Update to c/image main branch

> go get github.com/containers/image/v5@main > make vendor ... to make sure that we don't regress against Skopeo 1.9.3. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
2025-09-04 08:04:56 +00:00 · 2022-10-20 20:09:25 +02:00
parent bdbb46be5a
commit 5c69302d75
65 changed files with 1864 additions and 855 deletions
--- a/vendor/github.com/sigstore/sigstore/pkg/signature/ecdsa.go
+++ b/vendor/github.com/sigstore/sigstore/pkg/signature/ecdsa.go
@@ -167,6 +167,10 @@ func (e ECDSAVerifier) PublicKey(_ ...PublicKeyOption) (crypto.PublicKey, error)
 //
 // All other options are ignored if specified.
 func (e ECDSAVerifier) VerifySignature(signature, message io.Reader, opts ...VerifyOption) error {
+	if e.publicKey == nil {
+		return errors.New("no public key set for ECDSAVerifier")
+	}
+
 	digest, _, err := ComputeDigestForVerifying(message, e.hashFunc, ecdsaSupportedVerifyHashFuncs, opts...)
 	if err != nil {
 		return err
@@ -181,6 +185,11 @@ func (e ECDSAVerifier) VerifySignature(signature, message io.Reader, opts ...Ver
 		return fmt.Errorf("reading signature: %w", err)
 	}

+	// Without this check, VerifyASN1 panics on an invalid key.
+	if !e.publicKey.Curve.IsOnCurve(e.publicKey.X, e.publicKey.Y) {
+		return fmt.Errorf("invalid ECDSA public key for %s", e.publicKey.Params().Name)
+	}
+
 	if !ecdsa.VerifyASN1(e.publicKey, digest, sigBytes) {
 		return errors.New("invalid signature when validating ASN.1 encoded signature")
 	}