ed25519: check incoming PKCS#8 public key

Author: ctz

graviola/src/error.rs

@@ -39,6 +39,7 @@ pub enum KeyFormatError {
     UnsupportedPkcs8Version,
     MismatchedPkcs8Algorithm,
     MismatchedPkcs8Parameters,
+    MismatchedPkcs8PublicKey,
     MismatchedSec1Curve,
     MismatchedSec1PublicKey,
     MismatchedSpkiAlgorithm,
@@ -56,6 +57,7 @@ impl core::fmt::Display for KeyFormatError {
             Self::UnsupportedPkcs8Version => write!(f, "unsupported PKCS#8 version"),
             Self::MismatchedPkcs8Algorithm => write!(f, "mismatched PKCS#8 algorithm"),
             Self::MismatchedPkcs8Parameters => write!(f, "mismatched PKCS#8 parameters"),
+            Self::MismatchedPkcs8PublicKey => write!(f, "mismatched PKCS#8 public key"),
             Self::MismatchedSec1Curve => write!(f, "mismatched SEC1 curve"),
             Self::MismatchedSec1PublicKey => write!(f, "mismatched SEC1 public key"),
             Self::MismatchedSpkiAlgorithm => write!(f, "mismatched SPKI algorithm"),

graviola/src/high/ed25519.rs

@@ -92,9 +92,20 @@ impl Ed25519SigningKey {
     pub fn from_pkcs8_der(bytes: &[u8]) -> Result<Self, Error> {
         let _entry = Entry::new_secret();
 
-        pkcs8::Key::decode(bytes, &asn1::oid::id_ed25519, None)
-            .and_then(|k| asn1::OctetString::from_bytes(k.private_key()).map_err(Error::Asn1Error))
-            .and_then(|pk| Self::from_bytes(pk.as_octets()))
+        let p8 = pkcs8::Key::decode(bytes, &asn1::oid::id_ed25519, None)?;
+
+        let key = asn1::OctetString::from_bytes(p8.private_key())
+            .map_err(Error::Asn1Error)
+            .and_then(|pk| Self::from_bytes(pk.as_octets()))?;
+
+        if let Some(alleged_pub_key) = p8.public_key() {
+            let actual_pub_key = key.public_key().as_bytes();
+            if alleged_pub_key != actual_pub_key {
+                return Err(KeyFormatError::MismatchedPkcs8PublicKey.into());
+            }
+        }
+
+        Ok(key)
     }
 
     /// Encode this private key in PKCS#8 DER format.
@@ -174,4 +185,34 @@ mod tests {
         let buf = key.to_pkcs8_der(&mut buf).unwrap();
         assert_eq!(bytes, buf);
     }
+
+    #[test]
+    fn pkcs8_public_key_wrong() {
+        let mut bytes = include_bytes!("asn1/testdata/ed25519-p8v2.bin").to_vec();
+        bytes[52] ^= 0x01;
+        assert_eq!(
+            Ed25519SigningKey::from_pkcs8_der(&bytes).err(),
+            Some(KeyFormatError::MismatchedPkcs8PublicKey.into())
+        );
+    }
+
+    #[test]
+    fn spki_wrong_oid() {
+        Ed25519VerifyingKey::from_spki_der(&[
+            0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00, 0xdd, 0x2d,
+            0x67, 0x8b, 0xae, 0x22, 0x2f, 0x3f, 0xb6, 0xe8, 0x27, 0x8f, 0x08, 0xcc, 0x9e, 0x1a,
+            0x66, 0x33, 0x9c, 0x92, 0x6c, 0x29, 0xac, 0x0a, 0x16, 0xf9, 0x71, 0x7f, 0x5e, 0xe1,
+            0x8c, 0xd8,
+        ])
+        .unwrap();
+
+        let e = Ed25519VerifyingKey::from_spki_der(&[
+            0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x64, 0x70, 0x03, 0x21, 0x00, 0xdd, 0x2d,
+            0x67, 0x8b, 0xae, 0x22, 0x2f, 0x3f, 0xb6, 0xe8, 0x27, 0x8f, 0x08, 0xcc, 0x9e, 0x1a,
+            0x66, 0x33, 0x9c, 0x92, 0x6c, 0x29, 0xac, 0x0a, 0x16, 0xf9, 0x71, 0x7f, 0x5e, 0xe1,
+            0x8c, 0xd8,
+        ])
+        .unwrap_err();
+        assert_eq!(e, KeyFormatError::MismatchedSpkiAlgorithm.into());
+    }
 }

graviola/src/high/pkcs8.rs

@@ -97,7 +97,6 @@ impl<'a> Key<'a> {
     ///
     /// This can be decoded by the caller as the correct asn1 type (or
     /// used raw, depending on the type)
-    #[cfg_attr(not(test), expect(dead_code))]
     pub(crate) fn public_key(&self) -> Option<&'a [u8]> {
         self.0.publicKey.inner().as_ref().map(|x| x.as_octets())
     }