c2pa-rs Data hash verification does not respect assertion's alg field

Data hash verification does not respect assertion's alg field

Open cyraxx opened this issue 5 months ago • 0 comments

Taken from the spec regarding the alg field in data-hash-map: (emphasis mine)

? "alg":tstr .size (1..max-tstr-length) ; A string identifying the cryptographic hash algorithm used to compute the hash in this assertion, taken from the C2PA hash algorithm identifier list. If this field is absent, the hash algorithm is taken the alg value of the enclosing structure. If both are present, the field in this structure is used. If no value is present in any of these places, this structure is invalid; there is no default.

However, data_hash.verify_hash() only uses the supplied alg parameter from the claim, not self.alg: https://github.com/contentauth/c2pa-rs/blob/d7868aa6e343ac44cae691d84d8b6a404beb8db9/sdk/src/assertions/data_hash.rs#L222

Notably, verify_stream_hash() seems to do it correctly: https://github.com/contentauth/c2pa-rs/blob/d7868aa6e343ac44cae691d84d8b6a404beb8db9/sdk/src/assertions/data_hash.rs#L239-L245

Aug 30 '24 10:08 cyraxx

c2pa-rs c2pa-rs copied to clipboard

Data hash verification does not respect assertion's alg field

c2pa-rs
c2pa-rs copied to clipboard