // contents. |
| 89 | func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, digest, sig []byte) error { |
| 90 | switch sigType { |
| 91 | case signatureECDSA: |
| 92 | pubKey, ok := pubkey.(*ecdsa.PublicKey) |
| 93 | if !ok { |
| 94 | return errors.New("tls: ECDSA signing requires a ECDSA public key") |
| 95 | } |
| 96 | ecdsaSig := new(ecdsaSignature) |
| 97 | if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil { |
| 98 | return err |
| 99 | } |
| 100 | if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { |
| 101 | return errors.New("tls: ECDSA signature contained zero or negative values") |
| 102 | } |
| 103 | if pubKey.Curve == sm2.P256Sm2() { |
| 104 | sm2Public := sm2.PublicKey{ |
| 105 | Curve: pubKey.Curve, |
| 106 | X: pubKey.X, |
| 107 | Y: pubKey.Y, |
| 108 | } |
| 109 | if !sm2Public.Verify(digest, sig) { |
| 110 | return errors.New("tls: SM2 verification failure") |
| 111 | } |
| 112 | } else if !ecdsa.Verify(pubKey, digest, ecdsaSig.R, ecdsaSig.S) { |
| 113 | return errors.New("tls: ECDSA verification failure") |
| 114 | } |
| 115 | case signaturePKCS1v15: |
| 116 | pubKey, ok := pubkey.(*rsa.PublicKey) |
| 117 | if !ok { |
| 118 | return errors.New("tls: RSA signing requires a RSA public key") |
| 119 | } |
| 120 | if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, digest, sig); err != nil { |
| 121 | return err |
| 122 | } |
| 123 | case signatureRSAPSS: |
| 124 | pubKey, ok := pubkey.(*rsa.PublicKey) |
| 125 | if !ok { |
| 126 | return errors.New("tls: RSA signing requires a RSA public key") |
| 127 | } |
| 128 | signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} |
| 129 | if err := rsa.VerifyPSS(pubKey, hashFunc, digest, sig, signOpts); err != nil { |
| 130 | return err |
| 131 | } |
| 132 | case signatureSM2: |
| 133 | pubKey, ok := pubkey.(*sm2.PublicKey) |
| 134 | if !ok { |
| 135 | return errors.New("tls: SM2 signing requires a SM2 public key") |
| 136 | } |
| 137 | if ok := pubKey.Verify(digest, sig); !ok { |
| 138 | return errors.New("verify sm2 signature error") |
| 139 | } |
| 140 | default: |
| 141 | return errors.New("tls: unknown signature algorithm") |
| 142 | } |
| 143 | return nil |
| 144 | } |
no test coverage detected
searching dependent graphs…