Fedict / eid-mw

eID Middleware (main repository)
GNU Lesser General Public License v3.0

Address signature hash: ASN.1 size and file size mismatched (on new card) #162

Closed PoroCYon closed 2 years ago

PoroCYon commented 2 years ago

This is probably a low-priority issue, as validation still works, but, given the number of bugs and security issues caused by mis-parses of ASN.1, I thought I'd better pass it on anyway.

In my log, the message "W: signature length mismatch between asn.1 encoding and filelength, will use the value in asn.1" can be seen. Apparently, in verify_once(), the hash length inside the ASN.1 message is 0x63+1 (i.e. 101) while the siglen parameter has a value of 104. The code calling this function is here. I couldn't immediately find where addsiglen comes from as the caching stuff made things a bit confusing.

Frederikus commented 2 years ago

Hello,

Thanks for passing this on. The file size is the maximum size that could be needed to contain the signature. As a rekeying of the card is possible, the signature contained in the file can change, but the file itself will not be deleted and recreated, so it will need to have the maximum size. So the ASN.1 length always needs to be used. As we know why this happens, not sure if this needs to be a warning-level message indeed.
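The following is an added example, not part of the thread and not eid-mw code. It shows one way to take the signature length from the ASN.1 header of a fixed-size, padded file while rejecting any encoded length that would run past the file; the function name `der_encoded_len`, the 0x30 tag and the sample buffer are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not from eid-mw): compute how many bytes of a
 * fixed-size file are occupied by the single DER element at its start.
 * Returns 0 and sets *used on success, -1 if the header is malformed or
 * the encoded length does not fit inside the file. */
int der_encoded_len(const unsigned char *buf, size_t filelen, size_t *used)
{
    size_t hdr = 2, len = 0;

    if (buf == NULL || used == NULL || filelen < 2)
        return -1;
    if ((buf[0] & 0x1f) == 0x1f)      /* multi-byte tags not handled here */
        return -1;
    if (buf[1] < 0x80) {              /* short form: length in one byte */
        len = buf[1];
    } else {
        size_t n = buf[1] & 0x7f;     /* long form: n length bytes follow */
        if (n == 0 || n > sizeof(size_t) || filelen - 2 < n)
            return -1;                /* indefinite length or oversized */
        if (buf[2] == 0)
            return -1;                /* leading zero byte: not DER */
        for (size_t i = 0; i < n; i++)
            len = (len << 8) | buf[2 + i];
        if (len < 0x80)
            return -1;                /* should have used the short form */
        hdr += n;
    }
    if (len > filelen - hdr)          /* content would run past the file */
        return -1;
    *used = hdr + len;
    return 0;
}

int main(void)
{
    /* Constructed sample: 104-byte file, tag 0x30 with 0x63 content
     * bytes, remainder of the file left as zero padding. */
    unsigned char file[104] = { 0x30, 0x63 };
    size_t used;

    if (der_encoded_len(file, sizeof file, &used) == 0)
        printf("file=%zu bytes, signature=%zu bytes\n", sizeof file, used);
    return 0;
}
```

A caller that follows this pattern treats the file size only as an upper bound and passes `used` to the verification step, so padding bytes after the element never reach the signature check.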