Skip to content

Fix: Cleanup Crypto Issues#30

Merged
sephynox merged 2 commits into
mainfrom
fix/crypto-issues
Jul 7, 2026
Merged

Fix: Cleanup Crypto Issues#30
sephynox merged 2 commits into
mainfrom
fix/crypto-issues

Conversation

@sephynox

@sephynox sephynox commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Summary

Fixes various issues with cryptographic contexts.

Related Issues

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens X.509 ECDSA signature verification to avoid cryptographically-weak “try multiple curves” behavior by requiring verification to use the curve explicitly declared in the issuer’s SubjectPublicKeyInfo, and by only accepting DER-encoded ECDSA signatures as required by X.509/RFC 5480.

Changes:

  • Remove multi-curve ECDSA verification fallback and dispatch verification based on the declared EC named-curve OID in SPKI parameters.
  • Restrict ECDSA signature verification helpers to DER-encoded signatures only, updating/adding tests to enforce the behavior.
  • Add AlgorithmIdentifier::parameters_oid() helpers (DER + RASN backends) and make small refactors in AES/account code paths.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
keetanetwork-x509/tests/builders.rs Adds a regression test ensuring certificate verification requires a declared curve and fails for mismatched/absent curve parameters.
keetanetwork-x509/src/utils.rs Updates ECDSA verification helpers to accept DER-only signatures and removes the multi-curve fallback verifier; adjusts tests accordingly.
keetanetwork-x509/src/certificates.rs Adds verify_ecdsa_declared_curve() and routes ECDSA certificate signature verification through the SPKI-declared curve.
keetanetwork-crypto/src/algorithms/aes_ctr.rs Minor refactor to avoid repeated as_ref() calls and make intermediate values explicit.
keetanetwork-crypto/src/algorithms/aes_common.rs Minor refactor around IV/payload split return value.
keetanetwork-crypto/src/algorithms/aes_cbc.rs Minor refactor to avoid repeated as_ref() calls and make intermediate values explicit.
keetanetwork-asn1/src/rasn.rs Adds AlgorithmIdentifier::parameters_oid() for the RASN backend plus tests.
keetanetwork-asn1/src/der.rs Adds AlgorithmIdentifier::parameters_oid() for the DER backend plus tests.
keetanetwork-account/src/account.rs Minor refactor to avoid repeated as_ref() and make decrypted plaintext explicit.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread keetanetwork-x509/src/certificates.rs Outdated
@sonarqubecloud

sonarqubecloud Bot commented Jul 6, 2026

Copy link
Copy Markdown

@sephynox sephynox merged commit 8f392c8 into main Jul 7, 2026
7 checks passed
@sephynox sephynox mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants