Merge pull request #7 from maxraab/mr-add-support-for-hashed-signatures

Add support for verifying hashed signatures

Author: bitbeans

Minisign.Net.Tests/BaseTests.cs

@@ -67,6 +67,29 @@ public void Sign2Test()
             File.Delete(signedFile);
         }
 
+        [Fact]
+        public void ValidateLegacySignature()
+        {
+            var file = Path.Combine("Data", "testfile.jpg");
+            var fileBinary = File.ReadAllBytes(file);
+
+            var minisignSignature = Core.LoadSignatureFromFile(Path.Combine("Data", "test.jpg.minisig"));
+            var minisignPublicKey = Core.LoadPublicKeyFromFile(Path.Combine("Data", "test.pub"));
+
+            Assert.True(Core.ValidateSignature(file, minisignSignature, minisignPublicKey));
+        }
+
+        [Fact]
+        public void ValidateHashedSignature()
+        {
+            var file = Path.Combine("Data", "testfile.jpg");
+            var fileBinary = File.ReadAllBytes(file);
+
+            var minisignSignature = Core.LoadSignatureFromFile(Path.Combine("Data", "test.jpg.minisig-hashed"));
+            var minisignPublicKey = Core.LoadPublicKeyFromFile(Path.Combine("Data", "test2.pub"));
+
+            Assert.True(Core.ValidateSignature(file, minisignSignature, minisignPublicKey));
+        }
 
         [Fact]
         public void LoadSignatureFromStringTest()

Minisign.Net.Tests/Data/test.jpg.minisig-hashed

@@ -0,0 +1,4 @@
+untrusted comment: signature from minisign secret key
+RURkEyeJ3BlJXNvdwel3JozOQ7kDi59j2qqyCo0lqBLL54h8ThExW6T07L2rpO+L4DRTOiiDU+MRd26EZMqcFBUoslWhgvEUpgQ=
+trusted comment: timestamp:1763131221	file:testfile.jpg	hashed
+0SOzbBbowMWp1KAfhLw7P8TtrdTUAflySfHvGTlcoMUedxRW2J3FJ7fF6TSAU55yxsKNjHDUKQocr9YK2IPjAw==

Minisign.Net.Tests/Data/test2.key

@@ -0,0 +1,2 @@
+untrusted comment: minisign encrypted secret key
+RWRTY0IyU6NgdxALuM7TmqLur9Vyow0JO/nq3K4EEgfMzAjsIxIAAAACAAAAAAAAAEAAAAAABSc/wG1tSf1x+XCTAwEImd1ajn3WFnsXo7vaQcV3XWVedffbKLRi5zGI0SdDcICtFgg2FS/gaVi6MAul0MhpD9JzEvJXblEKNQ1xJThMxoIl9loWfIOFFVTG41s5C3WRU4X0xA3y0vQ=

Minisign.Net.Tests/Data/test2.pub

@@ -0,0 +1,2 @@
+untrusted comment: minisign public key 5C4919DC89271364
+RWRkEyeJ3BlJXHYzPYxOBLrCP2/b9hBN7tExRifl7KMX9EQCKuPYt9zR

Minisign.Net.Tests/Minisign.Net.Tests.csproj

@@ -19,12 +19,21 @@
     <Content Include="Data\test.jpg.minisig">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>
+    <Content Include="Data\test.jpg.minisig-hashed">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </Content>
     <Content Include="Data\test.key">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>
     <Content Include="Data\test.pub">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>
+    <Content Include="Data\test2.key">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </Content>
+    <Content Include="Data\test2.pub">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </Content>
     <Content Include="Data\testfile.jpg">
       <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
     </Content>

Minisign.Net/Core.cs

@@ -278,9 +278,7 @@ public static MinisignKeyPair GenerateKeyPair(string password, bool writeOutputF
 		public static bool ValidateSignature(string filePath, MinisignSignature signature, MinisignPublicKey publicKey)
 		{
 			if (filePath != null && !File.Exists(filePath))
-			{
 				throw new FileNotFoundException("could not find filePath");
-			}
 
 			if (signature == null)
 				throw new ArgumentException("missing signature input", nameof(signature));
@@ -289,19 +287,30 @@ public static bool ValidateSignature(string filePath, MinisignSignature signatur
 				throw new ArgumentException("missing publicKey input", nameof(publicKey));
 
 			if (!ArrayHelpers.ConstantTimeEquals(signature.KeyId, publicKey.KeyId)) return false;
-			// load the file into memory
-			var file = LoadMessageFile(filePath);
-			// verify the signature
-			if (PublicKeyAuth.VerifyDetached(signature.Signature, file, publicKey.PublicKey))
+
+
+			if (!signature.IsHashed)
 			{
-				// verify the trusted comment
-				return PublicKeyAuth.VerifyDetached(signature.GlobalSignature,
-					ArrayHelpers.ConcatArrays(signature.Signature, signature.TrustedComment), publicKey.PublicKey);
+				var file = LoadMessageFile(filePath);
+
+				// Legacy: Ed25519(message)
+				if (!PublicKeyAuth.VerifyDetached(signature.Signature, file, publicKey.PublicKey)) return false;
+			}
+			else
+			{
+				// Hashed: Ed25519(Blake2b-512(message))
+				var blake = ComputeBlake2bFileHash(filePath);
+				if (!PublicKeyAuth.VerifyDetached(signature.Signature, blake, publicKey.PublicKey)) return false;
 			}
 
-			return false;
+			// Global signature is the same for both formats
+			return PublicKeyAuth.VerifyDetached(
+				signature.GlobalSignature,
+				ArrayHelpers.ConcatArrays(signature.Signature, signature.TrustedComment),
+				publicKey.PublicKey);
 		}
 
+
 		/// <summary>
 		///     Validate a file with a MinisignSignature and a MinisignPublicKey object.
 		/// </summary>
@@ -325,17 +334,27 @@ public static bool ValidateSignature(byte[] message, MinisignSignature signature
 				throw new ArgumentException("missing publicKey input", nameof(publicKey));
 
 			if (!ArrayHelpers.ConstantTimeEquals(signature.KeyId, publicKey.KeyId)) return false;
-			// verify the signature
-			if (PublicKeyAuth.VerifyDetached(signature.Signature, message, publicKey.PublicKey))
+
+			if (!signature.IsHashed)
+			{
+				// Legacy: Ed25519(message)
+				if (!PublicKeyAuth.VerifyDetached(signature.Signature, message, publicKey.PublicKey)) return false;
+			}
+			else
 			{
-				// verify the trusted comment
-				return PublicKeyAuth.VerifyDetached(signature.GlobalSignature,
-					ArrayHelpers.ConcatArrays(signature.Signature, signature.TrustedComment), publicKey.PublicKey);
+				// Hashed: Ed25519(Blake2b-512(message))
+				var blake = GenericHash.Hash(message, null, 64);
+				if (!PublicKeyAuth.VerifyDetached(signature.Signature, blake, publicKey.PublicKey)) return false;
 			}
 
-			return false;
+			return PublicKeyAuth.VerifyDetached(
+				signature.GlobalSignature,
+				ArrayHelpers.ConcatArrays(signature.Signature, signature.TrustedComment),
+				publicKey.PublicKey);
 		}
 
+
+
 		#endregion
 
 		#region Signature Handling
@@ -430,15 +449,29 @@ public static MinisignSignature LoadSignature(byte[] signature, byte[] trustedCo
 			if (globalSignature == null)
 				throw new ArgumentException("missing globalSignature input", nameof(globalSignature));
 
-			var minisignSignature = new MinisignSignature
+			var result = new MinisignSignature()
 			{
 				SignatureAlgorithm = ArrayHelpers.SubArray(signature, 0, 2),
 				KeyId = ArrayHelpers.SubArray(signature, 2, 8),
-				Signature = ArrayHelpers.SubArray(signature, 10),
 				TrustedComment = trustedComment,
 				GlobalSignature = globalSignature
 			};
-			return minisignSignature;
+
+			var alg = Encoding.UTF8.GetString(result.SignatureAlgorithm);
+				result.IsHashed = alg == "ED";
+
+			if (!result.IsHashed)
+			{
+				// Legacy minisign: Ed + keyid(8) + raw signature
+				result.Signature = ArrayHelpers.SubArray(signature, 10);
+			}
+			else
+			{
+				// Hashed minisign: ED + keyid(8) + signature(64)
+				result.Signature = ArrayHelpers.SubArray(signature, 10, 64);
+			}
+
+			return result;
 		}
 
 		#endregion
@@ -710,6 +743,33 @@ private static byte[] LoadMessageFile(string messageFile)
 			return File.ReadAllBytes(messageFile);
 		}
 
+		/// <summary>
+		///     Computes a BLAKE2b-512 hash of a file without loading it fully into memory.
+		///     Used for hashed minisign signatures.
+		/// </summary>
+		/// <param name="messageFile">Path to the file.</param>
+		/// <returns>64-byte BLAKE2b hash of the file contents.</returns>
+		/// <exception cref="ArgumentException"></exception>
+		/// <exception cref="FileNotFoundException"></exception>
+		/// <exception cref="IOException"></exception>
+		/// <exception cref="SecurityException"></exception>
+		/// <exception cref="UnauthorizedAccessException"></exception>
+		/// <exception cref="DirectoryNotFoundException"></exception>
+		private static byte[] ComputeBlake2bFileHash(string messageFile)
+		{
+			if (messageFile == null)
+				throw new ArgumentException("missing messageFile input", nameof(messageFile));
+
+			if (!File.Exists(messageFile))
+				throw new FileNotFoundException("could not find messageFile");
+
+			using (var stream = File.OpenRead(messageFile))
+			using (var hashStream = new GenericHash.GenericHashAlgorithm((byte[])null, 64))
+			{
+				return hashStream.ComputeHash(stream);
+			}
+		}
+
 		/// <summary>
 		///     Get the current Unix Timestamp.
 		/// </summary>

Minisign.Net/Models/MinisignSignature.cs

@@ -7,5 +7,6 @@ public class MinisignSignature
         public byte[] Signature { get; set; }
         public byte[] GlobalSignature { get; set; }
         public byte[] TrustedComment { get; set; }
+        public bool IsHashed { get; set; }
     }
 }