Clarify pin.reserve() comment, update extension submodule in mac/js

WE2-1007

Signed-off-by: Mart Somermaa <[email protected]>

Author: mrts

src/controller/command-handlers/authenticate.cpp

@@ -124,10 +124,13 @@ QVariantMap Authenticate::onConfirm(WebEidUI* window,
         const auto signatureAlgorithm =
             QString::fromStdString(cardCertAndPin.cardInfo->eid().authSignatureAlgorithm());
         pcsc_cpp::byte_vector pin;
-        pin.reserve(5 + 16); // Avoid realloc: apdu + pin padding
+        // Reserve space for APDU overhead (5 bytes) + PIN padding (16 bytes) to prevent PIN memory
+        // reallocation. The 16-byte limit comes from the max PIN length of 12 bytes across all card
+        // implementations in lib/libelectronic-id/src/electronic-ids/pcsc/.
+        pin.reserve(5 + 16);
         getPin(pin, cardCertAndPin.cardInfo->eid(), window);
-        const auto signature =
-            createSignature(origin.url(), challengeNonce, cardCertAndPin.cardInfo->eid(), std::move(pin));
+        const auto signature = createSignature(origin.url(), challengeNonce,
+                                               cardCertAndPin.cardInfo->eid(), std::move(pin));
         return createAuthenticationToken(signatureAlgorithm, cardCertAndPin.certificateBytesInDer,
                                          signature);
 

src/controller/command-handlers/sign.cpp

@@ -99,9 +99,13 @@ QVariantMap Sign::onConfirm(WebEidUI* window, const CardCertificateAndPinInfo& c
 {
     try {
         pcsc_cpp::byte_vector pin;
-        pin.reserve(5 + 16); // Avoid realloc: apdu + pin padding
+        // Reserve space for APDU overhead (5 bytes) + PIN padding (16 bytes) to prevent PIN memory
+        // reallocation. The 16-byte limit comes from the max PIN length of 12 bytes across all card
+        // implementations in lib/libelectronic-id/src/electronic-ids/pcsc/.
+        pin.reserve(5 + 16);
         getPin(pin, cardCertAndPin.cardInfo->eid(), window);
-        const auto signature = signHash(cardCertAndPin.cardInfo->eid(), std::move(pin), docHash, hashAlgo);
+        const auto signature =
+            signHash(cardCertAndPin.cardInfo->eid(), std::move(pin), docHash, hashAlgo);
         return {{QStringLiteral("signature"), signature.first},
                 {QStringLiteral("signatureAlgorithm"), signature.second}};