Missing signature verification of CSCA master list

[smlu]

Due to the issues with cryptography library and it's implementation of DSA signature verification, the integrety check is currently not implemented for master list.

[smlu]

The problem has been identified at least for one master list (C=ES crc=02409DA3).

The issue doesn't lay in the cryptography library as initially thought but in a different asn1 serialization format that was used to store a SignedAttributes object in the master list and for making a digital signature.

Specifically, a SignedtAttributes object is stored in the master list as asn1 DER-encoded ComplexType type (0xA0 DER tag) but the signature was made over SignedAttributes object serialized as asn1 DER-encoded Set type (0x31 DER tag). The type Set is the correct type to be used according to RFC-5652. When serializing this object with the asn1crypto library the object's type is preserved (ComplexType) thus the invalid message is generated and the signature verification fails.

[smlu]

Commit 8b934bf fixes this issue. Closing issue.

[smlu]

The examination of master lists publicly available at ICAO PKD showed that every master list has this issue.

[smlu]

There is still issue with signature verification of the Hungarian master list.
The Hungarian master list has some additional unknown fields within signed attributes field and no documentation was found on what those unknown fields represent or how the SignedtAttributes object should be serialized to produce valid message to verifay signature with.

[smlu]

The RFC 5652 Section 5.4 specifies that the message digest should be calculated over SignedtAttributes encoded with EXPLICIT SET OF tag rather than IMPLICIT [0] tag.