Skip to content

Fix issue #18: Handle tokens without algorithm in protected headers#52

Open
kallal79 wants to merge 1 commit intoveraison:mainfrom
kallal79:fix/issue-18-compile-token-verification
Open

Fix issue #18: Handle tokens without algorithm in protected headers#52
kallal79 wants to merge 1 commit intoveraison:mainfrom
kallal79:fix/issue-18-compile-token-verification

Conversation

@kallal79
Copy link
Copy Markdown

@kallal79 kallal79 commented Oct 3, 2025

This PR fixes issue #18 where tokens created by compile_token or other tools without algorithm information in protected headers could not be verified.

Problem

The original Evidence.Verify() function required the algorithm to be present in the COSE protected headers. When the algorithm was missing, verification would fail with an Error fetching alg message.

Solution

  • Algorithm Inference: When protected.Algorithm() fails, the function now attempts to infer the algorithm from the public key type
  • Supported Key Types: ECDSA keys (P-256 to ES256, P-384 to ES384, P-521 to ES512), EdDSA keys to EdDSA, RSA keys to PS256, Fallback to ES256 for unknown key types
  • Backward Compatibility: Properly formed tokens with algorithm in protected headers continue to work as before

Changes

  1. Modified Evidence.Verify() to handle missing algorithm gracefully
  2. Added inferAlgorithmFromPublicKey() helper function with support for multiple key types
  3. Exported InferAlgorithmFromPublicKey() for testing purposes
  4. Added comprehensive tests covering the fix and algorithm inference functionality

Testing

  • All existing tests continue to pass
  • New tests verify algorithm inference for different key types
  • Regression tests ensure normal verification still works

Fixes #18

@kallal79
Fix issue veraison#18: Handle tokens without algorithm in protected h…
6b048fb 
…eaders

- Add algorithm inference from public key type when algorithm is missing
  from protected headers (e.g., tokens created by compile_token)
- Support ECDSA (ES256/384/512), EdDSA, and RSA (PS256) keys
- Maintain backward compatibility with properly formed tokens
- Add comprehensive tests for algorithm inference functionality
- Export InferAlgorithmFromPublicKey for testing purposes

This fixes the 'Error fetching alg' issue when verifying tokens that
don't have algorithm information in their protected COSE headers.

Signed-off-by: Kallal Mukherjee <ritamukherje62@gmail.com>
@kallal79 kallal79 force-pushed the fix/issue-18-compile-token-verification branch from 9d1137f to 6b048fb Compare October 3, 2025 21:13
@kallal79
Copy link
Copy Markdown
Author

kallal79 commented Oct 3, 2025

@thomas-fossati @yogeshbdeshpande @setrofim Fixes #18 by inferring alg from public key when missing in protected headers. All checks passed. Regression tests confirm compatibility.

Requesting review and assignment. Happy to clarify.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

BUG: The token created by compile_token can not be verified by psatoken.Verify

1 participant

@kallal79