cybercyst/go
1
0
Fork 0
mirror of https://github.com/golang/go.git synced 2025-05-18 22:04:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

crypto/x509: bypass signature verification in CreateCertificate when using MD5WithRSA

Browse Source 
Bypasses the signature verification check we previously added if the
signature algorithm is MD5WithRSA, as we only support this algorithm
for signing and not verification.

Change-Id: Idba6dbba8b365d6199d467526746b88a5f734af1
Reviewed-on: https://go-review.googlesource.com/c/go/+/264019
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Roland Shoemaker 2020-10-20 13:50:52 -07:00 committed by Roland Shoemaker
parent 6f45b39e4d
commit b04eb73a68
2 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/crypto/x509/x509.go
View File

@ -2156,8 +2156,12 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
} }
// Check the signature to ensure the crypto.Signer behaved correctly. // Check the signature to ensure the crypto.Signer behaved correctly.
if err := checkSignature(getSignatureAlgorithmFromAI(signatureAlgorithm), c.Raw, signature, key.Public()); err != nil { // We skip this check if the signature algorithm is MD5WithRSA as we
return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err) // only support this algorithm for signing, and not verification.
if sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm); sigAlg != MD5WithRSA {
if err := checkSignature(sigAlg, c.Raw, signature, key.Public()); err != nil {
return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
}
} }
return signedCert, nil return signedCert, nil

16
src/crypto/x509/x509_test.go
View File

@ -2896,3 +2896,19 @@ func TestCreateCertificateBrokenSigner(t *testing.T) {
t.Fatalf("CreateCertificate returned an unexpected error: got %q, want %q", err, expectedErr) t.Fatalf("CreateCertificate returned an unexpected error: got %q, want %q", err, expectedErr)
} }
} }
func TestCreateCertificateMD5(t *testing.T) {
template := &Certificate{
SerialNumber: big.NewInt(10),
DNSNames: []string{"example.com"},
SignatureAlgorithm: MD5WithRSA,
}
k, err := rsa.GenerateKey(rand.Reader, 1024)
if err != nil {
t.Fatalf("failed to generate test key: %s", err)
}
_, err = CreateCertificate(rand.Reader, template, template, k.Public(), &brokenSigner{k.Public()})
if err != nil {
t.Fatalf("CreateCertificate failed when SignatureAlgorithm = MD5WithRSA: %s", err)
}
}