Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ECDSA registry signatures aren't reproducible #1237

Open
Ekrekr opened this issue Aug 19, 2024 · 2 comments
Open

ECDSA registry signatures aren't reproducible #1237

Ekrekr opened this issue Aug 19, 2024 · 2 comments

Comments

@Ekrekr
Copy link

Ekrekr commented Aug 19, 2024
edited
Loading

I'm following the guide at https://docs.npmjs.com/about-registry-signatures, and I'm struggling to verify the ECDSA signatures that get published to the NPM registry.

Some example code, that shows things like which hashing algorithm is used for the contents of bundles (I'm just assuming that it's sha256 currently), and whether the keys are base64 encoded using the standard algorithm or the alternate under RFC 4648, would be immensely helpful.

I've written what I have so far below, and would appreciate some help getting it to work. Feel free to add it to your documentation once it does!

package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
)

func downloadPackage(compressedPackage *bytes.Buffer) error {
	resp, err := http.Get("https://registry.npmjs.org/light-cycle/-/light-cycle-1.4.3.tgz")
	if err != nil {
		return fmt.Errorf("package download failed: %v", err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("pacakge download bad status code: %s", resp.Status)
	}

	_, err = io.Copy(compressedPackage, resp.Body)
	if err != nil {
		return fmt.Errorf("failed to read package to buffer: %v", err)
	}

	return nil
}

func verifyPackage(compressedPackage *bytes.Buffer) error {
	// From https://registry.npmjs.org/light-cycle/1.4.3.
	versionSignature := "MEUCIQCX/49atNeSDYZP8betYWEqB0G8zZnIyB7ibC7nRNyMiQIgHosOKHhVTVNBI/6iUNSpDokOc44zsZ7TfybMKj8YdfY="

	// From https://registry.npmjs.org/-/npm/v1/keys.
	publicKey := "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1Olb3zMAFFxXKHiIkQO5cJ3Yhl5i6UPp+IhuteBJbuHcA5UogKo0EWtlWwW6KSaKoTNEYL7JlCQiVnkhBktUgg=="

	// Decode and parse the public key.
	publicKeyBytes, err := base64.StdEncoding.DecodeString(publicKey)
	fmt.Printf("PUBLIC KEY BASE 64 BYTES: %x\n", publicKeyBytes)
	if err != nil {
		return fmt.Errorf("error decoding public key bytes: %v", err)
	}
	parsedPublicKeyUntyped, err := x509.ParsePKIXPublicKey(publicKeyBytes)
	parsedPublicKey := parsedPublicKeyUntyped.(*ecdsa.PublicKey)
	fmt.Printf("PARSED PUBLIC KEY X: %v, Y: %v\n", parsedPublicKey.X, parsedPublicKey.Y)
	if err != nil {
		return fmt.Errorf("error parsing public key: %v", err)
	}

	// Decode the signature.
	versionSignatureBytes, err := base64.StdEncoding.DecodeString(versionSignature)
	fmt.Printf("SIGNATURE BYTES: %x\n", versionSignatureBytes)
	if err != nil {
		return fmt.Errorf("error decoding signature bytes: %v", err)
	}

	// Verify the signature against the package's SHA256 sum.
	// presentSHA256Bytes := md5.Sum(compressedPackage.Bytes())
	presentSHA256Bytes := sha256.Sum256(compressedPackage.Bytes())
	fmt.Printf("PRESENT SHA256: %x\n", presentSHA256Bytes)
	if !ecdsa.VerifyASN1(parsedPublicKey, presentSHA256Bytes[:], versionSignatureBytes) {
		return fmt.Errorf("signature verification failed")
	}
	return nil
}

func main() {
	var compressedPackage bytes.Buffer
	if err := downloadPackage(&compressedPackage); err != nil {
		fmt.Printf("failed to download package: %v", err)
	}
	if err := verifyPackage(&compressedPackage); err != nil {
		fmt.Printf("failed to verify package: %v", err)
	}
}

Currently this outputs:

PUBLIC KEY BASE 64 BYTES: 3059301306072a8648ce3d020106082a8648ce3d03010703420004d4e95bdf3300145c572878889103b9709dd8865e62e943e9f8886eb5e0496ee1dc03952880aa34116b655b05ba29268aa1334460bec9942422567921064b5482
PARSED PUBLIC KEY X: 96302633342102462193322732537154456057293035750541189099858346903022946840289, Y: 99515156681666470022533827122417036293197994443229625834881400620927226172546
SIGNATURE BYTES: 304502210097ff8f5ab4d7920d864ff1b7ad61612a0741bccd99c8c81ee26c2ee744dc8c8902201e8b0e2878554d534123fea250d4a90e890e738e33b19ed37f26cc2a3f1875f6
PRESENT SHA256: a1b59bcdca7b8a6844c48fee7031842fcecec26fb028e4b5cbcb8c055ca0eeaa
failed to verify package: signature verification failed

Thank you for any help!
@maxgtr992

This comment has been minimized.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Ekrekr @maxgtr992 and others