From 0b5940749b2f2e3015ed3257e682666fce9120c6 Mon Sep 17 00:00:00 2001 From: Artem Skriabin Date: Fri, 3 Jan 2025 16:27:15 +0200 Subject: [PATCH] Find encapsulated content hash in signed attributes by oid --- go.mod | 4 +- go.sum | 6 ++ internal/service/api/handlers/register.go | 75 +++++++++++++++-------- 3 files changed, 57 insertions(+), 28 deletions(-) diff --git a/go.mod b/go.mod index 45af64d..4470973 100644 --- a/go.mod +++ b/go.mod @@ -15,7 +15,7 @@ require ( github.com/iden3/go-rapidsnark/types v0.0.3 github.com/iden3/go-rapidsnark/verifier v0.0.5 github.com/pkg/errors v0.9.1 - github.com/rarimo/certificate-transparency-go v0.0.0-20240305114501-050b1f19639a + github.com/rarimo/certificate-transparency-go v0.0.0-20241028131422-3b57d6495419 github.com/rubenv/sql-migrate v1.6.1 github.com/stretchr/testify v1.8.4 gitlab.com/distributed_lab/ape v1.7.1 @@ -45,6 +45,7 @@ require ( github.com/getsentry/sentry-go v0.27.0 // indirect github.com/go-gorp/gorp/v3 v3.1.0 // indirect github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/go-logr/logr v1.4.1 // indirect github.com/go-ole/go-ole v1.3.0 // indirect github.com/google/uuid v1.6.0 // indirect github.com/gorilla/websocket v1.5.0 // indirect @@ -100,5 +101,6 @@ require ( golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect + k8s.io/klog/v2 v2.120.1 // indirect rsc.io/tmplfunc v0.0.3 // indirect ) diff --git a/go.sum b/go.sum index d1795f9..202864e 100644 --- a/go.sum +++ b/go.sum @@ -1427,6 +1427,8 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A= github.com/go-logr/logr v1.2.3/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab/go.mod h1:/P9AEU963A2AYjv4d1V5eVL1CQbEJq6aCNHDDjibzu8= github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8= github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= @@ -1990,6 +1992,8 @@ github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3c github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/rarimo/certificate-transparency-go v0.0.0-20240305114501-050b1f19639a h1:4PfCUdJ8IdegZj2LjFv5qJ8CzXaXTAqgNSJd34a86ac= github.com/rarimo/certificate-transparency-go v0.0.0-20240305114501-050b1f19639a/go.mod h1:9WBW36Eaqp+++3u2TemGbVFqxe7Wpes4H7Ufomqn/DA= +github.com/rarimo/certificate-transparency-go v0.0.0-20241028131422-3b57d6495419 h1:SEDEM+NwYCHH0KkCiik/QiVb4TUJN9XlH6RdvKb1JwA= +github.com/rarimo/certificate-transparency-go v0.0.0-20241028131422-3b57d6495419/go.mod h1:9WBW36Eaqp+++3u2TemGbVFqxe7Wpes4H7Ufomqn/DA= github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/retailnext/hllpp v1.0.1-0.20180308014038-101a6d2f8b52/go.mod h1:RDpi1RftBQPUCDRw6SmxeaREsAaRKnOclghuzp/WRzc= @@ -3103,6 +3107,8 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= +k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= +k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI= diff --git a/internal/service/api/handlers/register.go b/internal/service/api/handlers/register.go index 7a95bf0..7c4432c 100644 --- a/internal/service/api/handlers/register.go +++ b/internal/service/api/handlers/register.go @@ -6,6 +6,7 @@ import ( "encoding/asn1" "encoding/hex" "encoding/pem" + errors3 "errors" "fmt" "math/big" "net/http" @@ -414,44 +415,64 @@ func validateSignedAttributes( return errors.New("signed attributes amount is 0") } - digestAttr := types.DigestAttribute{} - if _, err := asn1.Unmarshal(signedAttributesASN1[len(signedAttributesASN1)-1].FullBytes, &digestAttr); err != nil { - return errors.Wrap(err, "failed to unmarshal ASN1") - } + allErr := make([]error, 0, 2) + // Some countries put encapsulated content hash in the middle of signed attr + // but the most put as last value, so we start from the end + for i := len(signedAttributesASN1) - 1; i >= 0; i-- { + digestAttr := types.DigestAttribute{} + if _, err := asn1.Unmarshal(signedAttributesASN1[i].FullBytes, &digestAttr); err != nil { + allErr = append(allErr, errors.Wrap(err, "failed to unmarshal ASN1")) + continue + } - if len(digestAttr.Digest) == 0 { - return errors.New("signed attributes digest values amount is 0") - } + if len(digestAttr.Digest) == 0 { + allErr = append(allErr, errors.New("signed attributes digest values amount is 0")) + continue + } - hashAlgorithmFromDigest := types.HashAlgorithmFromSize(len(digestAttr.Digest[0].Bytes)) - if hashAlgorithm == nil { - fmt.Printf("passed hash algorithm is nil, using from signed attr: %s\n", hashAlgorithmFromDigest.String()) - hashAlgorithm = &hashAlgorithmFromDigest - } + // we cannot hash some rubbish because it allows to pass illegal encapsulated content + if !digestAttr.ID.Equal(asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 4}) { + allErr = append(allErr, errors.From(errors.New("field is not message digest"), logan.F{ + "oid": digestAttr.ID, + })) + continue + } - if hashAlgorithmFromDigest != *hashAlgorithm { - // TODO use log - fmt.Printf("found different hash algorithm in signed attr %s\n", hashAlgorithmFromDigest.String()) - if _, ok := types.IsValidHashAlgorithm(hashAlgorithmFromDigest.String()); ok { - fmt.Printf("changing hash algorithm from %s to %s\n", hashAlgorithm.String(), hashAlgorithmFromDigest.String()) - *hashAlgorithm = hashAlgorithmFromDigest + maybeHash := digestAttr.Digest[0].Bytes + hashAlgorithmFromDigest := types.HashAlgorithmFromSize(len(maybeHash)) + if hashAlgorithm == nil { + fmt.Printf("passed hash algorithm is nil, using from signed attr: %s\n", hashAlgorithmFromDigest.String()) + hashAlgorithm = &hashAlgorithmFromDigest } - } - h := types.GeneralHash(*hashAlgorithm) - h.Write(encapsulatedContent) - d := h.Sum(nil) + if hashAlgorithmFromDigest != *hashAlgorithm { + // TODO use log + fmt.Printf("found different hash algorithm in signed attr %s\n", hashAlgorithmFromDigest.String()) + if _, ok := types.IsValidHashAlgorithm(hashAlgorithmFromDigest.String()); ok { + fmt.Printf("changing hash algorithm from %s to %s\n", hashAlgorithm.String(), hashAlgorithmFromDigest.String()) + *hashAlgorithm = hashAlgorithmFromDigest + } + } + + h := types.GeneralHash(*hashAlgorithm) + h.Write(encapsulatedContent) + d := h.Sum(nil) + + if bytes.Equal(maybeHash, d) { + return nil + } - if !bytes.Equal(digestAttr.Digest[0].Bytes, d) { - return errors.From( + allErr = append(allErr, errors.From( errors.New("digest values are not equal"), logan.F{ - "signed_attributes": hex.EncodeToString(digestAttr.Digest[0].Bytes), + "maybe_hash": hex.EncodeToString(maybeHash), + "signed_attributes": hex.EncodeToString(signedAttributes), "content_hash": hex.EncodeToString(d), "encapsulated_content": hex.EncodeToString(encapsulatedContent), }, - ) + )) } - return nil + + return errors3.Join(allErr...) } func verifySignature(