fix: use SHA384 for ECDSA P384 (#629)

mrjoelkamp · kommendorkapten · web-flow · commit a5740b41676d · 2024-04-02T15:38:42.000+03:00
Signed-off-by: mrjoelkamp &lt;joel.kamp@docker.com&gt;
Co-authored-by: Fredrik Skogman &lt;kommendorkapten@github.com&gt;
diff --git a/metadata/keys.go b/metadata/keys.go
@@ -38,6 +38,7 @@ const (
 	KeyTypeRSASSA_PSS_SHA256      = "rsa"
 	KeySchemeEd25519              = "ed25519"
 	KeySchemeECDSA_SHA2_P256      = "ecdsa-sha2-nistp256"
+	KeySchemeECDSA_SHA2_P384      = "ecdsa-sha2-nistp384"
 	KeySchemeRSASSA_PSS_SHA256    = "rsassa-pss-sha256"
 )
 
diff --git a/metadata/metadata.go b/metadata/metadata.go
@@ -312,7 +312,14 @@ func (meta *Metadata[T]) VerifyDelegate(delegatedRole string, delegatedMetadata
 		// use corresponding hash function for key type
 		hash := crypto.Hash(0)
 		if key.Type != KeyTypeEd25519 {
-			hash = crypto.SHA256
+			switch key.Scheme {
+			case KeySchemeECDSA_SHA2_P256:
+				hash = crypto.SHA256
+			case KeySchemeECDSA_SHA2_P384:
+				hash = crypto.SHA384
+			default:
+				hash = crypto.SHA256
+			}
 		}
 		// load a verifier based on that key
 		verifier, err := signature.LoadVerifier(publicKey, hash)

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ const (`
`38`	`38`	`KeyTypeRSASSA_PSS_SHA256 = "rsa"`
`39`	`39`	`KeySchemeEd25519 = "ed25519"`
`40`	`40`	`KeySchemeECDSA_SHA2_P256 = "ecdsa-sha2-nistp256"`
	`41`	`+ KeySchemeECDSA_SHA2_P384 = "ecdsa-sha2-nistp384"`
`41`	`42`	`KeySchemeRSASSA_PSS_SHA256 = "rsassa-pss-sha256"`
`42`	`43`	`)`
`43`	`44`