David Howells <[email protected]> wrote:
> Also, we probably don't actually need to copy the authattrs, just retain a
> pointer into the source buffer and the length since we don't intend to keep
> the digest around beyond the verification procedure. So I might be able to
> get away with just a flag saying I don't need to free it.
Actually, we probably do need to copy it. The problem is that we have to
modify the tag on the authenticatedAttributes (PKCS#7)/signedAttrs (CMS) blob
before we digest it, e.g. in pkcs7_digest():

	memcpy(sig->digest, sinfo->authattrs, sinfo->authattrs_len);
	((u8 *)sig->digest)[0] = ASN1_CONS_BIT | ASN1_SET;

as specified in RFC9882 and other places:

	3.2. Signature Generation and Verification
	...
	When signed attributes are included, ML-DSA (pure mode) signatures are
	computed over the complete DER encoding of the SignedAttrs value
	contained in the SignerInfo's signedAttrs field. As described in
	Section 5.4 of [RFC5652], this encoding includes the tag and length
	octets, but an EXPLICIT SET OF tag is used rather than the IMPLICIT
	[0] tag that appears in the final message. ...

We might be able to get away with modifying it in place - but I don't know
that that's true for all users.
David
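As an added illustration, not kernel code and not part of the message above: a self-contained C routine that performs the same copy-and-retag step as the pkcs7_digest() lines quoted, writing into a separate buffer so the caller's signedAttrs stay untouched, and first checking that the input is exactly one well-formed [0] IMPLICIT element so the length octets carried into the digested copy still match its contents. The DER_* constants, the function names and the sample blob are defined here for the example (the blob is constructed, not taken from a real message).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DER_CLASS_CONTEXT 0x80	/* context-specific class bits */
#define DER_CONS_BIT	  0x20	/* constructed encoding */
#define DER_TAG_SET	  0x11	/* universal SET / SET OF */

/* Constructed sample: [0] IMPLICIT { SEQUENCE { OID 1.2.3.4, SET { NULL } } } */
const uint8_t sample_signed_attrs[13] = {
	0xa0, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x2a, 0x03, 0x04, 0x31, 0x02, 0x05, 0x00
};

/* Decode DER length octets at p; returns octets consumed (0 if malformed or
 * non-minimal) and stores the content length in *len. */
static size_t der_read_len(const uint8_t *p, size_t avail, size_t *len)
{
	size_t n, i, v = 0;

	if (avail < 1)
		return 0;
	if (p[0] < 0x80) {		/* short form */
		*len = p[0];
		return 1;
	}
	n = p[0] & 0x7f;		/* long form: n following octets */
	if (n == 0 || n > sizeof(size_t) || avail < 1 + n)
		return 0;
	for (i = 0; i < n; i++)
		v = (v << 8) | p[1 + i];
	if (v < 0x80 || p[1] == 0)	/* DER forbids non-minimal lengths */
		return 0;
	*len = v;
	return 1 + n;
}

/* Copy the [0] IMPLICIT signedAttrs element to out and retag it as SET OF for
 * digesting. Returns bytes written, or 0 if in is not exactly one well-formed
 * [0] element or out is too small. Only the tag octet changes. */
size_t retag_signed_attrs(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
	size_t len, hdr;

	if (in_len < 2 || in[0] != (DER_CLASS_CONTEXT | DER_CONS_BIT | 0))
		return 0;
	hdr = der_read_len(in + 1, in_len - 1, &len);
	if (hdr == 0 || 1 + hdr + len != in_len || in_len > out_cap)
		return 0;
	memcpy(out, in, in_len);
	out[0] = DER_CONS_BIT | DER_TAG_SET;	/* 0x31, as pkcs7_digest() writes */
	return in_len;
}
```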