fix(passport-signature): guard ECDSA bruteforce returns and add safe fallbacks

common/src/utils/passports/passport_parsing/brutForceDscSignature.ts

@@ -14,11 +14,13 @@ import { hash } from '../../hash.js';
 export function brutforceSignatureAlgorithmDsc(dsc: CertificateData, csca: CertificateData) {
   if (csca.signatureAlgorithm === 'ecdsa') {
     const hashAlgorithm = brutforceHashAlgorithmDsc(dsc, csca, 'ecdsa');
-    return {
-      signatureAlgorithm: 'ecdsa',
-      hashAlgorithm: hashAlgorithm,
-      saltLength: 0,
-    };
+    if (hashAlgorithm) {
+      return {
+        signatureAlgorithm: 'ecdsa',
+        hashAlgorithm: hashAlgorithm,
+        saltLength: 0,
+      };
+    }
   } else if (csca.signatureAlgorithm === 'rsa') {
     const hashAlgorithm = brutforceHashAlgorithmDsc(dsc, csca, 'rsa');
     if (hashAlgorithm) {

common/src/utils/passports/passport_parsing/brutForcePassportSignature.ts

@@ -14,11 +14,13 @@ export function brutforceSignatureAlgorithm(passportData: PassportData) {
   const parsedDsc = parseCertificateSimple(passportData.dsc);
   if (parsedDsc.signatureAlgorithm === 'ecdsa') {
     const hashAlgorithm = brutforceHashAlgorithm(passportData, 'ecdsa');
-    return {
-      signatureAlgorithm: 'ecdsa',
-      hashAlgorithm: hashAlgorithm,
-      saltLength: 0,
-    };
+    if (hashAlgorithm) {
+      return {
+        signatureAlgorithm: 'ecdsa',
+        hashAlgorithm: hashAlgorithm,
+        saltLength: 0,
+      };
+    }
   } else if (parsedDsc.signatureAlgorithm === 'rsa') {
     const hashAlgorithm = brutforceHashAlgorithm(passportData, 'rsa');
     if (hashAlgorithm) {

common/src/utils/passports/passport_parsing/parseDscCertificateData.ts

@@ -35,11 +35,17 @@ export function parseDscCertificateData(
         cscaParsed = parseCertificateSimple(csca);
         const details = brutforceSignatureAlgorithmDsc(dscCert, cscaParsed);
         cscaFound = true;
-        cscaHashAlgorithm = details.hashAlgorithm;
-        cscaSignatureAlgorithm = details.signatureAlgorithm;
+        if (details && details.hashAlgorithm && details.signatureAlgorithm) {
+          cscaHashAlgorithm = details.hashAlgorithm;
+          cscaSignatureAlgorithm = details.signatureAlgorithm;
+          cscaSaltLength = details.saltLength;
+        } else if (cscaParsed) {
+          cscaHashAlgorithm = cscaParsed.hashAlgorithm;
+          cscaSignatureAlgorithm = cscaParsed.signatureAlgorithm;
+          cscaSaltLength = 0;
+        }
         cscaCurveOrExponent = getCurveOrExponent(cscaParsed);
         cscaSignatureAlgorithmBits = parseInt(cscaParsed.publicKeyDetails.bits);
-        cscaSaltLength = details.saltLength;
       }
     } catch (error) {}
   } else {

common/src/utils/passports/passport_parsing/parsePassportData.ts

@@ -111,8 +111,6 @@ export function parsePassportData(
     passportData.signedAttr
   );
 
-  const brutForcedPublicKeyDetails = brutforceSignatureAlgorithm(passportData);
-
   let parsedDsc = null;
   let dscSignatureAlgorithmBits = 0;
 
@@ -125,6 +123,20 @@ export function parsePassportData(
     dscMetaData = parseDscCertificateData(parsedDsc, skiPem);
   }
 
+  // Determine signature algorithm/hash with fallback if brute-force fails
+  const brutForcedPublicKeyDetails = brutforceSignatureAlgorithm(passportData);
+  let resolvedSignatureAlgorithm = brutForcedPublicKeyDetails?.signatureAlgorithm as string | undefined;
+  let resolvedSignedAttrHashFunction = brutForcedPublicKeyDetails?.hashAlgorithm as string | undefined;
+  let resolvedSaltLength = (brutForcedPublicKeyDetails?.saltLength as number | undefined) ?? undefined;
+
+  if (!resolvedSignatureAlgorithm || !resolvedSignedAttrHashFunction) {
+    if (parsedDsc) {
+      resolvedSignatureAlgorithm = parsedDsc.signatureAlgorithm;
+      resolvedSignedAttrHashFunction = parsedDsc.hashAlgorithm;
+      resolvedSaltLength = 0;
+    }
+  }
+
   return {
     dataGroups:
       passportData.dgPresents
@@ -141,9 +153,9 @@ export function parsePassportData(
     eContentHashFunction,
     eContentHashOffset,
     signedAttrSize: passportData.signedAttr?.length || 0,
-    signedAttrHashFunction: brutForcedPublicKeyDetails.hashAlgorithm,
-    signatureAlgorithm: brutForcedPublicKeyDetails.signatureAlgorithm,
-    saltLength: brutForcedPublicKeyDetails.saltLength,
+    signedAttrHashFunction: resolvedSignedAttrHashFunction,
+    signatureAlgorithm: resolvedSignatureAlgorithm,
+    saltLength: resolvedSaltLength || 0,
     curveOrExponent: parsedDsc ? getCurveOrExponent(parsedDsc) : 'unknown',
     signatureAlgorithmBits: dscSignatureAlgorithmBits,
     countryCode: passportData.mrz ? getCountryCodeFromMrz(passportData.mrz) : 'unknown',