pk-crypto: Use RFC6979 when signing with an ECC or DSA key.

* guix/pk-crypto.scm (bytevector->hash-data): Add #:key-type parameter.
  Use the 'pkcs1' flag when KEY-TYPE is 'rsa', and 'rfc6979' when
  KEY-TYPE is 'ecc' or 'dsa'.
  (key-type): New procedure.
* guix/scripts/authenticate.scm (read-hash-data): Add 'key-type'
  parameter.  Pass it to 'bytevector->hash-data'.  Adjust caller
  accordingly.
* tests/pk-crypto.scm (%ecc-key-pair): New variable.
  ("key-type"): New test.
  ("sign + verify"): Pass #:key-type to 'bytevector->hash-data'.
  ("sign + verify, Ed25519"): New test.
Ludovic Courtès 2014-03-19 21:40:10 +01:00
parent 0f4139e97e
commit 32a1eb8025
3 changed files with 65 additions and 11 deletions

@ -39,11 +39,12 @@
(call-with-input-file file
(compose string->canonical-sexp get-string-all)))
(define (read-hash-data file)
"Read sha256 hash data from FILE and return it as a gcrypt sexp."
(define (read-hash-data file key-type)
"Read sha256 hash data from FILE and return it as a gcrypt sexp. KEY-TYPE
is a symbol representing the type of public key algo being used."
(let* ((hex (call-with-input-file file get-string-all))
(bv (base16-string->bytevector (string-trim-both hex))))
(bytevector->hash-data bv)))
(bytevector->hash-data bv #:key-type key-type)))
;;;
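Review bot: the new docstring of read-hash-data says only that KEY-TYPE is "a symbol representing the type of public key algo being used", without naming the accepted symbols. The commit message states that bytevector->hash-data selects 'pkcs1' for 'rsa' and 'rfc6979' for 'ecc' or 'dsa', so the docstring should list those three values and say what happens for any other symbol, since that choice determines the signature scheme. Spelling out "algorithm" would also match the rest of the docstring. Note too that key-type is a required positional argument here but a keyword (#:key-type) on bytevector->hash-data; a short comment explaining why the two differ, or making them consistent, would help later callers.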
@ -64,7 +65,7 @@
(leave
(_ "cannot find public key for secret key '~a'~%")
key)))
(data (read-hash-data hash-file))
(data (read-hash-data hash-file (key-type public-key)))
(signature (signature-sexp data secret-key public-key)))
(display (canonical-sexp->string signature))
#t))
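Review bot: in the binding of data, the result of (key-type public-key) is passed straight to read-hash-data with no check at this call site. The visible lines do not show what key-type returns for a key that is neither RSA, ECC nor DSA, so it is unclear whether signing then fails with a clear message or proceeds with an unintended flag. Consider handling that case here with a 'leave' call, in the same style as the "cannot find public key for secret key" error just above, so an unsupported key type is reported before signature-sexp runs. A one-line comment that the type is taken from public-key because it is the key matched to secret-key a few lines earlier would also make the intent explicit.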