cppki: use appropriate digest algorithm during CMS signature creation (#4785)

oncilla · web-flow · commit 3062768739e5 · 2025-07-03T14:37:10.000Z
Mirror of github/smimesign#97 Pass the public key instead of the marshalled public key to digestAlgorithmForPublicKey in SignedData.AddSignerInfo. Previously, the marshalled public key was passed instead of the actual public key. The result is that always SHA256 was being selected, even for ECDSA where the hash algorithm should be selected based on the curve.
diff --git a/pkg/scrypto/cms/protocol/protocol.go b/pkg/scrypto/cms/protocol/protocol.go
@@ -647,7 +647,7 @@ func (sd *SignedData) AddSignerInfo(chain []*x509.Certificate, signer crypto.Sig
 	if err != nil {
 		return err
 	}
-	digestAlgorithmID := digestAlgorithmForPublicKey(pub)
+	digestAlgorithmID := digestAlgorithmForPublicKey(signer.Public())
 
 	signatureAlgorithmOID, ok := oid.X509PublicKeyAndDigestAlgorithmToSignatureAlgorithm[cert.PublicKeyAlgorithm][digestAlgorithmID.Algorithm.String()] // nolint:lll
 	if !ok {

Original file line number	Diff line number	Diff line change
`@@ -647,7 +647,7 @@ func (sd SignedData) AddSignerInfo(chain []x509.Certificate, signer crypto.Sig`
`647`	`647`	`if err != nil {`
`648`	`648`	`return err`
`649`	`649`	`}`
`650`		`- digestAlgorithmID := digestAlgorithmForPublicKey(pub)`
	`650`	`+ digestAlgorithmID := digestAlgorithmForPublicKey(signer.Public())`
`651`	`651`
`652`	`652`	`signatureAlgorithmOID, ok := oid.X509PublicKeyAndDigestAlgorithmToSignatureAlgorithm[cert.PublicKeyAlgorithm][digestAlgorithmID.Algorithm.String()] // nolint:lll`
`653`	`653`	`if !ok {`