From a5740b41676d740d3f91c88d14a5877a3562d2d4 Mon Sep 17 00:00:00 2001
From: Joel Kamp
Date: Tue, 2 Apr 2024 07:38:42 -0500
Subject: [PATCH] fix: use SHA384 for ECDSA P384 (#629)
Signed-off-by: mrjoelkamp
Co-authored-by: Fredrik Skogman
---
 metadata/keys.go | 1 +
 metadata/metadata.go | 9 ++++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/metadata/keys.go b/metadata/keys.go
index b567c6ab..57e38612 100644
--- a/metadata/keys.go
+++ b/metadata/keys.go
@@ -38,6 +38,7 @@ const (
 KeyTypeRSASSA_PSS_SHA256 = "rsa"
 KeySchemeEd25519 = "ed25519"
 KeySchemeECDSA_SHA2_P256 = "ecdsa-sha2-nistp256"
+ KeySchemeECDSA_SHA2_P384 = "ecdsa-sha2-nistp384"
 KeySchemeRSASSA_PSS_SHA256 = "rsassa-pss-sha256"
 )
diff --git a/metadata/metadata.go b/metadata/metadata.go
index 8bfecbb6..dc407ba8 100644
--- a/metadata/metadata.go
+++ b/metadata/metadata.go
@@ -312,7 +312,14 @@ func (meta *Metadata[T]) VerifyDelegate(delegatedRole string, delegatedMetadata
 // use corresponding hash function for key type
 hash := crypto.Hash(0)
 if key.Type != KeyTypeEd25519 {
- hash = crypto.SHA256
+ switch key.Scheme {
+ case KeySchemeECDSA_SHA2_P256:
+ hash = crypto.SHA256
+ case KeySchemeECDSA_SHA2_P384:
+ hash = crypto.SHA384
+ default:
+ hash = crypto.SHA256
+ }
 }
 // load a verifier based on that key
 verifier, err := signature.LoadVerifier(publicKey, hash)
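Review bot: The `default:` arm of the new switch in VerifyDelegate silently picks SHA-256 for every scheme string it does not recognise, so a misspelled or unsupported scheme is verified with a guessed digest instead of being rejected. Because that arm is identical to the `KeySchemeECDSA_SHA2_P256` case, the explicit P256 case currently has no effect. Consider listing the SHA-256 schemes explicitly, `case KeySchemeECDSA_SHA2_P256, KeySchemeRSASSA_PSS_SHA256: hash = crypto.SHA256`, and making `default:` return an error that names `key.Scheme`. The digest is also chosen from the scheme string in the metadata rather than from the loaded `publicKey`. Nothing visible in this hunk checks that an ECDSA key's curve matches the declared scheme, so a short comment or a curve check before `signature.LoadVerifier` would help; the rest of the function lies outside the hunk and may already do this.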