add missing rsapss instance with unusual salt length for Denmark

- add new mock certs - did a terrible things in the SignatureAlgorithm type, might want to refactor later
2026-01-09 14:48:06 -05:00 · 2025-03-08 18:20:07 -08:00
parent 8fb6265955
commit b10667f5fc
12 changed files with 155 additions and 10 deletions
--- a/circuits/circuits/register/instances/register_sha256_sha256_sha256_rsapss_65537_64_2048.circom
+++ b/circuits/circuits/register/instances/register_sha256_sha256_sha256_rsapss_65537_64_2048.circom
@@ -0,0 +1,5 @@
+pragma circom 2.1.9;
+
+include "../register.circom";
+
+component main { public [ merkle_root ] } = REGISTER(256, 256, 46, 120, 35, 512, 128);
--- a/circuits/circuits/utils/passport/signatureAlgorithm.circom
+++ b/circuits/circuits/utils/passport/signatureAlgorithm.circom
@@ -44,6 +44,7 @@ ID to Signature Algorithm
 43: rsapss_sha256_3_2048
 44: ecdsa_sha224_secp224r1_224
 45: rsapss_sha384_65537_2048
+ 46: rsapss_sha256_65537_2048 salt 64
 */


@@ -134,6 +135,8 @@ function getHashLength(signatureAlgorithm) {
        return 224;
    } else if (signatureAlgorithm == 45) {
        return 384;
+    } else if (signatureAlgorithm == 46) {
+        return 256;
    } else {
        assert(1==0);
        return 0;
@@ -229,6 +232,8 @@ function getMinKeyLength(signatureAlgorithm) {
        return 224;
    } else if (signatureAlgorithm == 45) {
        return 2048;
+    } else if (signatureAlgorithm == 46) {
+        return 2048;
    } else {
        assert(1==0);
        return 0;
@@ -323,6 +328,8 @@ function getKLengthFactor(signatureAlgorithm) {
        return 2;
    } else if (signatureAlgorithm == 45) {
        return 1;
+    } else if (signatureAlgorithm == 46) {
+        return 1;
    } else {
        assert(1==0);
        return 0;
@@ -378,6 +385,8 @@ function getExponentBits(signatureAlgorithm) {
        return 2;
    } else if (signatureAlgorithm == 45) {
        return 17;
+    } else if (signatureAlgorithm == 46) {
+        return 17;
    } else {
        assert(1==0);
        return 0;
@@ -442,7 +451,6 @@ function prefixIndexToRSAKeyLength() {
    return keyLengths;
 }

-
 function getValidECDSAPrefixes() {
    var prefixes[13][33];

--- a/circuits/circuits/utils/passport/signatureVerifier.circom
+++ b/circuits/circuits/utils/passport/signatureVerifier.circom
@@ -72,9 +72,11 @@ template SignatureVerifier(signatureAlgorithm, n, k) {
        || signatureAlgorithm == 39
        || signatureAlgorithm == 42
        || signatureAlgorithm == 45
+        || signatureAlgorithm == 46
    ) {
        var pubKeyBitsLength = getMinKeyLength(signatureAlgorithm);
-        var SALT_LEN = HASH_LEN_BITS / 8;
+        // Handle Denmark when salt length is 64 but sha256 is used
+        var SALT_LEN = signatureAlgorithm == 46 ? 64 : HASH_LEN_BITS / 8;
        var E_BITS = getExponentBits(signatureAlgorithm);
        component rsaPss65537ShaVerification = VerifyRsaPss65537Sig(n, k, SALT_LEN, HASH_LEN_BITS, pubKeyBitsLength);
        rsaPss65537ShaVerification.pubkey <== pubKey;
--- a/circuits/tests/dsc/test_cases.ts
+++ b/circuits/tests/dsc/test_cases.ts
@@ -45,6 +45,7 @@ export const fullSigAlgs = [
  { sigAlg: 'ecdsa', hashFunction: 'sha384', domainParameter: 'brainpoolP512r1', keyLength: '512' },
  { sigAlg: 'ecdsa', hashFunction: 'sha512', domainParameter: 'brainpoolP512r1', keyLength: '512' },
  //secp
+  { sigAlg: 'ecdsa', hashFunction: 'sha1', domainParameter: 'secp256r1', keyLength: '256' },
  { sigAlg: 'ecdsa', hashFunction: 'sha256', domainParameter: 'secp256r1', keyLength: '256' },
  { sigAlg: 'ecdsa', hashFunction: 'sha256', domainParameter: 'secp384r1', keyLength: '384' },
  { sigAlg: 'ecdsa', hashFunction: 'sha384', domainParameter: 'secp384r1', keyLength: '384' },
--- a/circuits/tests/register/register.test.ts
+++ b/circuits/tests/register/register.test.ts
@@ -21,17 +21,17 @@ dotenv.config();
 const testSuite = process.env.FULL_TEST_SUITE === 'true' ? fullSigAlgs : sigAlgs;

 testSuite.forEach(
-  ({ dgHashAlgo, eContentHashAlgo, sigAlg, hashFunction, domainParameter, keyLength }) => {
+  ({ dgHashAlgo, eContentHashAlgo, sigAlg, hashFunction, domainParameter, keyLength, saltLength }) => {
    describe(`Register - ${dgHashAlgo.toUpperCase()} ${eContentHashAlgo.toUpperCase()} ${hashFunction.toUpperCase()} ${sigAlg.toUpperCase()} ${
      domainParameter
-    } ${keyLength}`, function () {
+    } ${keyLength}${saltLength ? ` Salt:${saltLength}` : ''}`, function () {
      this.timeout(0);
      let circuit: any;

      const passportData = genMockPassportData(
        dgHashAlgo,
        eContentHashAlgo,
-        `${sigAlg}_${hashFunction}_${domainParameter}_${keyLength}` as SignatureAlgorithm,
+        `${sigAlg}_${hashFunction}_${domainParameter}_${keyLength}${saltLength ? `_${saltLength}` : ''}` as SignatureAlgorithm,
        'FRA',
        '000101',
        '300101'
--- a/circuits/tests/register/test_cases.ts
+++ b/circuits/tests/register/test_cases.ts
@@ -1,12 +1,32 @@
-export const sigAlgs = [
+// Define the interface for test cases with optional saltLength
+export interface TestCase {
+  dgHashAlgo: string;
+  eContentHashAlgo: string;
+  sigAlg: string;
+  hashFunction: string;
+  domainParameter: string;
+  keyLength: string;
+  saltLength?: string; // Optional salt length for RSA-PSS
+}
+
+export const sigAlgs: TestCase[] = [
  {
-    dgHashAlgo: 'sha384',
-    eContentHashAlgo: 'sha384',
-    hashFunction: 'sha384',
+    dgHashAlgo: 'sha256',
+    eContentHashAlgo: 'sha256',
+    hashFunction: 'sha256',
    sigAlg: 'rsapss',
    domainParameter: '65537',
    keyLength: '2048',
+    saltLength: '64' // Denmark case
  },
+  // {
+  //   dgHashAlgo: 'sha512',
+  //   eContentHashAlgo: 'sha512',
+  //   hashFunction: 'sha512',
+  //   sigAlg: 'ecdsa',
+  //   domainParameter: 'secp521r1',
+  //   keyLength: '521',
+  // }, // same problem as other 521s
 ];

 export const fullSigAlgs = [
--- a/common/pubkeys/serialized_dsc_tree.json
+++ b/common/pubkeys/serialized_dsc_tree.json
--- a/common/src/constants/mockCertificates.ts
+++ b/common/src/constants/mockCertificates.ts
@@ -1382,6 +1382,61 @@ T+IT21KRE3H2EOSjTgDoIJ0niJQOLA==
 -----END PRIVATE KEY-----
 `;

+export const mock_dsc_sha256_rsapss_64_65537_2048 = `-----BEGIN CERTIFICATE-----
+MIID9jCCAqqgAwIBAgIUa9oNgj40lpD26sDZ+0t0MqrctnswQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgFAMGAxCzAJBgNVBAYTAkZSMQwwCgYDVQQIDANJREYxDjAMBgNVBAcMBVBh
+cmlzMRIwEAYDVQQKDAlNb2NrIENTQ0ExDDAKBgNVBAsMA1BLSTERMA8GA1UEAwwI
+TW9ja0NTQ0EwHhcNMjUwMzA4MjIxNzU2WhcNMzUwMzA2MjIxNzU2WjBeMQswCQYD
+VQQGEwJGUjEMMAoGA1UECAwDSURGMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwI
+TW9jayBEU0MxDDAKBgNVBAsMA1BLSTEQMA4GA1UEAwwHTW9ja0RTQzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHNiy+eXBHA9rERtX2o75TZhHPyrq+H
+mpW1cuoAlAPKFabRrCGmxZxQY3HvBsBmIMHRDX8N2uodNWEDeIlL0e4Zl7B5j28y
+l+KaZYt5zbcmhwHHQ3XvAcmfy/yQbhxrSM/K0IVJLCTrAOvvLGhWvFqO5TTaN2f0
+LY1+SxQqs1jBjdsGFF/smhC27X8ZqMIynvT//k+hwanKlVlJxQaR2K9fRbVsIfZ2
+Xoytr8ESRwEdTyBqdoJ17X3P6FCRcoRn8CLM1kA6SPcLcQtXZSyTz14qgarFL8Hs
+5JayqXWTv9HQMaSMTf9bvqvmc/5F0VTjp92zFPnuwGcarrXgB0N2XmsCAwEAAaNC
+MEAwHQYDVR0OBBYEFNJdNilIgxU2R8C325jvIODPwFUWMB8GA1UdIwQYMBaAFAE6
+UdAfRGcoWlVWuk+Dcdk8jIXrMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBQAOCAQEAW7PUzrfj
+QYVjFm+agYma1YcETdrZ0NpqIrOZWRlgxBfV9gKzTpV/zn0be140L/HfovNxWwj3
+fN0jNA6KZQWtNkD30xpJ8yGJ7MHKaouSk9SQgdJac+1SsWV1SO6W4k0gCxNMMTpP
+Yf7HLV7PvOwpJCcBF6Qlcym54+mNX3w9niBCz/qlhLkx/AwuKdPQ2XfPmdZD/IWv
+jq4NgP3L6d/0WBN33babaeRMqp0XiOBIHFc+u0Ne9LVnUO7IboQ0+mzmhx0UjSHi
+Gb6ZbZmp6Ib9zdm5pH7dNdB3Ez2hwTAnQH+WurAoj8wiMFwh6tHKs5wWGMkZL/rn
+EHJ/axnrSbSLnw==
+-----END CERTIFICATE-----
+`;
+export const mock_dsc_sha256_rsapss_64_65537_2048_key = `-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzYsvnlwRwPax
+EbV9qO+U2YRz8q6vh5qVtXLqAJQDyhWm0awhpsWcUGNx7wbAZiDB0Q1/DdrqHTVh
+A3iJS9HuGZeweY9vMpfimmWLec23JocBx0N17wHJn8v8kG4ca0jPytCFSSwk6wDr
+7yxoVrxajuU02jdn9C2NfksUKrNYwY3bBhRf7JoQtu1/GajCMp70//5PocGpypVZ
+ScUGkdivX0W1bCH2dl6Mra/BEkcBHU8ganaCde19z+hQkXKEZ/AizNZAOkj3C3EL
+V2Usk89eKoGqxS/B7OSWsql1k7/R0DGkjE3/W76r5nP+RdFU46fdsxT57sBnGq61
+4AdDdl5rAgMBAAECggEAF4aPfE7RZ1hQuern6KKevqdu9DJD8UvZQI4frnc2gIVB
+/peaORWJDHIXuEdnPujG1jA93qv8ZIn6JlYpBiWdjLUvnD0NY9a06E2MwRMenTqA
+jf812bWTNnn+5aBUtX9yfcLlcCCTSsH6QSmt7taEk8uf2DwbGLPj6baof4C1d7ME
+57go1AFCrUrV6tWG4u8iRlFb6ZvSOScnjf8SrrrdDMuXeYvOFCwyD45cUg9bOsTk
+plLzq7DDS5ACBLiLMBRpVj1wWM3TsSrsK6G9byWPkh1mQJ4p1tUajLEYQoXCv9zf
+RsBzLKdsgrJ5P9rxJp+i5fz0n+Z2RvL/Fz60nUSh9QKBgQD0sh+aOY53xLYgtscw
+I8MOIEYn15bO0IXjr2hbAIfOp/Gg1sXkwRCOyNbAgew5eopzDCTnbYy16/8gqjU7
+h4UGrWb9iikXbxXgNs2hYV0fablNupZfDhhabnEGJBlB/qMIC5iOTTC3m+A2h1MG
+C6HAgGi1mqcDwILpFjboDtvOFQKBgQDKwYoOuykY3eLd4VO4E75hqHm61ATXDACg
+9TUbIIVjasrfvJxvwzOjE4yrXh1//5hM8KVz1mvpmwJM/gOITNkVfZxWv55lIVpS
+yZFnu7xV9exjavLNhFHdVJgrOPUZzwFcxjBDh6wsNZgHXHV9J0iEDlgTwZWSe6hD
+Lagxd8kafwKBgQDgdn1S5jVwXHyNqd0ypbuKO8TfS37FnLcVU5Sw1d2+joSyfBHw
+c8ISmN2Wnhfp6iUSwDMiMHYBc8kHV9uZDgnTREHTlmd3Xal9kggzX7Mi28LmMKE7
+9RwV6HW5omehCErZWHnLH7fu1ghpPN3GD+mDQsfKv2ExqejslDotyWOMuQKBgH+v
+knnkc+UtFwoUNNzf0i0+JCr8CnBDJsI2qdMDj/0j688qwHnBvGsejJ//DSTmmcsa
+YZepmRvsem5yKVdUzgEysZoP4nhdoLwyJFfnapvX255gY7f5dHSmKY5OuEwgiQMb
+7Jkaf9r3hV5dY8AFVS2UuvL2HnO5XCWyQxGkFgmRAoGBALpiyix0GA/zfJdH2Sz4
+qqB/ljT/9NASLoP4oK8X0rlKl1jwiNKaBnU7Xd/llO/u6BFwRwLrr1nK1wSAgJVd
+35tk0XEJT4Y+MBmDla2wMt3iUEaUCsXIBA2wKiT/XnnvJ9UmjVAKcnKMsvFPZK57
+AXmKNbIPc2cvVTdGLrkodBOb
+-----END PRIVATE KEY-----
+`;
+
 export const mock_dsc_sha384_ecdsa_brainpoolP256r1 = `-----BEGIN CERTIFICATE-----
 MIIC3zCCAoSgAwIBAgIUKULpD4PsRkzlJAoeRfOf9ujRpbcwCgYIKoZIzj0EAwMw
 YDELMAkGA1UEBhMCRlIxDDAKBgNVBAgMA0lERjEOMAwGA1UEBwwFUGFyaXMxEjAQ
--- a/common/src/mock_certificates/sha256_rsapss_64_65537_2048/mock_dsc.key
+++ b/common/src/mock_certificates/sha256_rsapss_64_65537_2048/mock_dsc.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzYsvnlwRwPax
+EbV9qO+U2YRz8q6vh5qVtXLqAJQDyhWm0awhpsWcUGNx7wbAZiDB0Q1/DdrqHTVh
+A3iJS9HuGZeweY9vMpfimmWLec23JocBx0N17wHJn8v8kG4ca0jPytCFSSwk6wDr
+7yxoVrxajuU02jdn9C2NfksUKrNYwY3bBhRf7JoQtu1/GajCMp70//5PocGpypVZ
+ScUGkdivX0W1bCH2dl6Mra/BEkcBHU8ganaCde19z+hQkXKEZ/AizNZAOkj3C3EL
+V2Usk89eKoGqxS/B7OSWsql1k7/R0DGkjE3/W76r5nP+RdFU46fdsxT57sBnGq61
+4AdDdl5rAgMBAAECggEAF4aPfE7RZ1hQuern6KKevqdu9DJD8UvZQI4frnc2gIVB
+/peaORWJDHIXuEdnPujG1jA93qv8ZIn6JlYpBiWdjLUvnD0NY9a06E2MwRMenTqA
+jf812bWTNnn+5aBUtX9yfcLlcCCTSsH6QSmt7taEk8uf2DwbGLPj6baof4C1d7ME
+57go1AFCrUrV6tWG4u8iRlFb6ZvSOScnjf8SrrrdDMuXeYvOFCwyD45cUg9bOsTk
+plLzq7DDS5ACBLiLMBRpVj1wWM3TsSrsK6G9byWPkh1mQJ4p1tUajLEYQoXCv9zf
+RsBzLKdsgrJ5P9rxJp+i5fz0n+Z2RvL/Fz60nUSh9QKBgQD0sh+aOY53xLYgtscw
+I8MOIEYn15bO0IXjr2hbAIfOp/Gg1sXkwRCOyNbAgew5eopzDCTnbYy16/8gqjU7
+h4UGrWb9iikXbxXgNs2hYV0fablNupZfDhhabnEGJBlB/qMIC5iOTTC3m+A2h1MG
+C6HAgGi1mqcDwILpFjboDtvOFQKBgQDKwYoOuykY3eLd4VO4E75hqHm61ATXDACg
+9TUbIIVjasrfvJxvwzOjE4yrXh1//5hM8KVz1mvpmwJM/gOITNkVfZxWv55lIVpS
+yZFnu7xV9exjavLNhFHdVJgrOPUZzwFcxjBDh6wsNZgHXHV9J0iEDlgTwZWSe6hD
+Lagxd8kafwKBgQDgdn1S5jVwXHyNqd0ypbuKO8TfS37FnLcVU5Sw1d2+joSyfBHw
+c8ISmN2Wnhfp6iUSwDMiMHYBc8kHV9uZDgnTREHTlmd3Xal9kggzX7Mi28LmMKE7
+9RwV6HW5omehCErZWHnLH7fu1ghpPN3GD+mDQsfKv2ExqejslDotyWOMuQKBgH+v
+knnkc+UtFwoUNNzf0i0+JCr8CnBDJsI2qdMDj/0j688qwHnBvGsejJ//DSTmmcsa
+YZepmRvsem5yKVdUzgEysZoP4nhdoLwyJFfnapvX255gY7f5dHSmKY5OuEwgiQMb
+7Jkaf9r3hV5dY8AFVS2UuvL2HnO5XCWyQxGkFgmRAoGBALpiyix0GA/zfJdH2Sz4
+qqB/ljT/9NASLoP4oK8X0rlKl1jwiNKaBnU7Xd/llO/u6BFwRwLrr1nK1wSAgJVd
+35tk0XEJT4Y+MBmDla2wMt3iUEaUCsXIBA2wKiT/XnnvJ9UmjVAKcnKMsvFPZK57
+AXmKNbIPc2cvVTdGLrkodBOb
+-----END PRIVATE KEY-----
--- a/common/src/mock_certificates/sha256_rsapss_64_65537_2048/mock_dsc.pem
+++ b/common/src/mock_certificates/sha256_rsapss_64_65537_2048/mock_dsc.pem
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIID9jCCAqqgAwIBAgIUa9oNgj40lpD26sDZ+0t0MqrctnswQQYJKoZIhvcNAQEK
+MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEF
+AKIDAgFAMGAxCzAJBgNVBAYTAkZSMQwwCgYDVQQIDANJREYxDjAMBgNVBAcMBVBh
+cmlzMRIwEAYDVQQKDAlNb2NrIENTQ0ExDDAKBgNVBAsMA1BLSTERMA8GA1UEAwwI
+TW9ja0NTQ0EwHhcNMjUwMzA4MjIxNzU2WhcNMzUwMzA2MjIxNzU2WjBeMQswCQYD
+VQQGEwJGUjEMMAoGA1UECAwDSURGMQ4wDAYDVQQHDAVQYXJpczERMA8GA1UECgwI
+TW9jayBEU0MxDDAKBgNVBAsMA1BLSTEQMA4GA1UEAwwHTW9ja0RTQzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMHNiy+eXBHA9rERtX2o75TZhHPyrq+H
+mpW1cuoAlAPKFabRrCGmxZxQY3HvBsBmIMHRDX8N2uodNWEDeIlL0e4Zl7B5j28y
+l+KaZYt5zbcmhwHHQ3XvAcmfy/yQbhxrSM/K0IVJLCTrAOvvLGhWvFqO5TTaN2f0
+LY1+SxQqs1jBjdsGFF/smhC27X8ZqMIynvT//k+hwanKlVlJxQaR2K9fRbVsIfZ2
+Xoytr8ESRwEdTyBqdoJ17X3P6FCRcoRn8CLM1kA6SPcLcQtXZSyTz14qgarFL8Hs
+5JayqXWTv9HQMaSMTf9bvqvmc/5F0VTjp92zFPnuwGcarrXgB0N2XmsCAwEAAaNC
+MEAwHQYDVR0OBBYEFNJdNilIgxU2R8C325jvIODPwFUWMB8GA1UdIwQYMBaAFAE6
+UdAfRGcoWlVWuk+Dcdk8jIXrMEEGCSqGSIb3DQEBCjA0oA8wDQYJYIZIAWUDBAIB
+BQChHDAaBgkqhkiG9w0BAQgwDQYJYIZIAWUDBAIBBQCiAwIBQAOCAQEAW7PUzrfj
+QYVjFm+agYma1YcETdrZ0NpqIrOZWRlgxBfV9gKzTpV/zn0be140L/HfovNxWwj3
+fN0jNA6KZQWtNkD30xpJ8yGJ7MHKaouSk9SQgdJac+1SsWV1SO6W4k0gCxNMMTpP
+Yf7HLV7PvOwpJCcBF6Qlcym54+mNX3w9niBCz/qlhLkx/AwuKdPQ2XfPmdZD/IWv
+jq4NgP3L6d/0WBN33babaeRMqp0XiOBIHFc+u0Ne9LVnUO7IboQ0+mzmhx0UjSHi
+Gb6ZbZmp6Ib9zdm5pH7dNdB3Ez2hwTAnQH+WurAoj8wiMFwh6tHKs5wWGMkZL/rn
+EHJ/axnrSbSLnw==
+-----END CERTIFICATE-----
--- a/common/src/scripts/generateCertificates.sh
+++ b/common/src/scripts/generateCertificates.sh
@@ -262,6 +262,7 @@ generate_certificate csca sha256 rsapss 32 65537 2048
 generate_certificate csca sha256 rsapss 32 65537 3072
 generate_certificate dsc sha256 rsapss 32 65537 4096 --signer sha256_rsapss_32_65537_4096
 generate_certificate dsc sha256 rsapss 32 65537 2048 --signer sha256_rsapss_32_65537_2048
+generate_certificate dsc sha256 rsapss 64 65537 2048 --signer sha256_rsapss_32_65537_2048 # DMK
 generate_certificate dsc sha256 rsapss 32 65537 3072 --signer sha256_rsapss_32_65537_3072
 generate_certificate csca sha256 rsapss 32 3 4096
 generate_certificate csca sha256 rsapss 32 3 3072
--- a/common/src/utils/types.ts
+++ b/common/src/utils/types.ts
@@ -21,6 +21,7 @@ export type SignatureAlgorithm =
  | 'rsa_sha256_65537_2048'
  | 'rsa_sha384_65537_4096'
  | 'rsapss_sha256_65537_2048'
+  | 'rsapss_sha256_65537_2048_64'
  | 'rsapss_sha256_3_4096'
  | 'rsapss_sha256_3_3072'
  | 'rsapss_sha384_65537_3072'