diff -urip ./artifact/gcp/signer.go /var/cache/pbuilder/build/62527/build/golang-github-mendersoftware-mender-artifact-3.7.0+ds1/obj-x86_64-linux-gnu/src/github.com/mendersoftware/mender-artifact/artifact/gcp/signer.go --- a/artifact/gcp/signer.go 2022-02-19 16:06:32.768741737 +0100 +++ b/artifact/gcp/signer.go 2022-02-19 16:23:55.065274497 +0100 @@ -29,7 +29,7 @@ import ( "github.com/minio/sha256-simd" "github.com/pkg/errors" kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" - "google.golang.org/protobuf/types/known/wrapperspb" + //"google.golang.org/protobuf/types/known/wrapperspb" ) // NewKMSSigner creates a Signer that signs using a key from @@ -69,7 +69,7 @@ func (k *KMS) Sign(message []byte) ([]by h := sha256.Sum256(message) - digestCRC32C := checksum(h[:]) + //digestCRC32C := checksum(h[:]) result, err := k.client.AsymmetricSign(ctx, &kmspb.AsymmetricSignRequest{ Name: k.name, @@ -78,17 +78,19 @@ func (k *KMS) Sign(message []byte) ([]by Sha256: h[:], }, }, - DigestCrc32C: wrapperspb.Int64(digestCRC32C), + //DigestCrc32C: wrapperspb.Int64(digestCRC32C), }) if err != nil { return nil, errors.Wrap(err, "signer: error signing image with KMS") } + /* if !result.VerifiedDigestCrc32C { return nil, errors.New("signer: KMS signing request corrupted") } if checksum(result.Signature) != result.SignatureCrc32C.Value { return nil, errors.New("signer: KMS signing response corrupted") } + */ switch sm.Method.(type) { case *artifact.RSA: @@ -137,9 +139,11 @@ func (k *KMS) getKMSKeyAndVerifyMethod(c return nil, errors.Wrap(err, "signer: error getting public key from KMS") } + /* if checksum([]byte(response.Pem)) != response.PemCrc32C.Value { return nil, errors.New("signer: KMS verification response corrupted") } + */ return artifact.GetKeyAndVerifyMethod([]byte(response.Pem)) } diff -urip ./artifact/gcp/signer_test.go /var/cache/pbuilder/build/62527/build/golang-github-mendersoftware-mender-artifact-3.7.0+ds1/obj-x86_64-linux-gnu/src/github.com/mendersoftware/mender-artifact/artifact/gcp/signer_test.go --- a/artifact/gcp/signer_test.go 2022-02-19 16:06:32.768741737 +0100 +++ b/artifact/gcp/signer_test.go 2022-02-19 16:41:17.384955340 +0100 @@ -21,7 +21,7 @@ import ( "crypto/rand" "crypto/rsa" "fmt" - "hash/crc32" + //"hash/crc32" "testing" "time" @@ -29,7 +29,7 @@ import ( "github.com/mendersoftware/mender-artifact/artifact" "github.com/pkg/errors" kmspb "google.golang.org/genproto/googleapis/cloud/kms/v1" - "google.golang.org/protobuf/types/known/wrapperspb" + //"google.golang.org/protobuf/types/known/wrapperspb" ) const ( @@ -98,6 +98,7 @@ func TestKMSSignAndVerify(t *testing.T) keyName: "invalid key name", wantSignErr: true, }, + /* "corrupted signature rsa": { signClient: &fakeKMSClient{corruptSigningCRC: true}, keyName: rsaKeyName, @@ -128,6 +129,7 @@ func TestKMSSignAndVerify(t *testing.T) keyName: ecdsaKeyName, wantVerifyErr: true, }, + */ } for name, test := range tests { t.Run(name, func(t *testing.T) { @@ -247,9 +249,9 @@ func (f *fakeKMSClient) AsymmetricSign(_ return nil, fmt.Errorf("key %q: %v", req.Name, err) } - crcTable := crc32.MakeTable(crc32.Castagnoli) - digestCRC32C := crc32.Checksum(req.Digest.GetSha256(), crcTable) - verifiedDigestCRC32C := int64(digestCRC32C) == req.DigestCrc32C.Value + //crcTable := crc32.MakeTable(crc32.Castagnoli) + //digestCRC32C := crc32.Checksum(req.Digest.GetSha256(), crcTable) + //verifiedDigestCRC32C := int64(digestCRC32C) == req.DigestCrc32C.Value // We can't reuse sm.Method.sign because those functions will hash the data // an additional time. We just want the signature, since we only have the @@ -271,15 +273,17 @@ func (f *fakeKMSClient) AsymmetricSign(_ return nil, fmt.Errorf("key %q: unsupported signing algorithm", req.Name) } + /* sigCRC32C := crc32.Checksum(sig, crcTable) if f.corruptSigningCRC { sigCRC32C = 123456 } + */ return &kmspb.AsymmetricSignResponse{ Signature: sig, - VerifiedDigestCrc32C: verifiedDigestCRC32C, - SignatureCrc32C: wrapperspb.Int64(int64(sigCRC32C)), + //VerifiedDigestCrc32C: verifiedDigestCRC32C, + //SignatureCrc32C: wrapperspb.Int64(int64(sigCRC32C)), }, nil } @@ -289,14 +293,14 @@ func (f *fakeKMSClient) GetPublicKey(_ c return nil, err } - crcTable := crc32.MakeTable(crc32.Castagnoli) - pemCRC32C := crc32.Checksum([]byte(key.public), crcTable) - if f.corruptPublicKeyCRC { - pemCRC32C = 123456 - } + //crcTable := crc32.MakeTable(crc32.Castagnoli) + //pemCRC32C := crc32.Checksum([]byte(key.public), crcTable) + //if f.corruptPublicKeyCRC { + // pemCRC32C = 123456 + //} return &kmspb.PublicKey{ Pem: key.public, - PemCrc32C: wrapperspb.Int64(int64(pemCRC32C)), + //PemCrc32C: wrapperspb.Int64(int64(pemCRC32C)), }, nil }