From 2c694301edabfa35b4113762e469d0b4a215415b Mon Sep 17 00:00:00 2001
From: Joonas Bergius
Date: Thu, 18 Jul 2024 17:33:31 -0500
Subject: [PATCH] fix: Catch invalid signature length when verifying signature

Signed-off-by: Joonas Bergius
---
 src/error.rs | 3 +++
 src/lib.rs | 19 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/error.rs b/src/error.rs
index e8445ab..8a6318c 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -44,6 +44,8 @@ pub enum ErrorKind {
     InvalidPayload,
     /// Thumbprint could not be calculated over the provided public key value
     ThumbprintCalculationFailure,
+    /// Signature did not match the expected length (64 bytes)
+    InvalidSignatureLength,
 }
 
 /// A handy macro borrowed from the `signatory` crate that lets library-internal code generate
@@ -66,6 +68,7 @@ impl ErrorKind {
         match self {
             ErrorKind::InvalidPrefix => "Invalid byte prefix",
             ErrorKind::InvalidKeyLength => "Invalid key length",
+            ErrorKind::InvalidSignatureLength => "Invalid signature length",
             ErrorKind::VerifyError => "Signature verification failure",
             ErrorKind::ChecksumFailure => "Checksum match failure",
             ErrorKind::CodecFailure => "Codec failure",
diff --git a/src/lib.rs b/src/lib.rs
index dc19ec6..c1572e0 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -270,6 +270,13 @@ impl KeyPair {
 
     /// Attempts to verify that the given signature is valid for the given input
     pub fn verify(&self, input: &[u8], sig: &[u8]) -> Result<()> {
+        if sig.len() != ed25519::Signature::BYTE_SIZE {
+            return Err(err!(
+                InvalidSignatureLength,
+                "Signature did not match expected length"
+            ));
+        }
+
         let mut fixedsig = [0; ed25519::Signature::BYTE_SIZE];
         fixedsig.copy_from_slice(sig);
         let insig = ed25519::Signature::from_bytes(&fixedsig);
@@ -530,7 +537,7 @@ mod tests {
     }
 
     #[test]
-    fn sign_and_verify_rejects_mismatched_sig() {
+    fn sign_and_verify_rejects_mismatched_input() {
         let user = KeyPair::new_user();
         let msg = b"this is super secret";
 
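Review bot: The new variant's doc comment hard-codes "64 bytes" while the check in src/lib.rs derives the expected length from `ed25519::Signature::BYTE_SIZE`, so the two can drift apart silently if the constant ever changes. Pointing the doc at the constant keeps a single source of truth: `/// Signature did not match the expected length (`ed25519::Signature::BYTE_SIZE` bytes)`. The same wording applies to the display string added in the second hunk of this file, which could likewise stay length-agnostic as it already does.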
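Review bot: The length guard is the right fix, since `copy_from_slice` on the next context line panics when the slice lengths differ, which turned a malformed caller-supplied signature into a process abort instead of an `Err`; the check and the copy could now be fused so the invariant is enforced by the type rather than by a comparison two lines earlier: `let fixedsig: [u8; ed25519::Signature::BYTE_SIZE] = sig.try_into().map_err(|_| err!(InvalidSignatureLength, "Signature did not match expected length"))?;` in place of the `if` block and the two `fixedsig` lines. The error text would be more useful to operators if it carried the observed length, assuming `err!` accepts format arguments (I cannot see the macro from here). The body of `verify` continues outside the hunk, so any later use of `sig` there should be re-read against the new early return.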
@@ -539,6 +546,16 @@ mod tests {
         assert!(res.is_err());
     }
 
+    #[test]
+    fn sign_and_verify_rejects_invalid_signature_length() {
+        let kp = KeyPair::new_user();
+        let res = kp.verify(&[], &[]);
+        assert!(res.is_err());
+        if let Err(e) = res {
+            assert_eq!(e.kind(), ErrorKind::InvalidSignatureLength);
+        }
+    }
+
     #[test]
     fn from_public_key_rejects_bad_length() {
         let public_key = "ACARVGW77LDNWYXBAH62YKKQRVHYOTKKDDVVJVOISOU75WQPXOO7N3";
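Review bot: The new test only exercises the empty slice, so an off-by-one in the guard (for example accepting 63 or 65 bytes) would still pass; adding `assert!(kp.verify(b"msg", &[0u8; 63]).is_err());` and the 65-byte counterpart pins the boundary on both sides. The `assert!(res.is_err())` followed by `if let Err(e) = res` can be collapsed into one line that also fails loudly on the `Ok` path: `assert_eq!(res.unwrap_err().kind(), ErrorKind::InvalidSignatureLength);`. A correctly sized but random signature should still surface as the pre-existing `VerifyError` rather than the new kind, and a test asserting that would document the distinction between the two failure modes.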