Implement signing of pre-hashed data (#3448)

Transit backend sign and verify endpoints now support algorithm=none
This commit is contained in:
Jeremy Voorhis 2017-10-11 08:48:51 -07:00 committed by Jeff Mitchell
parent 893c63ef01
commit af24163abd
3 changed files with 10 additions and 2 deletions

View file

@ -37,6 +37,7 @@ derivation is enabled; currently only available with ed25519 keys.`,
Default: "sha2-256",
Description: `Hash algorithm to use (POST body parameter). Valid values are:
* none
* sha2-224
* sha2-256
* sha2-384
@ -108,6 +109,7 @@ derivation is enabled; currently only available with ed25519 keys.`,
Default: "sha2-256",
Description: `Hash algorithm to use (POST body parameter). Valid values are:
* none
* sha2-224
* sha2-256
* sha2-384
@ -166,7 +168,7 @@ func (b *backend) pathSignWrite(
}
}
if p.Type.HashSignatureInput() {
if p.Type.HashSignatureInput() && algorithm != "none" {
var hf hash.Hash
switch algorithm {
case "sha2-224":
@ -259,7 +261,7 @@ func (b *backend) pathVerifyWrite(
}
}
if p.Type.HashSignatureInput() {
if p.Type.HashSignatureInput() && algorithm != "none" {
var hf hash.Hash
switch algorithm {
case "sha2-224":

View file

@ -164,6 +164,10 @@ func TestTransit_SignVerify_P256(t *testing.T) {
sig = signRequest(req, false, "")
verifyRequest(req, false, "", sig)
req.Data["algorithm"] = "none"
sig = signRequest(req, false, "")
verifyRequest(req, false, "", sig)
// Test 512 and save sig for later to ensure we can't validate once min
// decryption version is set
req.Data["algorithm"] = "sha2-512"

View file

@ -779,6 +779,7 @@ supports signing.
own hash algorithm). This can also be specified as part of the URL.
Currently-supported algorithms are:
- `none`
- `sha2-224`
- `sha2-256`
- `sha2-384`
@ -831,6 +832,7 @@ data.
- `algorithm` `(string: "sha2-256")` Specifies the hash algorithm to use. This
can also be specified as part of the URL. Currently-supported algorithms are:
- `none`
- `sha2-224`
- `sha2-256`
- `sha2-384`