You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In the dev branch, when T_COSE_OPT_DECODE_ONLY is set but T_COSE_OPT_VERIFY_ALL_SIGNATURES is clear, the verification fails when multiple signatures exist and one succeeds and another fails.
if(me->option_flags & (T_COSE_OPT_VERIFY_ALL_SIGNATURES | T_COSE_OPT_DECODE_ONLY)) {
if(return_value == T_COSE_ERR_DECLINE) {
/* When verifying all, there can be no declines.
* Also only decoding (not verifying) there can be
* no declines because every signature must be
* decoded so its parameters can be returned.
* TODO: is this really true? It might be OK to
* only decode some as long as the caller knows
* that some weren't decoded. How to indicate this
* if it happens? An error code? A special
* indicator parameter in the returned list?
*/
break;
Specifically, setting T_COSE_OPT_DECODE_ONLY causes it to take the T_COSE_OPT_VERIFY_ALL_SIGNATURES code path and fail unless all succeed, which breaks the ability to compute auxiliary buffer size (by using T_COSE_OPT_DECODE_ONLY) in the just-one-success-needed case.
The text was updated successfully, but these errors were encountered:
In the dev branch, when T_COSE_OPT_DECODE_ONLY is set but T_COSE_OPT_VERIFY_ALL_SIGNATURES is clear, the verification fails when multiple signatures exist and one succeeds and another fails.
The root cause seems to be in
https://github.com/laurencelundblade/t_cose/blob/dev/src/t_cose_sign_verify.c#L284
Specifically, setting T_COSE_OPT_DECODE_ONLY causes it to take the T_COSE_OPT_VERIFY_ALL_SIGNATURES code path and fail unless all succeed, which breaks the ability to compute auxiliary buffer size (by using T_COSE_OPT_DECODE_ONLY) in the just-one-success-needed case.
The text was updated successfully, but these errors were encountered: