fix DSC Key Smuggling via Unsigned TBS Data [LA-A]#369
Open
x-senpai-x wants to merge 3 commits into main from
Conversation
Contributor
Pull request overview
Adds a missing zero-padding constraint to the 1300-byte DSC verification circuit so that bytes past the signed TBS length cannot be prover-controlled when computing commitments/signature checks.
Changes:
- Import utils::check_zero_padding in t_add_dsc_verify_1300.
- Enforce check_zero_padding(tbs_certificate, tbs_certificate_len) immediately after the existing length upper-bound check.
- Add a clarifying comment explaining the rationale for the constraint.
noir-examples/noir-passport/merkle_age_check/t_add_dsc_verify_1300/src/main.nr
…on, pubkey signed-length bound check added
Summary
- Adds a check_zero_padding(tbs_certificate, tbs_certificate_len) constraint in t_add_dsc_verify_1300 immediately after the length bounds check.
- Imports utils::check_zero_padding, which already exists and is used in the 720-byte path.
Background
The 1300-byte DSC registration circuit splits SHA-256 hashing across two sub-circuits (t_add_dsc_hash_1300 + t_add_dsc_verify_1300) using a pre-computed hash. Unlike the 720-byte path — which calls sig_check_rsa::verify_signature → sha256_and_check_data_to_sign → check_zero_padding automatically — the 1300-byte path passes a pre-computed msg_hash: [u8; 32] directly to fragmented_sig_check_rsa::verify_rsa_signature, which never sees the raw TBS buffer. This meant the zero-padding guard was never applied.
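The following is an added example, not the project's Noir code, that models the two verification paths described above in plain Python so the gap is visible on concrete input. It assumes a fixed-size 1300-byte TBS buffer, a signed prefix of tbs_len bytes, and a commitment computed over the whole buffer; the hashing sub-circuit, the RSA check (a stand-in that only compares digests, mirroring that verify_rsa_signature never sees the raw buffer) and the sample buffers are all constructed for illustration, and the function names are the example's own, not the circuit's.

```python
"""Model of the zero-padding constraint added in this PR.

Added example in plain Python, not the project's Noir code. It models a
fixed-size TBS buffer, a signed prefix of tbs_len bytes and a commitment
taken over the whole buffer. The RSA check is a stand-in that compares
digests; the point is which bytes a prover can vary without changing
what the CA signed.
"""
import hashlib

BUF_LEN = 1300  # fixed buffer size of the 1300-byte path (constructed model)
TBS_LEN = 1000  # signed TBS length chosen for the example (assumption)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def check_zero_padding(tbs: bytes, tbs_len: int) -> None:
    """Constraint: every byte at index >= tbs_len must be zero.
    Without it those bytes are free witness values chosen by the prover."""
    if not 0 <= tbs_len <= len(tbs):
        raise ValueError("tbs_len out of range")
    for i in range(tbs_len, len(tbs)):
        if tbs[i] != 0:
            raise ValueError(f"non-zero byte at unsigned offset {i}")


def commitment(tbs: bytes) -> bytes:
    """Stand-in for a commitment over the *whole* fixed-size buffer (assumption)."""
    return sha256(tbs)


def hash_1300(tbs: bytes, tbs_len: int) -> bytes:
    """Model of the hashing sub-circuit: hashes only the signed prefix."""
    return sha256(tbs[:tbs_len])


def rsa_verify_stub(msg_hash: bytes, ca_signed_digest: bytes) -> None:
    """Stand-in for the RSA check: it only ever sees a 32-byte digest,
    never the raw TBS buffer, so it cannot notice tail bytes."""
    if msg_hash != ca_signed_digest:
        raise ValueError("signature does not cover this digest")


def verify_1300(tbs: bytes, tbs_len: int, msg_hash: bytes,
                ca_signed_digest: bytes, patched: bool) -> bytes:
    """Model of the 1300-byte verify path. `patched` toggles the new constraint."""
    if len(tbs) != BUF_LEN:
        raise ValueError("buffer must be exactly BUF_LEN bytes")
    if tbs_len > BUF_LEN:
        raise ValueError("tbs_len exceeds buffer")      # existing upper-bound check
    if patched:
        check_zero_padding(tbs, tbs_len)                # constraint this PR adds
    rsa_verify_stub(msg_hash, ca_signed_digest)         # blind to tail bytes
    return commitment(tbs)


def verify_720_style(tbs: bytes, tbs_len: int, ca_signed_digest: bytes) -> bytes:
    """Model of the 720-byte path: it hashes the raw buffer itself, and that
    routine applies check_zero_padding on the way (per the PR description)."""
    check_zero_padding(tbs, tbs_len)
    rsa_verify_stub(sha256(tbs[:tbs_len]), ca_signed_digest)
    return commitment(tbs)


def build_buffers() -> tuple:
    """Constructed inputs: an honest buffer, zero-padded past TBS_LEN, and a
    tampered copy whose signed prefix is identical but whose tail is not."""
    signed_prefix = bytes((i * 7 + 3) % 256 for i in range(TBS_LEN))
    honest = signed_prefix + bytes(BUF_LEN - TBS_LEN)
    smuggled = signed_prefix + bytes(0xA5 for _ in range(BUF_LEN - TBS_LEN))
    return honest, smuggled


def demo() -> dict:
    honest, smuggled = build_buffers()
    ca_digest = sha256(honest[:TBS_LEN])  # what the CA "signed" in this model
    out = {}
    # Both buffers hash to the same signed digest, so the signature check passes for both.
    out["same_signed_hash"] = hash_1300(honest, TBS_LEN) == hash_1300(smuggled, TBS_LEN)
    out["honest_commit"] = verify_1300(
        honest, TBS_LEN, hash_1300(honest, TBS_LEN), ca_digest, patched=False)
    # Unpatched: the tampered tail is accepted and changes the commitment.
    out["smuggled_commit_unpatched"] = verify_1300(
        smuggled, TBS_LEN, hash_1300(smuggled, TBS_LEN), ca_digest, patched=False)
    try:
        verify_1300(smuggled, TBS_LEN, hash_1300(smuggled, TBS_LEN), ca_digest, patched=True)
        out["smuggled_rejected_patched"] = False
    except ValueError:
        out["smuggled_rejected_patched"] = True
    try:
        verify_720_style(smuggled, TBS_LEN, ca_digest)
        out["smuggled_rejected_720"] = False
    except ValueError:
        out["smuggled_rejected_720"] = True
    return out


if __name__ == "__main__":
    r = demo()
    print("signed digests equal:", r["same_signed_hash"])
    print("commitments differ when unpatched:", r["honest_commit"] != r["smuggled_commit_unpatched"])
    print("tampered buffer rejected after patch:", r["smuggled_rejected_patched"])
```

The model makes the asymmetry concrete: because the signature check consumes only the 32-byte digest of the signed prefix, it accepts both buffers, and only the commitment over the full buffer differs. Adding check_zero_padding right after the length bound closes that off in the same place the 720-byte path already does.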