crypto/verify.go at 1ba24e3978235b9295fbabce286ee72a571837c3 · julien.rbrt.fr/tangled-core

Monorepo for Tangled — https://tangled.org

tangled-core / crypto / verify.go

at 1ba24e3978235b9295fbabce286ee72a571837c3 1.1 kB view raw

 1package crypto
 2
 3import (
 4	"bytes"
 5	"crypto/sha256"
 6	"encoding/base64"
 7	"fmt"
 8
 9	"github.com/hiddeco/sshsig"
10	"golang.org/x/crypto/ssh"
11)
12
13func VerifySignature(pubKey, signature, payload []byte) (error, bool) {
14	pub, _, _, _, err := ssh.ParseAuthorizedKey(pubKey)
15	if err != nil {
16		return fmt.Errorf("failed to parse public key: %w", err), false
17	}
18
19	sig, err := sshsig.Unarmor(signature)
20	if err != nil {
21		return fmt.Errorf("failed to parse signature: %w", err), false
22	}
23
24	buf := bytes.NewBuffer(payload)
25	// we use sha-512 because ed25519 keys require it internally; rsa keys support
26	// multiple algorithms but sha-512 is most secure, and git's ssh signing defaults
27	// to sha-512 for all key types anyway.
28	err = sshsig.Verify(buf, sig, pub, sshsig.HashSHA512, "git")
29
30	return err, err == nil
31}
32
33// SSHFingerprint computes the fingerprint of the supplied ssh pubkey.
34func SSHFingerprint(pubKey string) (string, error) {
35	pk, _, _, _, err := ssh.ParseAuthorizedKey([]byte(pubKey))
36	if err != nil {
37		return "", err
38	}
39
40	hash := sha256.Sum256(pk.Marshal())
41	return "SHA256:" + base64.StdEncoding.EncodeToString(hash[:]), nil
42}