Explicitly use LoadRSAPSSVerifier for RSASSA_PSS_SHA256 keys

Signed-off-by: Radoslav Dimitrov <[email protected]>
theupdateframework · Sep 19, 2024 · 0e3e8c1 · 0e3e8c1
1 parent f95222b
commit 0e3e8c1
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/metadata/metadata.go b/metadata/metadata.go
@@ -21,6 +21,7 @@ import (
  "bytes"
  "crypto"
  "crypto/hmac"
+ "crypto/rsa"
  "crypto/sha256"
  "crypto/sha512"
  "encoding/base64"
@@ -322,7 +323,19 @@ func (meta *Metadata[T]) VerifyDelegate(delegatedRole string, delegatedMetadata
  }
  }
  // load a verifier based on that key
- verifier, err := signature.LoadVerifier(publicKey, hash)
+ // handle RSA PSS keys separately as the LoadVerifier function doesn't identify them correctly
+ var verifier signature.Verifier
+ if key.Type == KeyTypeRSASSA_PSS_SHA256 {
+ // Load a verifier for rsa
+ publicKeyRSAPSS, ok := publicKey.(*rsa.PublicKey)
+ if !ok {
+ return &ErrType{Msg: "failed to convert public key to RSA PSS key"}
+ }
+ verifier, err = signature.LoadRSAPSSVerifier(publicKeyRSAPSS, hash, &rsa.PSSOptions{Hash: crypto.SHA256})
+ } else {
+ // Load a verifier for ed25519 and ecdsa
+ verifier, err = signature.LoadVerifier(publicKey, hash)
+ }
  if err != nil {
  return err
  }