don't panic on bad ed25519 key lengths

2026-03-10 00:31:54 -07:00 · 2026-02-06 14:01:22 -06:00 · 2026-02-06 14:01:22 -06:00 · 8c828b3cae
commit 8c828b3cae
parent f573e8a266
2 changed files with 6 additions and 0 deletions
--- a/cert/cert_v1.go
+++ b/cert/cert_v1.go
@ -112,6 +112,9 @@ func (c *certificateV1) CheckSignature(key []byte) bool {
 	}
 	switch c.details.curve {
 	case Curve_CURVE25519:
+		if len(key) != ed25519.PublicKeySize {
+			return false //avoids a panic internal to ed25519
+		}
 		return ed25519.Verify(key, b, c.signature)
 	case Curve_P256:
 		pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)
--- a/cert/cert_v2.go
+++ b/cert/cert_v2.go
@ -151,6 +151,9 @@ func (c *certificateV2) CheckSignature(key []byte) bool {

 	switch c.curve {
 	case Curve_CURVE25519:
+		if len(key) != ed25519.PublicKeySize {
+			return false //avoids a panic internal to ed25519
+		}
 		return ed25519.Verify(key, b, c.signature)
 	case Curve_P256:
 		pubKey, err := ecdsa.ParseUncompressedPublicKey(elliptic.P256(), key)