Merge v1.2.1-master

Signed-off-by: Emile Vauge <emile@vauge.com>
2017-04-11 17:10:46 +02:00 · 2017-04-11 17:10:46 +02:00 · aeb17182b4
commit aeb17182b4
parent a590155b0b
396 changed files with 27271 additions and 9969 deletions
--- a/vendor/gopkg.in/square/go-jose.v1/asymmetric.go
+++ b/vendor/gopkg.in/square/go-jose.v1/asymmetric.go
@ -67,6 +67,10 @@ func newRSARecipient(keyAlg KeyAlgorithm, publicKey *rsa.PublicKey) (recipientKe
 		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
 	}

+	if publicKey == nil {
+		return recipientKeyInfo{}, errors.New("invalid public key")
+	}
+
 	return recipientKeyInfo{
 		keyAlg: keyAlg,
 		keyEncrypter: &rsaEncrypterVerifier{
@ -84,6 +88,10 @@ func newRSASigner(sigAlg SignatureAlgorithm, privateKey *rsa.PrivateKey) (recipi
 		return recipientSigInfo{}, ErrUnsupportedAlgorithm
 	}

+	if privateKey == nil {
+		return recipientSigInfo{}, errors.New("invalid private key")
+	}
+
 	return recipientSigInfo{
 		sigAlg: sigAlg,
 		publicKey: &JsonWebKey{
@ -104,6 +112,10 @@ func newECDHRecipient(keyAlg KeyAlgorithm, publicKey *ecdsa.PublicKey) (recipien
 		return recipientKeyInfo{}, ErrUnsupportedAlgorithm
 	}

+	if publicKey == nil || !publicKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+		return recipientKeyInfo{}, errors.New("invalid public key")
+	}
+
 	return recipientKeyInfo{
 		keyAlg: keyAlg,
 		keyEncrypter: &ecEncrypterVerifier{
@ -121,6 +133,10 @@ func newECDSASigner(sigAlg SignatureAlgorithm, privateKey *ecdsa.PrivateKey) (re
 		return recipientSigInfo{}, ErrUnsupportedAlgorithm
 	}

+	if privateKey == nil {
+		return recipientSigInfo{}, errors.New("invalid private key")
+	}
+
 	return recipientSigInfo{
 		sigAlg: sigAlg,
 		publicKey: &JsonWebKey{
@ -199,7 +215,7 @@ func (ctx rsaDecrypterSigner) decrypt(jek []byte, alg KeyAlgorithm, generator ke
 		// When decrypting an RSA-PKCS1v1.5 payload, we must take precautions to
 		// prevent chosen-ciphertext attacks as described in RFC 3218, "Preventing
 		// the Million Message Attack on Cryptographic Message Syntax". We are
-		// therefore deliberatly ignoring errors here.
+		// therefore deliberately ignoring errors here.
 		_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, ctx.privateKey, jek, cek)

 		return cek, nil
@ -370,6 +386,10 @@ func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientI
 		return nil, errors.New("square/go-jose: invalid epk header")
 	}

+	if !ctx.privateKey.Curve.IsOnCurve(publicKey.X, publicKey.Y) {
+		return nil, errors.New("square/go-jose: invalid public key in epk header")
+	}
+
 	apuData := headers.Apu.bytes()
 	apvData := headers.Apv.bytes()

@ -474,6 +494,8 @@ func (ctx ecEncrypterVerifier) verifyPayload(payload []byte, signature []byte, a
 	case ES512:
 		keySize = 66
 		hash = crypto.SHA512
+	default:
+		return ErrUnsupportedAlgorithm
 	}

 	if len(signature) != 2*keySize {