Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(keys): JSON unmarshal hardening. #275

Merged
merged 10 commits into from Jul 20, 2022
Merged

feat(keys): JSON unmarshal hardening. #275

merged 10 commits into from Jul 20, 2022

Conversation

Zenithar
Copy link
Contributor

@Zenithar Zenithar commented Apr 22, 2022
edited

Types of changes:

  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Description of the changes being introduced by the pull request:

  • Add io.LimitReader to block public key content larger than 512Kb.
  • Fix Ed25519 signer constructor to be referenced as ECDSASigner.
  • Rename NewEd25519Signer to NewEd25519SignerFromKey to support
    the signer registry registration and prevent double declaration. (breaking-change)
  • Add ECDSA unmarshaller tests.
  • Add crypto related tests on unmarshalling (private / public key association).

Please verify and check that the pull request fulfills the following requirements:

  • Tests have been added for the bug fix or new feature
  • Docs have been added for the bug fix or new feature

@ethan-lowman-dd
Copy link
Contributor

Fixes #258

ethan-lowman-dd
ethan-lowman-dd reviewed Apr 22, 2022
View reviewed changes
pkg/keys/ecdsa.go Outdated Show resolved Hide resolved
@Zenithar Zenithar force-pushed the feat_key_json_unmarshaller_hardening branch from 5c25a92 to b383cc5 Compare April 22, 2022 15:35
ethan-lowman-dd
ethan-lowman-dd reviewed Apr 22, 2022
View reviewed changes
pkg/keys/ed25519_test.go Outdated Show resolved Hide resolved
pkg/keys/ed25519_test.go Outdated Show resolved Hide resolved
pkg/keys/ecdsa_test.go Outdated Show resolved Hide resolved
pkg/keys/ed25519.go Outdated Show resolved Hide resolved
pkg/keys/ed25519.go Outdated Show resolved Hide resolved
pkg/keys/ed25519.go Outdated Show resolved Hide resolved
asraa
asraa reviewed Apr 22, 2022
View reviewed changes
Copy link
Contributor

@asraa asraa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tackling this!

data/types.go Outdated Show resolved Hide resolved
pkg/keys/ecdsa.go Outdated Show resolved Hide resolved
pkg/keys/ecdsa.go Outdated Show resolved Hide resolved
pkg/keys/ecdsa_test.go Outdated Show resolved Hide resolved
pkg/keys/ed25519.go Outdated Show resolved Hide resolved
@Zenithar Zenithar force-pushed the feat_key_json_unmarshaller_hardening branch 3 times, most recently from 08c4916 to 3085d4b Compare June 28, 2022 06:15
@Zenithar
Copy link
Contributor Author

Zenithar commented Jun 28, 2022
edited

Branch rebased to master - e3efe98

asraa
asraa previously approved these changes Jun 29, 2022
View reviewed changes
@asraa
Copy link
Contributor

asraa commented Jun 29, 2022

One more quick check? @mnm678 @joshuagl

mnm678
mnm678 reviewed Jun 29, 2022
View reviewed changes
go.mod Outdated Show resolved Hide resolved
pkg/keys/ed25519.go Show resolved Hide resolved
@Zenithar
feat(keys): JSON unmarshal hardening.
89bc447 
* Add io.LimitReader to block public key content larger than 512Kb.
* Fix Ed25519 signer constructor to be referenced as ECDSASigner.
* Rename `NewEd25519Signer` to `NewEd25519SignerFromKey` to support
  the signer registry registration and prevent double declaration.
* Add ECDSA unmarshaller tests.

Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
feat(key): add crypto related controls.
195e762 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
feat(key): ecdsa unmarshal already check if point is on curve.
497dae2 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
fix(key): test all errors.
0154d36 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
fix(key): use appropriate type for random seed.
af01849 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
fix(key): display ed25519 public key size on error.
5ddf4cb 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
feat(keys): support unknown fields for json decoder.
71a5d7f 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
feat(types): support unknown fields for json decoder.
17f393f 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar
style(go): convert switch to if.
a2635a0 
Signed-off-by: Thibault Normand <me@zenithar.org>
@Zenithar Zenithar dismissed stale reviews from asraa and trishankatdatadog via a2635a0 July 1, 2022 08:28
@Zenithar Zenithar force-pushed the feat_key_json_unmarshaller_hardening branch from d5af22b to a2635a0 Compare July 1, 2022 08:28
@Zenithar
Copy link
Contributor Author

Zenithar commented Jul 1, 2022

Branch rebased to master - 0d40b25

joshuagl
joshuagl approved these changes Jul 19, 2022
View reviewed changes
Copy link
Member

@joshuagl joshuagl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is great, thank you!

go.mod Show resolved Hide resolved
go.sum Show resolved Hide resolved
@joshuagl joshuagl mentioned this pull request Jul 20, 2022
Closed
@joshuagl joshuagl merged commit 4febe4c into theupdateframework:master Jul 20, 2022
@trishankatdatadog
Copy link
Member

Great job, thanks Thibault, and Marina/Joshua for reviewing!

@Zenithar Zenithar deleted the feat_key_json_unmarshaller_hardening branch July 21, 2022 08:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuagl joshuagl joshuagl approved these changes

@mnm678 mnm678 mnm678 approved these changes

@ethan-lowman-dd ethan-lowman-dd Awaiting requested review from ethan-lowman-dd

@trishankatdatadog trishankatdatadog Awaiting requested review from trishankatdatadog

@asraa asraa Awaiting requested review from asraa

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@Zenithar @ethan-lowman-dd @asraa @trishankatdatadog @mnm678 @joshuagl