Description
t_add_dsc_verify_1300/src/main.nr uses tbs_certificate_len to determine which bytes are passed to sha256_finalize, but the length itself is never included in the output commitment:
comm_out = hash_salt_country_tbs(salt_out, country, tbs_certificate)
A prover can supply an undersized tbs_certificate_len to shorten the range of bytes that get SHA-256'd, potentially excluding authenticated certificate content from the commitment chain.
Root Cause
hash_salt_country_tbs commits to the full 1300-byte tbs_certificate buffer and to salt_out / country, but not to tbs_certificate_len. The length is consumed only by the SHA-256 path (determining which bytes get hashed for RSA verification) and is otherwise unconstrained with respect to the commitment output.
Fix
Either:
- Option A — Include tbs_certificate_len as an explicit field in the hash_salt_country_tbs Poseidon2 hash, or
- Option B — Restructure the commitment to hash only the authenticated prefix (the first tbs_certificate_len bytes) rather than the raw fixed-size buffer.
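The missing binding can be checked outside the circuit with a small model. This is an added example, not code from the project: length-prefixed SHA-256 stands in for Poseidon2, and the function names `comm_current`, `comm_option_a`, `comm_option_b`, `binds_length` and all sample values are constructed for illustration.

```python
import hashlib

TBS_MAX = 1300  # fixed buffer size, taken from the circuit name on the page

def h(*parts: bytes) -> bytes:
    # Stand-in for Poseidon2 (assumption): SHA-256 over length-prefixed parts.
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def signed_digest(tbs: bytes, tbs_len: int) -> bytes:
    # Models the SHA-256 path: only the first tbs_len bytes are hashed.
    return hashlib.sha256(tbs[:tbs_len]).digest()

def comm_current(salt, country, tbs, tbs_len):
    # Behaviour described on the page: tbs_len is not an input to the commitment.
    return h(salt, country, tbs)

def comm_option_a(salt, country, tbs, tbs_len):
    # Option A: the length is an explicit field of the commitment.
    return h(salt, country, tbs, tbs_len.to_bytes(4, "big"))

def comm_option_b(salt, country, tbs, tbs_len):
    # Option B: commit only to the authenticated prefix.
    return h(salt, country, tbs[:tbs_len])

def binds_length(comm, salt, country, tbs, len_a, len_b) -> bool:
    # True when changing only the claimed length changes the commitment.
    return comm(salt, country, tbs, len_a) != comm(salt, country, tbs, len_b)

# Constructed sample witness values (not real certificate data).
SALT = b"\x01" * 32
COUNTRY = b"UTO"
TBS = bytes(i % 251 for i in range(TBS_MAX))
FULL_LEN, SHORT_LEN = 1200, 800

def report() -> dict:
    # Maps each commitment variant to whether it is bound to the length.
    variants = (comm_current, comm_option_a, comm_option_b)
    return {f.__name__: binds_length(f, SALT, COUNTRY, TBS, FULL_LEN, SHORT_LEN)
            for f in variants}

if __name__ == "__main__":
    print(report())
```

The same property (same buffer, two lengths, commitments must differ) is a useful regression test to carry over to the circuit once either option is applied.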