Hashed payload is not properly handled

cardano-foundation / cardano-verify-datasignature

A lightweight typescript library to verify a cip30 datasignature

Apache License 2.0

17 stars 7 forks source link

Hashed payload is not properly handled #18

Open yushih opened 1 week ago

yushih commented 1 week ago

Per CIP8, if there is a hashed protected header with the value true in the cose_sign1 structure, the payload is blake2b224-hashed. But currently, this lib is not handling this and I have to manually blake2b224-hash the payload before passing it to the verification function.

yushih commented 1 week ago

I see that the message must be non-hex in order to be hashed: https://github.com/cardano-foundation/cardano-verify-datasignature/blob/e499642453fa16bb7a8723969f8719624c657a7a/index.ts#L121

But the test !/^[0-9a-fA-F]+$/.test(message)) might be problematic. What if the message is the word "beef" ? It would be falsely treated as a hex.