go-jose icon indicating copy to clipboard operation
go-jose copied to clipboard

Published 20 hours ago verified publisher icon square

Wrong error returned when verifying

Open makon opened this issue 2 years ago • 2 comments

I just noticed that DetachedVerify does not return the more detailed errors from computeAuthData or verifyPayload, but always returns the ErrCryptoFailure instead.

This is a significant loss of information, so I wanted to ask if this is intended (information hiding) or a bug?

https://github.com/square/go-jose/blob/c9ac459e06bc9a5ab7efd5d3b3f421d6de27401f/signing.go#L373-L384

makon avatar Aug 30 '21 12:08 makon

That was intentional, I didn't want to it to potentially leak information (e.g. padding oracle).

csstaub avatar Aug 30 '21 15:08 csstaub

I understand, it took me at least 2 hours to figure out what was wrong with my code. Only because I kept getting the same error until I researched further in the library and finally got the real cause as information

I'm not sure if it should be the responsibility of the user of the library to decide which errors to return and which not? Probably better to make it fail safe by default, but I would expect at least a hint in the methods' documentations. What do you think?

makon avatar Aug 30 '21 15:08 makon