fix: Catch invalid signature length when verifying signature

Signed-off-by: Joonas Bergius <joonas@cosmonic.com>
wasmCloud · Jul 18, 2024 · 2c69430 · 2c69430
1 parent 7e52c00
commit 2c69430
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/src/error.rs b/src/error.rs
@@ -44,6 +44,8 @@ pub enum ErrorKind {
     InvalidPayload,
     /// Thumbprint could not be calculated over the provided public key value
     ThumbprintCalculationFailure,
+    /// Signature did not match the expected length (64 bytes)
+    InvalidSignatureLength,
 }
 
 /// A handy macro borrowed from the `signatory` crate that lets library-internal code generate
@@ -66,6 +68,7 @@ impl ErrorKind {
         match self {
             ErrorKind::InvalidPrefix => "Invalid byte prefix",
             ErrorKind::InvalidKeyLength => "Invalid key length",
+            ErrorKind::InvalidSignatureLength => "Invalid signature length",
             ErrorKind::VerifyError => "Signature verification failure",
             ErrorKind::ChecksumFailure => "Checksum match failure",
             ErrorKind::CodecFailure => "Codec failure",

diff --git a/src/lib.rs b/src/lib.rs
@@ -270,6 +270,13 @@ impl KeyPair {
 
     /// Attempts to verify that the given signature is valid for the given input
     pub fn verify(&self, input: &[u8], sig: &[u8]) -> Result<()> {
+        if sig.len() != ed25519::Signature::BYTE_SIZE {
+            return Err(err!(
+                InvalidSignatureLength,
+                "Signature did not match expected length"
+            ));
+        }
+
         let mut fixedsig = [0; ed25519::Signature::BYTE_SIZE];
         fixedsig.copy_from_slice(sig);
         let insig = ed25519::Signature::from_bytes(&fixedsig);
@@ -530,7 +537,7 @@ mod tests {
     }
 
     #[test]
-    fn sign_and_verify_rejects_mismatched_sig() {
+    fn sign_and_verify_rejects_mismatched_input() {
         let user = KeyPair::new_user();
         let msg = b"this is super secret";
 
@@ -539,6 +546,16 @@ mod tests {
         assert!(res.is_err());
     }
 
+    #[test]
+    fn sign_and_verify_rejects_invalid_signature_length() {
+        let kp = KeyPair::new_user();
+        let res = kp.verify(&[], &[]);
+        assert!(res.is_err());
+        if let Err(e) = res {
+            assert_eq!(e.kind(), ErrorKind::InvalidSignatureLength);
+        }
+    }
+
     #[test]
     fn from_public_key_rejects_bad_length() {
         let public_key = "ACARVGW77LDNWYXBAH62YKKQRVHYOTKKDDVVJVOISOU75WQPXOO7N3";