fix: populate common_name in CertificateInfo for CAWG identity assertions #2126
Open
rajat-2023 wants to merge 2 commits into
Problem

`cawg.identity.signature_info.common_name` is always absent when verifying a CAWG identity assertion, even when the signing certificate has a valid CN. The top-level manifest `signature.common_name` (standard C2PA) works correctly because it uses a different code path.

Root Cause

Two divergent code paths exist in `c2pa`:

- `src/cose_validator.rs` → `get_signing_info()` (standard C2PA manifest signatures) calls `extract_common_name_from_cert()` and sets `common_name` in `CertificateInfo`. ✅
- `src/crypto/cose/verifier.rs` → `verify_signature()` (CAWG identity assertions) builds `CertificateInfo` with `..Default::default()`, leaving `common_name: None`. ❌

The `CertificateInfo` struct (`certificate_info.rs:38`) has `pub common_name: Option<String>` defined, and `cose_validator.rs` correctly populates it. But when `verifier.rs` was introduced in #801 (Dec 2024) to handle the CAWG identity verification path, `common_name` was never ported over.

Fix

Extract `common_name` from the end-entity cert's subject in `verifier.rs`, using the same `x509_parser` approach already used for `issuer_org` just above.

Testing

Verified by:

- `c2patool file.jpeg -d` shows `cawg.identity.signature_info` with `alg`, `issuer`, `cert_serial_number` but no `common_name`
- `common_name: "rajat customer"` appears correctly
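
Added example, not part of the pull request or the c2pa code base: a std-only Rust walk of a DER-encoded certificate subject that returns the first commonName as `Option<String>`, the type of `CertificateInfo.common_name`, so a subject without a CN yields `None` instead of an error. The PR uses `x509_parser` for this step; the function names and the sample subject bytes below are constructed for illustration.

```rust
// Added example (std only; the PR uses x509_parser). Names and bytes are constructed.
const OID_CN: &[u8] = &[0x55, 0x04, 0x03]; // 2.5.4.3 commonName
// Constructed subjects: "O=Example Org, CN=Example Signer" and "O=Example Org" only.
const WITH_CN: &[u8] = b"\x30\x2f\x31\x14\x30\x12\x06\x03\x55\x04\x0a\x13\x0bExample Org\x31\x17\x30\x15\x06\x03\x55\x04\x03\x0c\x0eExample Signer";
const NO_CN: &[u8] = b"\x30\x16\x31\x14\x30\x12\x06\x03\x55\x04\x0a\x13\x0bExample Org";

/// Reads one DER TLV and returns (tag, value, remainder); lengths up to 4 bytes.
fn read_tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = buf.split_first()?;
    let (&first, rest) = rest.split_first()?;
    let (len, rest) = if first < 0x80 {
        (first as usize, rest)
    } else {
        let n = (first & 0x7f) as usize;
        if n == 0 || n > 4 || rest.len() < n { return None; }
        (rest[..n].iter().fold(0usize, |a, &b| (a << 8) | b as usize), &rest[n..])
    };
    if rest.len() < len { return None; } // truncated input
    Some((tag, &rest[..len], &rest[len..]))
}

/// First commonName in a DER Name; None if absent or malformed.
fn common_name_from_subject(name_der: &[u8]) -> Option<String> {
    let (tag, mut rdns, _) = read_tlv(name_der)?;
    if tag != 0x30 { return None; } // Name ::= SEQUENCE OF RDN
    while !rdns.is_empty() {
        let (tag, mut atvs, rest) = read_tlv(rdns)?;
        if tag != 0x31 { return None; } // RDN ::= SET OF AttributeTypeAndValue
        rdns = rest;
        while !atvs.is_empty() {
            let (tag, atv, rest) = read_tlv(atvs)?;
            if tag != 0x30 { return None; }
            atvs = rest;
            let (oid_tag, oid, value) = read_tlv(atv)?;
            if oid_tag != 0x06 || oid != OID_CN { continue; } // not a CN attribute
            let (vtag, val, _) = read_tlv(value)?;
            // Accept UTF8String, PrintableString and IA5String only.
            if !matches!(vtag, 0x0c | 0x13 | 0x16) { return None; }
            return String::from_utf8(val.to_vec()).ok();
        }
    }
    None
}

fn main() {
    println!("{:?}", common_name_from_subject(WITH_CN));
    println!("{:?}", common_name_from_subject(NO_CN));
}
```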