Change EcdsaVerify to specifically P-384 and compute the SHA384 digest.

PiperOrigin-RevId: 398336708
author: Carmen Hanish <cyhanish@google.com> 2021-09-22 14:56:26 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-09-22 15:01:56 -0700
commit: 4f67756752002dc72bb64cdecd1fa17746f8217f (patch)
tree: 0f5e3b052020ae633b968f69969e0839753947a6
parent: 5768a147b124efbeff2800794da7ba961146af19 (diff)
1 files changed, 11 insertions, 4 deletions
diff --git a/pkg/crypto/crypto_stdlib.go b/pkg/crypto/crypto_stdlib.go
index 69e867386..28eba2ff6 100644
--- a/pkg/crypto/crypto_stdlib.go
+++ b/pkg/crypto/crypto_stdlib.go
@@ -19,14 +19,21 @@ package crypto
 
 import (
 	"crypto/ecdsa"
+	"crypto/elliptic"
 	"crypto/sha512"
+	"fmt"
 	"math/big"
 )
 
-// EcdsaVerify verifies the signature in r, s of hash using ECDSA and the
-// public key, pub. Its return value records whether the signature is valid.
-func EcdsaVerify(pub *ecdsa.PublicKey, hash []byte, r, s *big.Int) (bool, error) {
-	return ecdsa.Verify(pub, hash, r, s), nil
+// EcdsaP384Sha384Verify verifies the signature in r, s of hash using ECDSA
+// P384 + SHA 384 and the public key, pub. Its return value records whether
+// the signature is valid.
+func EcdsaP384Sha384Verify(pub *ecdsa.PublicKey, data []byte, r, s *big.Int) (bool, error) {
+	if pub.Curve != elliptic.P384() {
+		return false, fmt.Errorf("unsupported key curve: want P-384, got %v", pub.Curve)
+	}
+	digest := sha512.Sum384(data)
+	return ecdsa.Verify(pub, digest[:], r, s), nil
 }
 
 // SumSha384 returns the SHA384 checksum of the data.
author	Carmen Hanish <cyhanish@google.com>	2021-09-22 14:56:26 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-09-22 15:01:56 -0700
commit	4f67756752002dc72bb64cdecd1fa17746f8217f (patch)
tree	0f5e3b052020ae633b968f69969e0839753947a6
parent	5768a147b124efbeff2800794da7ba961146af19 (diff)