fix: Backwards compatibility issue when hash length doesn't match algo

taneltm · mrts · commit 308b46c9e17c · 2022-01-19T11:47:34.000+02:00
Resolves WE2-620

Signed-off-by: Tanel Metsar &lt;tanel.metsar@cgi.com&gt;
diff --git a/src/background/actions/TokenSigning/digestCommands.ts b/src/background/actions/TokenSigning/digestCommands.ts
diff --git a/src/background/actions/TokenSigning/sign.ts b/src/background/actions/TokenSigning/sign.ts
@@ -32,12 +32,34 @@ import {
 import ByteArray from "../../../shared/ByteArray";
 import NativeAppService from "../../services/NativeAppService";
 import config from "../../../config";
-import digestCommands from "./digestCommands";
 import errorToResponse from "./errorToResponse";
 import threeLetterLanguageCodes from "./threeLetterLanguageCodes";
 import { throwAfterTimeout } from "../../../shared/utils/timing";
 import tokenSigningResponse from "../../../shared/tokenSigningResponse";
 
+
+const digestCommandToHashFunction = {
+  "sha224":   "SHA-224",
+  "sha256":   "SHA-256",
+  "sha384":   "SHA-384",
+  "sha512":   "SHA-512",
+  "sha3-224": "SHA3-224",
+  "sha3-256": "SHA3-256",
+  "sha3-384": "SHA3-384",
+  "sha3-512": "SHA3-512",
+} as Record<string, string>;
+
+const hashFunctionToLength = {
+  "SHA-224":  28,
+  "SHA-256":  32,
+  "SHA-384":  48,
+  "SHA-512":  64,
+  "SHA3-224": 28,
+  "SHA3-256": 32,
+  "SHA3-384": 48,
+  "SHA3-512": 64,
+} as Record<string, number>;
+
 export default async function sign(
   nonce: string,
   sourceUrl: string,
@@ -53,18 +75,54 @@ export default async function sign(
   const nativeAppService = new NativeAppService();
 
   try {
+    const warnings: Array<string> = [];
     const nativeAppStatus = await nativeAppService.connect();
 
     config.DEBUG && console.log("Sign: connected to native", nativeAppStatus);
 
+    let hashFunction = (
+      Object.keys(digestCommandToHashFunction).includes(algorithm)
+        ? digestCommandToHashFunction[algorithm]
+        : algorithm
+    );
+
+    const expectedHashByteLength = (
+      Object.keys(hashFunctionToLength).includes(hashFunction)
+        ? hashFunctionToLength[hashFunction]
+        : undefined
+    );
+
+    const hashByteArray = new ByteArray().fromHex(hash);
+
+    if (hashByteArray.length !== expectedHashByteLength) {
+      warnings.push(
+        `${algorithm} hash must be ${expectedHashByteLength} bytes long.\n` +
+        `The provided hash was ${hashByteArray.length} bytes long.\n` +
+        "See further details at https://github.com/web-eid/web-eid-webextension#hwcrypto-compatibility"
+      );
+
+      const autodetectedHashFunction = Object.keys(hashFunctionToLength).find((hashFunctionName) => (
+        hashFunctionToLength[hashFunctionName] == hashByteArray.length)
+      );
+
+      if (autodetectedHashFunction) {
+        warnings.push(
+          `Changed the algorithm from ${hashFunction} to ${autodetectedHashFunction} in order to match the hash length`
+        );
+
+        hashFunction = autodetectedHashFunction;
+      }
+    }
+
     const message: NativeSignRequest = {
       command: "sign",
 
       arguments: {
-        hash:         new ByteArray().fromHex(hash).toBase64(),
-        hashFunction: Object.keys(digestCommands).includes(algorithm) ? digestCommands[algorithm] : algorithm,
-        origin:       (new URL(sourceUrl)).origin,
-        certificate:  new ByteArray().fromHex(certificate).toBase64(),
+        hashFunction,
+
+        hash:        hashByteArray.toBase64(),
+        origin:      (new URL(sourceUrl)).origin,
+        certificate: new ByteArray().fromHex(certificate).toBase64(),
 
         ...(lang ? { lang } : {}),
       },
@@ -80,6 +138,8 @@ export default async function sign(
     } else {
       return tokenSigningResponse<TokenSigningSignResponse>("ok", nonce, {
         signature: new ByteArray().fromBase64(response.signature).toHex(),
+
+        warnings,
       });
     }
   } catch (error) {
diff --git a/src/content/content.ts b/src/content/content.ts
@@ -108,7 +108,11 @@ window.addEventListener("message", async (event) => {
 
       window.postMessage(response, event.origin);
     } else {
-      window.postMessage(await send(event.data), event.origin);
+      const response = await send(event.data) as { warnings?: [], [key: string]: any } | void;
+
+      response?.warnings?.forEach((warning) => console.warn(warning));
+
+      window.postMessage(response, event.origin);
     }
   }
 });
diff --git a/src/shared/ByteArray.ts b/src/shared/ByteArray.ts
@@ -32,6 +32,10 @@
 export default class ByteArray {
   data: number[];
 
+  get length(): number {
+    return this.data.length;
+  }
+
   constructor(byteArray?: number[]) {
     this.data = byteArray || [];
   }

Original file line number	Diff line number	Diff line change
`@@ -108,7 +108,11 @@ window.addEventListener("message", async (event) => {`
`108`	`108`
`109`	`109`	`window.postMessage(response, event.origin);`
`110`	`110`	`} else {`
`111`		`- window.postMessage(await send(event.data), event.origin);`
	`111`	`+ const response = await send(event.data) as { warnings?: [], [key: string]: any } \| void;`
	`112`	`+`
	`113`	`+ response?.warnings?.forEach((warning) => console.warn(warning));`
	`114`	`+`
	`115`	`+ window.postMessage(response, event.origin);`
`112`	`116`	`}`
`113`	`117`	`}`
`114`	`118`	`});`