From 7bdf67dbef01cc44474cf80d604de9bf4ee51679 Mon Sep 17 00:00:00 2001 From: Artem Skriabin Date: Tue, 25 Jun 2024 13:29:02 +0300 Subject: [PATCH 1/2] Handle SHA1 with RSA, handle RSA as SHA256 with RSA --- .../service/api/handlers/create_identity.go | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/internal/service/api/handlers/create_identity.go b/internal/service/api/handlers/create_identity.go index 8aa1f4f..406a60e 100644 --- a/internal/service/api/handlers/create_identity.go +++ b/internal/service/api/handlers/create_identity.go @@ -41,6 +41,7 @@ const ( SHA1 = "sha1" SHA256 = "sha256" + SHA1withRSA = "SHA1withRSA" SHA256withRSA = "SHA256withRSA" SHA1withECDSA = "SHA1withECDSA" SHA256withECDSA = "SHA256withECDSA" @@ -49,6 +50,7 @@ const ( var algorithmsListMap = map[string]map[string]string{ "SHA1": { "ECDSA": SHA1withECDSA, + "RSA": SHA1withRSA, }, "SHA256": { "RSA": SHA256withRSA, @@ -120,7 +122,7 @@ func CreateIdentity(w http.ResponseWriter, r *http.Request) { cfg := api.VerifierConfig(r) switch algorithm { - case SHA1withECDSA: + case SHA1withRSA, SHA1withECDSA: if err := verifier.VerifyGroth16(req.Data.ZKProof, cfg.VerificationKeys[SHA1]); err != nil { log.WithError(err).Error("failed to verify Groth16") ape.RenderErr(w, problems.BadRequest(err)...) @@ -356,7 +358,7 @@ func validateSignedAttributes(signedAttributes, encapsulatedContent []byte, algo d := make([]byte, 0) switch algorithm { - case SHA1withECDSA: + case SHA1withRSA, SHA1withECDSA: h := sha1.New() h.Write(encapsulatedContent) d = h.Sum(nil) @@ -387,6 +389,10 @@ func signatureAlgorithm(passedAlgorithm string) string { return SHA256withRSA } + if passedAlgorithm == "RSA" { + return SHA256withRSA + } + if strings.Contains(strings.ToUpper(passedAlgorithm), "PSS") { return "" // RSA-PSS is not currently supported } @@ -428,6 +434,16 @@ func verifySignature(req requests.CreateIdentityRequest, cert *x509.Certificate, } switch algo { + case SHA1withRSA: + pubKey := cert.PublicKey.(*rsa.PublicKey) + + h := sha1.New() + h.Write(signedAttributes) + d := h.Sum(nil) + + if err := rsa.VerifyPKCS1v15(pubKey, crypto.SHA1, d, signature); err != nil { + return errors.Wrap(err, "failed to verify SHA256 with RSA signature") + } case SHA256withRSA: pubKey := cert.PublicKey.(*rsa.PublicKey) From 2b14e7c8bd3bd41d00f43501d80d5079da563e3c Mon Sep 17 00:00:00 2001 From: Artem Skriabin Date: Tue, 25 Jun 2024 13:32:33 +0300 Subject: [PATCH 2/2] Fix typo --- internal/service/api/handlers/create_identity.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/service/api/handlers/create_identity.go b/internal/service/api/handlers/create_identity.go index 406a60e..1e7f5fb 100644 --- a/internal/service/api/handlers/create_identity.go +++ b/internal/service/api/handlers/create_identity.go @@ -442,7 +442,7 @@ func verifySignature(req requests.CreateIdentityRequest, cert *x509.Certificate, d := h.Sum(nil) if err := rsa.VerifyPKCS1v15(pubKey, crypto.SHA1, d, signature); err != nil { - return errors.Wrap(err, "failed to verify SHA256 with RSA signature") + return errors.Wrap(err, "failed to verify SHA1 with RSA signature") } case SHA256withRSA: pubKey := cert.PublicKey.(*rsa.PublicKey)