@@ -374,80 +374,94 @@ func signMessage(keyPath string, r io.Reader, w io.Writer) error {
374374}
375375
376376func verifyMessage (r io.Reader , w io.Writer ) error {
377- data , err := io .ReadAll (r )
378- if err != nil {
379- return fmt .Errorf ("read error: %v" , err )
380- }
377+ data , err := io .ReadAll (r )
378+ if err != nil {
379+ return fmt .Errorf ("read error: %v" , err )
380+ }
381381
382- data = bytes .ReplaceAll (data , []byte ("\r \n " ), []byte ("\n " ))
383- data = bytes .ReplaceAll (data , []byte ("\n " ), []byte ("\r \n " ))
384-
385- secureData := memguard .NewBufferFromBytes (data )
386- defer secureData .Destroy ()
382+ data = bytes .ReplaceAll (data , []byte ("\r \n " ), []byte ("\n " ))
383+ data = bytes .ReplaceAll (data , []byte ("\n " ), []byte ("\r \n " ))
387384
388- scanner := bufio .NewScanner (bytes .NewReader (secureData .Bytes ()))
389- var messageBuffer bytes.Buffer
390- var sigBlockLines []string
391- inSigBlock := false
385+ secureData := memguard .NewBufferFromBytes (data )
386+ defer secureData .Destroy ()
392387
393- for scanner .Scan () {
394- line := scanner .Text ()
395- if line == signatureMarker {
396- inSigBlock = true
397- continue
398- }
399- if inSigBlock {
400- sigBlockLines = append (sigBlockLines , line )
401- } else {
402- messageBuffer .WriteString (line )
403- messageBuffer .WriteString ("\r \n " )
404- }
405- }
388+ scanner := bufio .NewScanner (bytes .NewReader (secureData .Bytes ()))
389+ var messageBuffer bytes.Buffer
390+ var sigBlockLines []string
391+ inSigBlock := false
406392
407- messageBytes := messageBuffer .Bytes ()
408- if bytes .HasSuffix (messageBytes , []byte ("\r \n " )) {
409- messageBytes = messageBytes [:len (messageBytes )- 2 ]
410- }
393+ for scanner .Scan () {
394+ line := scanner .Text ()
395+ if line == signatureMarker {
396+ inSigBlock = true
397+ continue
398+ }
399+ if inSigBlock {
400+ sigBlockLines = append (sigBlockLines , line )
401+ } else {
402+ messageBuffer .WriteString (line )
403+ messageBuffer .WriteString ("\r \n " )
404+ }
405+ }
411406
412- secureMessage := memguard .NewBufferFromBytes (messageBytes )
413- defer secureMessage .Destroy ()
407+ messageBytes := messageBuffer .Bytes ()
414408
415- if ! inSigBlock {
416- return errors . New ( "signature marker not found" )
417- }
409+ for bytes . HasSuffix ( messageBytes , [] byte ( " \r \n " )) {
410+ messageBytes = messageBytes [: len ( messageBytes ) - 2 ]
411+ }
418412
419- if len (sigBlockLines ) < 3 {
420- return errors .New ("signature block incomplete" )
421- }
413+ secureMessage := memguard .NewBufferFromBytes (messageBytes )
414+ defer secureMessage .Destroy ()
422415
423- pubKeyHex := sigBlockLines [len (sigBlockLines )- 1 ]
424- sigHex := sigBlockLines [0 ] + sigBlockLines [1 ]
416+ if ! inSigBlock {
417+ return errors .New ("signature marker not found" )
418+ }
425419
426- pubKey , err := hex .DecodeString (pubKeyHex )
427- if err != nil {
428- return fmt .Errorf ("public key could not be decoded" )
429- }
420+ if len (sigBlockLines ) < 3 {
421+ return errors .New ("signature block incomplete" )
422+ }
430423
431- securePubKey := memguard . NewBufferFromBytes ( pubKey )
432- defer securePubKey . Destroy ( )
424+ pubKeyHex := strings . TrimSpace ( sigBlockLines [ len ( sigBlockLines ) - 1 ] )
425+ sigHex := strings . TrimSpace ( sigBlockLines [ 0 ]) + strings . TrimSpace ( sigBlockLines [ 1 ] )
433426
434- signature , err := hex .DecodeString (sigHex )
435- if err != nil {
436- return fmt .Errorf ("signature could not be decoded" )
437- }
427+ if len (pubKeyHex ) != ed25519PublicKeyHexLength {
428+ return fmt .Errorf ("invalid public key length in signature block: expected %d, got %d" , ed25519PublicKeyHexLength , len (pubKeyHex ))
429+ }
430+ if len (sigHex ) != ed25519SignatureHexLength {
431+ return fmt .Errorf ("invalid signature length in signature block: expected %d, got %d" , ed25519SignatureHexLength , len (sigHex ))
432+ }
438433
439- secureSignature := memguard .NewBufferFromBytes (signature )
440- defer secureSignature .Destroy ()
434+ pubKey , err := hex .DecodeString (pubKeyHex )
435+ if err != nil {
436+ return fmt .Errorf ("failed to decode public key: %v" , err )
437+ }
438+ if len (pubKey ) != ed25519 .PublicKeySize {
439+ return fmt .Errorf ("invalid public key size: expected %d bytes, got %d" , ed25519 .PublicKeySize , len (pubKey ))
440+ }
441441
442- isValid := ed25519 .Verify (securePubKey .Bytes (), secureMessage .Bytes (), secureSignature .Bytes ())
443-
444- if isValid {
445- _ , err = fmt .Fprintln (w , "Signature is valid." )
446- } else {
447- _ , err = fmt .Fprintln (w , "Signature is invalid." )
448- }
442+ securePubKey := memguard .NewBufferFromBytes (pubKey )
443+ defer securePubKey .Destroy ()
449444
450- return err
445+ signature , err := hex .DecodeString (sigHex )
446+ if err != nil {
447+ return fmt .Errorf ("failed to decode signature: %v" , err )
448+ }
449+ if len (signature ) != ed25519 .SignatureSize {
450+ return fmt .Errorf ("invalid signature size: expected %d bytes, got %d" , ed25519 .SignatureSize , len (signature ))
451+ }
452+
453+ secureSignature := memguard .NewBufferFromBytes (signature )
454+ defer secureSignature .Destroy ()
455+
456+ isValid := ed25519 .Verify (securePubKey .Bytes (), secureMessage .Bytes (), secureSignature .Bytes ())
457+
458+ if isValid {
459+ _ , err = fmt .Fprintln (w , "Signature is valid." )
460+ } else {
461+ _ , err = fmt .Fprintln (w , "Signature is invalid." )
462+ }
463+
464+ return err
451465}
452466
453467func pad (r io.Reader , size int , w io.Writer ) error {
0 commit comments