Description

What: RFC 9052 §3 states: "The same label MUST NOT occur more than once in the same map." wolfCOSE currently processes header maps by iterating key-value pairs and storing the first value it encounters for each known label. If a CBOR map contains the same label twice, the second value is silently ignored.

Why it matters: An attacker could craft a message with {1: -7, 4: h'kid1', 1: -35} (algorithm label appears twice). wolfCOSE would use ES256 (-7) from the first occurrence, but a different COSE implementation might use ES384 (-35) from the second. This creates a verifier disagreement — the same message could verify under different algorithms depending on the implementation. In a multi-party system this could be exploited to downgrade the effective algorithm.

Implementation sketch:
- In wolfCose_DecodeProtectedHdr and wolfCose_DecodeUnprotectedHdr, track which labels have been seen (a small bitmask for well-known labels 1-9, plus a counter for negative labels)
- If a label is encountered a second time, return WOLFCOSE_E_COSE_BAD_HDR
- Also detect cross-bucket duplicates: a label appearing in both protected and unprotected should be rejected (except for labels that the RFC explicitly allows in both, which in practice is none of the standard ones)

Affected functions: wolfCose_DecodeProtectedHdr, wolfCose_DecodeUnprotectedHdr, and any future header decode path.
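As an added example, not wolfCOSE's own code, here is the duplicate-label check from the sketch written in C around a minimal CBOR head decoder: a shared seen-label bitmask is passed through both buckets so in-map and cross-bucket duplicates are caught, and the bitmask covers labels -32..31 rather than only 1-9. The sample header bytes and the function and constant names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#define HDR_OK             0
#define HDR_E_DUP         -1   /* label seen twice: in-map or across buckets */
#define HDR_E_UNSUPPORTED -2   /* truncated, or an encoding this checker does not walk */

/* Constructed samples (hypothetical inputs, not from the project's tests):
 * DUP_HDR = {1: -7, 4: h'kid1', 1: -35}, ALG_ONLY_HDR = {1: -7}. */
const uint8_t DUP_HDR[] = {0xa3, 0x01, 0x26, 0x04, 0x44, 0x6b, 0x69, 0x64, 0x31, 0x01, 0x38, 0x22};
const uint8_t ALG_ONLY_HDR[] = {0xa1, 0x01, 0x26};

/* Decode one CBOR head at buf[*pos]: returns the major type (or -1), stores the
 * argument in *arg and advances *pos. 1/2/4-byte arguments cover header labels
 * and string lengths; 8-byte and indefinite-length forms are rejected. */
static int cbor_head(const uint8_t *buf, size_t len, size_t *pos, uint64_t *arg)
{
    if (*pos >= len) return -1;
    uint8_t ib = buf[(*pos)++], ai = ib & 0x1f;
    size_t n;
    if (ai < 24) { *arg = ai; return ib >> 5; }
    if (ai == 24) n = 1; else if (ai == 25) n = 2; else if (ai == 26) n = 4;
    else return -1;
    if (n > len - *pos) return -1;
    for (*arg = 0; n > 0; n--) *arg = (*arg << 8) | buf[(*pos)++];
    return ib >> 5;
}

/* Walk one header map and reject any integer label already recorded in *seen.
 * Bit k of *seen marks label k (0 <= k < 32); bit 32+k marks label -(k+1).
 * Values may be int, bstr or tstr (skipped); nested arrays/maps are rejected.
 * Pass the same *seen for the protected and unprotected maps of one message
 * so that a label present in both buckets is reported as a duplicate too. */
int cose_check_hdr_labels(const uint8_t *buf, size_t len, uint64_t *seen)
{
    size_t pos = 0;
    uint64_t npairs, arg;
    if (cbor_head(buf, len, &pos, &npairs) != 5) return HDR_E_UNSUPPORTED;
    for (uint64_t i = 0; i < npairs; i++) {
        int mt = cbor_head(buf, len, &pos, &arg);
        if ((mt != 0 && mt != 1) || arg >= 32) return HDR_E_UNSUPPORTED; /* int labels only */
        uint64_t bit = 1ULL << (mt == 0 ? arg : 32 + arg);
        if (*seen & bit) return HDR_E_DUP;    /* second occurrence: fail closed */
        *seen |= bit;
        mt = cbor_head(buf, len, &pos, &arg); /* skip the value */
        if (mt == 2 || mt == 3) {             /* bstr / tstr payload */
            if (arg > len - pos) return HDR_E_UNSUPPORTED;
            pos += (size_t)arg;
        } else if (mt != 0 && mt != 1) return HDR_E_UNSUPPORTED;
    }
    return HDR_OK;
}
```

Calling it with a fresh seen mask on DUP_HDR returns HDR_E_DUP at the second label 1; calling it twice with one shared mask on ALG_ONLY_HDR models the protected/unprotected cross-bucket case and fails on the second call.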