Use hash algorithm from signed attributes to hash encapsilated content

rarimo · Jan 2, 2025 · 8e35e2c · 8e35e2c
1 parent 17ed21e
commit 8e35e2c
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 17 deletions.
diff --git a/internal/service/api/handlers/register.go b/internal/service/api/handlers/register.go
@@ -330,12 +330,12 @@ func Register(w http.ResponseWriter, r *http.Request) {
 }
 
 func verifySod(
-		signedAttributes []byte,
-		encapsulatedContent []byte,
-		signature []byte,
-		cert *x509.Certificate,
-		algorithmPair types.AlgorithmPair,
-		cfg *config.VerifierConfig,
+	signedAttributes []byte,
+	encapsulatedContent []byte,
+	signature []byte,
+	cert *x509.Certificate,
+	algorithmPair types.AlgorithmPair,
+	cfg *config.VerifierConfig,
 ) error {
 	if err := validateSignedAttributes(signedAttributes, encapsulatedContent, algorithmPair.HashAlgorithm); err != nil {
 		return &types.SodError{
@@ -396,9 +396,9 @@ func parseCertificate(pemFile []byte) (*x509.Certificate, error) {
 }
 
 func validateSignedAttributes(
-		signedAttributes,
-		encapsulatedContent []byte,
-		hashAlgorithm types.HashAlgorithm,
+	signedAttributes,
+	encapsulatedContent []byte,
+	hashAlgorithm types.HashAlgorithm,
 ) error {
 	signedAttributesASN1 := make([]asn1.RawValue, 0)
 
@@ -415,14 +415,24 @@ func validateSignedAttributes(
 		return errors.Wrap(err, "failed to unmarshal ASN1")
 	}
 
-	h := types.GeneralHash(hashAlgorithm)
-	h.Write(encapsulatedContent)
-	d := h.Sum(nil)
-
 	if len(digestAttr.Digest) == 0 {
 		return errors.New("signed attributes digest values amount is 0")
 	}
 
+	hashAlgorithmFromDigest := types.HashAlgorithmFromSize(len(digestAttr.Digest[0].Bytes))
+	if hashAlgorithmFromDigest != hashAlgorithm {
+		// TODO use log
+		fmt.Printf("found different hash algorithm in signed attr %s\n", hashAlgorithmFromDigest.String())
+		if _, ok := types.IsValidHashAlgorithm(hashAlgorithmFromDigest.String()); ok {
+			fmt.Printf("changing hash algorithm from %s to %s\n", hashAlgorithm.String(), hashAlgorithmFromDigest.String())
+			hashAlgorithm = hashAlgorithmFromDigest
+		}
+	}
+
+	h := types.GeneralHash(hashAlgorithm)
+	h.Write(encapsulatedContent)
+	d := h.Sum(nil)
+
 	if !bytes.Equal(digestAttr.Digest[0].Bytes, d) {
 		return errors.From(
 			errors.New("digest values are not equal"), logan.F{
@@ -436,10 +446,10 @@ func validateSignedAttributes(
 }
 
 func verifySignature(
-		signature []byte,
-		cert *x509.Certificate,
-		signedAttributes []byte,
-		algorithmPair types.AlgorithmPair,
+	signature []byte,
+	cert *x509.Certificate,
+	signedAttributes []byte,
+	algorithmPair types.AlgorithmPair,
 ) error {
 	h := types.GeneralHash(algorithmPair.HashAlgorithm)
 	h.Write(signedAttributes)

diff --git a/internal/types/enums.go b/internal/types/enums.go
@@ -20,6 +20,14 @@ var hashAlgorithmMap = map[string]HashAlgorithm{
 	"SHA512": SHA512,
 }
 
+var hashAlgorithmSizeMap = map[int]HashAlgorithm{
+	20: SHA1,
+	28: SHA224,
+	32: SHA256,
+	48: SHA384,
+	64: SHA512,
+}
+
 func (h HashAlgorithm) String() string {
 	switch h {
 	case SHA1:
@@ -45,6 +53,14 @@ func HashAlgorithmFromString(alg string) HashAlgorithm {
 	return h
 }
 
+func HashAlgorithmFromSize(size int) HashAlgorithm {
+	h, ok := hashAlgorithmSizeMap[size]
+	if !ok {
+		return HashAlgorithm(0)
+	}
+	return h
+}
+
 func IsValidHashAlgorithm(alg string) (HashAlgorithm, bool) {
 	h, ok := hashAlgorithmMap[alg]
 	return h, ok