-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
missing EC public key validation when creating a new Verifier #115
Comments
Fix #115 Signed-off-by: Thomas Fossati <thomas.fossati@arm.com>
Fix #115 Signed-off-by: Thomas Fossati <thomas.fossati@arm.com>
The implementer is passing a public key and currently it is on them to make sure it is a correct one. Nothing prevents the implementer from making the appropriate checks before using their own key. Furthermore, it is a reasonable expectation to be provided with a valid argument to begin with. It is interesting though that Go went ahead with a |
I don't know you, but for an old-school derelict like myself input validation has always been no. 1 rule of secure coding practices 😄
I agree with you that was a pretty interesting choice -- which makes upfront validation without crashing the caller even more valuable. |
But you get that key from somewhere, are you saying you do not verify it before using in the library? |
^^ My question was more about the production code that gets the key from somewhere and passes it to this library for a verification. Otherwise, I am just trying to understand if it is a good idea to add this curve check to the library, because:
|
Currently, when we instantiate a Verifier we do not check that the supplied public key EC point is on the supposed curve.
This is not best practice. See for example BCP225 in the JWS/JWT context:
It'd also result in a
panic
when the go-cose application is built against go1.19. See go1.19 release notes:This can potentially widen the DoS surface of a go-cose application. Users should be shielded from such situation.
The text was updated successfully, but these errors were encountered: