Fix to GenerateChallenge

DenisKarch · DenisKarch · commit f11ed96ad172 · 2019-03-12T11:06:56.000-07:00
crypto/x509 now enforces that rsa public keys must have NULL parameters. The old no longer solves the issue and instead will silently fail when parsing the key, ultimately causing a null pointer dereference at (pubkey := cert.PublicKey.(*rsa.PublicKey)). Currently working with crypto/x509 to add support for RSAES-OAEP keys golang/go#30416
diff --git a/verification/verification.go b/verification/verification.go
@@ -71,8 +71,10 @@ func GenerateChallenge(ekcert []byte, aikpub []byte, secret []byte) (asymenc []b
 	 * The EK certificate has an OID for rsaesOaep which will break
 	 * parsing. Replace it with rsaEncryption instead.
 	 */
-	ekcert = bytes.Replace(ekcert, []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x07}, []byte{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01}, 1)
 	cert, err := x509.ParseCertificate(ekcert)
+	if err != nil {
+		return nil, nil, fmt.Errorf("ParseCertificate failed: %v", err)
+	}
 	pubkey := cert.PublicKey.(*rsa.PublicKey)
 
 	asymplain := []byte{0x00, 0x00, 0x00, 0x06, 0x00, 0xff, 0x00, 0x10}
