search

veraison / go-cose

go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0
49 stars 26 forks source link

Signature.Sign doesn't check for malformed protected data containing extraneous bytes #165

Closed qmuntal closed 11 months ago

qmuntal commented 1 year ago

What is the areas you experience the issue in?

Go-COSE Library

What is not working as expected?

Signature.Sign validates that the protected parameter contains a wellformed bstr, but it misses to detect byte arrays with more bytes than defined in the bstr prelude.

For example, []byte{0x40, 0xa1, 0x00, 0x00} declares a bstr (major type 2) with 0 entries, but it contains 3 entries.

Notice that the validation happens inside deterministicBinaryString, which is also used in Sign1Message.toBeSigned, so it's possible that Sign1Message is also affected by this bug.

What did you expect to happen?

Signature.Sign should return an error if protected contains extraneous bytes.

How can we reproduce it?

package main

import (
    "crypto/ecdsa"
    "crypto/elliptic"
    "crypto/rand"

    "github.com/veraison/go-cose"
)

func main() {
    priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    if err != nil {
        panic(err)
    }
    sig := cose.NewSignature()
    signer, err := cose.NewSigner(cose.AlgorithmES256, priv)
    if err != nil {
        panic(err)
    }
    err = sig.Sign(rand.Reader, signer, []byte{0x40, 0xa1, 0x00, 0x00}, []byte("Hello, world!"), nil)
    if err != nil {
        panic(err)
    }
}

Describe your environment

Windows 11, go1.21

What is the version of your Go-COSE Library?

v1.1.0

qmuntal commented 1 year ago

Luckily, github.com/fxamacker/cbor@v2.5.0, which has just been released, will validate extraneous data for us: https://github.com/fxamacker/cbor/pull/380.