From 47f79aa62bce2a151771c0bfc599113933fa4fc7 Mon Sep 17 00:00:00 2001
From: ryan
Date: Thu, 10 Apr 2025 15:31:06 -0400
Subject: [PATCH] miniquorum: fix duplicate-signature validation logic

---
 crates/miniquorum/src/lib.rs | 39 ++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

diff --git a/crates/miniquorum/src/lib.rs b/crates/miniquorum/src/lib.rs
index af889d8..4f1dca1 100644
--- a/crates/miniquorum/src/lib.rs
+++ b/crates/miniquorum/src/lib.rs
@@ -439,14 +439,6 @@ impl Payload {
  for issuer in signature.issuer_fingerprints() {
  let mut currently_seen = std::collections::HashMap::new();
  for cert in &certs {
- if let Some(seen_index) = seen.get(&cert.fingerprint()) {
- return Err(BaseError::DuplicateSignature(
- cert.fingerprint(),
- index,
- *seen_index,
- )
- .into());
- }
  match cert
  .with_policy(&policy, None)?
  .keys()
@@ -456,16 +448,29 @@ impl Payload {
  .next()
  .map(|signing_key| signature.verify_hash(&signing_key, hashed.clone()))
  {
- Some(Ok(())) => {
- // key found, signature matched
- signature_matched = true;
+ Some(result) => {
+ // matching key found, check for duplicates
+ if let Some(seen_index) = seen.get(&cert.fingerprint()) {
+ return Err(BaseError::DuplicateSignature(
+ cert.fingerprint(),
+ index,
+ *seen_index,
+ )
+ .into());
+ }
 
- // mark the cert as seen, so it isn't reusable
- currently_seen.insert(cert.fingerprint(), index);
- }
- Some(Err(e)) => {
- if error_on_invalid {
- return Err(e)?;
+ match result {
+ Ok(()) => {
+ signature_matched = true;
+
+ // mark the cert as seen, so it isn't reusable
+ currently_seen.insert(cert.fingerprint(), index);
+ }
+ Err(e) => {
+ if error_on_invalid {
+ return Err(e)?;
+ }
+ }
  }
  }
  None => {
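Review bot: In the new `Some(result)` arm of the second hunk, the duplicate lookup runs before `result` is inspected, so a signature that fails `verify_hash` but names a key belonging to an already-seen cert returns `BaseError::DuplicateSignature` even when `error_on_invalid` is false. The issuer fingerprints come from the signature being checked, so unless they are authenticated elsewhere (not visible in the hunk), an unverified signature can turn an otherwise acceptable payload into a hard error instead of being skipped. If that fail-closed behaviour is not intended, move the `seen.get(&cert.fingerprint())` check into the `Ok(())` arm ahead of `signature_matched = true;`, so only verified signatures count as duplicates. If it is intended, say so in the comment, for example `// reject reuse of a seen cert even if this signature does not verify`. The enclosing method of `impl Payload` starts and ends outside the hunk, including the place where `currently_seen` is presumably merged into `seen`, so a regression test covering two distinct signers plus one invalid signature would pin the behaviour.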