veraison / go-cose

Go library for CBOR Object Signing and Encryption (COSE)
Mozilla Public License 2.0

Invalid COSE_Sign1 messages are not rejected #29

Closed qmuntal closed 2 years ago

qmuntal commented 2 years ago

First issue spotted by the fuzz tests!

Sign1Message.UnmarshalCBOR does not check that the message strictly follows the COSE_Sign1 definition. It does check for the presence of COSE_Sign1_Tagged.

What did you do?

package main

import "github.com/veraison/go-cose"

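func main() {
    // The literal below is the six bytes d2 84 f7 f7 f7 f7: its first character is
    // U+0484, whose UTF-8 encoding is d2 84 (CBOR tag 18, then an array of 4 items),
    // and each \xf7 is the CBOR simple value "undefined".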
    b := []byte("҄\xf7\xf7\xf7\xf7")
    var msg cose.Sign1Message
    err := msg.UnmarshalCBOR(b)
    if err == nil {
        panic("error expected!")
    }
}

What did you expect to see?

UnmarshalCBOR returns an error due to a malformed COSE_Sign1 message.

What did you see instead?

UnmarshalCBOR does not return an error.

Notice that the []byte("҄\xf7\xf7\xf7\xf7") input has a valid COSE_Sign1_Tagged prefix but an invalid protected header, as per RFC 8152, Section 3.
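The strictness this report asks for, as an added example (not go-cose's code and not the change in #30): a standard-library-only Go check of the COSE_Sign1_Tagged layout from RFC 8152, including the Section 3 rule that the protected header is a bstr that is empty or wraps exactly one map. The names `item` and `checkSign1`, the restriction to definite-length CBOR and the shortest-form `d2 84` prefix are assumptions of this example.

```go
package main

import "fmt"

// item returns major type, head size and total size of the CBOR item at b[0]; size 0 = malformed.
func item(b []byte) (major byte, hn, size int) {
	if len(b) == 0 || b[0]&0x1f > 27 { // empty, reserved or indefinite length
		return 0, 0, 0
	}
	major, hn, arg := b[0]>>5, 1, uint64(b[0]&0x1f)
	if arg >= 24 { // argument is in the next 1, 2, 4 or 8 bytes, big-endian
		hn, arg = hn+1<<(arg-24), 0
		for i := 1; i < hn && i < len(b); i++ {
			arg = arg<<8 | uint64(b[i])
		}
	}
	if hn > len(b) || (major >= 2 && major <= 5 && arg > uint64(len(b)-hn)) {
		return 0, 0, 0 // head or declared content runs past the input
	}
	size = hn + int(map[byte]uint64{2: arg, 3: arg}[major]) // string bytes
	for kids := map[byte]uint64{4: arg, 5: 2 * arg, 6: 1}[major]; kids > 0; kids-- {
		_, _, n := item(b[size:]) // array elements, map keys and values, tag content
		if n == 0 {
			return 0, 0, 0
		}
		size += n
	}
	return major, hn, size
}

// checkSign1 enforces 18([protected bstr, unprotected map, payload bstr/nil, signature bstr]).
func checkSign1(b []byte) error {
	if _, _, n := item(b); n != len(b) || n < 2 || b[0] != 0xd2 || b[1] != 0x84 {
		return fmt.Errorf("not one well-formed CBOR item with the tag 18, array(4) prefix")
	}
	b = b[2:]
	for i, want := range []byte{2, 5, 2, 2} { // major types: bstr, map, bstr, bstr
		major, hn, size := item(b)
		inner, _, n := item(b[hn:size]) // for a bstr: the item its content starts with
		if (major != want && !(i == 2 && b[0] == 0xf6)) || (i == 0 && size > hn && (inner != 5 || n != size-hn)) {
			return fmt.Errorf("element %d violates the COSE_Sign1 layout", i)
		}
		b = b[size:]
	}
	return nil
}

func main() {
	fmt.Println(checkSign1([]byte("\xd2\x84\xf7\xf7\xf7\xf7"))) // the input from the issue
}
```

`item` recurses once per nesting level, so a decoder exposed to untrusted input should also cap nesting depth.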

shizhMSFT commented 2 years ago

Addressed by #30