Add check for matching group in CertificateSelection  #218

Open
@tatianab

Currently, the CertificateSelection function calls the schemeValidForKey function, which checks if the signature type (RSA_PKCS1, RSA_PSS, or ECDSA) is correct for the given key, but does not check if the underlying group is correct for the signature algorithm in the ECDSA case. This causes the function to sometimes output a signature algorithm incompatible with the chosen certificate.

I propose to add the following check inside schemeValidForKey:

func schemeValidForKey(alg SignatureScheme, key crypto.Signer) bool {
	...
	case *ecdsa.PrivateKey:
		// proposed check
		if curveFromNamedGroup(curveMap[alg]) != key.Public().(*ecdsa.PublicKey).Curve {
			return false
		}
	...

If you agree, I will submit a PR with this change.

@chris-wood
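
The mismatch described in this issue, as an added Go example that is not the project's code: with a P-384 key, a type-only check selects a P-256 scheme, while a curve-aware check selects the P-384 one. It assumes the standard library's `crypto/tls` scheme constants as stand-ins for the project's `SignatureScheme` values; `typeOnlyValid`, `curveAwareValid`, `selectScheme` and `demo` are hypothetical names.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"fmt"
)

// Each TLS 1.3 ECDSA signature scheme is bound to exactly one curve.
var ecdsaCurves = map[tls.SignatureScheme]elliptic.Curve{
	tls.ECDSAWithP256AndSHA256: elliptic.P256(),
	tls.ECDSAWithP384AndSHA384: elliptic.P384(),
	tls.ECDSAWithP521AndSHA512: elliptic.P521(),
}

// typeOnlyValid (hypothetical) accepts any ECDSA scheme for any ECDSA key.
func typeOnlyValid(alg tls.SignatureScheme, key crypto.Signer) bool {
	_, isECDSA := key.(*ecdsa.PrivateKey)
	return isECDSA && ecdsaCurves[alg] != nil
}

// curveAwareValid (hypothetical) also requires the key's curve to match.
func curveAwareValid(alg tls.SignatureScheme, key crypto.Signer) bool {
	k, ok := key.(*ecdsa.PrivateKey)
	return ok && typeOnlyValid(alg, key) && ecdsaCurves[alg] == k.Curve
}

// selectScheme returns the first offered scheme that valid accepts, or 0.
func selectScheme(offered []tls.SignatureScheme, key crypto.Signer, valid func(tls.SignatureScheme, crypto.Signer) bool) tls.SignatureScheme {
	for _, alg := range offered {
		if valid(alg, key) {
			return alg
		}
	}
	return 0
}

// demo runs both checks on a constructed P-384 key and a constructed offer list.
func demo() (loose, strict tls.SignatureScheme) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		panic(err)
	}
	offered := []tls.SignatureScheme{tls.ECDSAWithP256AndSHA256, tls.ECDSAWithP384AndSHA384}
	return selectScheme(offered, key, typeOnlyValid), selectScheme(offered, key, curveAwareValid)
}
func main() { fmt.Println(demo()) }
```

A TLS 1.3 peer verifying the handshake signature expects the curve named by the scheme, so the scheme picked by the type-only check would not match the P-384 certificate key.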
