pkcs7.Verify doesn't support signature algorithms other than RSA in golang v1.10

fullsailor / pkcs7

Implements a subset of PKCS#7/Crytpographic Message Syntax (rfc2315, rfc5652)

MIT License

123 stars 201 forks source link

pkcs7.Verify doesn't support signature algorithms other than RSA in golang v1.10 #29

Closed joelthompson closed 6 years ago

joelthompson commented 6 years ago

I'm pretty sure this is the culprit: https://github.com/fullsailor/pkcs7/blob/a009d8d7de53d9503c797cb8ec66fa3b21eed209/pkcs7.go#L257

The issue is that golang, starting with 1.10, now enforces that the algorithm passed in to Certificate.CheckSignature matches the algorithm in the the public key (see golang/go@083ad28622580195a97cbe83a877c7d49b1dadfa). This is causing hashicorp/vault#4014 as the PKCS7 identity document uses DSA signatures.

joelthompson commented 6 years ago

Seems that #27 and #28 duplicate this, so closing this issue

fullsailor commented 6 years ago

I'm reopening this issue since #27 and #28 don't fix the problem generally, only the issue with AWS identity documents, these are failing in TestVerifyEC2 in Go 1.10. I'm working on a fix that doesn't also break TestSign