crypto

package
v0.0.0-...-80a9b72 Latest
Warning

This package is not in the latest version of its module.

Published: Jun 16, 2025 License: BSD-2-Clause Imports: 4 Imported by: 1

Documentation

Overview

Package crypto implements XBPS signature creation and verification using crypto/rsa.

XBPS SHA1-SHA256 workaround

xbps specifies sha1 as the algorithm for RSA_{sign,verify} but uses a sha256 message and length.

xbps still uses full sha256 hashes for the verification; the described issue is just a parsing issue with strict ASN1/PKCS1 implementations.

As a workaround, this implementation disables Go's PKCS1v15 prefix by passing crypto.Hash(0) as the hash argument to rsa.VerifyPKCS1v15 and rsa.SignPKCS1v15, and uses a precomputed ASN1 prefix instead.

The ASN1 prefix comes from an xbps-generated signature, dumped using the openssl command:

openssl rsautl -verify -in foo-1.0_1.noarch.xbps.sig  -inkey ~/.ssh/id_rsa -raw -hexdump

XBPS implementation:

https://github.com/void-linux/xbps/blob/b4eebaf/lib/verifysig.c#L66

Original bug report:

https://github.com/voidlinux/xbps/issues/146

Note: Go also hardcodes the ASN1 prefix for performance reasons:

https://github.com/golang/go/blob/dca707b/src/crypto/rsa/pkcs1v15.go#L210
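
The workaround described above, as an added example that is not this package's own code: it signs with crypto.Hash(0) plus a hand-built prefix, then shows that Go's strict SHA-1 and SHA-256 verifiers both reject the same signature. The names xbpsPrefix, digestInfo, signXBPS, verifyXBPS and demo are hypothetical, the digest is passed as a [32]byte rather than the package's []byte, and the prefix bytes are derived from the DER rules for a SHA-1 DigestInfo wrapping a 32-byte digest, on the assumption that this matches the precomputed value the package uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SHA-1 DigestInfo header (OID 1.3.14.3.2.26) declaring a 32-byte OCTET STRING.
// Derived from the description above; assumed, not copied from the package.
var xbpsPrefix = []byte{0x30, 0x2d, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x20}

// digestInfo returns prefix||digest; the array type pins the digest to 32 bytes.
func digestInfo(sum [sha256.Size]byte) []byte {
	return append(append([]byte{}, xbpsPrefix...), sum[:]...)
}

// signXBPS passes crypto.Hash(0) so Go adds no DigestInfo prefix of its own.
func signXBPS(priv *rsa.PrivateKey, sum [sha256.Size]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.Hash(0), digestInfo(sum))
}

// verifyXBPS rebuilds the same block and compares it against the signature.
func verifyXBPS(pub *rsa.PublicKey, sum [sha256.Size]byte, sig []byte) error {
	return rsa.VerifyPKCS1v15(pub, crypto.Hash(0), digestInfo(sum), sig)
}

// demo signs a constructed digest and checks it with the workaround, Go's strict
// SHA-1 and SHA-256 verifiers, and the workaround against a different digest.
func demo() (ok, asSHA1, asSHA256, tampered error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, nil, nil, nil
	}
	pub := &priv.PublicKey
	sum := sha256.Sum256([]byte("constructed package bytes"))
	sig, err := signXBPS(priv, sum)
	if err != nil {
		return err, nil, nil, nil
	}
	ok = verifyXBPS(pub, sum, sig)
	asSHA1 = rsa.VerifyPKCS1v15(pub, crypto.SHA1, sum[:], sig)     // 32-byte digest is not SHA-1 sized
	asSHA256 = rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) // signature carries the SHA-1 OID
	tampered = verifyXBPS(pub, sha256.Sum256([]byte("other bytes")), sig)
	return
}

func main() { fmt.Println(demo()) }
```

Only the first of the four results is nil: the workaround accepts the signature, both strict verifiers refuse it, and a different digest still fails under the workaround.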

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Sign

func Sign(priv *rsa.PrivateKey, hashed []byte) ([]byte, error)

Sign a sha256 hash using xbps' quirks

func Verify

func Verify(pub *rsa.PublicKey, hashed []byte, sig []byte) error

Verify a sha256 hash signature and work around xbps' quirks

Types

This section is empty.
